From 3e4c86a5bf83328a805467d823e4e44512f3254a Mon Sep 17 00:00:00 2001
From: "steven.y.gui"
Date: Mon, 9 Oct 2023 21:11:46 +0800
Subject: [PATCH] add openeuler supporting
---
 add-openeuler-control-rules.patch | 4992 +++++++++++++++++++++++++++++
 add-openeuler-support.patch | 448 +++
 scap-security-guide.spec | 8 +-
 3 files changed, 5447 insertions(+), 1 deletion(-)
 create mode 100644 add-openeuler-control-rules.patch
 create mode 100644 add-openeuler-support.patch
diff --git a/add-openeuler-control-rules.patch b/add-openeuler-control-rules.patch
new file mode 100644
index 0000000..6b102c3
--- /dev/null
+++ b/add-openeuler-control-rules.patch
@@ -0,0 +1,4992 @@ +From 609b79104a186853755763c144c70a7fbe26d632 Mon Sep 17 00:00:00 2001 +From: "steven.y.gui" +Date: Mon, 9 Oct 2023 21:05:12 +0800 +Subject: [PATCH] add openeuler control rules + +--- + controls/std_openeuler.yml | 1786 ++++++++++++++++- + .../service_avahi-daemon_disabled/rule.yml | 2 +- + .../file_groupowner_cron_d/rule.yml | 2 +- + .../file_groupowner_cron_daily/rule.yml | 2 +- + .../file_groupowner_cron_hourly/rule.yml | 2 +- + .../file_groupowner_cron_monthly/rule.yml | 2 +- + .../file_groupowner_cron_weekly/rule.yml | 2 +- + .../file_groupowner_crontab/rule.yml | 2 +- + .../cron_and_at/file_owner_cron_d/rule.yml | 2 +- + .../file_owner_cron_daily/rule.yml | 2 +- + .../file_owner_cron_hourly/rule.yml | 2 +- + .../file_owner_cron_monthly/rule.yml | 2 +- + .../file_owner_cron_weekly/rule.yml | 2 +- + .../cron_and_at/file_owner_crontab/rule.yml | 2 +- + .../file_permissions_cron_d/rule.yml | 2 +- + .../file_permissions_cron_daily/rule.yml | 2 +- + .../file_permissions_cron_hourly/rule.yml | 2 +- + .../file_permissions_cron_monthly/rule.yml | 2 +- + .../file_permissions_cron_weekly/rule.yml | 2 +- + .../file_permissions_crontab/rule.yml | 2 +- + .../file_at_deny_not_exist/rule.yml | 2 +- + .../file_cron_deny_not_exist/rule.yml | 2 +- + .../file_groupowner_at_allow/rule.yml | 2 +- + .../file_groupowner_cron_allow/rule.yml | 2 +- + .../file_owner_at_allow/rule.yml | 2 +- + .../file_owner_cron_allow/rule.yml | 2 +- + .../file_permissions_at_allow/rule.yml | 2 +- + .../file_permissions_cron_allow/rule.yml | 2 +- + .../service_crond_enabled/rule.yml | 2 +- + .../service_dhcpd_disabled/rule.yml | 2 +- + .../service_named_disabled/rule.yml | 2 +- + .../package_httpd_removed/rule.yml | 2 +- + .../package_openldap-clients_removed/rule.yml | 2 +- + .../package_openldap-servers_removed/rule.yml | 2 +- + .../service_rpcbind_disabled/rule.yml | 2 +- + .../service_nfs_disabled/rule.yml | 2 +- + .../rule.yml | 2 +- + 
.../ntp/ntpd_configure_restrictions/rule.yml | 2 +- + .../nis/package_ypbind_removed/rule.yml | 2 +- + .../nis/package_ypserv_removed/rule.yml | 2 +- + .../obsolete/service_rsyncd_disabled/rule.yml | 4 +- + .../printing/package_cups_removed/rule.yml | 2 +- + .../package_samba_removed/rule.yml | 2 +- + .../package_net-snmp_removed/rule.yml | 2 +- + .../sshd_use_strong_ciphers/rule.yml | 2 +- + .../ssh_server/sshd_use_strong_kex/rule.yml | 2 +- + .../ssh_server/sshd_use_strong_macs/rule.yml | 2 +- + .../guide/services/ssh/sshd_strong_kex.var | 1 + + .../rule.yml | 2 +- + .../xwindows_remove_packages/rule.yml | 2 +- + .../file_groupowner_etc_issue/rule.yml | 2 +- + .../file_groupowner_etc_issue_net/rule.yml | 2 +- + .../file_groupowner_etc_motd/rule.yml | 2 +- + .../file_owner_etc_issue/rule.yml | 2 +- + .../file_owner_etc_issue_net/rule.yml | 2 +- + .../file_owner_etc_motd/rule.yml | 2 +- + .../file_permissions_etc_issue/rule.yml | 2 +- + .../file_permissions_etc_issue_net/rule.yml | 2 +- + .../file_permissions_etc_motd/rule.yml | 2 +- + .../accounts-banners/warning_banners/rule.yml | 24 + + .../rule.yml | 2 +- + .../oval/openeuler.xml | 291 +++ + .../rule.yml | 2 +- + .../oval/openeuler.xml | 285 +++ + .../rule.yml | 2 +- + ...nts_passwords_pam_faillock_unlock_time.var | 1 + + .../accounts_password_pam_dcredit/rule.yml | 2 +- + .../accounts_password_pam_dictcheck/rule.yml | 2 +- + .../rule.yml | 2 +- + .../accounts_password_pam_lcredit/rule.yml | 2 +- + .../accounts_password_pam_minclass/rule.yml | 2 +- + .../accounts_password_pam_minlen/rule.yml | 2 +- + .../accounts_password_pam_ocredit/rule.yml | 2 +- + .../accounts_password_pam_retry/rule.yml | 2 +- + .../accounts_password_pam_ucredit/rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../oval/shared.xml | 2 +- + .../require_emergency_target_auth/rule.yml | 4 +- + .../service_debug-shell_disabled/rule.yml | 2 +- + .../account_temp_expire_date/rule.yml | 2 +- + .../account_unique_id/rule.yml | 2 +- + 
.../group_unique_id/rule.yml | 2 +- + .../group_unique_name/rule.yml | 2 +- + .../accounts_maximum_age_login_defs/rule.yml | 1 - + .../accounts_minimum_age_login_defs/rule.yml | 1 - + .../no_forward_files/rule.yml | 2 +- + .../root_logins/use_pam_wheel_for_su/rule.yml | 2 +- + .../accounts-session/accounts_tmout/rule.yml | 2 +- + .../rule.yml | 2 +- + .../accounts_umask_etc_bashrc/rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../audit_rules_login_events_lastlog/rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../audit_rules_sudoers/rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../auditd_audispd_disk_full_action/rule.yml | 2 +- + .../rule.yml | 2 +- + .../auditd_data_retention_space_left/rule.yml | 2 +- + .../auditing/grub2_audit_argument/rule.yml | 2 +- + .../rule.yml | 2 +- + .../non-uefi/grub2_password/rule.yml | 2 +- + .../uefi/grub2_uefi_password/rule.yml | 2 +- + .../rsyslog_cron_logging/rule.yml | 2 +- + .../rsyslog_logging_configured/rule.yml | 2 +- + .../rsyslog_remote_access_monitoring/rule.yml | 2 +- + .../logging/rsyslog_filecreatemode/rule.yml | 2 +- + .../service_firewalld_enabled/rule.yml | 2 +- + .../set_firewalld_appropriate_zone/rule.yml | 2 +- + .../rule.yml | 2 +- + .../set_ipv6_loopback_traffic/rule.yml | 4 + + 
.../set_loopback_traffic/rule.yml | 4 + + .../set_iptables_default_rule/rule.yml | 4 + + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 5 +- + .../rule.yml | 5 +- + .../rule.yml | 5 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../sysctl_net_ipv4_tcp_syncookies/rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../sysctl_net_ipv4_ip_forward/rule.yml | 2 +- + .../rule.yml | 2 +- + .../service_nftables_enabled/rule.yml | 2 +- + .../set_nftables_loopback_traffic/rule.yml | 2 +- + .../set_nftables_new_connections/rule.yml | 2 +- + .../kernel_module_sctp_disabled/rule.yml | 2 +- + .../wireless_disable_interfaces/rule.yml | 6 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../file_permissions_ungroupowned/rule.yml | 2 +- + .../files/no_files_unowned_by_user/rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../sysctl_kernel_randomize_va_space/rule.yml | 3 + + .../sysctl_kernel_dmesg_restrict/rule.yml | 2 +- + .../restrictions/sysctl_kernel_sysrq/rule.yml | 2 +- + .../sysctl_kernel_yama_ptrace_scope/rule.yml | 2 +- + .../selinux_confinement_of_daemons/rule.yml | 2 +- + .../selinux/selinux_policytype/rule.yml | 2 +- + .../crypto/configure_crypto_policy/rule.yml | 2 +- + .../aide/aide_build_database/rule.yml | 2 +- + .../aide/package_aide_installed/rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../ensure_gpgcheck_never_disabled/rule.yml | 2 +- + products/openeuler/product.yml | 1 + + products/openeuler2203/product.yml | 1 + + shared/applicability/package.yml | 2 +- + 195 files changed, 2599 insertions(+), 187 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml + create mode 100644 
linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml + +diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml +index 5599b04..eb66293 100644 +--- a/controls/std_openeuler.yml ++++ b/controls/std_openeuler.yml +@@ -7,28 +7,1808 @@ levels: + - id: base + + controls: ++ - id: 1.1.1_no_unowner_ungroup_files ++ title: Ensure All Files Have Owner And Group ++ levels: ++ - base ++ status: automated ++ rules: ++ - no_files_unowned_by_user ++ - no_files_unowned_by_user.severity=high ++ - file_permissions_ungroupowned ++ - file_permissions_ungroupowned.severity=high ++ ++ - id: 1.1.2_no_empty_symlink ++ title: Ensure No Empty Symlink ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.1.3_no_hidden_exec_files ++ title: Ensure No Hidden Executable Files ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.1.4_global_writable_dir_sticky_set ++ title: Ensure Sticky Set On Global Writable Folder ++ levels: ++ - base ++ status: automated ++ rules: ++ - dir_perms_world_writable_sticky_bits ++ - dir_perms_world_writable_sticky_bits.severity=high ++ ++ - id: 1.1.5_umask_set_correct ++ title: Ensure UMASK Correct ++ levels: ++ - base ++ status: automated ++ rules: ++ - accounts_umask_etc_bashrc ++ - accounts_umask_etc_bashrc.severity=high ++ - var_accounts_user_umask=077 ++ ++ - id: 1.1.6_no_global_writable_file ++ title: Ensure No Global Writable File ++ levels: ++ - base ++ status: automated ++ rules: ++ - file_permissions_unauthorized_world_writable ++ - file_permissions_unauthorized_world_writable.severity=high ++ ++ - id: 1.1.7_umount_unnecessary_file_system ++ title: Umount Unnecessary File System ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.1.8_mount_as_readonly ++ title: Ensure Mount As Readonly If No Need To Write ++ 
levels: ++ - base ++ status: planned ++ ++ - id: 1.1.9_mount_as_nodev ++ title: Ensure Mount As Nodev ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.1.10_mount_as_noexec ++ title: Ensure Mount As Noexec ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.1.11_mount_as_noexec_nodev_for_removable ++ title: Ensure Mount As Noexec And Nodev For Removable Device ++ levels: ++ - base ++ status: automated ++ rules: ++ - mount_option_noexec_removable_partitions ++ - mount_option_noexec_removable_partitions.severity=high ++ - mount_option_nodev_removable_partitions ++ - mount_option_nodev_removable_partitions.severity=high ++ ++ - id: 1.1.12_mount_as_nosuid ++ title: Ensure Mount As Nosuid ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.1.13_remove_unnecessary_suid_sgid ++ title: Ensure Remove Unnecessary SUID And SGID ++ levels: ++ - base ++ status: automated ++ rules: ++ - file_permissions_unauthorized_suid ++ - file_permissions_unauthorized_suid.severity=high ++ - file_permissions_unauthorized_sgid ++ - file_permissions_unauthorized_sgid.severity=high ++ ++ - id: 1.1.14_file_permission_minimize ++ title: Ensure File Permission Minimize ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.1.15_ulimit_correctly ++ title: Ensure Ulinmit Correctly ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.1.16_symlinks_hardlinks_protected ++ title: Ensure Symlinks And Hardlinks Protected ++ levels: ++ - base ++ status: automated ++ rules: ++ - sysctl_fs_protected_symlinks ++ - sysctl_fs_protected_symlinks.severity=high ++ - sysctl_fs_protected_hardlinks ++ - sysctl_fs_protected_hardlinks.severity=high ++ ++ - id: 1.1.17_usb_disabled ++ title: Ensure USB Disabled ++ levels: ++ - base ++ status: automated ++ rules: ++ - kernel_module_usb-storage_disabled ++ - kernel_module_usb-storage_disabled.severity=low ++ ++ - id: 1.1.18_partitions_management ++ title: Ensure Different Data Store In Different Partitions ++ levels: ++ - base ++ status: planned ++ ++ - id: 
1.1.19_library_path_correct ++ title: Ensure LD_LIBRARY_PATH Correct ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.1.20_user_path_correct ++ title: Ensure User PATH Correct ++ levels: ++ - base ++ status: planned ++ + - id: 1.2.1_ftp_not_installed +- title: Ensure FTP is not installed ++ title: Ensure FTP Not Installed + levels: + - base + status: automated + rules: + - package_ftp_removed ++ - package_ftp_removed.severity=high + + - id: 1.2.2_tftp_server_not_installed +- title: Ensure TFTP Server is not installed ++ title: Ensure TFTP Server Not Installed + levels: + - base + status: automated + rules: + - package_tftp_removed ++ - package_tftp_removed.severity=high + - package_tftp-server_removed ++ - package_tftp-server_removed.severity=high + + - id: 1.2.3_telnet_server_not_installed +- title: Ensure Telnet Server is not installed ++ title: Ensure Telnet Server Not Installed + levels: + - base + status: automated + rules: + - package_telnet_removed ++ - package_telnet_removed.severity=high + - package_telnet-server_removed ++ - package_telnet-server_removed.severity=high ++ ++ - id: 1.2.4_snmp_not_installed ++ title: Ensure SNMP Not Installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_net-snmp_removed ++ - package_net-snmp_removed.severity=high ++ ++ - id: 1.2.5_python2_not_installed ++ title: Ensure Python2 Not Installed ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.2.6_gpg_check_configured ++ title: Ensure GPG Check Configured ++ levels: ++ - base ++ status: automated ++ rules: ++ - ensure_gpgcheck_globally_activated ++ - ensure_gpgcheck_globally_activated.severity=high ++ - ensure_gpgcheck_never_disabled ++ - ensure_gpgcheck_never_disabled.severity=high ++ ++ - id: 1.2.7_debug-shell_disabled ++ title: Ensure Debug-Shell Disabled ++ levels: ++ - base ++ status: automated ++ rules: ++ - service_debug-shell_disabled ++ - service_debug-shell_disabled.severity=high ++ ++ - id: 1.2.8_rsync_not_installed ++ title: Ensure Rsync 
Not Installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - service_rsyncd_disabled ++ - service_rsyncd_disabled.severity=high ++ ++ - id: 1.2.9_avahi_not_installed ++ title: Ensure Avahi Not Installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - service_avahi-daemon_disabled ++ - service_avahi-daemon_disabled.severity=high ++ ++ - id: 1.2.10_ldap_server_not_installed ++ title: Ensure LDAP Server Not Installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_openldap-servers_removed ++ - package_openldap-servers_removed.severity=high ++ ++ - id: 1.2.11_cups_not_installed ++ title: Ensure CUPS Not Installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_cups_removed ++ - package_cups_removed.severity=high ++ ++ - id: 1.2.12_nis_server_not_installed ++ title: Ensure NIS Server Not Installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_ypserv_removed ++ - package_ypserv_removed.severity=high ++ ++ - id: 1.2.13_nis_client_not_installed ++ title: Ensure NIS Client Not Installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_ypbind_removed ++ - package_ypbind_removed.severity=high ++ ++ - id: 1.2.14_ldap_client_not_installed ++ title: Ensure LDAP Client Not Installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_openldap-clients_removed ++ - package_openldap-clients_removed.severity=high ++ ++ - id: 1.2.15_no_network_sniffing_software ++ title: Ensure Network Sniffing Software Removed ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.2.16_no_debug_tools ++ title: Ensure Debug Tools Removed ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.2.17_no_compiler_tools ++ title: Ensure Compiler Tools Removed ++ levels: ++ - base ++ status: planned ++ ++ - id: 1.2.18_xwindow_not_installed ++ title: Ensure X Window Not Installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - xwindows_remove_packages ++ - xwindows_remove_packages.severity=low ++ ++ - 
id: 1.2.19_http_not_installed ++ title: Ensure Http Service Not Installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_httpd_removed ++ - package_httpd_removed.severity=low ++ ++ - id: 1.2.20_samba_not_installed ++ title: Ensure Samba Service Not Installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_samba_removed ++ - package_samba_removed.severity=low ++ ++ - id: 1.2.21_dns_disabled ++ title: Ensure DNS Service Disabled ++ levels: ++ - base ++ status: automated ++ rules: ++ - service_named_disabled ++ - service_named_disabled.severity=low ++ ++ - id: 1.2.22_nfs_disabled ++ title: Ensure NFS Service Disabled ++ levels: ++ - base ++ status: automated ++ rules: ++ - service_nfs_disabled ++ - service_nfs_disabled.severity=low ++ ++ - id: 1.2.23_rpc_disabled ++ title: Ensure RPC Service Disabled ++ levels: ++ - base ++ status: automated ++ rules: ++ - service_rpcbind_disabled ++ - service_rpcbind_disabled.severity=low ++ ++ - id: 1.2.24_DHCP_disabled ++ title: Ensure DHCP Service Disabled ++ levels: ++ - base ++ status: automated ++ rules: ++ - service_dhcpd_disabled ++ - service_dhcpd_disabled.severity=low ++ ++ ++ - id: 2.1.1_login_accounts_are_necessary ++ title: Ensure All Login Accounts Are Necessary ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.1.2_no_unused_accounts ++ title: Ensure No Unused Accounts ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.1.3_different_accounts_have_different_groupid ++ title: Ensure Different Accounts Have Different GroupID ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.1.4_no_uid_0_except_root ++ title: Ensure Only Root's UID Is 0 ++ levels: ++ - base ++ status: automated ++ rules: ++ - accounts_no_uid_except_zero ++ - accounts_no_uid_except_zero.severity=high ++ ++ - id: 2.1.5_account_related_files_permission ++ title: Ensure Account Related Files Have Correct Permission ++ levels: ++ - base ++ status: automated ++ rules: ++ - file_owner_etc_passwd ++ - 
file_owner_etc_passwd.severity=high ++ - file_groupowner_etc_passwd ++ - file_groupowner_etc_passwd.severity=high ++ - file_owner_etc_shadow ++ - file_owner_etc_shadow.severity=high ++ - file_groupowner_etc_shadow ++ - file_groupowner_etc_shadow.severity=high ++ - file_owner_etc_group ++ - file_owner_etc_group.severity=high ++ - file_groupowner_etc_group ++ - file_groupowner_etc_group.severity=high ++ - file_owner_etc_gshadow ++ - file_owner_etc_gshadow.severity=high ++ - file_groupowner_etc_gshadow ++ - file_groupowner_etc_gshadow.severity=high ++ - file_owner_backup_etc_passwd ++ - file_owner_backup_etc_passwd.severity=high ++ - file_groupowner_backup_etc_passwd ++ - file_groupowner_backup_etc_passwd.severity=high ++ - file_owner_backup_etc_shadow ++ - file_owner_backup_etc_shadow.severity=high ++ - file_groupowner_backup_etc_shadow ++ - file_groupowner_backup_etc_shadow.severity=high ++ - file_owner_backup_etc_group ++ - file_owner_backup_etc_group.severity=high ++ - file_groupowner_backup_etc_group ++ - file_groupowner_backup_etc_group.severity=high ++ - file_owner_backup_etc_gshadow ++ - file_owner_backup_etc_gshadow.severity=high ++ - file_groupowner_backup_etc_gshadow ++ - file_groupowner_backup_etc_gshadow.severity=high ++ - file_permissions_etc_passwd ++ - file_permissions_etc_passwd.severity=high ++ - file_permissions_etc_shadow ++ - file_permissions_etc_shadow.severity=high ++ - file_permissions_etc_group ++ - file_permissions_etc_group.severity=high ++ - file_permissions_etc_gshadow ++ - file_permissions_etc_gshadow.severity=high ++ - file_permissions_backup_etc_passwd ++ - file_permissions_backup_etc_passwd.severity=high ++ - file_permissions_backup_etc_shadow ++ - file_permissions_backup_etc_shadow.severity=high ++ - file_permissions_backup_etc_group ++ - file_permissions_backup_etc_group.severity=high ++ - file_permissions_backup_etc_gshadow ++ - file_permissions_backup_etc_gshadow.severity=high ++ ++ - id: 2.1.6_account_has_home_dir ++ title: Ensure 
All Accounts Have Own Home Folder ++ levels: ++ - base ++ status: automated ++ rules: ++ - accounts_user_interactive_home_directory_exists ++ - accounts_user_interactive_home_directory_exists.severity=high ++ ++ - id: 2.1.7_all_groups_existed ++ title: Ensure All Groups Existed ++ levels: ++ - base ++ status: automated ++ rules: ++ - gid_passwd_group_same ++ - gid_passwd_group_same.severity=high ++ ++ - id: 2.1.8_unique_uid ++ title: Ensure UID Unique ++ levels: ++ - base ++ status: automated ++ rules: ++ - account_unique_id ++ - account_unique_id.severity=high ++ ++ - id: 2.1.9_account_unique_name ++ title: Ensure Account Name Unique ++ levels: ++ - base ++ status: automated ++ rules: ++ - account_unique_name ++ - account_unique_name.severity=high ++ ++ - id: 2.1.10_group_unique_id ++ title: Ensure Group Unique ID ++ levels: ++ - base ++ status: automated ++ rules: ++ - group_unique_id ++ - group_unique_id.severity=high ++ ++ - id: 2.1.11_group_unique_name ++ title: Ensure Group Unique Name ++ levels: ++ - base ++ status: automated ++ rules: ++ - group_unique_name ++ - group_unique_name.severity=high ++ ++ - id: 2.1.12_account_expire ++ title: Ensure Account Expire Date Correct ++ levels: ++ - base ++ status: manual ++ rules: ++ - account_temp_expire_date ++ - account_temp_expire_date.severity=low ++ ++ - id: 2.1.13_no_forward_in_home ++ title: Ensure No .forward Files In Home Folder ++ levels: ++ - base ++ status: automated ++ rules: ++ - no_forward_files ++ - no_forward_files.severity=low ++ ++ - id: 2.1.14_no_netrc_in_home ++ title: Ensure No .netrc Files In Home Folder ++ levels: ++ - base ++ status: automated ++ rules: ++ - no_netrc_files ++ - no_netrc_files.severity=low ++ ++ - id: 2.2.1_password_complexity_correct ++ title: Ensure Set Correct Password Complexity ++ levels: ++ - base ++ status: automated ++ rules: ++ - accounts_password_pam_minlen ++ - accounts_password_pam_minlen.severity=high ++ - var_password_pam_minlen=8 ++ - 
accounts_password_pam_minclass ++ - accounts_password_pam_minclass.severity=high ++ - var_password_pam_minclass=3 ++ - accounts_password_pam_retry ++ - accounts_password_pam_retry.severity=high ++ - var_password_pam_retry=3 ++ - accounts_password_pam_dcredit ++ - accounts_password_pam_dcredit.severity=high ++ - var_password_pam_dcredit=0 ++ - accounts_password_pam_ucredit ++ - accounts_password_pam_ucredit.severity=high ++ - var_password_pam_ucredit=0 ++ - accounts_password_pam_lcredit ++ - accounts_password_pam_lcredit.severity=high ++ - var_password_pam_lcredit=0 ++ - accounts_password_pam_ocredit ++ - accounts_password_pam_ocredit.severity=high ++ - var_password_pam_ocredit=0 ++ - accounts_password_pam_enforce_root ++ - accounts_password_pam_enforce_root.severity=high ++ ++ - id: 2.2.2_history_password_not_used ++ title: Ensure No History Password Used ++ levels: ++ - base ++ status: automated ++ rules: ++ - accounts_password_pam_unix_remember ++ - accounts_password_pam_unix_remember.severity=high ++ - var_password_pam_unix_remember=5 ++ ++ - id: 2.2.3_verify_old_password ++ title: Ensure Old Password Verified ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.2.4_no_username_in_password ++ title: Ensure Password Not Contain User Name ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.2.5_strong_hash_algorithm_for_password ++ title: Ensure Using Strong Hash Algorithm To Encipher Password ++ levels: ++ - base ++ status: automated ++ rules: ++ - set_password_hashing_algorithm_systemauth ++ - set_password_hashing_algorithm_systemauth.severity=high ++ - set_password_hashing_algorithm_passwordauth ++ - set_password_hashing_algorithm_passwordauth.severity=high ++ ++ - id: 2.2.6_password_dictionary_correct ++ title: Ensure Password Dictionary Correct ++ levels: ++ - base ++ status: automated ++ rules: ++ - accounts_password_pam_dictcheck ++ - accounts_password_pam_dictcheck.severity=high ++ ++ - id: 2.2.7_password_expire_correct ++ title: Ensure Password Expire 
Correct ++ levels: ++ - base ++ status: automated ++ rules: ++ - accounts_maximum_age_login_defs ++ - accounts_maximum_age_login_defs.severity=high ++ - var_accounts_maximum_age_login_defs=90 ++ - accounts_password_warn_age_login_defs ++ - accounts_password_warn_age_login_defs.severity=high ++ - var_accounts_password_warn_age_login_defs=7 ++ - accounts_minimum_age_login_defs ++ - accounts_minimum_age_login_defs.severity=high ++ - var_accounts_minimum_age_login_defs=0 ++ ++ - id: 2.2.8_forbid_empty_password ++ title: Ensure No Empty Password ++ levels: ++ - base ++ status: automated ++ rules: ++ - sshd_disable_empty_passwords ++ - sshd_disable_empty_passwords.severity=high ++ ++ - id: 2.2.9_grub_password_set ++ title: Ensure Grub Password Set ++ levels: ++ - base ++ status: automated ++ rules: ++ - grub2_password ++ - grub2_password.severity=high ++ - grub2_uefi_password ++ - grub2_uefi_password.severity=high ++ ++ - id: 2.2.10_single_user_password_set ++ title: Ensure Password Set In Single User Mode ++ levels: ++ - base ++ status: automated ++ rules: ++ - require_emergency_target_auth ++ - require_emergency_target_auth.severity=high ++ ++ - id: 2.2.11_chpwd_at_first_login ++ title: Ensure Password Changed At First Login ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.3.1_account_lock_after_accessing_fail ++ title: Ensure Account Locked After Accessing Fail ++ levels: ++ - base ++ status: automated ++ rules: ++ - accounts_passwords_pam_faillock_deny ++ - accounts_passwords_pam_faillock_deny.severity=high ++ - var_accounts_passwords_pam_faillock_deny=3 ++ - accounts_passwords_pam_faillock_unlock_time ++ - accounts_passwords_pam_faillock_unlock_time.severity=high ++ - var_accounts_passwords_pam_faillock_unlock_time=300 ++ ++ - id: 2.3.2_session_timeout_set_correct ++ title: Ensure TIMOUT Set Correct ++ levels: ++ - base ++ status: automated ++ rules: ++ - accounts_tmout ++ - accounts_tmout.severity=high ++ - var_accounts_tmout=5_min ++ ++ - id: 
2.3.3_banners_correct ++ title: Ensure Warning Banners Correct ++ levels: ++ - base ++ status: automated ++ rules: ++ - warning_banners ++ - warning_banners.severity=high ++ - file_groupowner_etc_issue ++ - file_groupowner_etc_issue.severity=high ++ - file_groupowner_etc_issue_net ++ - file_groupowner_etc_issue_net.severity=high ++ - file_groupowner_etc_motd ++ - file_groupowner_etc_motd.severity=high ++ - file_owner_etc_issue ++ - file_owner_etc_issue.severity=high ++ - file_owner_etc_issue_net ++ - file_owner_etc_issue_net.severity=high ++ - file_owner_etc_motd ++ - file_owner_etc_motd.severity=high ++ - file_permissions_etc_issue ++ - file_permissions_etc_issue.severity=high ++ - file_permissions_etc_issue_net ++ - file_permissions_etc_issue_net.severity=high ++ - file_permissions_etc_motd ++ - file_permissions_etc_motd.severity=high ++ ++ - id: 2.3.4_banners_path_correct ++ title: Ensure Warning Path Correct ++ levels: ++ - base ++ status: automated ++ rules: ++ - sshd_enable_warning_banner_net ++ - sshd_enable_warning_banner_net.severity=high ++ ++ - id: 2.4.1_histsize_limited ++ title: Ensure HISTSIZE Limited ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.4.2_selinux_enforce ++ title: Ensure SELinux Enforce ++ levels: ++ - base ++ status: automated ++ rules: ++ - selinux_state ++ - selinux_state.severity=low ++ ++ - id: 2.4.3_selinux_config ++ title: Ensure SELinux Configurate Correct ++ levels: ++ - base ++ status: automated ++ rules: ++ - selinux_policytype ++ - selinux_policytype.severity=low ++ ++ - id: 2.4.4_su_usage_limited ++ title: Ensure SU Usage Limited ++ levels: ++ - base ++ status: automated ++ rules: ++ - use_pam_wheel_for_su ++ - use_pam_wheel_for_su.severity=high ++ ++ - id: 2.4.5_use_sudo_to_run ++ title: Ensure Use Sudo To Run ++ levels: ++ - base ++ status: automated ++ rules: ++ - sudo_restrict_privilege_elevation_to_authorized ++ - sudo_restrict_privilege_elevation_to_authorized.severity=high ++ ++ - id: 
2.4.6_no_low-privilege_user_writable_files_with_sudo ++ title: Ensure No Files In /etc/sudoers Can Be Write By Low-privilege User ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.4.7_cannot_use_pkexec_escalate ++ title: Ensure Low-privilege User Cannot Escalate By Pkexec ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.4.8_always_set_path_config ++ title: Ensure ALWAYS_SET_PATH Configurated ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.4.9_root_can_not_login_local ++ title: Ensure Root Can Not Login Local ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.4.10_not_use_unconfined_service_t ++ title: Ensure Not Run Files wiht unconfined_service_t Flag ++ levels: ++ - base ++ status: automated ++ rules: ++ - selinux_confinement_of_daemons ++ - selinux_confinement_of_daemons.severity=low ++ ++ - id: 2.4.11_all_daemons_run_with_mini_permission ++ title: Ensure All Daemons Run With Minimum Permission ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.5.1_ima_enabled ++ title: Ensure IMA Enabled ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.5.2_aide_enabled ++ title: Ensure AIDE Enabled ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_aide_installed ++ - package_aide_installed.severity=low ++ - aide_build_database ++ - aide_build_database.severity=low ++ ++ - id: 2.6.1_haveged_enabled ++ title: Ensure Haveged Enabled ++ levels: ++ - base ++ status: planned ++ ++ - id: 2.6.2_global_crypto_setting ++ title: Global Crypto Setting Correct ++ levels: ++ - base ++ status: automated ++ rules: ++ - configure_crypto_policy ++ - configure_crypto_policy.severity=low ++ ++ ++ - id: 3.1.1_unusual_network_service_not_used ++ title: Ensure No Unusual Network Service ++ levels: ++ - base ++ status: automated ++ rules: ++ - kernel_module_sctp_disabled ++ - kernel_module_sctp_disabled.severity=low ++ - kernel_module_tipc_disabled ++ - kernel_module_tipc_disabled.severity=low ++ ++ - id: 3.1.2_wireless_disabled ++ title: Ensure No WIFI ++ 
levels: ++ - base ++ status: automated ++ rules: ++ - wireless_disable_interfaces ++ - wireless_disable_interfaces.severity=low ++ ++ - id: 3.2.1_firewalld_enabled ++ title: Ensure Firewalld Enabled ++ levels: ++ - base ++ status: automated ++ rules: ++ - service_firewalld_enabled ++ - service_firewalld_enabled.severity=low ++ ++ - id: 3.2.2_firewalld_default_zone_correct ++ title: Ensure Firewalld Set Default Zone Correctly ++ levels: ++ - base ++ status: planned ++ ++ - id: 3.2.3_firewalld_interface_set_to_correct_zone ++ title: Ensure Firewalld Set Correct Interface Zone ++ levels: ++ - base ++ status: manual ++ rules: ++ - set_firewalld_appropriate_zone ++ - set_firewalld_appropriate_zone.severity=low ++ ++ - id: 3.2.4_firewalld_disable_unnecessary_service_and_port ++ title: Ensure Unnecessary Service And Port Disabled ++ levels: ++ - base ++ status: manual ++ rules: ++ - unnecessary_firewalld_services_ports_disabled ++ - unnecessary_firewalld_services_ports_disabled.severity=low ++ ++ - id: 3.2.5_iptables_enabled ++ title: Ensure Iptables Enabled ++ levels: ++ - base ++ status: automated ++ rules: ++ - service_iptables_enabled ++ - service_iptables_enabled.severity=low ++ - service_ip6tables_enabled ++ - service_ip6tables_enabled.severity=low ++ ++ - id: 3.2.6_iptables_default_refuse_rules ++ title: Ensure Iptables Default Refuse Rules Set ++ levels: ++ - base ++ status: manual ++ rules: ++ - set_iptables_default_rule ++ - set_iptables_default_rule.severity=low ++ ++ - id: 3.2.7_iptables_loopback_rules ++ title: Ensure Iptables Loopback Rules Set ++ levels: ++ - base ++ status: automated ++ rules: ++ - set_loopback_traffic ++ - set_loopback_traffic.severity=low ++ - set_ipv6_loopback_traffic ++ - set_ipv6_loopback_traffic.severity=low ++ ++ - id: 3.2.8_iptables_input_rules ++ title: Ensure Iptables Input Rules Set ++ levels: ++ - base ++ status: planned ++ ++ - id: 3.2.9_iptables_output_rules ++ title: Ensure Iptables Output Rules Set ++ levels: ++ - base ++ 
status: planned
++
++ - id: 3.2.10_iptables_input_output_connection_rules
++ title: Ensure Iptables Input Output Connection Rules Set
++ levels:
++ - base
++ status: manual
++ rules:
++ - set_iptables_outbound_n_established
++ - set_iptables_outbound_n_established.severity=low
++
++ - id: 3.2.11_nftables_enabled
++ title: Ensure Nftables Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - service_nftables_enabled
++ - service_nftables_enabled.severity=low
++
++ - id: 3.2.12_nftables_default_refuse_rules
++ title: Ensure Nftables Default Refuse Rules Set
++ levels:
++ - base
++ status: manual
++ rules:
++ - nftables_ensure_default_deny_policy
++ - nftables_ensure_default_deny_policy.severity=low
++
++ - id: 3.2.13_nftables_loopback_rules
++ title: Ensure Nftables Loopback Rules Set
++ levels:
++ - base
++ status: manual
++ rules:
++ - set_nftables_loopback_traffic
++ - set_nftables_loopback_traffic.severity=low
++
++ - id: 3.2.14_nftables_input_rules
++ title: Ensure Nftables Input Rules Set
++ levels:
++ - base
++ status: planned
++
++ - id: 3.2.15_nftables_output_rules
++ title: Ensure Nftables Output Rules Set
++ levels:
++ - base
++ status: planned
++
++ - id: 3.2.16_nftables_input_output_connection_rules
++ title: Ensure Nftables Input Output Connection Rules Set
++ levels:
++ - base
++ status: manual
++ rules:
++ - set_nftables_new_connections
++ - set_nftables_new_connections.severity=low
++
++ - id: 3.3.1_sshd_protocol_is_2
++ title: Ensure SSHd Protocol Version Is 2
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_allow_only_protocol2
++ - sshd_allow_only_protocol2.severity=high
++
++ - id: 3.3.2_sshd_authentication_setting_correct
++ title: Ensure SSHd Authentication Setting Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_disable_rhosts
++ - sshd_disable_rhosts.severity=high
++ - disable_host_auth
++ - disable_host_auth.severity=high
++
++ - id: 3.3.3_sshd_keyexchange_correct
++ title: Ensure SSHd Key
Exchange Algorithm Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_use_strong_kex
++ - sshd_use_strong_kex.severity=high
++ - sshd_strong_kex=std_openeuler
++
++ - id: 3.3.4_sshd_pubkey_correct
++ title: Ensure SSHd Pubkey Algorithm Correct
++ levels:
++ - base
++ status: planned
++
++ - id: 3.3.5_sshd_pam_enabled
++ title: Ensure SSHd PAM Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_enable_pam
++ - sshd_enable_pam.severity=high
++
++ - id: 3.3.6_sshd_mac_correct
++ title: Ensure SSHd MACs Algorithm Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_use_strong_macs
++ - sshd_use_strong_macs.severity=high
++
++ - id: 3.3.7_sshd_ciphers_correct
++ title: Ensure SSHd Ciphers Algorithm Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_use_strong_ciphers
++ - sshd_use_strong_ciphers.severity=high
++
++ - id: 3.3.8_sshd_ciphers_not_overwritten
++ title: Ensure SSHd Ciphers Algorithm Not Overwritten
++ levels:
++ - base
++ status: planned
++
++ - id: 3.3.9_sshd_forbid_root_login
++ title: Ensure SSHd Forbid Root Login From Remote
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_disable_root_login
++ - sshd_disable_root_login.severity=low
++
++ - id: 3.3.10_sshd_log_level_correct
++ title: Ensure SSHd Log Level Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_set_loglevel_verbose
++ - sshd_set_loglevel_verbose.severity=low
++
++ - id: 3.3.11_sshd_listen_addr
++ title: Ensure SSHd Listen Address Set Correct
++ levels:
++ - base
++ status: planned
++
++ - id: 3.3.12_sshd_maxstartups_correct
++ title: Ensure SSHd MaxStartups Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_set_maxstartups
++ - sshd_set_maxstartups.severity=low
++ - var_sshd_set_maxstartups=10:30:60
++
++ - id: 3.3.13_sshd_maxsessions_correct
++ title: Ensure SSHd Maxsessions Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_set_max_sessions
++ -
sshd_set_max_sessions.severity=low
++ - var_sshd_max_sessions=10
++
++ - id: 3.3.14_sshd_forbid_x11_forwarding
++ title: Ensure SSHd X11 Forwarding Forbidden
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_disable_x11_forwarding
++ - sshd_disable_x11_forwarding.severity=high
++
++ - id: 3.3.15_sshd_maxauthtries_correct
++ title: Ensure SSHd MaxAuthTries Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_set_max_auth_tries
++ - sshd_set_max_auth_tries.severity=low
++ - sshd_max_auth_tries_value=3
++
++ - id: 3.3.16_sshd_forbid_permituserenvironment
++ title: Ensure SSHd PermitUserEnvironment Forbidden
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_do_not_permit_user_env
++ - sshd_do_not_permit_user_env.severity=high
++
++ - id: 3.3.17_sshd_logingracetime_correct
++ title: Ensure SSHd LoginGraceTime Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_set_login_grace_time
++ - sshd_set_login_grace_time.severity=low
++ - var_sshd_set_login_grace_time=60
++
++ - id: 3.3.18_sshd_authorized_keys_forbidden
++ title: Ensure SSHd Authorized Keys Not Set
++ levels:
++ - base
++ status: planned
++
++ - id: 3.3.19_sshd_known_hosts_forbidden
++ title: Ensure SSHd Known Hosts Not Set
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_disable_user_known_hosts
++ - sshd_disable_user_known_hosts.severity=high
++
++ - id: 3.3.20_sshd_no_obsolete_config
++ title: Ensure SSHd Has No Obsolete Configurations
++ levels:
++ - base
++ status: planned
++
++ - id: 3.3.21_ssh_tcp_forward_disabled
++ title: Ensure SSHd TCP Forward Disabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - sshd_disable_tcp_forwarding
++ - sshd_disable_tcp_forwarding.severity=high
++
++ - id: 3.4.1_crontab_not_run_low_privilege_user_writable_bash
++ title: Ensure Cron Not Run Low Privilege User Writable Bash
++ levels:
++ - base
++ status: planned
++
++ - id: 3.4.2_cron_enabled
++ title: Ensure Cron Deamon Running
++ levels:
++ -
base
++ status: automated
++ rules:
++ - service_crond_enabled
++ - service_crond_enabled.severity=high
++
++ - id: 3.4.3_at_cron_set_correct
++ title: Ensure AT And Cron Set Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - file_groupowner_cron_d
++ - file_groupowner_cron_d.severity=high
++ - file_groupowner_cron_daily
++ - file_groupowner_cron_daily.severity=high
++ - file_groupowner_cron_hourly
++ - file_groupowner_cron_hourly.severity=high
++ - file_groupowner_cron_monthly
++ - file_groupowner_cron_monthly.severity=high
++ - file_groupowner_cron_weekly
++ - file_groupowner_cron_weekly.severity=high
++ - file_groupowner_crontab
++ - file_groupowner_crontab.severity=high
++ - file_owner_cron_d
++ - file_owner_cron_d.severity=high
++ - file_owner_cron_daily
++ - file_owner_cron_daily.severity=high
++ - file_owner_cron_hourly
++ - file_owner_cron_hourly.severity=high
++ - file_owner_cron_monthly
++ - file_owner_cron_monthly.severity=high
++ - file_owner_cron_weekly
++ - file_owner_cron_weekly.severity=high
++ - file_owner_crontab
++ - file_owner_crontab.severity=high
++ - file_permissions_cron_d
++ - file_permissions_cron_d.severity=high
++ - file_permissions_cron_daily
++ - file_permissions_cron_daily.severity=high
++ - file_permissions_cron_hourly
++ - file_permissions_cron_hourly.severity=high
++ - file_permissions_cron_monthly
++ - file_permissions_cron_monthly.severity=high
++ - file_permissions_cron_weekly
++ - file_permissions_cron_weekly.severity=high
++ - file_permissions_crontab
++ - file_permissions_crontab.severity=high
++ - file_at_deny_not_exist
++ - file_at_deny_not_exist.severity=high
++ - file_cron_deny_not_exist
++ - file_cron_deny_not_exist.severity=high
++ - file_groupowner_at_allow
++ - file_groupowner_at_allow.severity=high
++ - file_groupowner_cron_allow
++ - file_groupowner_cron_allow.severity=high
++ - file_owner_at_allow
++ - file_owner_at_allow.severity=high
++ - file_owner_cron_allow
++ -
file_owner_cron_allow.severity=high
++ - file_permissions_at_allow
++ - file_permissions_at_allow.severity=high
++ - file_permissions_cron_allow
++ - file_permissions_cron_allow.severity=high
++
++ - id: 3.5.1_kaslr_enabled
++ title: Ensure KASLR Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_kernel_randomize_va_space
++ - sysctl_kernel_randomize_va_space.severity=high
++
++ - id: 3.5.2_dmesg_access_permission_correct
++ title: Ensure Dmesg Access Permission Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_kernel_dmesg_restrict
++ - sysctl_kernel_dmesg_restrict.severity=high
++
++ - id: 3.5.3_kptr_restrict_correct
++ title: Ensure Kptr_restrict Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_kernel_kptr_restrict
++ - sysctl_kernel_kptr_restrict.severity=high
++ - sysctl_kernel_kptr_restrict_value=1
++
++ - id: 3.5.4_smap_enabled
++ title: Ensure Kernel SMAP Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - grub2_nosmap_argument_absent
++ - grub2_nosmap_argument_absent.severity=high
++
++ - id: 3.5.5_smep_enabled
++ title: Ensure Kernel SMEP Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - grub2_nosmep_argument_absent
++ - grub2_nosmep_argument_absent.severity=high
++
++ - id: 3.5.6_not_response_icmp_broadcast
++ title: Ensure ICMP Broadcast Package Not Responsed
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high
++
++ - id: 3.5.7_not_receive_icmp_redirect
++ title: Ensure ICMP Redirect Package Not Received
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_net_ipv4_conf_all_accept_redirects
++ - sysctl_net_ipv4_conf_all_accept_redirects.severity=high
++ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
++ - sysctl_net_ipv4_conf_all_secure_redirects
++ - sysctl_net_ipv4_conf_all_secure_redirects.severity=high
++ -
sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
++ - sysctl_net_ipv4_conf_default_secure_redirects
++ - sysctl_net_ipv4_conf_default_secure_redirects.severity=high
++ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
++ - sysctl_net_ipv6_conf_all_accept_redirects
++ - sysctl_net_ipv6_conf_all_accept_redirects.severity=high
++ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
++
++ - id: 3.5.8_forbid_forward_icmp_redirect_package
++ title: Ensure No ICMP Redirect Package Forwarded
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_net_ipv4_conf_all_send_redirects
++ - sysctl_net_ipv4_conf_all_send_redirects.severity=high
++ - sysctl_net_ipv4_conf_default_send_redirects
++ - sysctl_net_ipv4_conf_default_send_redirects.severity=high
++
++ - id: 3.5.9_ignore_all_icmp_request
++ title: Ensure Ignore All ICMP Request
++ levels:
++ - base
++ status: planned
++
++ - id: 3.5.10_ignore_bogus_error_icmp_package
++ title: Ensure Ignore Bogus Error ICMP Package
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses.severity=high
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
++
++ - id: 3.5.11_rp_filter_enabled
++ title: Ensure Reverse Proxy Filter Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_net_ipv4_conf_all_rp_filter
++ - sysctl_net_ipv4_conf_all_rp_filter.severity=high
++ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
++ - sysctl_net_ipv4_conf_default_rp_filter
++ - sysctl_net_ipv4_conf_default_rp_filter.severity=high
++ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
++
++ - id: 3.5.12_forbid_ip_forwarding
++ title: Ensure IP Forwarding Disabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_net_ipv4_ip_forward
++ - sysctl_net_ipv4_ip_forward.severity=high
++ - sysctl_net_ipv6_conf_all_forwarding
++ -
sysctl_net_ipv6_conf_all_forwarding.severity=high
++ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
++
++ - id: 3.5.13_source_route_disabled
++ title: Ensure Source Route Disabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_net_ipv4_conf_all_accept_source_route
++ - sysctl_net_ipv4_conf_all_accept_source_route.severity=high
++ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
++ - sysctl_net_ipv4_conf_default_accept_source_route
++ - sysctl_net_ipv4_conf_default_accept_source_route.severity=high
++ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
++ - sysctl_net_ipv6_conf_all_accept_source_route
++ - sysctl_net_ipv6_conf_all_accept_source_route.severity=high
++ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
++ - sysctl_net_ipv6_conf_default_accept_source_route
++ - sysctl_net_ipv6_conf_default_accept_source_route.severity=high
++ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
++
++ - id: 3.5.14_tcp-syn_cookie_enabled
++ title: Ensure TCP-SYN Cookie Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_net_ipv4_tcp_syncookies
++ - sysctl_net_ipv4_tcp_syncookies.severity=high
++
++ - id: 3.5.15_log_martians
++ title: Ensure Source Route And Redirectly Logged
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_net_ipv4_conf_all_log_martians
++ - sysctl_net_ipv4_conf_all_log_martians.severity=high
++ - sysctl_net_ipv4_conf_default_log_martians
++ - sysctl_net_ipv4_conf_default_log_martians.severity=high
++
++ - id: 3.5.16_tcp_timestamps_disabled
++ title: Ensure tcp_timestamps Disabled
++ levels:
++ - base
++ status: planned
++
++ - id: 3.5.17_tcp_time_wait_config
++ title: Ensure TCP Time Wait Correct
++ levels:
++ - base
++ status: planned
++
++ - id: 3.5.18_syn_recv_set_correct
++ title: Ensure SYN Recv Set Correct
++ levels:
++ - base
++ status: planned
++
++ - id: 3.5.19_arp_proxy_disabled
++ title: Ensure No ARP Proxy
++ levels:
++ - base
++
status: planned
++
++ - id: 3.5.20_core_dump_set_correct
++ title: Ensure Core Dump Set Correct
++ levels:
++ - base
++ status: planned
++
++ - id: 3.5.21_sysrq_disabled
++ title: Ensure SysRq Key Disabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_kernel_sysrq
++ - sysctl_kernel_sysrq.severity=high
++
++ - id: 3.5.22_ptrace_scope_correct
++ title: Ensure ptrace_scope Set Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_kernel_yama_ptrace_scope
++ - sysctl_kernel_yama_ptrace_scope.severity=low
++
++ - id: 3.5.23_seccomp_enabled
++ title: Ensure Seccomp Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - kernel_config_seccomp
++ - kernel_config_seccomp.severity=low
++
++ - id: 3.6.1_ntpd_configuration_correct
++ title: Ensure Ntpd Configuration Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - service_ntpd_enabled
++ - service_ntpd_enabled.severity=low
++ - ntpd_configure_restrictions
++ - ntpd_configure_restrictions.severity=low
++ - ntpd_specify_remote_server
++ - ntpd_specify_remote_server.severity=low
++
++ - id: 3.6.2_chrony_configuration_correct
++ title: Ensure Chrony Configuration Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - service_chronyd_enabled
++ - service_chronyd_enabled.severity=low
++ - chronyd_specify_remote_server
++ - chronyd_specify_remote_server.severity=low
++
++
++ - id: 4.1.1_auditd_enabled
++ title: Ensure Auditd Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - service_auditd_enabled
++ - service_auditd_enabled.severity=high
++
++ - id: 4.1.2_auditd_rotate_enabled
++ title: Ensure Auditd Rotate Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - auditd_data_retention_max_log_file_action
++ - auditd_data_retention_max_log_file_action.severity=high
++ - var_auditd_max_log_file_action=rotate
++ - auditd_data_retention_num_logs
++ - auditd_data_retention_num_logs.severity=high
++ - var_auditd_num_logs=5
++
++ - id:
4.1.3_lastlog_config
++ title: Ensure Lastlog Recorded
++ levels:
++ - base
++ status: automated
++ rules:
++ - audit_rules_login_events_lastlog
++ - audit_rules_login_events_lastlog.severity=low
++
++ - id: 4.1.4_audit_account_change
++ title: Ensure Account Info Changing Audited
++ levels:
++ - base
++ status: automated
++ rules:
++ - audit_rules_usergroup_modification_group
++ - audit_rules_usergroup_modification_group.severity=low
++ - audit_rules_usergroup_modification_gshadow
++ - audit_rules_usergroup_modification_gshadow.severity=low
++ - audit_rules_usergroup_modification_opasswd
++ - audit_rules_usergroup_modification_opasswd.severity=low
++ - audit_rules_usergroup_modification_passwd
++ - audit_rules_usergroup_modification_passwd.severity=low
++ - audit_rules_usergroup_modification_shadow
++ - audit_rules_usergroup_modification_shadow.severity=low
++
++ - id: 4.1.5_audit_escalation
++ title: Ensure Escalation Audited
++ levels:
++ - base
++ status: planned
++
++ - id: 4.1.6_audit_module
++ title: Ensure Module Changes Audited
++ levels:
++ - base
++ status: automated
++ rules:
++ - audit_rules_privileged_commands_modprobe
++ - audit_rules_privileged_commands_modprobe.severity=low
++ - audit_rules_privileged_commands_insmod
++ - audit_rules_privileged_commands_insmod.severity=low
++ - audit_rules_privileged_commands_rmmod
++ - audit_rules_privileged_commands_rmmod.severity=low
++ - audit_rules_kernel_module_loading
++ - audit_rules_kernel_module_loading.severity=low
++
++ - id: 4.1.7_audit_sudo
++ title: Ensure Sudo Operation Audited
++ levels:
++ - base
++ status: automated
++ rules:
++ - audit_rules_privileged_commands_sudo
++ - audit_rules_privileged_commands_sudo.severity=low
++
++ - id: 4.1.8_enable_audit_during_boot
++ title: Ensure Auditd Enabled During Boot
++ levels:
++ - base
++ status: automated
++ rules:
++ - grub2_audit_argument
++ - grub2_audit_argument.severity=low
++
++ - id: 4.1.9_audit_backlog_limit_correct
++ title: Ensure Audit Backlog
Limit Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - grub2_audit_backlog_limit_argument
++ - grub2_audit_backlog_limit_argument.severity=low
++
++ - id: 4.1.10_audit_not_use_auditctl
++ title: Ensure Auditctl Not Used
++ levels:
++ - base
++ status: automated
++ rules:
++ - audit_rules_immutable
++ - audit_rules_immutable.severity=low
++
++ - id: 4.1.11_audit_logsize_correct
++ title: Ensure Audit Log Size Set Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - auditd_data_retention_max_log_file
++ - auditd_data_retention_max_log_file.severity=high
++ - auditd_data_retention_max_log_file_action
++ - auditd_data_retention_max_log_file_action.severity=high
++
++ - id: 4.1.12_audit_disk_space_config
++ title: Ensure Audit Disk Space Set Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - auditd_data_retention_space_left
++ - auditd_data_retention_space_left.severity=low
++ - auditd_data_retention_space_left_action
++ - auditd_data_retention_space_left_action.severity=low
++ - var_auditd_space_left_action=syslog
++ - auditd_data_retention_admin_space_left_percentage
++ - auditd_data_retention_admin_space_left_percentage.severity=low
++ - var_auditd_admin_space_left_percentage=50pc
++ - auditd_data_retention_admin_space_left_action
++ - auditd_data_retention_admin_space_left_action.severity=low
++ - var_auditd_admin_space_left_action=suspend
++ - auditd_audispd_disk_full_action
++ - auditd_audispd_disk_full_action.severity=low
++ - auditd_data_disk_full_action
++ - auditd_data_disk_full_action.severity=low
++ - var_auditd_disk_full_action=suspend
++ - auditd_data_disk_error_action
++ - auditd_data_disk_error_action.severity=low
++ - var_auditd_disk_error_action=suspend
++
++ - id: 4.1.13_audit_sudoers
++ title: Ensure Sudoers Audited
++ levels:
++ - base
++ status: automated
++ rules:
++ - audit_rules_sudoers
++ - audit_rules_sudoers.severity=low
++
++ - id: 4.1.14_audit_session
++ title: Ensure Session Audited
++ levels:
++ -
base
++ status: automated
++ rules:
++ - audit_rules_session_events
++ - audit_rules_session_events.severity=low
++
++ - id: 4.1.15_audit_time_changing
++ title: Ensure Time Changing Audited
++ levels:
++ - base
++ status: automated
++ rules:
++ - audit_rules_time_adjtimex
++ - audit_rules_time_adjtimex.severity=low
++ - audit_rules_time_settimeofday
++ - audit_rules_time_settimeofday.severity=low
++ - audit_rules_time_clock_settime
++ - audit_rules_time_clock_settime.severity=low
++
++ - id: 4.1.16_audit_selinux
++ title: Ensure SELinux Audited
++ levels:
++ - base
++ status: automated
++ rules:
++ - audit_rules_mac_modification
++ - audit_rules_mac_modification.severity=low
++ - audit_rules_mac_modification_usr_share
++ - audit_rules_mac_modification_usr_share.severity=low
++
++ - id: 4.1.17_audit_network
++ title: Ensure Network Audited
++ levels:
++ - base
++ status: automated
++ rules:
++ - audit_rules_networkconfig_modification
++ - audit_rules_networkconfig_modification.severity=low
++
++ - id: 4.1.18_audit_successful_file_access
++ title: Ensure Successful File Access Audited
++ levels:
++ - base
++ status: manual
++ rules:
++ - audit_rules_successful_file_modification_chmod
++ - audit_rules_successful_file_modification_chmod.severity=low
++ - audit_rules_successful_file_modification_fchmod
++ - audit_rules_successful_file_modification_fchmod.severity=low
++ - audit_rules_successful_file_modification_fchmodat
++ - audit_rules_successful_file_modification_fchmodat.severity=low
++ - audit_rules_successful_file_modification_chown
++ - audit_rules_successful_file_modification_chown.severity=low
++ - audit_rules_successful_file_modification_fchown
++ - audit_rules_successful_file_modification_fchown.severity=low
++ - audit_rules_successful_file_modification_fchownat
++ - audit_rules_successful_file_modification_fchownat.severity=low
++ - audit_rules_successful_file_modification_setxattr
++ - audit_rules_successful_file_modification_setxattr.severity=low
++ -
audit_rules_successful_file_modification_lsetxattr
++ - audit_rules_successful_file_modification_lsetxattr.severity=low
++ - audit_rules_successful_file_modification_fsetxattr
++ - audit_rules_successful_file_modification_fsetxattr.severity=low
++ - audit_rules_successful_file_modification_removexattr
++ - audit_rules_successful_file_modification_removexattr.severity=low
++ - audit_rules_successful_file_modification_lremovexattr
++ - audit_rules_successful_file_modification_lremovexattr.severity=low
++ - audit_rules_successful_file_modification_fremovexattr
++ - audit_rules_successful_file_modification_fremovexattr.severity=low
++
++ - id: 4.1.19_audit_unsuccessful_file_access
++ title: Ensure Unsuccessful File Access Audited
++ levels:
++ - base
++ status: automated
++ rules:
++ - audit_rules_unsuccessful_file_modification
++ - audit_rules_unsuccessful_file_modification.severity=low
++
++ - id: 4.1.20_audit_file_delete
++ title: Ensure File Delete Audited
++ levels:
++ - base
++ status: manual
++ rules:
++ - audit_rules_successful_file_modification_rename
++ - audit_rules_successful_file_modification_rename.severity=low
++ - audit_rules_successful_file_modification_renameat
++ - audit_rules_successful_file_modification_renameat.severity=low
++ - audit_rules_successful_file_modification_unlink
++ - audit_rules_successful_file_modification_unlink.severity=low
++ - audit_rules_successful_file_modification_unlinkat
++ - audit_rules_successful_file_modification_unlinkat.severity=low
++
++ - id: 4.1.21_audit_mount
++ title: Ensure Mount Audited
++ levels:
++ - base
++ status: planned
++
++ - id: 4.2.1_rsyslog_enabled
++ title: Ensure Rsyslog Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - service_rsyslog_enabled
++ - service_rsyslog_enabled.severity=high
++
++ - id: 4.2.2_rsyslog_auth
++ title: Ensure Authentication Logged
++ levels:
++ - base
++ status: automated
++ rules:
++ - rsyslog_remote_access_monitoring
++ -
rsyslog_remote_access_monitoring.severity=high
++
++ - id: 4.2.3_rsyslog_cron
++ title: Ensure Cron Logged
++ levels:
++ - base
++ status: automated
++ rules:
++ - rsyslog_cron_logging
++ - rsyslog_cron_logging.severity=high
++
++ - id: 4.2.4_rsyslog_file_permission
++ title: Ensure Rsyslog's Files Permission Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - rsyslog_filecreatemode
++ - rsyslog_filecreatemode.severity=low
++
++ - id: 4.2.5_rsyslog_for_services
++ title: Ensure Important Services Logged
++ levels:
++ - base
++ status: automated
++ rules:
++ - rsyslog_logging_configured
++ - rsyslog_logging_configured.severity=low
++
++ - id: 4.2.6_rsyslog_journald_transfer
++ title: Ensure Journald Transfer Set Correct
++ levels:
++ - base
++ status: planned
++
++ - id: 4.2.7_rsyslog_rotate
++ title: Ensure Rotate Setting In Rsyslog
++ levels:
++ - base
++ status: planned
++
++ - id: 4.2.8_rsyslog_remote_server_config
++ title: Ensure Remote Log Server Correct
++ levels:
++ - base
++ status: planned
++
++ - id: 4.2.9_rsyslog_only_specified_server_receive_logs
++ title: Ensure Only Specified Server Can Receive Logs
++ levels:
++ - base
++ status: automated
++ rules:
++ - rsyslog_accept_remote_messages_tcp
++ - rsyslog_accept_remote_messages_tcp.severity=low
++ - rsyslog_accept_remote_messages_udp
++ - rsyslog_accept_remote_messages_udp.severity=low
+diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+index 2b0e53a..b19024e 100644
+--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
++++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype:
alinux2,alinux3,anolis8,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Avahi Server Software'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+index 4ce4b1e..d3e3cfd 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify Group Who Owns cron.d'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+index 032b15e..eec4953 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify Group Who Owns cron.daily'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+index 2d4f1f9..b7c758b 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype:
alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify Group Who Owns cron.hourly'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+index d47730c..c179f68 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify Group Who Owns cron.monthly'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+index c63c3de..c8571b5 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify Group Who Owns cron.weekly'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+index 3f43b81..90eed40 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+@@ -1,6 +1,6 @@
+
documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify Group Who Owns Crontab'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+index 49b2e3a..7f9f665 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify Owner on cron.d'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+index 74210b6..b3a3d7a 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify Owner on cron.daily'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+index 9e4ab04..ab90317 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype:
alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify Owner on cron.hourly'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+index 78dadcc..5c1d4b1 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify Owner on cron.monthly'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+index 69001b6..6fdb59a 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify Owner on cron.weekly'
+
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+index 2636571..b47a978 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype:
alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Owner on crontab' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml +index 8d5e6dd..5b5544e 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Permissions on cron.d' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml +index 175ba80..9d220b5 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Permissions on cron.daily' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml +index 7578b5d..d031af5 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml +@@ -1,6 +1,6 @@ + 
documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Permissions on cron.hourly' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml +index 4694a91..752c881 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Permissions on cron.monthly' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml +index 5409311..67c6101 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Permissions on cron.weekly' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml +index 009a233..0a5b580 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml ++++ 
b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Permissions on crontab' + +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml +index 81e089f..c4392c4 100644 +--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 + + title: 'Ensure that /etc/at.deny does not exist' + +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml +index a164bf3..6ef3b6d 100644 +--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 + + title: 'Ensure that /etc/cron.deny does not exist' + +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml 
b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml +index c060951..07ba6d8 100644 +--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,openeuler,openeuler2203,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Group Who Owns /etc/at.allow file' + +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml +index a62e314..17156d9 100644 +--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Group Who Owns /etc/cron.allow file' + +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml +index dafb8d4..32bd17d 100644 +--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: 
alinux2,alinux3,anolis8,fedora,openeuler,openeuler2203,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify User Who Owns /etc/at.allow file' + +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml +index 4e59001..ce37c45 100644 +--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify User Who Owns /etc/cron.allow file' + +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml +index aaa429e..1fc04cf 100644 +--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,openeuler,openeuler2203,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Permissions on /etc/at.allow file' + +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml +index c2710c4..f718d9f 100644 +--- 
a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Permissions on /etc/cron.allow file' + +diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +index ec390e3..57b10d5 100644 +--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml ++++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Enable cron Service' + +diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +index 356f236..e47ce65 100644 +--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml ++++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,anolis8,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15 + + title: 'Disable DHCP Service' + +diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +index ce858b1..e519031 100644 +--- 
a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml ++++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,anolis8,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15 + + title: 'Disable named Service' + +diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml +index 044177b..dbf39f7 100644 +--- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml ++++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Uninstall httpd Package' + +diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +index 2ec31a2..429ee11 100644 +--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml ++++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +@@ -8,7 +8,7 @@ + + documentation_complete: true + +-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 + + title: 'Ensure LDAP client is not installed' + +diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml 
b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml +index bf75fff..15cfa2c 100644 +--- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml ++++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml +@@ -11,7 +11,7 @@ + + documentation_complete: true + +-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 ++prodtype: openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 + + title: 'Uninstall openldap-servers Package' + +diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +index 9071b7e..632ebdd 100644 +--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15 + + title: 'Disable rpcbind Service' + +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml +index 91f73ab..8a33473 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: 
alinux2,alinux3,anolis8,fedora,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15 + + title: 'Disable Network File System (nfs)' + +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +index c74221c..d0047a2 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4 ++prodtype: alinux2,fedora,ol7,ol8,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhv4 + + title: 'Specify a Remote NTP Server' + +diff --git a/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml b/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml +index de51899..bdcec4b 100644 +--- a/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml ++++ b/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,fedora,rhel7,sle12,ubuntu2004,ubuntu2204 ++prodtype: alinux2,fedora,openeuler,openeuler2203,rhel7,sle12,ubuntu2004,ubuntu2204 + + title: 'Configure server restrictions for ntpd' + +diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +index c5f90c4..0c02891 100644 +--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Remove NIS Client' + +diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml 
b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+index b057fc5..273ac59 100644
+--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
++++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: 'Uninstall ypserv Package'
+
+diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
+index de1f832..38fcbb5 100644
+--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
++++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: 'Ensure rsyncd service is disabled'
+
+@@ -47,3 +47,5 @@ template:
+ packagename@ol7: rsync
+ packagename@sle12: rsync
+ packagename@sle15: rsync
++ packagename@openeuler: rsync
++ packagename@openeuler2203: rsync
+diff --git a/linux_os/guide/services/printing/package_cups_removed/rule.yml b/linux_os/guide/services/printing/package_cups_removed/rule.yml
+index df44086..390d453 100644
+--- a/linux_os/guide/services/printing/package_cups_removed/rule.yml
++++ b/linux_os/guide/services/printing/package_cups_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Uninstall CUPS Package'
+
+diff --git a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
+index 1b633c6..8c85563 100644
+--- a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
++++ b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: fedora,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Uninstall Samba Package'
+
+diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
+index 3763480..9cfc697 100644
+--- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
++++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: debian10,debian11,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: debian10,debian11,fedora,ol7,ol8,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Uninstall net-snmp Package'
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
+index 91e0556..1fbb9ad 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,rhel7,sle12,sle15,ubuntu2204
++prodtype: ol7,openeuler,openeuler2203,rhel7,sle12,sle15,ubuntu2204
+
+ title: 'Use Only Strong Ciphers'
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
+index 0a0b3a9..25f9bcb
100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: rhel7,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: openeuler,openeuler2203,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Use Only Strong Key Exchange algorithms'
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
+index b6fea18..290b6d7 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,rhel7,sle12,sle15,ubuntu2204
++prodtype: ol7,openeuler,openeuler2203,rhel7,sle12,sle15,ubuntu2204
+
+ title: 'Use Only Strong MACs'
+
+diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var
+index 9becb4b..c0519e2 100644
+--- a/linux_os/guide/services/ssh/sshd_strong_kex.var
++++ b/linux_os/guide/services/ssh/sshd_strong_kex.var
+@@ -17,3 +17,4 @@ options:
+ cis_sle12: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+ cis_sle15: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+ cis_ubuntu2004: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
++ std_openeuler: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
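Review bot: The new `std_openeuler` option in sshd_strong_kex.var keeps `diffie-hellman-group-exchange-sha256`, whose effective strength depends on the group sizes sshd offers from /etc/ssh/moduli, and nothing in this hunk constrains that. If client compatibility allows, shorten it to `std_openeuler: curve25519-sha256,curve25519-sha256@libssh.org`; otherwise the openEuler control should pair it with a check that short moduli are removed. The sshd_use_strong_kex hunk above enables the rule for openeuler, so it is also worth confirming, since it is not visible here, that the openEuler profile selects `std_openeuler` rather than falling back to the variable's default. The `options:` block begins outside the hunk.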
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +index 170f89f..70416f0 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Remove the X Windows Package Group' + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml +index 607ed94..1c24b38 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15 + + title: 'Disable graphical user interface' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml +index 5e6d02f..eba37aa 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: 
alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Group Ownership of System Login Banner' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml +index 76b10f4..8ce74bf 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Group Ownership of System Login Banner for Remote Connections' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml +index 2e796ee..ce9743c 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify Group Ownership of Message of the Day Banner' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml +index 70b4f39..37b8fba 
100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify ownership of System Login Banner' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml +index cff8e39..180bdab 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify ownership of System Login Banner for Remote Connections' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml +index 16011b1..c53d09b 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify ownership of Message of the Day Banner' + +diff --git 
a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml +index 9968c5c..f7a4761 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify permissions on System Login Banner' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml +index cb8d9db..13c9b06 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify permissions on System Login Banner for Remote Connections' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml +index 339274b..f78d355 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: 
alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify permissions on Message of the Day Banner' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml b/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml +new file mode 100644 +index 0000000..c6e6793 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml +@@ -0,0 +1,24 @@ ++documentation_complete: true ++ ++prodtype: openeuler,openeuler2203 ++ ++title: 'Check Warning Banners Correctly' ++ ++description: |- ++

It can not be scanned automatically, please check it manually.

++ Warning banners contain warning information added on the system login page and are marked by all users who log in to the system. ++
++ Proper security warning information may increase the risk of system attacks or violate local laws and regulations. ++
++ openEuler security warning banners must be formulated by security department personnel and comply with local laws and regulations. ++
++ In addition, don't expose the system version, application server type, functions through warning banners, to prevent attackers from obtaining system information and launching attacks. ++
++ Run the cat command to check the warning banners in the /etc/motd, /etc/issue, and /etc/issue.net files. Check whether the information is reasonable. ++ ++rationale: |- ++ None ++ ++severity: high ++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +index f3e6931..8ec50b5 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Limit Password Reuse' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml +new file mode 100644 +index 0000000..0abb80d +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml +@@ -0,0 +1,291 @@ ++ ++ ++ {{{ oval_metadata("Lockout account after failed login attempts") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^[\s]*auth\N+pam_unix\.so ++ ++ ++ ++ 
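Review bot: The new warning_banners rule is declared `severity: high` but carries `rationale: |- None`, and the hunk adds no automated check, so a scan can only list it as a manual item with no stated justification. The description sentence "Proper security warning information may increase the risk of system attacks" reads inverted; presumably "Improper" was meant. The reasons already given in the description (legal compliance, not disclosing system version or server type) belong in `rationale`. I would also reword "marked by all users" to "seen by all users" and make the title descriptive, for example `title: 'Verify Warning Banner Content'`.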
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail ++ ++ ++ ++ ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so ++ ++ ++ ++ ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) ++ ++ ++ ++ ^[\s]*deny[\s]*=[\s]*([0-9]+) ++ ++ ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ 0 ++ ++ ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/security/faillock.conf$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +index 3f7bbd8..1cc2638 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml 
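Review bot: In the PAM stack patterns of this new OVAL file every lookahead in the bracketed-control alternative is followed by `?`, as in `(?=.*?\bsuccess=ok\b)?`, and an optional lookahead constrains nothing, so any `[...]` control value on the pam_faillock.so and pam_unix.so lines satisfies the check, including one that does not act on the module's failure result. Dropping the `?` after each `(?=...)` group makes the listed actions mandatory. The deny pattern also leaves the dot unescaped in `pam_faillock.so[\s]+[^\n]*deny=([0-9]+)` where the other patterns use `pam_faillock\.so`, and the file patterns such as `^/etc/pam.d/system-auth$` have the same unescaped dot. The same patterns recur in accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml later in this patch. The XML element markup is not visible in this view, so the surrounding test and state definitions could not be checked.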
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,ubuntu2204 + + title: 'Lock Accounts After Failed Password Attempts' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml +new file mode 100644 +index 0000000..94c1eca +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml +@@ -0,0 +1,285 @@ ++ ++ ++ {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^[\s]*auth\N+pam_unix\.so ++ ++ ++ ++ ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail ++ ++ ++ ++ ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so ++ ++ ++ ++ 
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) ++ ++ ++ ++ ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) ++ ++ ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/security/faillock.conf$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +index 7157b51..df1cb5f 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,ubuntu2204 + + title: 'Set Lockout Time for Failed Password Attempts' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var +index 46c73e4..206b03e 100644 +--- 
a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var
+@@ -17,5 +17,6 @@ options:
+ 604800: 604800
+ 86400: 86400
+ 900: 900
++ 300: 300
+ default: 0
+ never: 0
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
+index e67cd88..d5f9746 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
++prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+
+ title: 'Ensure PAM Enforces Password Requirements - Minimum Digit Characters'
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
+index d41ca6c..76f0278 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol8,ol9,rhel8,rhel9,ubuntu2004
++prodtype: 
fedora,ol8,ol9,openeuler,openeuler2203,rhel8,rhel9,ubuntu2004
+
+ title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words'
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
+index 198475c..9556a31 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol9,rhel8,rhel9
++prodtype: fedora,ol9,openeuler,openeuler2203,rhel8,rhel9
+
+ title: 'Ensure PAM Enforces Password Requirements - Enforce for root User'
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+index 5799a7b..efffdcc 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
++prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+
+ title: 'Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters'
+
+diff --git 
a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+index 45a8dfa..242c289 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+
+ title: 'Ensure PAM Enforces Password Requirements - Minimum Different Categories'
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+index f05b6e0..9405892 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+
+ title: 'Ensure PAM Enforces Password Requirements - Minimum Length'
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml 
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+index 632aa24..72aa240 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
++prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+
+ title: 'Ensure PAM Enforces Password Requirements - Minimum Special Characters'
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+index df2272b..a1e073a 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session'
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+index 6c631ea..8e92116 100644 
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
++prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+
+ title: 'Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters'
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
+index bf87c9c..6429c58 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: "Set PAM''s Password Hashing Algorithm - password-auth"
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+index 5375365..513ec7d 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+@@ -1,6 
+1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: "Set PAM''s Password Hashing Algorithm"
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
+index fadfa30..7cc8b57 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
+@@ -36,7 +36,7 @@
+
+
+ /usr/lib/systemd/system/emergency.service
+- {{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}}
++ {{%- if product in ["fedora", "ol8", "ol9", "openeuler", "openeuler2203", "rhel8", "rhel9", "sle12", "sle15"] -%}}
+ ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency
+ {{%- else -%}}
+ ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\"
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+index e3b3c18..e2e8b3b 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: 'Require Authentication for Emergency Systemd Target'
+
+@@ -86,7 +86,7 @@ fixtext: |-
+ Configure {{{ 
full_name }}} to require authentication for system emergency mode.
+
+ Add or edit the following line in "/usr/lib/systemd/system/emergency.service":
+- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}}
++ {{% if product in ["fedora", "ol8", "ol9", "openeuler", "openeuler2203", "rhel8", "rhel9", "sle12", "sle15"] -%}}
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+ {{%- else -%}}
+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
+index f232eb7..ac93b58 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
+
+ title: 'Disable debug-shell SystemD Service'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
+index d4b7117..7f21632 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+
+ title: 'Assign Expiration Date to Temporary Accounts'
+
+diff --git 
a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+index 3cda626..805b65c 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure All Accounts on the System Have Unique User IDs'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
+index aa5a69c..796102a 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure All Groups on the System Have Unique Group ID'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
+index 55b2c5e..a2793d9 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: 
alinux2,alinux3,anolis8,fedora,openeuler,openeuler2203,rhel7,rhel8,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure All Groups on the System Have Unique Group Names'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+index 3591fba..41489ff 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+@@ -84,4 +84,3 @@ srg_requirement: |-
+ {{{ full_name }}} user account passwords for new users or password changes must have a 60 day maximum password lifetime restriction in /etc/login.defs.
+
+ platform: package[shadow-utils]
+-
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+index 3cbb4d9..7eaac40 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+@@ -84,4 +84,3 @@ srg_requirement: |-
+ {{{ full_name }}} passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs. 
+
+ platform: package[shadow-utils]
+-
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
+index c101f11..53f5675 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
++prodtype: alinux2,alinux3,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
+
+ title: 'Verify No .forward Files Exist'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+index d0ed1f4..37f8217 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: 'Enforce usage of pam_wheel for su authentication'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+index a660109..51167f4 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: 
alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Set Interactive Session Timeout'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+index e58fb7d..f35812f 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'All Interactive Users Home Directories Must Exist'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+index 1795fac..013ceea 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure the Default Bash Umask is Set Correctly'
+
+diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
+index d3b0186..fe64bd1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle15
+
+ title: 'Record Successful Permission Changes to Files - chmod'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
+index 241d1d6..49301c0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Ownership Changes to Files - chown'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
+index ce7070e..c611b7c 100644 
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Permission Changes to Files - fchmod'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
+index 4b6cee0..a5d2ca8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Permission Changes to Files - fchmodat'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
+index 6bc0b95..d42607f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
+@@ -1,6 +1,6 
@@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Ownership Changes to Files - fchown'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
+index e882a57..3c853b6 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Ownership Changes to Files - fchownat'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
+index ee4ff3a..1e52494 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Permission Changes to Files - fremovexattr'
+
+diff --git
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
+index d40bfde..7277bd1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Permission Changes to Files - fsetxattr'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
+index 90873b1..87381e0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Ownership Changes to Files - lchown'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
+index
acbfbc0..13dfb71 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Permission Changes to Files - lremovexattr'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
+index b669f75..44298ab 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Permission Changes to Files - lsetxattr'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
+index 7d7e3eb..19871bc 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Permission Changes to Files - removexattr'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
+index 82d103e..bd269b3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Delete Attempts to Files - rename'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
+index 1736c97..a15861b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype:
fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Delete Attempts to Files - renameat'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
+index 75809f4..f0b0bea 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Permission Changes to Files - setxattr'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
+index 91e8f67..6fb1c6d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Delete Attempts to Files - unlink'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
+index a11b195..8d9d762 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Record Successful Delete Attempts to Files - unlinkat'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+index fe9f1d9..fb03953 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+index 1b476f4..8c7b9c0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record Unsuccessful Access Attempts to Files - creat'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+index 398110d..de52159 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record Unsuccessful Access Attempts to Files - ftruncate'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+index 8893d52..de9b7df 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record Unsuccessful Access Attempts to Files - open'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+index cb615dc..828a35f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at'
+
+diff --git
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+index 1126705..c2ab15f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record Unsuccessful Access Attempts to Files - openat'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+index 2884c9d..c3d156c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record
Unsuccessful Access Attempts to Files - truncate'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+index 90a7173..947078d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+index f8ab574..940441d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure auditd Collects Information on Kernel
Module Unloading - delete_module'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+index d63a995..881c52e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+index a1d7d2c..43f44a0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype:
alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+index 34e160a..aa7fe5c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record Attempts to Alter Logon and Logout Events - lastlog'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+index 1086361..63e6b1c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,fedora,openeuler,openeuler2203,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure auditd Collects Information on the
Use of Privileged Commands - insmod'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+index 19e74ab..4076677 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,fedora,openeuler,openeuler2203,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure auditd Collects Information on the Use of Privileged Commands - modprobe'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+index bb5b567..58f9f60 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,fedora,openeuler,openeuler2203,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure auditd Collects Information on the Use of Privileged Commands - rmmod'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+index 3d76a1a..3d76763 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+@@ -4,7 +4,7 @@
+
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sudo'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
+index 628dc4f..a017f1f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol8,ol9,rhel8,rhel9
++prodtype: fedora,ol8,ol9,openeuler,openeuler2203,rhel8,rhel9
+
+ title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+index 46128d8..ecde494 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype:
alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record Events that Modify User/Group Information - /etc/group'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+index 5cfe91d..54c6700 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record Events that Modify User/Group Information - /etc/gshadow'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+index d58af4c..c67feb3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record Events that Modify
User/Group Information - /etc/security/opasswd'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+index d67693e..9ebb3d8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record Events that Modify User/Group Information - /etc/passwd'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+index 68a975a..ec1e736 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Record Events that Modify User/Group Information - /etc/shadow'
+
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+index
8ccde19..60a1a5e 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: ol7,ol8,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: 'Configure audispd''s Plugin disk_full_action When Disk Is Full'
+
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml
+index 01c5df5..ff7cf72 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol8,ol9,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204
++prodtype: fedora,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204
+
+ title: 'Configure auditd admin_space_left on Low Disk Space'
+
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+index d9b97fb..e8a7d78 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype:
ol7,ol8,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: 'Configure auditd space_left on Low Disk Space'
+
+diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+index e81a90b..1f4100e 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'
+
+diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+index 65132d8..a96a7de 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Extend Audit Backlog Limit for the Audit Daemon'
+
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+index 9acb58b..022892d 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype:
alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Set Boot Loader Password in grub2'
+
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+index 18d5b92..d82f1ae 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Set the UEFI Boot Loader Password'
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+index 8a7b722..052fdf9 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4
++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4
+
+ title: 'Ensure cron Is Logging To Rsyslog'
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
+index 76f0e4b..60c43b3 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
++++
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: rhel7,rhel8,rhel9,sle12,sle15
++prodtype: openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15
+
+ title: 'Ensure logging is configured'
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml
+index bea5ed4..84c0338 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol8,ol9,rhel8,rhel9,ubuntu2004,ubuntu2204
++prodtype: fedora,ol8,ol9,openeuler,openeuler2203,rhel8,rhel9,ubuntu2004,ubuntu2204
+
+ title: 'Ensure remote access methods are monitored in Rsyslog'
+
+diff --git a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml
+index f37af58..39b8d25 100644
+--- a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204
++prodtype: openeuler,openeuler2203,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204
+
+ title: 'Ensure rsyslog Default File Permissions Configured'
+
+diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+index cd22594..98d64dc 100644
+--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
++++
b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: 'Verify firewalld Enabled'
+
+diff --git a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml
+index ae73778..9dca20e 100644
+--- a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: rhel7,rhel8,sle15
++prodtype: rhel7,rhel8,openeuler,openeuler2203,sle15
+
+ title: 'Ensure network interfaces are assigned to appropriate zone'
+
+diff --git a/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml b/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml
+index 05f7144..608fcc5 100644
+--- a/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: sle15
++prodtype: openeuler,openeuler2203,sle15
+
+ title: 'Ensure Unnecessary Services and Ports Are Not Accepted'
+
+diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
+index 73e27ed..9b9db6f 100644
+---
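Review bot: The new prodtype list for set_firewalld_appropriate_zone is `rhel7,rhel8,openeuler,openeuler2203,sle15`, which breaks the alphabetical order that every other prodtype hunk in this patch keeps. Writing it as `prodtype: openeuler,openeuler2203,rhel7,rhel8,sle15` matches the neighbouring rules and keeps later merges of this line predictable.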
a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
++++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
+@@ -16,7 +16,11 @@ rationale: |-
+
+ severity: medium
+
++{{% if product in ['openeuler','openeuler2203'] %}}
++platform: machine
++{{% else %}}
+ platform: not package[nftables] and not package[ufw]
++{{% endif %}}
+
+ identifiers:
+ cce@sle12: CCE-92215-3
+diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
+index 6ab31a4..ef09802 100644
+--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
++++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
+@@ -16,7 +16,11 @@ rationale: |-
+
+ severity: medium
+
++{{% if product in ['openeuler','openeuler2203'] %}}
++platform: machine
++{{% else %}}
+ platform: not package[nftables] and not package[ufw]
++{{% endif %}}
+
+ identifiers:
+ cce@sle12: CCE-92214-6
+diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
+index c7ea1c0..100a1ec 100644
+--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
++++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
+@@ -18,7 +18,11 @@ rationale: |-
+
+ severity: medium
+
++{{% if product in ['openeuler','openeuler2203'] %}}
++platform: machine
++{{% else %}}
+ platform: not package[nftables] and not package[ufw]
++{{% endif %}}
+
+ identifiers:
+ cce@rhel7: CCE-86719-2
+diff --git
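Review bot: The openEuler branch in set_ipv6_loopback_traffic replaces `platform: not package[nftables] and not package[ufw]` with `platform: machine`, so on openEuler this iptables rule stays applicable even when nftables is installed; the same override is repeated in set_loopback_traffic and set_iptables_default_rule. The same patch also adds openeuler to the firewalld and nftables rules, so a profile that selects more than one family could ask a single host to satisfy iptables and nftables policies at once. If the intent is only to drop the ufw test, keeping the nftables exclusion preserves the guard: `platform: not package[nftables]`. A YAML comment above the `{{% if %}}` stating why openEuler needs the wider applicability would make the exception reviewable.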
a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml
+index 88b1b36..f287a6e 100644
+--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml
++++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: sle12,sle15
++prodtype: openeuler,openeuler2203,sle12,sle15
+
+ title: 'Ensure Outbound and Established Connections are Configured'
+
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+index 9a69794..6436a1d 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces'
+
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+index c1f0dc4..08c91b4 100644
+---
a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
+
+@@ -69,3 +69,6 @@ template:
+ vars:
+ sysctlvar: net.ipv6.conf.all.accept_source_route
+ datatype: int
++{{% if "openeuler" in product %}}
++ missing_parameter_pass: 'true'
++{{% endif %}}
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+index c02cdc4..f7ebdf0 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Kernel Parameter for IPv6 Forwarding'
+
+@@ -63,3 +63,6 @@ template:
+ vars:
+ sysctlvar: net.ipv6.conf.all.forwarding
+ datatype: int
++{{% if "openeuler" in product %}}
++ missing_parameter_pass: 'true'
++{{% endif %}}
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
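Review bot: `missing_parameter_pass: 'true'` in the sysctl template vars for net.ipv6.conf.all.accept_source_route lets the configuration-file part of the check pass when no sysctl file sets the value, so on openEuler the rule no longer requires the setting to be persisted and relies on the kernel default staying compliant; the same three lines are added for net.ipv6.conf.all.forwarding and net.ipv6.conf.default.accept_source_route. That may be intended, but it should be stated next to the flag, for example `# openEuler: compliant kernel default is accepted, value need not be set in sysctl.d`. The guard here is the substring test `"openeuler" in product`, while the platform overrides in this patch use `product in ['openeuler','openeuler2203']`; using the list form everywhere keeps the relaxation from applying to any other product id that merely contains the string.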
b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+index e985040..25dfcad 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default'
+
+@@ -68,3 +68,6 @@ template:
+ vars:
+ sysctlvar: net.ipv6.conf.default.accept_source_route
+ datatype: int
++{{% if "openeuler" in product %}}
++ missing_parameter_pass: 'true'
++{{% endif %}}
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+index 8756e21..8452042 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces'
+
+diff --git
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+index 2ccc278..d3b3c5b 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
+index dfcd0b6..d2034a4 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces'
+
+diff --git
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+index e3b2b18..29ed59f 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces'
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
+index 849ae47..05520be 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces'
+
+diff --git
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+index 9a54bbc..30a2a52 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
+index 9ff43ba..8058dc6 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces
by Default'
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
+index b688a15..9f4cde4 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default'
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+index 90ef90f..85e46c3 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default'
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+index 5b12a1b..5d08c84 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces'
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
+index a5fb5f4..2382465 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error
Responses on IPv4 Interfaces'
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+index 31e76dd..aef79a5 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces'
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+index e6b948b..6b1339c 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces'
+
+diff --git
a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+index fc30851..c332cf9 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+index a485053..cbf5bce 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces'
+
+diff --git a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
+index 7d989f7..6bf22f6 100644
+--- a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
++++ b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: sle15,ubuntu2004,ubuntu2204
++prodtype: openeuler,openeuler2203,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Ensure nftables Default Deny Firewall Policy'
+
+diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
+index 5be921e..388ef42 100644
+--- a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
++++ b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: rhel7,rhel8,sle15,ubuntu2004,ubuntu2204
++prodtype: openeuler,openeuler2203,rhel7,rhel8,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Verify nftables Service is Enabled'
+
+diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
+index 043c11b..3a6fd18 100644
+--- a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
++++ b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: sle15,ubuntu2004,ubuntu2204
++prodtype: openeuler,openeuler2203,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Set nftables Configuration for Loopback Traffic'
+
+diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
+index ae1a369..df5cc53 100644
+---
a/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
++++ b/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: sle15
++prodtype: openeuler,openeuler2203,sle15
+
+ title: 'Ensure all outbound and established connections are configured for nftables'
+
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+index 20eeb3e..78c85d1 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Disable SCTP Support'
+
+diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+index 02cb56f..3742df9 100644
+--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
++++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Deactivate Wireless Network Interfaces'
+
+@@ -117,4 +117,8 @@ fixtext: |-
+
+ srg_requirement:
'{{{ full_name }}} wireless network adapters must be disabled.' + ++{{% if product in ['openeuler','openeuler2203'] %}} ++platform: machine ++{{% else %}} + platform: wifi-iface ++{{% endif %}} +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +index 5683f30..d5212ac 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + title: 'Ensure All SGID Executables Are Authorized' + +-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 ++prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,uos20 + + description: |- + The SGID (set group id) bit should be set only on files that were +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +index 249f971..19fc2ee 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + title: 'Ensure All SUID Executables Are Authorized' + +-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 ++prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15,uos20 + + description: |- + The SUID (set user id) bit should be set only on files that were +diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +index 11060d0..712b847 100644 +--- 
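Review bot: The openEuler branch of the `platform:` conditional added at the end of wireless_disable_interfaces/rule.yml sets `platform: machine` instead of `wifi-iface`, and nothing in the hunk records why. With that value the rule's applicability on openEuler no longer depends on a wireless interface being detected, so it will presumably be evaluated on hosts that have none. If that is deliberate, a comment above the conditional would keep the next maintainer from "fixing" it, e.g. `# openEuler: use platform 'machine' instead of 'wifi-iface' because <reason>`. The rest of the rule body lies outside this hunk.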
a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Ensure All Files Are Owned by a Group' + +diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +index 13650fc..ccd5eef 100644 +--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml ++++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Ensure All Files Are Owned by a User' + +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +index 8cbcf66..88ca5f0 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Disable Modprobe Loading of USB Storage Driver' + +diff --git 
a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml +index d06852d..f627292 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804 ++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804 + + title: 'Add nodev Option to Removable Media Partitions' + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml +index 75934b9..09119e7 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804 ++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804 + + title: 'Add noexec Option to Removable Media Partitions' + +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml +index ed025e4..024eceb 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml 
+@@ -60,6 +60,9 @@ template: + sysctlvar: kernel.randomize_va_space + sysctlval: '2' + datatype: int ++{{% if "openeuler" in product %}} ++ missing_parameter_pass: 'true' ++{{% endif %}} + + fixtext: |- + Configure {{{ full_name }}} to implement virtual address space randomization. +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +index b73d219..1c51955 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Restrict Access to Kernel Message Buffer' + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml +index bf2e143..2701f65 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15 + + title: 'Disallow magic SysRq key' + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +index e03106c..6df07fb 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +@@ -1,6 +1,6 @@ + 
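Review bot: `missing_parameter_pass: 'true'` in the sysctl template vars relaxes the kernel.randomize_va_space check for openEuler, and the hunk gives no reason for it. As I understand the sysctl template, this makes the configuration-file part of the check pass when no sysctl configuration file sets the variable at all, so a passing result then rests on the kernel's built-in default rather than on a persistent `kernel.randomize_va_space = 2` entry. If openEuler really ships without an explicit entry and that is accepted, record it next to the setting, e.g. `# openEuler: no explicit sysctl entry is shipped; absence is accepted because <reason>`. The guard `"openeuler" in product` is also a substring match, whereas the wireless_disable_interfaces hunk in this patch uses `product in ['openeuler','openeuler2203']`; using the list form in both places would make the affected products explicit.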
documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 + + title: 'Restrict usage of ptrace to descendant processes' + +diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml +index 00cc2ff..bb7bf88 100644 +--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Ensure No Daemons are Unconfined by SELinux' + +diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml +index a49219e..47bf130 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Configure SELinux Policy' + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +index e3b95bc..890eace 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: 
alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 ++prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 + + title: 'Configure System Cryptography Policy' + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +index 43e5f16..b43fbc4 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Build and Test AIDE Database' + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +index a361171..37a8546 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Install AIDE' + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml 
b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +index b90f566..b2e4b88 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + title: 'The operating system must restrict privilege elevation to authorized personnel' + +-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15 + + description: |- + The sudo command allows a user to execute programs with elevated +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +index 18c6f48..3e8fc56 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 + + title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration' + +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +index 6428781..b136e6b 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: 
alinux2,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Ensure gpgcheck Enabled for All {{{ pkg_manager }}} Package Repositories' + +diff --git a/products/openeuler/product.yml b/products/openeuler/product.yml +index fd33efe..1b22b09 100644 +--- a/products/openeuler/product.yml ++++ b/products/openeuler/product.yml +@@ -8,6 +8,7 @@ benchmark_root: "../../linux_os/guide" + profiles_root: "./profiles" + + pkg_manager: "dnf" ++pkg_manager_config_file: "/etc/yum.conf" + + init_system: "systemd" + +diff --git a/products/openeuler2203/product.yml b/products/openeuler2203/product.yml +index 89e9f8b..5beaac5 100644 +--- a/products/openeuler2203/product.yml ++++ b/products/openeuler2203/product.yml +@@ -8,6 +8,7 @@ benchmark_root: "../../linux_os/guide" + profiles_root: "./profiles" + + pkg_manager: "dnf" ++pkg_manager_config_file: "/etc/yum.conf" + + init_system: "systemd" + +diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml +index 07f3df9..6c8ad28 100644 +--- a/shared/applicability/package.yml ++++ b/shared/applicability/package.yml +@@ -49,7 +49,7 @@ args: + pkgname: postfix + shadow-utils: + {{% if pkg_system == "rpm" %}} +- {{% if product in ["sle12", "sle15"] %}} ++ {{% if product in ["openeuler", "openeuler2203", "sle12", "sle15"] %}} + pkgname: shadow + {{% else %}} + pkgname: shadow-utils +-- +2.21.0.windows.1 + diff --git a/add-openeuler-support.patch b/add-openeuler-support.patch new file mode 100644 index 0000000..1c8db5c --- /dev/null +++ b/add-openeuler-support.patch 
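Review bot: `pkg_manager_config_file: "/etc/yum.conf"` is added next to `pkg_manager: "dnf"` in both products/openeuler/product.yml and products/openeuler2203/product.yml, and the path should be verified against a real openEuler install. The gpgcheck rules enabled for openEuler in this same patch (ensure_gpgcheck_globally_activated) presumably read their main-configuration path from this value. On dnf-based systems the primary file is usually /etc/dnf/dnf.conf, with /etc/yum.conf only a compatibility symlink, so if that link is absent or is a separate file on a given release the check and its remediation would act on the wrong file. If dnf.conf is the authoritative file there, `pkg_manager_config_file: "/etc/dnf/dnf.conf"` is the safer value; otherwise a short comment stating that /etc/yum.conf is what openEuler ships would settle the question.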
@@ -0,0 +1,448 @@ +From 34393e749c834bc08cd1a25f8ac1fd9ff36c7872 Mon Sep 17 00:00:00 2001 +From: "steven.y.gui" +Date: Thu, 17 Aug 2023 21:02:06 +0800 +Subject: [PATCH] add openeuler support + +--- + CMakeLists.txt | 10 ++++++ + controls/std_openeuler.yml | 34 +++++++++++++++++++ + .../services/ftp/package_ftp_removed/rule.yml | 2 +- + .../package_telnet-server_removed/rule.yml | 2 +- + .../telnet/package_telnet_removed/rule.yml | 2 +- + .../tftp/package_tftp-server_removed/rule.yml | 2 +- + .../tftp/package_tftp_removed/rule.yml | 2 +- + products/openeuler/CMakeLists.txt | 6 ++++ + products/openeuler/product.yml | 19 +++++++++++ + products/openeuler/profiles/standard.profile | 14 ++++++++ + products/openeuler/transforms/constants.xslt | 9 +++++ + products/openeuler2203/CMakeLists.txt | 6 ++++ + products/openeuler2203/product.yml | 29 ++++++++++++++++ + .../openeuler2203/profiles/standard.profile | 14 ++++++++ + .../openeuler2203/transforms/constants.xslt | 9 +++++ + .../checks/oval/installed_OS_is_openeuler.xml | 22 ++++++++++++ + .../oval/installed_OS_is_openeuler2203.xml | 26 ++++++++++++++ + .../oval/sysctl_kernel_ipv6_disable.xml | 1 + + ssg/constants.py | 7 ++++ + 19 files changed, 211 insertions(+), 5 deletions(-) + create mode 100644 controls/std_openeuler.yml + create mode 100644 products/openeuler/CMakeLists.txt + create mode 100644 products/openeuler/product.yml + create mode 100644 products/openeuler/profiles/standard.profile + create mode 100644 products/openeuler/transforms/constants.xslt + create mode 100644 products/openeuler2203/CMakeLists.txt + create mode 100644 products/openeuler2203/product.yml + create mode 100644 products/openeuler2203/profiles/standard.profile + create mode 100644 products/openeuler2203/transforms/constants.xslt + create mode 100644 shared/checks/oval/installed_OS_is_openeuler.xml + create mode 100644 shared/checks/oval/installed_OS_is_openeuler2203.xml + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 7d1cffd..b466580 
100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -83,6 +83,8 @@ option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${ + option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) + option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) + option(SSG_PRODUCT_OL9 "If enabled, the Oracle Linux 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) ++option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT}) ++option(SSG_PRODUCT_OPENEULER "If enabled, the openEuler basic version content will be built" ${SSG_PRODUCT_DEFAULT}) + option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) + option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) + option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) +@@ -277,6 +279,8 @@ message(STATUS "RHCOS4: ${SSG_PRODUCT_RHCOS4}") + message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}") + message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}") + message(STATUS "Oracle Linux 9: ${SSG_PRODUCT_OL9}") ++message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}") ++message(STATUS "openEuler: ${SSG_PRODUCT_OPENEULER}") + message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}") + message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}") + message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}") +@@ -374,6 +378,12 @@ endif() + if (SSG_PRODUCT_OL9) + add_subdirectory("products/ol9" "ol9") + endif() ++if (SSG_PRODUCT_OPENEULER2203) ++ add_subdirectory("products/openeuler2203" "openeuler2203") ++endif() ++if (SSG_PRODUCT_OPENEULER) ++ add_subdirectory("products/openeuler" "openeuler") ++endif() + if (SSG_PRODUCT_OPENSUSE) + add_subdirectory("products/opensuse" "opensuse") + endif() +diff --git a/controls/std_openeuler.yml 
b/controls/std_openeuler.yml +new file mode 100644 +index 0000000..5599b04 +--- /dev/null ++++ b/controls/std_openeuler.yml +@@ -0,0 +1,34 @@ ++--- ++policy: 'Standard Benchmark for openEuler' ++title: 'Standard Benchmark for openEuler' ++id: std_openeuler ++version: '1.0' ++levels: ++ - id: base ++ ++controls: ++ - id: 1.2.1_ftp_not_installed ++ title: Ensure FTP is not installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_ftp_removed ++ ++ - id: 1.2.2_tftp_server_not_installed ++ title: Ensure TFTP Server is not installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_tftp_removed ++ - package_tftp-server_removed ++ ++ - id: 1.2.3_telnet_server_not_installed ++ title: Ensure Telnet Server is not installed ++ levels: ++ - base ++ status: automated ++ rules: ++ - package_telnet_removed ++ - package_telnet-server_removed +diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml +index 1129ce7..c5450ca 100644 +--- a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml ++++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel9 ++prodtype: openeuler,openeuler2203,rhel9 + + title: 'Remove ftp Package' + +diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +index 6b59559..fc38a3c 100644 +--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Uninstall telnet-server Package' + +diff --git 
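Review bot: In controls/std_openeuler.yml the ids and titles of controls 1.2.2 and 1.2.3 name only the server, yet each also selects the client-side removal rule. `1.2.2_tftp_server_not_installed` lists `package_tftp_removed` alongside `package_tftp-server_removed`, and `1.2.3_telnet_server_not_installed` lists `package_telnet_removed`, whose rule title elsewhere in this patch is 'Remove telnet Clients'. Someone tailoring the profile from the control titles would not expect the client packages to be removed as well. Either retitle the controls, e.g. `title: Ensure Telnet client and server are not installed`, or split client and server into separate controls so each can be waived on its own.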
a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +index 2571d50..3638424 100644 +--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Remove telnet Clients' + +diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +index 93fd712..46ebdb7 100644 +--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Uninstall tftp-server Package' + +diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml +index 35e0a2f..f836879 100644 +--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15 + + title: 'Remove tftp Daemon' + +diff --git a/products/openeuler/CMakeLists.txt b/products/openeuler/CMakeLists.txt +new file mode 100644 +index 0000000..8733082 +--- /dev/null ++++ 
b/products/openeuler/CMakeLists.txt +@@ -0,0 +1,6 @@ ++# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way. ++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") ++ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") ++endif() ++ ++ssg_build_product("openeuler") +diff --git a/products/openeuler/product.yml b/products/openeuler/product.yml +new file mode 100644 +index 0000000..fd33efe +--- /dev/null ++++ b/products/openeuler/product.yml +@@ -0,0 +1,19 @@ ++product: openeuler ++full_name: openEuler ++type: platform ++ ++benchmark_id: OPENEULER ++benchmark_root: "../../linux_os/guide" ++ ++profiles_root: "./profiles" ++ ++pkg_manager: "dnf" ++ ++init_system: "systemd" ++ ++cpes_root: "../../shared/applicability" ++cpes: ++ - openeuler2309: ++ name: "cpe:/o:openEuler:openEuler:23.09:ga:server" ++ title: "openEuler 23.09" ++ check_id: installed_OS_is_openeuler +diff --git a/products/openeuler/profiles/standard.profile b/products/openeuler/profiles/standard.profile +new file mode 100644 +index 0000000..e4e9450 +--- /dev/null ++++ b/products/openeuler/profiles/standard.profile +@@ -0,0 +1,14 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0 ++ ++title: 'Standard System Security Profile for openEuler' ++ ++description: |- ++ This profile contains rules to ensure standard security baseline ++ of all openEuler systems. Regardless of your system's workload ++ all of these checks should pass. 
++ ++selections: ++ - std_openeuler:all:base +diff --git a/products/openeuler/transforms/constants.xslt b/products/openeuler/transforms/constants.xslt +new file mode 100644 +index 0000000..b0a07a0 +--- /dev/null ++++ b/products/openeuler/transforms/constants.xslt +@@ -0,0 +1,9 @@ ++ ++ ++ ++ ++openEuler ++openEuler ++openeuler ++ ++ +diff --git a/products/openeuler2203/CMakeLists.txt b/products/openeuler2203/CMakeLists.txt +new file mode 100644 +index 0000000..258e195 +--- /dev/null ++++ b/products/openeuler2203/CMakeLists.txt +@@ -0,0 +1,6 @@ ++# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way. ++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") ++ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") ++endif() ++ ++ssg_build_product("openeuler2203") +diff --git a/products/openeuler2203/product.yml b/products/openeuler2203/product.yml +new file mode 100644 +index 0000000..89e9f8b +--- /dev/null ++++ b/products/openeuler2203/product.yml +@@ -0,0 +1,29 @@ ++product: openeuler2203 ++full_name: openEuler 2203 ++type: platform ++ ++benchmark_id: OPENEULER2203 ++benchmark_root: "../../linux_os/guide" ++ ++profiles_root: "./profiles" ++ ++pkg_manager: "dnf" ++ ++init_system: "systemd" ++ ++cpes_root: "../../shared/applicability" ++cpes: ++ - openeuler2203lts: ++ name: "cpe:/o:openEuler:openEuler:22.03LTS:ga:server" ++ title: "openEuler 22.03 LTS" ++ check_id: installed_OS_is_openeuler2203 ++ ++ - openeuler2203lts-sp1: ++ name: "cpe:/o:openEuler:openEuler:22.03LTS_SP1:ga:server" ++ title: "openEuler 22.03 LTS SP1" ++ check_id: installed_OS_is_openeuler2203 ++ ++ - openeuler2203lts-sp2: ++ name: "cpe:/o:openEuler:openEuler:22.03LTS_SP2:ga:server" ++ title: "openEuler 22.03 LTS SP2" ++ check_id: installed_OS_is_openeuler2203 +diff --git a/products/openeuler2203/profiles/standard.profile 
b/products/openeuler2203/profiles/standard.profile +new file mode 100644 +index 0000000..8a7ae9c +--- /dev/null ++++ b/products/openeuler2203/profiles/standard.profile +@@ -0,0 +1,14 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0 ++ ++title: 'Standard System Security Profile for openEuler 22.03 LTS' ++ ++description: |- ++ This profile contains rules to ensure standard security baseline ++ of an openEuler system. Regardless of your system's workload ++ all of these checks should pass. ++ ++selections: ++ - std_openeuler:all:base +diff --git a/products/openeuler2203/transforms/constants.xslt b/products/openeuler2203/transforms/constants.xslt +new file mode 100644 +index 0000000..666c119 +--- /dev/null ++++ b/products/openeuler2203/transforms/constants.xslt +@@ -0,0 +1,9 @@ ++ ++ ++ ++ ++openEuler2203 ++openEuler2203 ++openeuler2203 ++ ++ +diff --git a/shared/checks/oval/installed_OS_is_openeuler.xml b/shared/checks/oval/installed_OS_is_openeuler.xml +new file mode 100644 +index 0000000..4835266 +--- /dev/null ++++ b/shared/checks/oval/installed_OS_is_openeuler.xml +@@ -0,0 +1,22 @@ ++ ++ ++ ++ openEuler ++ ++ multi_platform_all ++ ++ The operating system installed on the system is openEuler. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ openEuler-release ++ ++ ++ +diff --git a/shared/checks/oval/installed_OS_is_openeuler2203.xml b/shared/checks/oval/installed_OS_is_openeuler2203.xml +new file mode 100644 +index 0000000..6a1ce97 +--- /dev/null ++++ b/shared/checks/oval/installed_OS_is_openeuler2203.xml +@@ -0,0 +1,26 @@ ++ ++ ++ ++ openEuler 22.03 LTS ++ ++ multi_platform_all ++ ++ The operating system installed on the system is openEuler 22.03 LTS. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^22\.03.*$ ++ ++ ++ openEuler-release ++ ++ ++ +diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +index affb977..593ecda 100644 +--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml ++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +@@ -8,6 +8,7 @@ + multi_platform_debian + multi_platform_example + multi_platform_fedora ++ multi_platform_openeuler + multi_platform_opensuse + multi_platform_ol + multi_platform_rhcos +diff --git a/ssg/constants.py b/ssg/constants.py +index f66ba00..60697df 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -50,6 +50,7 @@ product_directories = [ + 'ocp4', + 'rhcos4', + 'ol7', 'ol8', 'ol9', ++ 'openeuler', 'openeuler2203', + 'opensuse', + 'rhel7', 'rhel8', 'rhel9', + 'rhv4', +@@ -207,6 +208,8 @@ FULL_NAME_TO_PRODUCT_MAPPING = { + "Oracle Linux 7": "ol7", + "Oracle Linux 8": "ol8", + "Oracle Linux 9": "ol9", ++ "openEuler": "openeuler", ++ "openEuler 2203": "openeuler2203", + "openSUSE": "opensuse", + "Red Hat Enterprise Linux 7": "rhel7", + "Red Hat Enterprise Linux 8": "rhel8", +@@ -266,6 +269,7 @@ REFERENCES = dict( + + + MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu", ++ "openeuler", + "opensuse", "sle", "ol", "ocp", "rhcos", + "example", "eks", "alinux", "uos", "anolis"] + +@@ -276,6 +280,7 @@ MULTI_PLATFORM_MAPPING = { + "multi_platform_example": ["example"], + "multi_platform_eks": ["eks"], + "multi_platform_fedora": ["fedora"], ++ "multi_platform_openeuler": ["openeuler", "openeuler2203"], + "multi_platform_opensuse": ["opensuse"], + "multi_platform_ol": ["ol7", "ol8", "ol9"], + "multi_platform_ocp": ["ocp4"], +@@ -447,6 +452,8 @@ MAKEFILE_ID_TO_PRODUCT_MAP = { + 'uos': 'UnionTech OS Server', + 'eap': 'JBoss Enterprise Application Platform', + 'fuse': 'JBoss Fuse', ++ 'openeuler': 'openEuler', ++ 'openeuler2203': 'openEuler 2203', + 'opensuse': 'openSUSE', + 'sle': 'SUSE Linux Enterprise', + 
'example': 'Example', +-- +2.21.0.windows.1 + diff --git a/scap-security-guide.spec b/scap-security-guide.spec index f254c9b..4061c3a 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,11 +1,14 @@ Name: scap-security-guide Version: 0.1.68 -Release: 1 +Release: 2 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 +Patch0001: add-openeuler-support.patch +Patch0002: add-openeuler-control-rules.patch + BuildArch: noarch BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML Requires: xml-common, openscap-scanner >= 1.2.5 @@ -60,6 +63,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Mon Oct 9 2023 steven - 0.1.68-2 +- add openeuler supporting and add 100+ control rules + * Tue Jul 18 2023 xu_ping <707078654@qq.com> - 0.1.68-1 - Upgrade to 0.1.68 -- Gitee
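Review bot: The first scap-security-guide.spec hunk declares `Patch0001` and `Patch0002`, but the `%prep` section is outside both hunks, so it cannot be confirmed from here that the patches are actually applied. If `%prep` uses plain `%setup` rather than `%autosetup -p1` or explicit `%patch` lines, the package would build from unmodified upstream content and ship without the openEuler products. The patches together add several thousand lines of downstream security content with no provenance recorded in the spec, so a comment above the declarations would help later audits, e.g. `# openEuler product definitions and control rules, downstream-only (source: <upstream PR or repository URL>)`. The declared order matches the dependency between the two patches, since the control-rules patch modifies the product.yml files that the support patch creates.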