From b8c79f79153575b839eb7e0401fb370084e1a66c Mon Sep 17 00:00:00 2001
From: qsw33
Date: Fri, 17 Nov 2023 16:31:34 +0800
Subject: [PATCH] enable 80 rules for openEuler

---
 add-80-rules-for-openeuler.patch | 2734 ++++++++++++++++++++++++++++++
 scap-security-guide.spec | 6 +-
 2 files changed, 2739 insertions(+), 1 deletion(-)
 create mode 100644 add-80-rules-for-openeuler.patch

diff --git a/add-80-rules-for-openeuler.patch b/add-80-rules-for-openeuler.patch
new file mode 100644
index 0000000..8eac405
--- /dev/null
+++ b/add-80-rules-for-openeuler.patch
@@ -0,0 +1,2734 @@ +From 941e961d84f0c1610134b367364a0f66b82cc9f9 Mon Sep 17 00:00:00 2001 +From: qsw333 +Date: Thu, 16 Nov 2023 13:50:38 +0800 +Subject: [PATCH] second + +--- + .../base/service_haveged_enabled/rule.yml | 31 +++++++ + .../service_dhcpd_disabled/rule.yml | 2 +- + .../service_named_disabled/rule.yml | 2 +- + .../package_httpd_removed/rule.yml | 2 +- + .../package_openldap-clients_removed/rule.yml | 23 +++++ + .../service_rpcbind_disabled/rule.yml | 2 +- + .../service_nfs-server_disabled/rule.yml | 33 +++++++ + linux_os/guide/services/rsync/group.yml | 9 ++ + .../rsync/service_rsyncd_disabled/rule.yml | 20 ++++ + .../service_smb_disabled/rule.yml | 2 +- + .../oval/shared.xml | 25 +++++ + .../rule.yml | 16 ++++ + .../oval/shared.xml | 25 +++++ + .../rule.yml | 19 ++++ + .../oval/shared.xml | 25 +++++ + .../rule.yml | 18 ++++ + .../oval/shared.xml | 25 +++++ + .../sshd_configure_correct_interface/rule.yml | 18 ++++ + .../oval/shared.xml | 25 +++++ + .../sshd_disable_AllowTcpForwardindg/rule.yml | 18 ++++ + .../oval/shared.xml | 25 +++++ + .../sshd_disable_x11_forwarding/rule.yml | 16 ++++ + .../oval/shared.xml | 25 +++++ + .../rule.yml | 18 ++++ + .../uninstall_software_service/group.yml | 5 + + .../network_sniffing_tools/rule.yml | 24 +++++ + .../rule.yml | 2 +- + .../no_forward_files/oval/shared.xml | 20 ++++ + .../no_forward_files/rule.yml | 17 ++++ + .../rule.yml | 27 ++++++ + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 25 +++++ + .../oval/shared.xml | 25 +++++ + .../audit_rule_admin_privilege/rule.yml | 27 ++++++ + .../oval/shared.xml | 25 +++++ + .../rule.yml | 56 +++++++++++ + .../auditd_data_retention_space_left/rule.yml | 2 +- + .../auditing/grub2_audit_argument/rule.yml | 2 +- + .../rule.yml | 2 +- + .../oval/shared.xml | 25 +++++ + .../configure_dump_journald_log/rule.yml | 22 +++++ + .../rule.yml | 19 ++++ + .../configure_rsyslog_log_rotate/rule.yml | 45 +++++++++ + 
.../configure_service_logging/rule.yml | 21 +++++ + .../diasable_root_accessing_system/rule.yml | 35 +++++++ + .../rsyslog_files_permissions/oval/shared.xml | 1 + + .../oval/shared.xml | 25 +++++ + .../rule.yml | 24 +++++ + .../rsyslog_remote_loghost/oval/shared.xml | 1 + + .../rule.yml | 28 ++++++ + .../rule.yml | 36 +++++++ + .../rule.yml | 27 ++++++ + .../rule.yml | 36 +++++++ + .../rule.yml | 28 ++++++ + .../wireless_disable_interfaces/rule.yml | 2 +- + .../rule.yml | 26 ++++++ + .../system/network/network_nftables/group.yml | 12 +++ + .../rule.yml | 32 +++++++ + .../rule.yml | 24 +++++ + .../rule.yml | 21 +++++ + .../rule.yml | 23 +++++ + .../rule.yml | 22 +++++ + .../service_nftables_enabled/rule.yml | 22 +++++ + .../define_ld_lib_path_correctly/rule.yml | 25 +++++ + .../files/define_path_strictly/rule.yml | 31 +++++++ + .../no_files_globally_writable_files/rule.yml | 34 +++++++ + .../rule.yml | 28 ++++++ + .../partitions_mounted_nodev_mode/rule.yml | 48 ++++++++++ + .../partitions_mounted_noexec_mode/rule.yml | 19 ++++ + .../partitions_mounted_nosuid_mode/rule.yml | 27 ++++++ + .../rule.yml | 28 ++++++ + .../read_only_partitions_no_modified/rule.yml | 19 ++++ + .../rule.yml | 29 ++++++ + .../sysctl_kernel_yama_ptrace_scope/rule.yml | 2 +- + .../rule.yml | 28 ++++++ + .../system/software/enabled_seccomp/rule.yml | 35 +++++++ + .../crypto/configure_crypto_policy/rule.yml | 2 +- + .../aide/aide_build_database/oval/shared.xml | 1 + + .../aide/enable_aide_detection/rule.yml | 29 ++++++ + .../ima_verification/rule.yml | 47 ++++++++++ + .../rule.yml | 18 ++++ + .../disabled_SysRq/oval/shared.xml | 25 +++++ + .../system-tools/disabled_SysRq/rule.yml | 20 ++++ + .../uninstall_debugging_tools/rule.yml | 23 +++++ + .../rule.yml | 26 ++++++ + openeuler2203/profiles/standard.profile | 93 +++++++++++++++++++ + 89 files changed, 1869 insertions(+), 16 deletions(-) + create mode 100644 linux_os/guide/services/base/service_haveged_enabled/rule.yml + create mode 100644 
linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml + create mode 100644 linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml + create mode 100644 linux_os/guide/services/rsync/group.yml + create mode 100644 linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml + create mode 100644 linux_os/guide/services/uninstall_software_service/group.yml + create mode 100644 
linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml + create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/rule.yml + create mode 100644 linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml + create mode 100644 linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml + create mode 100644 linux_os/guide/system/logging/configure_service_logging/rule.yml + create mode 100644 linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml + create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml + create mode 100644 linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml + create mode 100644 
linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network_interface_binding_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/group.yml + create mode 100644 linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/define_path_strictly/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml + create mode 100644 
linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml + create mode 100644 linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml + create mode 100644 linux_os/guide/system/software/enabled_seccomp/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml + create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml + create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml + create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml + create mode 100644 linux_os/guide/system/software/uninstall_debugging_tools/rule.yml + create mode 100644 linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml + +diff --git a/linux_os/guide/services/base/service_haveged_enabled/rule.yml b/linux_os/guide/services/base/service_haveged_enabled/rule.yml +new file mode 100644 +index 0000000..a2e373a +--- /dev/null ++++ b/linux_os/guide/services/base/service_haveged_enabled/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Enable haveged service' ++ ++description: |- ++ The haveged service provides an easy-to-use, unpredictable random number ++ generator. The generated random numbers are used to supplement the system ++ entropy pool, which can solve the problem of low system entropy in some ++ cases. 
It is recommended to enable this service in scenarios where encryption, ++ decryption or key generation is required (such as using openssl and gnutls). ++ ++ If the haveged service is not turned on, when the process that needs to ++ generate strong pseudo-random numbers gets values from /dev/random, it will ++ be stuck in waiting because it cannot get enough values, and will not return ++ until new random bytes are obtained. ++ ++severity: low ++ ++rationale: |- ++ none. ++ ++ocil: '{{{ ocil_service_disabled(service="haveged") }}}' ++ ++platform: machine ++ ++template: ++ name: service_enabled ++ vars: ++ servicename: haveged +\ No newline at end of file +diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +index efe3519..4d41613 100644 +--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml ++++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: rhel6,rhel7,rhel8,openeuler2203 + + title: 'Disable DHCP Service' + +diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +index 62c1bf0..7add584 100644 +--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml ++++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: rhel6,rhel7,rhel8,openeuler2203 + + title: 'Disable named Service' + +diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml +index b9a6437..8156243 100644 +--- 
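Review bot: The ocil line pairs `ocil_service_disabled(service="haveged")` with a `service_enabled` template, so the manual procedure tells the assessor to verify the opposite of what the automated check enforces; it should be `ocil: '{{{ ocil_service_enabled(service="haveged") }}}'`. `rationale: none.` leaves the rule without a justification in the rendered guide, while the second paragraph of the description (readers of /dev/random blocking on a starved entropy pool) is exactly that justification and belongs under `rationale`. The file also ends without a trailing newline, as do most of the new files in this patch.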
a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml ++++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: rhel6,rhel7,rhel8,openeuler2203 + + title: 'Uninstall httpd Package' + +diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +new file mode 100644 +index 0000000..717c04b +--- /dev/null ++++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +@@ -0,0 +1,23 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Remove LDAP Client' ++ ++description: |- ++ LDAP (Lightweight Directory Access Protocol) is a lightweight directory ++ access protocol that provides access control and maintains distributed ++ directory information. ++ ++rationale: |- ++ Providing an LDAP client (openldap-clients) in the system can cause ++ waste of system resources and expand the scope of attacks. If the business ++ scenario does not require the use of LDAP services, it is prohibited to ++ install the LDAP client. 
++ ++severity: high ++ ++template: ++ name: package_removed ++ vars: ++ pkgname: openldap-clients +\ No newline at end of file +diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +index 902117f..9bd2182 100644 +--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: rhel6,rhel7,rhel8,openeuler2203 + + title: 'Disable rpcbind Service' + +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml +new file mode 100644 +index 0000000..32a4889 +--- /dev/null ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml +@@ -0,0 +1,33 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel6,rhel7,rhel8,openeuler2203 ++ ++title: 'Disable Network File System (nfs) Service' ++ ++description: |- ++ Network File System (NFS) is one of the oldest and most widely distributed ++ file systems in UNIX environments. It provides the system with the ability ++ to mount other servers' file systems over the network. If the system does ++ not export NFS shares, it is recommended to disable NFS to reduce the remote ++ attack surface.. ++ {{{ describe_service_disable(service="nfs-server") }}} ++ ++rationale: |- ++ 'Disabling NFS affects services and applications on the system that rely on NFS, ++ as well as existing NFS mount points. 
Before disabling NFS, you should make sure ++ you understand the usage on your system and consider whether there are alternatives ++ to meet your file sharing and data access needs.' ++ ++severity: low ++ ++ocil_clause: 'it does not' ++ ++ocil: '{{{ ocil_service_disabled(service="nfs") }}}' ++ ++platform: machine ++ ++template: ++ name: service_disabled ++ vars: ++ servicename: nfs-server ++ packagename: nfs-utils +diff --git a/linux_os/guide/services/rsync/group.yml b/linux_os/guide/services/rsync/group.yml +new file mode 100644 +index 0000000..0482394 +--- /dev/null ++++ b/linux_os/guide/services/rsync/group.yml +@@ -0,0 +1,9 @@ ++documentation_complete: true ++ ++title: 'Rsync Server' ++ ++description: |- ++ The rsync service can be used to synchronize data between ++ servers or between different Disk partitioning on the server, ++ but because rsync uses an unencrypted transmission protocol, ++ there is a risk of information disclosure. +\ No newline at end of file +diff --git a/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml +new file mode 100644 +index 0000000..5afaa7c +--- /dev/null ++++ b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml +@@ -0,0 +1,20 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Disable Rsync Server Software' ++ ++description: '{{{ describe_service_disable(service="rsync-daemon") }}}' ++ ++rationale: |- ++ If the rsync service is enabled and data is transmitted between ++ different servers through the network, attackers can steal data ++ by listening to server ports, routers, and switch data packets. 
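Review bot: `ocil: '{{{ ocil_service_disabled(service="nfs") }}}'` names a different unit than the template's `servicename: nfs-server`, so the manual procedure and the OVAL check disagree on which service is being assessed; use `service="nfs-server"` in both places. The rationale is a `|-` block scalar, so the single quotes wrapping its text are kept verbatim and will appear in the rendered guide. The description also ends with a doubled period ("attack surface..").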
++ ++severity: high ++ ++template: ++ name: service_disabled ++ vars: ++ servicename: rsyncd ++ packagename: rsync +\ No newline at end of file +diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +index aec5800..c13311f 100644 +--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml ++++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: rhel6,rhel7,rhel8,openeuler2203 + + title: 'Disable Samba' + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml +new file mode 100644 +index 0000000..e6c1a0e +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ SSH concurrent unauthenticated connections should be configured correctly ++ ++ multi_platform_openeuler ++ ++ Configure the specified IP address for SSH connection. 
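Review bot: The description calls `describe_service_disable(service="rsync-daemon")` while the template checks `servicename: rsyncd`, so the rendered remediation text tells the reader to disable a unit other than the one the OVAL evaluates; I cannot tell from the patch which unit name openEuler 22.03 ships, but the same name should be used in both places. Unlike the sibling `service_*_disabled` rules touched in this patch, the rule also has no `ocil`/`ocil_clause`, so there is no manual procedure to fall back on.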
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^maxstartups\s+\d+:\d+:\d+$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml +new file mode 100644 +index 0000000..60d2ccd +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml +@@ -0,0 +1,16 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'SSH concurrent unauthenticated connections should be configured correctly' ++ ++description: |- ++ Attackers can consume system resources by establishing a large number of ++ concurrent connections with incomplete authentication without knowing the ++ password. ++ ++rationale: |- ++ The MaxStartups setting specifies the maximum number of concurrent unauthenticated ++ connections to the SSH daemon. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml +new file mode 100644 +index 0000000..d30df39 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ The allowed number of concurrent sessions for a single SSH connection should be configured correctly ++ ++ multi_platform_openeuler ++ ++ Configure the allowed number of concurrent sessions. 
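Review bot: The pattern `^maxstartups\s+\d+:\d+:\d+$` is case-sensitive and matches only a lowercase keyword, so the spelling documented in sshd_config(5), `MaxStartups`, does not match; and it only tests that some value is present, not that the limit is bounded, so any configured value passes. The MaxSessions and LoginGraceTime objects in the next two hunks have the same presence-only shape — the LoginGraceTime rationale says the value should be at most 60 seconds, but `\d+` accepts anything. Consider `(?i)^maxstartups\s+\d+:\d+:\d+$` and, for the bounded values, a comparison against a rule variable rather than a bare presence regex. The object description here ("Configure the specified IP address for SSH connection.") is copied from the interface rule and should describe MaxStartups; none of these three rules carries an `ocil` block either.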
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^MaxSessions\s+\d+$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml +new file mode 100644 +index 0000000..2517850 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'The allowed number of concurrent sessions for a single SSH connection should be configured correctly' ++ ++description: |- ++ SSH allows clients that support multiplexing to establish multiple sessions ++ based on a single network connection. MaxSessions limits the number of SSH ++ concurrent sessions allowed for each network connection, which can prevent ++ system resources from being unlimited occupied by a single or a few connections, ++ leading to denial of service attacks. ++ ++rationale: |- ++ Setting MaxSessions to 1 will disable session multiplexing, meaning that only ++ one session is allowed for a connection, while setting it to 0 will block all ++ connected sessions. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml +new file mode 100644 +index 0000000..fb79aff +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ LoginGraceTime should be configured correctly ++ ++ multi_platform_openeuler ++ ++ Configure the LoginGraceTime for SSH connection. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^LoginGraceTime\s+\d+$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml +new file mode 100644 +index 0000000..2c97751 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml +@@ -0,0 +1,18 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'LoginGraceTime should be configured correctly' ++ ++description: |- ++ LoginGraceTime is used to limit the user's login time. If the user ++ fails to complete the login action within the time limit specified ++ by LoginGraceTime, the connection will be automatically disconnected. ++ ++rationale: |- ++ It is recommended to set this value to less than or equal to 60 seconds. ++ If the value is set too high, attackers can utilize a large number of ++ incomplete login actions to consume server resources, resulting in normal ++ administrator login failures. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml +new file mode 100644 +index 0000000..47510c8 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ SSH service interface should be configured correctly ++ ++ multi_platform_openeuler ++ ++ Configure the specified IP address for SSH connection. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^ListenAddress\s+((?:\d{1,3}\.){3}\d{1,3})$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml +new file mode 100644 +index 0000000..0e1cb5c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml +@@ -0,0 +1,18 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'SSH service interface should be configured correctly' ++ ++description: |- ++ Generally, the server has multiple network cards and multiple ++ IP addresses. IP addresses should be planned for business and ++ management. Therefore, not every IP address needs to listen for ++ SSH connections. You can configure to limit SSH connections to ++ only specified IP addresses to reduce the attack surface. ++ ++rationale: |- ++ Unconfigured IP addresses cannot connect to the server through SSH. ++ It is recommended to plan and configure according to the actual situation. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml +new file mode 100644 +index 0000000..9146f4c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Does not allow the use of AllowTcpForwarding ++ ++ multi_platform_openeuler ++ ++ Sshd does not allow the use of AllowTcpForwarding. 
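Review bot: `^ListenAddress\s+((?:\d{1,3}\.){3}\d{1,3})$` accepts only a bare IPv4 dotted quad, so a host that restricts sshd with an IPv6 `ListenAddress`, a hostname, or the `addr:port` form that sshd_config(5) documents fails the rule even though it is configured exactly as the rationale asks; `\d{1,3}` also accepts octets above 255. If the intent is "at least one explicit ListenAddress is set", `^ListenAddress\s+\S+$` expresses that; if the intent is a specific management address, it should come from a rule variable rather than be implied by the regex.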
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^AllowTcpForwarding\s+no$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml +new file mode 100644 +index 0000000..1cdfb4e +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml +@@ -0,0 +1,18 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Does not allow the use of AllowTcpForwarding' ++ ++description: |- ++ AllowTcpForwarding allows the SSH server to act as a proxy to forward TCP requests from ++ clients, similar to establishing an SSH tunnel between the server and the client. This ++ feature may cause the client to attack other servers from the external network through ++ the SSH channel. ++ ++rationale: |- ++ If AllowTcpForwarding is configured as yes, attackers can bypass firewall monitoring on ++ the client through the SSH channel and send attack commands to the intranet server where ++ the SSH server is located, thereby attacking it. So AllowTcpForwarding must be closed. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml +new file mode 100644 +index 0000000..5f4d777 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Does not allow the use of X11 Forwarding ++ ++ multi_platform_openeuler ++ ++ Sshd does not allow the use of X11 Forwarding. 
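Review bot: The directory name `sshd_disable_AllowTcpForwardindg` (also in the diffstat and create-mode lines) carries a typo that becomes the rule id in built content and in the profile, and ids are hard to rename once products and tailoring files reference them; rename it to `sshd_disable_AllowTcpForwarding` before this lands. The pattern `^AllowTcpForwarding\s+no$` also does not see a lowercase keyword (sshd keywords are case-insensitive) and, if the `1` in this object is the instance selector, only the first matching line is considered, so a later `Match` block that re-enables forwarding goes unnoticed; the X11Forwarding check in the next hunk has the same shape.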
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^X11Forwarding\s+no$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +new file mode 100644 +index 0000000..bc5f1fe +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -0,0 +1,16 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Does not allow the use of X11 Forwarding' ++ ++description: |- ++ The X11 Forwarding feature of SSH allows for the execution of GUI programs for remote ++ hosts on the local host. If not required in the business scenario, this feature must ++ be disabled. ++ ++rationale: |- ++ Enabling the X11 Forwarding function expands the scope of attacks and poses a possibility ++ of being attacked by other users on the X11 server. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml +new file mode 100644 +index 0000000..3edae48 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Prohibit SSH service pre setting authorized_Keys ++ ++ multi_platform_openeuler ++ ++ SSH service prohibits preset authorized_Keys. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^LoginGraceTime\s+\d+$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml +new file mode 100644 +index 0000000..1c139fa +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml +@@ -0,0 +1,18 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Prohibit SSH service pre setting authorized_Keys' ++ ++description: |- ++ Authorized_ Keys is the public key of the remote host, which users can ++ store in their home directory $HOME/. ssh/authorized_ In the keys file, ++ for public key authentication, you can directly log in to the system. ++ ++rationale: |- ++ If authorized is preset in the system_ Keys, and the server has enabled ++ the login method of public and private key authentication, allowing ++ attackers to bypass authentication and directly log in to the specified ++ system to attack it. So authorized cannot be preset in the system_ Keys. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/services/uninstall_software_service/group.yml b/linux_os/guide/services/uninstall_software_service/group.yml +new file mode 100644 +index 0000000..0a269ba +--- /dev/null ++++ b/linux_os/guide/services/uninstall_software_service/group.yml +@@ -0,0 +1,5 @@ ++documentation_complete: true ++ ++title: 'Do not install some software packages.' 
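Review bot: The OVAL object for this rule searches /etc/ssh/sshd_config for `^LoginGraceTime\s+\d+$` — the pattern is copied from the LoginGraceTime check — so the rule reports on LoginGraceTime and never examines any authorized_keys file. A check for pre-seeded keys needs a file object on `.ssh/authorized_keys` under each home directory and under `/root`, in the style of the `no_forward_files` object later in this patch, with the test asserting that no such file exists. The rule.yml description is also garbled (`$HOME/. ssh/authorized_ In the keys file`, `authorized is preset in the system_ Keys`); it should refer to `$HOME/.ssh/authorized_keys` throughout.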
++ ++description: |- +\ No newline at end of file +diff --git a/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml +new file mode 100644 +index 0000000..b41c210 +--- /dev/null ++++ b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml +@@ -0,0 +1,24 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Uninstall network sniffing Package' ++ ++description: |- ++ If the production environment contains network sniffing tools, attackers ++ can easily use these tools to conduct network analysis and assist network ++ attacks. Therefore, installation of various network sniffing and packet ++ capture analysis tools, such as tcpdump, ethereal, wireshark, etc., should ++ be prohibited in the production environment. ++ ++
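Review bot: `description: |-` is the last line of group.yml and has no content, which yields an empty (or, depending on the loader, null) description for the group and an empty paragraph in the rendered guide; either drop the key or add a sentence such as `Packages that serve no purpose on a production host only widen its attack surface and should not be installed.` The trailing period in the title is also inconsistent with the other group titles in this patch (`'Rsync Server'`).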

It can not be scanned automatically,please check it manually.

++

check the network_sniffing_tools,such as wireshark,netcat,tcpdump,namp,ethereal:

++ ++ ++rationale: |- ++ There is no need to install various network sniffing and packet capture ++ analysis tools in the production environment. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +index 84a64db..625f15d 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Remove the X Windows Package Group' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml +new file mode 100644 +index 0000000..eab54dd +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml +@@ -0,0 +1,20 @@ ++ ++ ++ ++ Verify No forward Files Exist ++ {{{- oval_affected(products) }}} ++ If there are no related email forwarding scenarios, it is recommended to delete the .forward file. 
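Review bot: `namp` in the manual-check text is a typo for `nmap`, `netcat` is a connection tool rather than a sniffer, and `ethereal` is only the former name of wireshark, so the list does not match the title "network sniffing". Absence of a package is exactly what the existing `package_removed` template checks, so one templated rule per package (tcpdump, wireshark, nmap) would give an automated result instead of the "check it manually" text; if a single umbrella rule is kept, add an `ocil` stanza so the scanner at least emits the manual question. The rationale should also say why (a capture tool on a production host lets anyone who obtains a shell read cleartext traffic and credentials on the wire), not just that it is "no need to install".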
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /home ++ ^\.forward$ ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml +new file mode 100644 +index 0000000..318131a +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml +@@ -0,0 +1,17 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Verify No forward Files Exist' ++ ++description: |- ++ The .forward file can be configured with an email address, which ++ will be automatically forwarded to when users receive emails. If there are ++ no related email forwarding scenarios, it is recommended to delete the ++ .forward file. ++ ++rationale: |- ++ If there is a .forward file, it may cause user emails carrying ++ sensitive information to be automatically forwarded to high-risk mailboxes. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml +new file mode 100644 +index 0000000..b01dad4 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml +@@ -0,0 +1,27 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure the network interface is bound to the correct area' ++ ++description: |- ++ File access permission control is the basic permission management in Linux. Different users ++ are authorized to access different files, preventing the leakage of sensitive information ++ between users or the tampering of file data. 
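Review bot: The check only looks under `/home` (surviving path `/home`, pattern `^\.forward$`), so `/root/.forward` and any user whose home directory lives elsewhere are never examined; it is also not visible from the stripped XML whether the file object has `<behaviors recurse_direction="down" .../>`, and without recursion a `.forward` inside `/home/<user>/` would not match at all. Consider building the object from the home-directory field of `/etc/passwd`, or at least add `/root` as a second object. The element tags were lost in this rendering, so this is inferred from the surviving path and pattern.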
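Review bot: The rationale's "high-risk mailboxes" is vague; the concrete risk is forwarding to an external or uncontrolled mailbox, e.g. `Mail for the account, which may contain password resets and other sensitive notifications, is silently copied to an external mailbox the administrator does not control.` The description tells the admin to delete the file but the automated check in the previous hunk covers only `/home`, so the text should also tell the auditor to look at `/root` and at non-standard home directories.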
It can also prevent ordinary users from ++ unauthorized access to high-privilege files or configurations in the system. ++ ++ It is recommended to audit and monitor system calls that modify file permissions and file ++ owners in the operating system. If relevant auditing is not configured, if illegal ++ modification occurs, it will not be conducive to traceability. ++ ++ openEuler does not configure file access control permission audit rules by default. It is ++ recommended that users configure corresponding rules based on actual business scenarios. ++ ++

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ Configuring auditing, because audit logs need to be recorded when file permissions and owners ++ are modified, will have a slight impact on performance. However, since such operations should ++ not be performed frequently, it is actually not perceptible to users. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +index ebd52e2..2e7f907 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 + + title: 'Record Unsuccessful Access Attempts to Files - creat' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +index 3634935..cac6a0d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: 
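Review bot: `title: 'Ensure the network interface is bound to the correct area'` does not describe this rule, whose text is about auditing file permission and ownership changes; it looks pasted from another rule. The same mismatch appears in `audit_privilege_escalation_command/rule.yml` (`'Make sure to remove unnecessary file system mount support'`) and `configure_rsyslog_log_rotate/rule.yml` (`'Ensure that the iptables input and output association policies configuration is correct'`); suggested titles are `title: 'Record Events that Modify File Permissions and Ownership'`, `title: 'Record Execution of Privileged (SUID/SGID) Commands'` and `title: 'Ensure rsyslog Log Rotation is Configured'`. The `rationale` here is a performance caveat rather than a reason for the rule; the "if illegal modification occurs, it will not be conducive to traceability" sentence is the rationale and belongs in that key. Upstream already ships automated `audit_rules_dac_modification_*` rules for the chmod/chown family, so marking this one manual-only seems unnecessary.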
fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 + + title: 'Record Unsuccessful Access Attempts to Files - ftruncate' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +index 8d813fa..425ecb7 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 + + title: 'Record Unsuccessful Access Attempts to Files - open' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +index e8ec755..20b4d42 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 + + title: 'Record Unsuccessful Access Attempts to Files - openat' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml +new file mode 100644 +index 0000000..6cebb2c +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml +@@ -0,0 +1,25 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure to remove unnecessary file system mount support' ++ ++description: |- ++ Ordinary users can obtain super administrator privileges by calling privilege ++ escalation commands (with SUID/SGID set), so the use of privilege escalation ++ commands carries high risks and is often used by attackers to attack the system. ++ ++ It is recommended to audit and monitor privilege escalation commands to facilitate ++ traceability afterwards. ++ ++ openEuler does not configure audit rules for privilege escalation commands by ++ default. It is recommended that users configure corresponding rules based on actual ++ business scenarios. ++ ++rationale: |- ++ Configuring auditing requires audit logging when using privilege escalation ++ commands, which has a slight impact on performance. If the user business has ++ a large number of scenarios where privilege escalation commands are frequently ++ called, there may be a cumulative effect. 
++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml +new file mode 100644 +index 0000000..b70b4d9 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Audit rules for administrator privileged operations should be configured ++ ++ multi_platform_openeuler ++ ++ Configure audit rules for administrator privileged operations ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml +new file mode 100644 +index 0000000..8d548e5 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml +@@ -0,0 +1,27 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Audit rules for administrator privileged operations should be configured' ++ ++description: |- ++ ++ The sudo extraction command operation log in the openEuler system is recorded ++ in the /var/log/secure log file by default. Other authentication-related security ++ logs are also recorded in this file. If the user wants to audit the sudo extraction ++ command, it is recommended that the sudo related logs be Record separately and ++ output to /var/log/sudo.log, and then audit and monitor the sudo log file. Sudo ++ privilege escalation is a high-risk operation and is relatively common in attacks. It ++ is recommended to configure audit rules for later tracing. 
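Review bot: The rule is marked manual-only although upstream's `audit_rules_privileged_commands` already generates a per-binary `-F path=... -F perm=x` watch for every SUID/SGID program with OVAL and remediation; adding `openeuler2203` to that rule's prodtype would replace this unchecked one. The rationale again describes only the performance cost; the "often used by attackers ... facilitate traceability afterwards" sentences in the description are the actual rationale and should move into that key. The title mismatch is covered in the note on `audit_rules_successful_file_modification`.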
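Review bot: The pattern `^\-w[\s]+sudo\.log[\s]+\-p...` only matches a watch whose path is literally `sudo.log`; the rule.yml in the next hunk tells the admin to log to `/var/log/sudo.log`, and a correct `-w /var/log/sudo.log -p wa -k sudo_log` line fails the check because the anchor forbids anything between `-w` and `sudo.log`. Change the prefix to `^\-w[\s]+/var/log/sudo\.log[\s]+\-p...` (or `\S*sudo\.log` if relative paths must be tolerated). The check also reads only `/etc/audit/audit.rules`; when auditd is started through augenrules that file is regenerated from `/etc/audit/rules.d/*.rules`, so a rule present only in rules.d is reported as missing — the other audit checks in this repository test both locations.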
++ ++ openEuler does not configure audit rules for administrator privileged operations ++ by default. It is recommended that users configure corresponding rules based on ++ actual business scenarios. ++ ++rationale: |- ++ Configure auditing. Since audit logging is required for any sudo privilege escalation ++ operation, it will have a slight impact on performance. If there are a large number ++ of frequent sudo operations in the user's business scenario, the impact on performance ++ will have a cumulative effect. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml +new file mode 100644 +index 0000000..bf0b651 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ auditd data retention admin space left ++ ++ multi_platform_openeuler ++ ++ auditd data retention admin space left. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml +new file mode 100644 +index 0000000..2c9273d +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml +@@ -0,0 +1,56 @@ ++documentation_complete: true ++ ++title: 'Configure auditd admin_space_left on Low Disk Space' ++ ++description: |- ++ The auditd service can be configured to take an action ++ when disk space is running low but prior to running out of space completely. 
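Review bot: The description tells the reader to send sudo logs to `/var/log/sudo.log` but never says how, and the OVAL in the previous hunk only passes once that file is watched; name the setting the check depends on, e.g. `Defaults logfile=/var/log/sudo.log` in `/etc/sudoers` or a drop-in under `/etc/sudoers.d/`. "sudo extraction command" appears to be a mistranslation of "sudo privilege escalation", and "be Record separately" should be "be recorded separately". The rationale again describes only the performance impact; the "high-risk operation ... relatively common in attacks ... later tracing" sentence is the rationale.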
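Review bot: `^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$` requires at least one space on both sides of `=`, so `admin_space_left=50`, which auditd.conf accepts, fails the check; use `[\s]*=[\s]*` as the other auditd.conf patterns in this repository do. The pattern only asserts that some number is present, not that it is a usable threshold, and the rule.yml that accompanies it (next hunk) is about `admin_space_left_action`, so the text and the scan result disagree; either compare the captured group against an XCCDF variable or make the rule id, description and check agree on which key is being tested.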
++ Edit the file /etc/audit/auditd.conf. Add or modify the following line, ++ substituting ACTION appropriately: ++
admin_space_left_action = ACTION
++ Set this value to single to cause the system to switch to single user ++ mode for corrective action. Acceptable values also include suspend and ++ halt. For certain systems, the need for availability ++ outweighs the need to log all actions, and a different setting should be ++ determined. Details regarding all possible values for ACTION are described in the ++ auditd.conf man page. ++ ++rationale: |- ++ Administrators should be made aware of an inability to record ++ audit records. If a separate partition or logical volume of adequate size ++ is used, running low on space for audit records should never occur. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel6: 27239-3 ++ cce@rhel7: 27370-6 ++ cce@rhel8: 80679-4 ++ cce@ocp4: 82677-6 ++ ++references: ++ stigid@rhel6: "000163" ++ srg@rhel6: SRG-OS-999999 ++ cis: 5.2.1.2 ++ cjis: 5.4.1.1 ++ cui: 3.3.1 ++ disa: 140,1343 ++ hipaa: 164.312(a)(2)(ii) ++ iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 ++ nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) ++ nist-csf: DE.AE-3,DE.AE-5,PR.DS-4,PR.PT-1,RS.AN-1,RS.AN-4 ++ pcidss: Req-10.7 ++ stigid@rhel7: "030340" ++ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 7.1,SR 7.2' ++ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 ++ cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 ++ cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 ++ ++ocil_clause: 'the system is not configured to switch to single user mode for corrective action' ++ ++ocil: |- ++ Inspect /etc/audit/auditd.conf and locate the following line to ++ determine if the system is configured to either suspend, switch to single user mode, ++ or halt when disk space has run low: ++
admin_space_left_action single
++ +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +index cb1ff1d..080e1ee 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 + + title: 'Configure auditd space_left on Low Disk Space' + +diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +index 2c17ee1..0f4cdf0 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon' + +diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +index 36f3200..34ca8aa 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8 ++prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,openeuler2203 + + title: 'Extend Audit Backlog Limit for the Audit Daemon' + +diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml 
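Review bot: This rule.yml describes and checks `admin_space_left_action` (`admin_space_left_action = ACTION`, ocil `admin_space_left_action single`) while the OVAL in the previous hunk tests the numeric `admin_space_left` key, so the guidance and the scan result do not match. It also lacks the `prodtype: openeuler2203` line every other new rule has, so it may be built into all products, and its `identifiers` block carries CCEs for rhel6/rhel7/rhel8/ocp4 that appear to be copied from the existing `auditd_data_retention_admin_space_left_action` rule; CCE ids must be unique per rule, so drop them and the rhel/ocp-specific `references`, and add the prodtype.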
b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml +new file mode 100644 +index 0000000..1e95b34 +--- /dev/null ++++ b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Make sure rsyslog dump journald log is configured ++ ++ multi_platform_openeuler ++ ++ Configure rsyslog dump journald log. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^[^#]*imjournal ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml +new file mode 100644 +index 0000000..7247e27 +--- /dev/null ++++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure rsyslog dump journald log is configured' ++ ++description: |- ++ ++ The system uses journald to collect logs. The logs may be stored on ++ volatile storage devices or on persistent storage devices. If there ++ are problems such as log loss or logs filling up the disk, the logs ++ must be dumped in a timely manner to ensure that the logs are more ++ consistent with the system. Safety. ++ ++rationale: |- ++ If there is a volatile storage device for the log, failure to dump ++ the log in time may result in log loss. If there is a persistent ++ storage device, the amount of logs may be very large. If the logs ++ are not dumped in time, the logs may fill up the current partition, ++ causing the risk of other processes or system failures. 
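Review bot: `^[^#]*imjournal` is satisfied by any non-comment line containing the substring, not only by the module load; stock rsyslog.conf files on related distributions carry `$IMJournalStateFile imjournal`, which would pass this check even with the `$ModLoad imjournal` line commented out (confirm whether openEuler's default has the same line). Anchor on the load directive instead, e.g. `^[\s]*(\$ModLoad[\s]+imjournal|module\(load="imjournal")`, and consider `/etc/rsyslog.d/*.conf` too since that is where module loads are commonly placed. Tags were stripped from this rendering; the comment is based on the surviving path and pattern.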
++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml +new file mode 100644 +index 0000000..16c62e7 +--- /dev/null ++++ b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the account is forced to change the password when logging in for the first time' ++ ++description: |- ++ Passwords that are not set by users themselves, such as passwords reset by ++ administrators, if not modified in a timely manner in the business environment, ++ can easily cause low-cost attacks. Therefore, users are required to forcibly change ++ their passwords when logging in to their accounts for the first time. Except for ++ the root password. ++ ++
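Review bot: "to ensure that the logs are more consistent with the system. Safety." is garbled; presumably "to keep the log complete and the system safe". The rule never says what "dump" means operationally, while the check in the previous hunk looks for rsyslog's `imjournal` module, so the description should state that journald messages are forwarded to rsyslog through `imjournal` and persisted under `/var/log`; the rationale's volatile/persistent distinction would be clearer if it named `/run/log/journal` and `/var/log/journal`.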

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ none. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml +new file mode 100644 +index 0000000..4257677 +--- /dev/null ++++ b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml +@@ -0,0 +1,45 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the iptables input and output association policies configuration is correct' ++ ++description: |- ++ rsyslog is responsible for collecting log records from the system into files, and logrotate ++ is responsible for regularly or quantitatively copying and compressing log files to ensure ++ that excessive hard disk resources are not occupied due to excessive log file size, or that ++ the log files are even unmaintainable. ++ ++ If the rotate policy is not configured, the log file will continue to grow, which may ++ eventually lead to the exhaustion of space on the hard disk partition where the log is ++ located, which may affect log recording at best, or may cause the system and business to be ++ unable to continue to execute normally. ++ ++ By default, openEuler has configured the rsyslog rotate policy in the /etc/logrotate.d/rsyslog ++ file as follows:. ++ ++ rotate log file: ++ /var/log/cron ++ ++ /var/log/maillog ++ ++ /var/log/messages ++ ++ /var/log/secure ++ ++ /var/log/spooler ++ ++ The maximum retention period of log files is 365 days; ++ ++ A maximum of 30 log files can be retained; ++ ++ Log files are retained in a compressed manner; ++ ++ The log file reaches 4MB, perform rotate operation. ++ ++
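Review bot: `rationale: |-` / `none.` leaves the rule without a rationale although the risk is already stated in the description ("can easily cause low-cost attacks"); move it: `rationale: |-` / `  A password set by an administrator is known to at least one other person; forcing a change at first login limits the window in which that shared initial password can be used.` The same `none.` placeholder is in `configure_rsyslog_log_rotate/rule.yml` and `warning_banners_contain_reasonable_information/rule.yml`, where the closing paragraph of each description is likewise the rationale. The check need not be manual: an account flagged for forced change has a last-change field of 0 in `/etc/shadow` (`chage -d 0`), which an OVAL textfilecontent check can test, so the "check it manually" text is avoidable.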

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ none. ++ ++severity: high +diff --git a/linux_os/guide/system/logging/configure_service_logging/rule.yml b/linux_os/guide/system/logging/configure_service_logging/rule.yml +new file mode 100644 +index 0000000..c15d25b +--- /dev/null ++++ b/linux_os/guide/system/logging/configure_service_logging/rule.yml +@@ -0,0 +1,21 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Each service logging should be configured correctly' ++ ++description: |- ++ Configure logging so that important system behaviors and security-related information will ++ be recorded using rsyslog. The configuration files /etc/rsyslog.conf and /etc/rsyslog.d/*.conf ++ can specify logging rules and which files will be used to record specific types of logs. ++ ++ If logging is not configured, system behavior cannot be recorded, and problem location and ++ auditing cannot be performed when problems occur. ++ ++

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ After logging is configured, if the logs are not cleared in time, the logs may fill up the current partition, causing the ++ risk of other processes or system failures. ++ ++severity: low +diff --git a/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml +new file mode 100644 +index 0000000..b235f0e +--- /dev/null ++++ b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml +@@ -0,0 +1,35 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Prevent root users from accessing the system locally' ++ ++description: |- ++ Root is a super-privileged user in a Linux system and has access to all ++ Linux system resources. If you are allowed to directly use the root account ++ to log in to the Linux system to operate the system, it will bring many ++ potential security risks. In order to avoid the risks caused by this, it ++ should be prohibited to directly use the root account to log in to the ++ operating system, and only use other technologies when necessary. Methods ++ (such as: sudo or su) indirectly use the root account. ++ ++ Since the root account has the highest authority, logging in directly with ++ root has the following risks: ++ ++ High-risk misoperations may directly cause server paralysis, such as accidentally ++ deleting or modifying key system files; ++ ++ If multiple people need root privileges to operate, the root password will be ++ kept by multiple people, which can easily lead to password leakage and increase ++ password maintenance costs. ++ ++ openEuler is not configured by default. If there is no need to log in locally using ++ the root account in actual scenarios, it is recommended to disable local login ++ with the root account. ++ ++
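Review bot: The rationale ("if the logs are not cleared in time, the logs may fill up the current partition") argues for log rotation, not for configuring service logging, and contradicts the description's own point that unlogged behaviour cannot be audited; use that instead: `rationale: |-` / `  Without per-service logging rules, security-relevant events are not recorded and cannot be used for incident investigation or audit.` Since the description already names `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf`, an `ocil` stanza listing which facilities the auditor should expect to see routed to files would make the manual check actionable.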

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ The root account cannot access the system locally. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +index a78cd69..3bd9887 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +@@ -9,6 +9,7 @@ + multi_platform_ol + multi_platform_rhel + multi_platform_ubuntu ++ multi_platform_openeuler + + File permissions for all syslog log files should be set correctly. + +diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml +new file mode 100644 +index 0000000..63bce75 +--- /dev/null ++++ b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Ensure that system authentication related event logs are recorded ++ ++ multi_platform_openeuler ++ ++ Configure the System to Record Authentication-related Event. 
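Review bot: The directory name `diasable_root_accessing_system` is misspelled (`disable`), and because the rule id is derived from the directory name this typo becomes the permanent XCCDF id; rename before merging. The rationale "The root account cannot access the system locally." merely restates the title; the "High-risk misoperations ... password leakage" paragraphs in the description are the actual rationale and should move there. The rule also sits under `system/logging`, which is unrelated, and upstream's `no_direct_root_logins` and `securetty_root_login_console_only` rules under `accounts-restrictions/root_logins` already check this via `/etc/securetty`, so the manual-only marker may be unnecessary.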
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^[^#]*auth ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml +new file mode 100644 +index 0000000..1a52982 +--- /dev/null ++++ b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml +@@ -0,0 +1,24 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that system authentication related event logs are recorded' ++ ++description: |- ++ ++ Events related to system authentication must be recorded to help ++ analyze user logins, use of root privileges, and monitor suspicious ++ system actions. ++ Failure to record system authentication-related event logs will ++ result in the inability to analyze suspicious attack actions from ++ the logs, such as login actions performed by attackers trying to ++ guess administrator passwords. ++ ++rationale: |- ++ If there is a volatile storage device for the log, failure to ++ dump the log in time may result in log loss. If there is a persistent ++ storage device, the amount of logs may be very large. If the logs ++ are not dumped in time, the logs may fill up the current partition, ++ causing the risk of other processes or system failures. 
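Review bot: `^[^#]*auth` on `/etc/rsyslog.conf` is satisfied by the stock `*.info;mail.none;authpriv.none;cron.none /var/log/messages` selector, which explicitly excludes authentication messages, so a host whose `authpriv.* /var/log/secure` rule has been removed still passes. Anchor the pattern on a selector that routes the facility to a destination, e.g. `^[\s]*\S*authpriv\.\S+[\s]+-?/\S+`, and consider `/etc/rsyslog.d/*.conf` as well, since includes are the normal place for such rules. Tags were stripped from this rendering; the comment is based on the surviving path and pattern.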
++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml +index 22307d4..c3e2752 100644 +--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml ++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml +@@ -10,6 +10,7 @@ + multi_platform_rhel + multi_platform_ubuntu + multi_platform_wrlinux ++ multi_platform_openeuler + + Syslog logs should be sent to a remote loghost + +diff --git a/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml +new file mode 100644 +index 0000000..d5d2335 +--- /dev/null ++++ b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml +@@ -0,0 +1,28 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure Warning Banners contain reasonable information' ++ ++description: |- ++ Warning Banners include warning information added to the system login ++ interface, which identifies the system's security warnings for all ++ users who log in to the system. Security warnings can include the ++ organization to which the system belongs, monitoring or recording of ++ login behaviors, and unauthorized logins based on business scenarios. Or ++ the legal sanctions that will be imposed upon intrusion. Inappropriate ++ security warning information may increase the risk of system attacks ++ or violate local laws and regulations. ++ ++ Warning Banners should not expose the system version, application server ++ type, functions, etc. to users to prevent attackers from obtaining system ++ information and carrying out attacks. 
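Review bot: The rationale is pasted from `configure_dump_journald_log/rule.yml` ("volatile storage device ... dump the log in time") and has nothing to do with recording authentication events; the description's second paragraph ("Failure to record ... inability to analyze suspicious attack actions ... guess administrator passwords") is the rationale and should move there. Also state where these events go by default — the `authpriv` facility, written to `/var/log/secure` according to the sudo audit rule in this same patch — so the reader can relate the text to the OVAL check in the previous hunk.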
In addition to this, file ownership ++ needs to be configured correctly, otherwise unauthorized users may modify ++ files with incorrect or misleading information. ++ ++

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ none. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..278556e +--- /dev/null ++++ b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the iptables input and output association policies configuration is correct' ++ ++description: |- ++ Although it is possible to configure packet policies for incoming and outgoing servers to the ++ Input and OUTPUT chains by configuring protocols, IP, and ports, in some cases it may be more ++ complex. For example, if the client accesses the server through a certain port, the server may ++ not necessarily return the response packet from the original port, and may use a random source ++ port. In this case, it is difficult to configure accurate policies through the sport parameter. ++ ++ At this point, it is necessary to consider using association links to configure the strategy. ++ If an outgoing message belongs to an existing network link, it will be directly released; If a ++ received message belongs to an existing network link, it is also directly released. Because ++ these existing links must have been filtered and checked by other policies, otherwise they cannot ++ be established. ++ ++
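Review bot: "unauthorized logins based on business scenarios. Or the legal sanctions that will be imposed upon intrusion" is a broken sentence; presumably "a statement that unauthorized access is prohibited and the legal consequences of intrusion". The final paragraph about file ownership duplicates what upstream's `file_permissions_etc_issue`-style rules already check automatically, so either reference those or keep this rule to the content of the banner. The `rationale: none.` placeholder is covered in the note on `configure_first_logging_change_password`.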

It can not be scanned automatically, please check it manually.

++

Check if the input and output chains are configured with associated policies.

++ ++ ++rationale: |- ++ If the policy is not configured through associated links, it is necessary to analyze all possible ++ link situations and configure corresponding policies. If the configuration is too loose, it may ++ cause security risks, and if the configuration is too strict, it may cause business interruption. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..0f7e91a +--- /dev/null ++++ b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml +@@ -0,0 +1,27 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the iptables input policy configuration is correct' ++ ++description: |- ++ The function of the Input chain is to filter packets received from external sources. Any ++ externally provided service requires configuring the corresponding Input policy and opening ++ the relevant port, so that external clients can access the service through that port. ++ ++
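Review bot: All four new iptables rule directories end in `_configured_corrently` (this one plus `iptables_input_...`, `iptables_loopback_...` and `iptables_output_...`), so the misspelling becomes the XCCDF rule id; rename to `_configured_correctly` before merging. The description never names the mechanism it describes: "association links" is conntrack state matching, so say once `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` on `INPUT` and `OUTPUT` so the auditor knows which rule to look for; "released" should be "accepted" and `Input`/`OUTPUT` should be written consistently as chain names. Since the manual check amounts to inspecting the ruleset, an OVAL check over saved rules is feasible but not required for this change.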

It can not be scanned automatically, please check it manually.

++

Check if the policy configured for the input chain meets business needs.

++ ++ ++rationale: |- ++ If not configured, all external attempts to access related services will be discarded due to ++ the default policy configuration being DROP. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..9d8bafe +--- /dev/null ++++ b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the iptables loopback policy configuration is correct' ++ ++description: |- ++ The loopback address is a special address on the server, represented by 127.0.0.0/8,which is ++ not related to the network card and is mainly used for communication between local processes. ++ Messages with a source address of 127.0.0.0/8 should not be received from the network card, ++ and such messages should be discarded. ++ ++
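Review bot: The rationale states that unmatched traffic is discarded 'due to the default policy configuration being DROP', but nothing visible in this patch establishes a default DROP policy for the iptables INPUT chain (the nftables side gets `nftables_configure_default_deny_policy`; there is no iptables counterpart in view), so the rationale presupposes configuration the guide never asks for. Either add a matching iptables default-deny rule or reword to `If no INPUT policy is configured and the chain's default policy is DROP, all external access to the service is discarded.`; the same wording problem is in the OUTPUT rule's rationale. The description also writes the chain as `Input` while iptables names it `INPUT`.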

It can not be scanned automatically, please check it manually.

++

Check if the loopback address policy has been correctly configured.

++ ++ ++rationale: |- ++ If the loopback address policy is not set correctly, it may cause communication failure between ++ local processes or receive spoofing messages from the network card. The server needs to set ++ policies that allow receiving and processing loopback address messages from the lo interface, ++ but reject messages received from the network card. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..c10cd44 +--- /dev/null ++++ b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml +@@ -0,0 +1,28 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the iptables output policy configuration is correct' ++ ++description: |- ++ There are two main situations for server outgoing messages: one is when the host process ++ actively connects to an external server, such as HTTP access, or sends data to a log server, ++ etc.; the other is when the host process accesses the local service externally and the local ++ machine responds to the message. ++ ++
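Review bot: The description's `127.0.0.0/8,which` is missing a space, and 'Messages' is used throughout where iptables filters packets. More substantively, the rule only covers the IPv4 loopback range; if IPv6 is enabled the same spoofing concern applies to `::1` arriving on a non-lo interface, so the check should either mention the ip6tables equivalent or state explicitly that IPv6 is out of scope.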

It can not be scanned automatically, please check it manually.

++

Check if the policy configured for the output chain meets business needs.

++ ++ ++rationale: |- ++ If the OUTPUT policy is not configured, all outgoing messages from the server will be discarded ++ due to the default policy being DROP. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +index bbea345..19cc6f5 100644 +--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml ++++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Deactivate Wireless Network Interfaces' + +diff --git a/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml +new file mode 100644 +index 0000000..ee66dd7 +--- /dev/null ++++ b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml +@@ -0,0 +1,26 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure the network interface is bound to the correct area' ++ ++description: |- ++ Different firewall regions can develop different filtering strategies. If the server network ++ is complex and has multiple interfaces, and different interfaces undertake different business ++ functions, it is recommended to configure the interfaces to different regions and develop ++ different firewall strategies. For example, the external network business interface does not ++ allow SSH access, while the internal network management interface can open SSH access. ++ ++

It can not be scanned automatically, please check it manually.

++

Check the interface configuration of each region:

++ ++ ++rationale: |- ++ If all interfaces are configured in one area, firewall policies are not conducive to configuring ++ different interfaces differently, increasing management complexity, and reducing the filtering ++ efficiency of firewall security protection. Due to configuration issues, messages that should ++ not be received may not be rejected or discarded. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/group.yml b/linux_os/guide/system/network/network_nftables/group.yml +new file mode 100644 +index 0000000..68ecddd +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/group.yml +@@ -0,0 +1,12 @@ ++documentation_complete: true ++ ++title: 'nftables' ++ ++description: |- ++ nftables is a subsystem of the Linux kernel that provides filtering ++ and classification of network packets. nftables replaces the iptables ++ part of Netfilter. Compared with iptables, nftable is easier to extend ++ to new protocols, and nftables will replace iptables in the future. ++ In addition, nftables is different from firewalld and iptables. The ++ operating system does not configure any policies by default and ++ requires manual configuration by the administrator. 
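Review bot: As rendered here the description ends with `Check the interface configuration of each region:` and nothing follows the colon, so either the intended command or example was lost or the sentence is unfinished; it should be completed or moved into an `ocil` entry. The text appears to describe firewalld zones but calls them 'regions' and 'areas' interchangeably; using the tool's own term (`Ensure each network interface is bound to the correct firewalld zone`) makes the rule findable by administrators who know firewalld.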
+\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..73b0e5e +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml +@@ -0,0 +1,32 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Configure nftables input strategy' ++ ++description: |- ++ Although you can configure the policy of packets in and out of the server to ++ the input and output chains by configuring the protocol, IP and port, etc, ++ it is more complicated in some cases. For example, the client accesses the ++ server through a certain port, but when the server returns a response message ++ It does not necessarily return from the original port, but may use a random ++ source port. In this case, it is difficult to configure an accurate policy ++ through the sport parameter. ++ ++ At this time, you need to consider using the associated link method to configure ++ the policy. If an outgoing packet belongs to an existing network link, it is ++ directly allowed; if a received packet belongs to an existing network link, it ++ is also directly allowed. Because these existing links must have been filtered ++ and checked by other policies, otherwise they cannot be established. ++ ++ If you do not configure policies through associated links, you need to analyze ++ all possible link situations and configure corresponding policies. If the ++ configuration is too loose, it may lead to security risks. If the configuration ++ is too strict, it may cause business interruption.lll ++ ++
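Review bot: The group description has `nftable is easier to extend` (missing s), and the claim that 'nftables will replace iptables in the future' is time-bound and will read oddly once the guide ages; `nftables is the successor to iptables` says the same thing durably. The last sentence matters operationally and deserves emphasis: because no policy is configured by default, enabling the `nftables` service without a ruleset gives no filtering at all.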

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ none. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml +new file mode 100644 +index 0000000..9a95f50 +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml +@@ -0,0 +1,24 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Configure nftables default deny policy' ++ ++description: |- ++ From a security perspective, the nftables basic chain is similar to ++ iptables. (Input, output, forward) you need to configure the rejection ++ policy for all packets, and then add the allow policy to the basic ++ chain to open related services and ports. ++ ++ If the basic chain is not configured, or the hook rules of the basic ++ chain are not specified, the packet will not be captured by nftables, ++ and filtering will not be possible. ++ ++
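Review bot: The title `Configure nftables input strategy` is copied from the input rule and does not describe this rule, which is about accepting packets that belong to an established connection; `Configure nftables established-connection (conntrack) policy` would match the directory name. The description ends with a stray `interruption.lll`, and its last paragraph ('If you do not configure policies through associated links ...') is the rationale, yet `rationale:` is set to `none.` — move that paragraph under `rationale:`. The same `rationale: none.` placeholder appears in `nftables_input_policy_configured_corrently`, `nftables_loopback_policy_configured_corrently`, `nftables_output_policy_configured_corrently`, `define_ld_lib_path_correctly`, `define_path_strictly`, `no_files_globally_writable_files`, `partitions_manage_hard_drive_data`, `partitions_mounted_nodev_mode` and `partitions_mounted_nosuid_mode`; in each case the description already contains the sentence that belongs there.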

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ If the basic chain is not configured with a DROP or REJECT policy, the ++ packets will be ACCEPT by default, which may easily lead to security ++ risks due to omission of the rejection policy. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..a1fb377 +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml +@@ -0,0 +1,21 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Configure nftables input strategy' ++ ++description: |- ++ The function of the input chain is to filter messages received from the ++ outside. Any externally provided service needs to configure the ++ corresponding input policy and open the relevant port so that external ++ clients can access the service through the port. ++ ++ If not configured, since the default policy is configured as DROP, all ++ external packets trying to access related services will be dropped. ++ ++
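Review bot: The sentence `From a security perspective, the nftables basic chain is similar to iptables. (Input, output, forward) you need to configure the rejection policy ...` is garbled; the parenthetical should name the chains being described, e.g. `Each base chain (input, output, forward) must carry a drop or reject policy, with allow rules added above it for the services and ports that are exposed.` The second paragraph makes a point the rationale does not repeat: a base chain without a hook is never consulted, so 'no chain defined' is the same as 'accept everything', and stating that in the rationale gives the evaluator the failure condition to look for.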

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ none. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..c71aabe +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml +@@ -0,0 +1,23 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Configure nftables loopback policy' ++ ++description: |- ++ The loopback address is a special address on the server, represented by 127.0.0.0/8. It ++ has nothing to do with the network card. It is mainly used for inter-process communication ++ on this machine. Packets with the source address 127.0.0.0/8 should not be received from ++ the network card. Such messages should be discarded. If the loopback address policy is ++ set incorrectly, inter-process communication on the local machine may fail, or spoofed ++ packets may be received from the network card. ++ ++ The server needs to set a policy to allow receiving and processing the loopback address ++ packets of the lo interface, but reject the packets received from the network card. ++ ++

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ none. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..b3a795f +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Configure nftables input strategy' ++ ++description: |- ++ There are two main situations when the server sends outbound messages. One ++ is when the host process actively connects to an external server, such as ++ http access, or sends outgoing data to a log server, etc. The other is when ++ the host process externally accesses local services and the local machine ++ responds arts. ++ ++ If no output policy is configured, all outgoing packets from the server will ++ be discarded because the default policy is DROP. ++ ++

It can not be scanned automatically, please check it manually.

++
++rationale: |-
++ none.
++
++severity: low
+\ No newline at end of file
+diff --git a/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
+new file mode 100644
+index 0000000..ddc0939
+--- /dev/null
++++ b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
+@@ -0,0 +1,22 @@
++documentation_complete: true
++
++prodtype: openeuler2203
++
++title: 'Verify nftables Enabled'
++
++description: '{{{ describe_service_enable(service="docker") }}}'
++
++rationale: |-
++ If multiple firewall services are enabled, business
++ interruption may occur due to inconsistent policy configurations.
++
++severity: low
++
++ocil: '{{{ ocil_service_enabled(service="nftables") }}}'
++
++platform: machine
++
++template:
++ name: service_enabled
++ vars:
++ servicename: nftables
+\ No newline at end of file
+diff --git a/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
+new file mode 100644
+index 0000000..b5a1142
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
+@@ -0,0 +1,25 @@
++documentation_complete: true
++
++prodtype: openeuler2203
++
++title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly'
++
++description: |-
++ LD_LIBRARY_PATH is a Linux environment variable. When a program loads a
++ dynamic link library, it will first obtain it from the path specified by
++ this environment variable. Normally, this environment variable should
++ not be set. If it is maliciously set to an incorrect value, the program
++ may be linked to an incorrect dynamic library when running, resulting in
++ security risks. Note: The configuration in /etc/ld.so.conf.d will also
++ affect dynamic library loading, so you need to ensure correct configuration.
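Review bot: The title `Configure nftables input strategy` is wrong for this rule; it should read `Configure nftables output policy` to match the directory name and the description. The description's `the local machine responds arts.` is garbled (the iptables counterpart has `the local machine responds to the message`). Its second paragraph is the rationale and should move under `rationale:` instead of `none.`.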
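Review bot: `description: '{{{ describe_service_enable(service="docker") }}}'` names the wrong service: the rendered guidance will tell the administrator to enable docker, while the OCIL and the template both check `nftables`. Change it to `description: '{{{ describe_service_enable(service="nftables") }}}'`. The rationale ('If multiple firewall services are enabled, business interruption may occur') argues for disabling the other firewall services rather than for enabling this one, and that tension is worth spelling out: firewalld also drives nftables, so a profile that enables both the `nftables` service and firewalld has two managers writing rulesets, and the rule should state which one openEuler 22.03 is expected to use.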
++ ++ openEuler does not set this variable by default. According to the actual ++ scenario, if LD_LIBRARY_PATH must be set, you need to ensure that the ++ value is correct in all user contexts. ++ ++

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ none. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml +new file mode 100644 +index 0000000..68adae3 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly' ++ ++description: |- ++ The PATH variable under Linux defines the search path for executable files ++ in the current user context. For example, if the user uses the ls command ++ in any directory, the system will search for the ls command in the directory ++ specified by the PATH variable and execute it after finding it. The PATH ++ variable in all user contexts cannot contain the current directory "." .The ++ directory must be a path that actually exists in the file system and meets ++ the design expectations of the system. The correct PATH value can effectively ++ prevent system commands from being replaced by malicious instructions and ++ ensure that system commands can be executed safely. ++ ++ So the PATH variable should be defined to the correct value, and the openEuler ++ system default setting is: ++ ++ /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin ++ ++ PATH can be modified according to the actual scenario, but be sure to make sure ++ it is correct. ++ ++
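Review bot: The description says the value must be correct 'in all user contexts' but never says where those contexts are defined, so an evaluator doing the manual check has no list to work from; naming the system-wide shell startup files (`/etc/profile`, `/etc/profile.d/*`, `/etc/bashrc`) and the per-user equivalents, plus `/etc/environment` and `Environment=` lines in systemd units where services are concerned, would make the check repeatable. `rationale: none.` should carry the 'maliciously set ... linked to an incorrect dynamic library' sentence from the description.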

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ none. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml +new file mode 100644 +index 0000000..e4fa75f +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Disallow globally writable files' ++ ++description: |- ++ Globally writable means that all users can write to the file, but usually this ++ permission is not necessary. If a file is unreasonably set with globally writable ++ permissions, it can easily be tampered with by attackers, leading to security risks. ++ Therefore, if the file must have globally writable permissions, the security risks ++ need to be analyzed based on actual scenarios to ensure that attackers cannot use ++ this file to carry out attacks. ++ ++ You can search for globally writable files in the root directory. The exceptions ++ are: There are a large number of globally writable files in the two system directories ++ "/sys" and "/proc" when Linux is running, so these two should be excluded when checking ++ directory to avoid confusion. ++ ++
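Review bot: The title `Make sure the LD_LIBRARY_PATH variable is defined correctly` is copied from the previous rule; this rule is about PATH and the title should say so (`Make sure the PATH variable is defined strictly`). The description forbids `.` in PATH but should also say that an empty element (a leading or trailing `:` or a `::`) is treated as the current directory by the shell, since that is the form the mistake usually takes: `The PATH value must not contain "." or an empty element (leading, trailing or doubled ":"), which the shell also treats as the current directory.`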

It can not be scanned automatically, please check it manually.

++

Check globally writable files(directories "/sys" and "/proc" have been excluded).

++ ++ ++rationale: |- ++ none. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml +new file mode 100644 +index 0000000..a80fe6a +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml +@@ -0,0 +1,28 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Hard drive data should be managed in partitions' ++ ++description: |- ++ When installing the operating system, the operating system data and business data ++ partitions should be managed according to the characteristics of the actual scenario ++ to avoid placing all data on one hard disk or partition. Proper planning of hard disk ++ partitions can avoid or reduce the following risks: ++ ++ The log file is too large, causing the business or system data disk to become full; ++ The home directory of ordinary accounts is too large, causing the system or business disk to become full; ++ The system partition is not independent, causing the basic service of the operating system to fail when the disk is full, causing a full-scale DOS attack; ++ It is not conducive to minimizing permissions and encrypting data disks; ++ It is not conducive to system or data recovery after the disk is damaged. ++ ++ As a general operating system, openEuler installs separate partitions "/boot, /tmp, ++ /home, /" by default. It is recommended to determine the partition mounting and size ++ of other directories based on the actual scenario. ++ ++
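Review bot: This rule overlaps the guide's existing world-writable-file rule (`file_permissions_unauthorized_world_writable`), which already has an automated check; if the openEuler profile needs a manual variant it should say why, otherwise adding `openeuler2203` to the existing rule's prodtype is simpler and gives a scannable result. The line `Check globally writable files(directories "/sys" and "/proc" have been excluded)` is check guidance and would be more useful as an `ocil` entry with the actual search, and the repeated word in the directory name `no_files_globally_writable_files` looks unintended.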

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ none. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml +new file mode 100644 +index 0000000..86766f1 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml +@@ -0,0 +1,48 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Partitions that do not need to be mounted are mounted in nodev mode' ++ ++description: |- ++ nodev means that device files are not allowed to be mounted, which is used ++ to reduce the attack surface and increase security. When the directory is ++ mounted, if the nodev option is set, all block devices, character devices ++ and other device files in the directory will be parsed into ordinary files ++ and cannot be operated on device files. If nodev is not set when mounting, ++ it will lead to security risks. For example, an attacker creates a file system ++ on the USB flash drive and creates a block device file in it (his own USB flash ++ drive, with corresponding permissions), and this block The device actually ++ points to the server hard disk or partition such as /dev/sda. If an attacker ++ has the opportunity to insert a USB flash drive into the server and the server ++ loads the USB flash drive, the attacker can access the corresponding file through ++ this block device file. Hard drive data. If the U disk in the above case is changed ++ to another hard disk or partition, a similar problem will exist. As long as there ++ is a maliciously constructed device file on the hard disk or partition, an attack ++ can be formed. 
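Review bot: `causing a full-scale DOS attack` should read `denial of service (DoS)`; a full disk is a failure condition, not an attack, and the sentence currently says the condition causes an attack. The guide already has per-directory separate-partition rules (`partition_for_tmp`, `partition_for_home`, `partition_for_var_log`) with automated checks, so this manual rule would be clearer if it stated that it covers the planning step only and pointed to those rules for the individual mount points.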
++ ++ The following directories are mounted by nodev by default in the openEuler system: ++ ++ /sys、/proc、/sys/kernel/security、/dev/shm、/run、/sys/fs/cgroup、/sys/fs/cgroup/systemd、 ++ /sys/fs/pstore、/sys/fs/bpf、/sys/fs/cgroup/files、/sys/fs/cgroup/net_cls,net_prio、 ++ /sys/fs/cgroup/devices、/sys/fs/cgroup/freezer、/sys/fs/cgroup/cpu,cpuacct、/sys/fs/cgroup/perf_event、 ++ /sys/fs/cgroup/pids、/sys/fs/cgroup/hugetlb、/sys/fs/cgroup/memory、/sys/fs/cgroup/blkio、 ++ /sys/fs/cgroup/cpuset、/sys/fs/cgroup/rdma、/sys/kernel/config、/sys/kernel/debug、/dev/mqueue、 ++ /tmp、/run/user/0 ++ ++ openEuler has the following directories (some directories vary depending on hard disk partitions ++ and deployment platforms). These directories are not mounted by nodev by default: ++ ++ /dev、/dev/pts、/、/sys/fs/selinux、/proc/sys/fs/binfmt_misc、/dev/hugepages、/boot、 ++ /var/lib/nfs/rpc_pipefs、/boot/efi、/home ++ ++ In actual scenarios, based on business needs, the nodev method is used to mount partitions ++ that do not require device mounting. ++ ++

It can not be scanned automatically, please check it manually.

++ ++ ++rationale: |- ++ none. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml +new file mode 100644 +index 0000000..21a7390 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure to remove unnecessary file system mount support' ++ ++description: |- ++ The data disk is only used to save data during system operation. There ++ is no need to execute relevant commands on the data disk. In this case, ++ the hard disk or partition must be mounted in noexec mode to improve security ++ and reduce the attack surface. ++ ++
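Review bot: The title `Partitions that do not need to be mounted are mounted in nodev mode` says the opposite of what the rule means; the description is about partitions that do not need device files, so `Mount partitions that do not need device files with nodev` is the intended title. The two mount lists use the full-width `、` separator, which does not match the rest of the English guide and makes the lists hard to grep; plain commas are expected. The first paragraph is mostly a walkthrough of the attack; the one sentence that belongs in `rationale:` instead of `none.` is `nodev prevents device nodes on a mounted filesystem from being used to reach real devices on the host.`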

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ If the hard disk or partition is mounted in noexec mode, the executable ++ file in the mount point directory cannot be run directly. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml +new file mode 100644 +index 0000000..ddbe5c6 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml +@@ -0,0 +1,27 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure partitions that do not require SUID/SGID are mounted in nosuid mode' ++ ++description: |- ++ After the SUID bit is set on an executable file, even if the user executing the file ++ is not the owner of the file, the process will be temporarily granted the permissions ++ of the file owner during execution. For example, the ordinary user test executes a ++ program with permissions 755 and owner root. If the program does not set the SUID bit, ++ the process only has the permissions of the test user; if the SUID is set, the process ++ has root permissions during execution. . SGID has a similar function, but it only has ++ the permissions of the group to which the file belongs. For partitions that do not ++ need SUID/SGID, use the nosuid method to mount them. This can invalidate the S bit of ++ files with SUID/SGID in the partition, prevent privilege escalation through the ++ executable files of the partition, and strengthen the security of the partition. ++ ++ Users need to plan each mounted hard drive and partition and set nosuid mounting items ++ based on actual scenarios. ++ ++
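Review bot: The title `Make sure to remove unnecessary file system mount support` belongs to `removed_unnecessary_file_mount_support` and is reused here and in `partitoin_mounted_noexec_or_nodev`; this rule needs its own, e.g. `Mount data partitions with noexec`. The rationale describes the effect of noexec rather than why it is wanted; the description's 'reduce the attack surface' sentence is the rationale and the effect belongs in the description, since an evaluator cites the rationale as the justification.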

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ none. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml b/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml +new file mode 100644 +index 0000000..512d8c1 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml +@@ -0,0 +1,28 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure to remove unnecessary file system mount support' ++ ++description: |- ++ Removable devices themselves are uncertain, and their origin, past usage, ++ and transportation processes cannot guarantee absolute safety. Therefore, ++ removable devices are often the main host devices for virus transmission. ++ Therefore, for removable devices, it is required to mount them in noexec ++ or nodev mode to improve security and reduce the attack surface. ++ ++ noexec can prevent files on removable devices from being directly executed, ++ such as virus files, attack scripts, etc.; ++ ++ nodev prevents incorrect device files on removable devices from being linked ++ to real devices on the server, leading to attacks; ++ ++ Common removable devices such as: CD/DVD/USB, etc. ++ ++

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ If a removable device is mounted in noexec mode, the executable file ++ in the mount point directory cannot be run directly. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml b/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml +new file mode 100644 +index 0000000..b54202f +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Partitions that do not need to be modified are mounted read-only.' ++ ++description: |- ++ Mounting file systems that do not require data modification in read-only mode can ++ avoid unintentional or malicious data tampering and reduce the attack surface. ++ ++
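Review bot: The directory name `partitoin_mounted_noexec_or_nodev` misspells `partition`, and since it becomes the rule ID it should be fixed before release. The title is again the copied `Make sure to remove unnecessary file system mount support`; `Mount removable media with noexec and nodev` fits the description, which argues for both options ('noexec can prevent ... nodev prevents ...') while the rule name says 'or' and the rationale covers only noexec. The rationale should mention nodev as well, otherwise the evaluator has no basis to fail a removable mount that lacks it.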

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ Once the file system is mounted in read-only mode, files and directories cannot ++ be created, modified, or deleted. Users need to configure it according to the actual ++ scenario. This requirement can be ignored for file mounting necessary for the ++ operation of the operating system. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml +new file mode 100644 +index 0000000..8c4eff8 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml +@@ -0,0 +1,29 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure to remove unnecessary file system mount support' ++ ++description: |- ++ The Linux system supports a variety of file systems, which are ++ loaded into the kernel through ko mode. As a general operating ++ system platform, openEuler will provide various file systems ko, ++ which are stored in the /lib/modules/(kernel version)/kernel/fs/ ++ directory and can be loaded through the insmod/modprobe command. ++ Disabling mount support for unnecessary file systems can reduce ++ the attack surface and prevent attackers from attacking the system ++ by exploiting vulnerabilities in some uncommon file systems. ++ ++ Users should determine which file systems do not need to be supported ++ based on actual scenarios, and prohibit these file systems from being ++ mounted through configuration. These file systems usually include: ++ ++ cramfs、freevxfs、jffs2、hfs、hfsplus、squashfs、udf、vfat、fat、msdos、nfs、ceph、fuse、overlay、xfs ++ ++

It can not be scanned automatically, please check it manually.

++ ++ ++rationale: |- ++ The removed file system is no longer supported. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +index cd07fd0..ce86997 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8 ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,openeuler2203 + + title: 'Restrict usage of ptrace to descendant processes' + +diff --git a/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml +new file mode 100644 +index 0000000..cb8f534 +--- /dev/null ++++ b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml +@@ -0,0 +1,28 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Avoid using programms labeled unconfined_service_t' ++ ++description: |- ++ The purpose of SELinux setting the unconfined_service_t label ++ is to enable some third-party service processes that are not ++ configured with SELinux policies to run unfettered. By default, ++ when systemd runs a third-party application with the label bin_t ++ or usr_t (generally located in /usr/bin, /opt, etc. directories), ++ the generated process label is unconfined_service_t. ++ ++ The difference from other high-privilege labels (such as unconfined_t, ++ initrc_t, etc.) is that unconfined_service_t has very few domain ++ conversion rules, which means that even if the process runs applications ++ that have been configured with SELinux policies, the label of the ++ new process will still be unconfined_service_t. 
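Review bot: The list of filesystems to disable includes `vfat`, `xfs`, `overlay`, `nfs` and `fuse`, which are routinely in use: `/boot/efi` is a vfat mount (this patch's nodev rule lists it), xfs is a common root filesystem, and overlay and fuse are required by container runtimes, so following the list as written can leave a host unable to mount its EFI partition or root. The description should tell the evaluator to check what is mounted (`findmnt -t <fs>`) and the ESP before blacklisting, and to treat the list as candidates rather than a target. The guide already has templated `kernel_module_<name>_disabled` rules for cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs and udf with automated checks; reusing them for openEuler would give scannable results for the common cases. `The removed file system is no longer supported.` is a consequence, not a justification; the 'reduce the attack surface ... uncommon file systems' sentence is the rationale.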
The SELinux policy ++ configured for the process will not take effect. If it is attacked, ++ it will have a greater impact on the system. ++ ++

It can not be scanned automatically, please check it manually.

++ ++rationale: |- ++ Programs labeled unconfined_service_t are restricted from running. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/software/enabled_seccomp/rule.yml b/linux_os/guide/system/software/enabled_seccomp/rule.yml +new file mode 100644 +index 0000000..3e68100 +--- /dev/null ++++ b/linux_os/guide/system/software/enabled_seccomp/rule.yml +@@ -0,0 +1,35 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'seccomp should be enabled' ++ ++description: |- ++ seccomp (full name: secure computing mode), when it was first introduced into the ++ Linux kernel, limited the system calls available to the process to four types: read, ++ write, _exit, sigreturn. In the original whitelisting method, in addition to the ++ four system calls allowed by the open file descriptor, if other system calls are ++ attempted, the kernel will use SIGKILL or SIGSYS to terminate the process. ++ ++ The whitelist method is too restrictive and has little practical effect. In practical ++ applications, more precise restrictions are needed. In order to solve this problem, ++ BPF was introduced. The combination of seccomp and BPF rules allows users to filter ++ system calls using configurable policies. The policy is implemented using Berkeley ++ Packet Filter rules, which can filter any system calls and their parameters. ++ ++ The openEuler kernel already provides seccomp function support by default, and also ++ provides the libseccomp peripheral package to help user-mode programs conveniently ++ set seccomp rules. ++ ++
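Review bot: `programms` in the title is a typo, and the rationale `Programs labeled unconfined_service_t are restricted from running.` describes an outcome rather than a reason; the justification is in the description and should be moved: `A process in the unconfined_service_t domain is not constrained by the SELinux policy written for it, so a compromise of that service is not contained by SELinux.` The rule gives no check step; an `ocil` entry with `ps -eZ | grep unconfined_service_t` would let the evaluator list the affected processes. The statement about which file labels systemd maps to unconfined_service_t depends on the policy version shipped, so the openEuler policy it was verified against should be named.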

It can not be scanned automatically, please check it manually.

++
++rationale: |-
++ seccomp cannot set the opening, closing or rules globally, but is specific to each
++ process. That is, the process can set and enable seccomp by itself, which affects
++ itself and all child threads, but does not affect other processes.
++
++ If seccomp is enabled in a process, there will be a performance loss when making
++ system calls. Users need to determine whether the performance loss is acceptable
++ based on actual business scenarios.
++
++severity: low
+\ No newline at end of file
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+index 787d897..6d9c09d 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol8,rhel8
++prodtype: fedora,ocp4,ol8,rhel8,openeuler2203
+ 
+ title: 'Configure System Cryptography Policy'
+ 
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+index f9835af..4fb6a78 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+@@ -7,6 +7,7 @@
+ multi_platform_fedora
+ multi_platform_ol
+ multi_platform_rhel
++ multi_platform_openeuler
+ 
+ The aide database must be initialized.
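Review bot: The `rationale` of enabled_seccomp lists caveats (per-process scope, performance loss on system calls) instead of why the rule exists; enable_aide_detection and ima_verification have the same shape, their rationales being cost warnings too. The benefit is already stated in each description and belongs under `rationale`, e.g. for seccomp `rationale: |-` followed by `    Filtering system calls with seccomp and BPF policies limits what a process can request from the kernel, and a process that attempts a call outside its policy is terminated by the kernel.`, with the performance note kept in the description or moved to a `warnings` entry. Because seccomp is set per process, the manual-check text should also state what the reviewer is expected to inspect (which services are expected to run under a seccomp policy); as written, the pass condition of the manual check is undefined.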
+ 
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml
+new file mode 100644
+index 0000000..d2e80fa
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml
+@@ -0,0 +1,29 @@
++documentation_complete: true
++
++prodtype: openeuler2203
++
++title: 'aide intrusion detection should be enabled'
++
++description: |-
++ aide (advanced intrusion detection environment) is an intrusion detection tool that
++ can be used to check the integrity of files and directories in the system and identify
++ files or directories that have been maliciously tampered with. The principle of the
++ integrity check is to first construct a baseline database, which contains some attributes
++ of the file or directory such as permissions, users, etc. When performing the integrity
++ check, the current system status is compared with the baseline database to obtain the
++ check results. Finally, the file or directory changes of the current system are reported,
++ that is, the inspection report.
++
++ Enabling aide intrusion detection can effectively identify malicious tampering with files
++ or directories, thereby improving system integrity and security. The files or directories
++ that need to be checked can be configured as needed, which is highly flexible. Users only
++ need to query the check report to determine whether there is malicious tampering.
++
++

It can not be scanned automatically, please check it manually.

++
++rationale: |-
++ The more files that need to be checked, the longer the checking process will take. If users
++ enable aide, they should configure the inspection strategy appropriately based on their own
++ business scenarios.
++
++severity: low
+\ No newline at end of file
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
+new file mode 100644
+index 0000000..426be91
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
+@@ -0,0 +1,47 @@
++documentation_complete: true
++
++prodtype: openeuler2203
++
++title: 'IMA metrics should be enabled'
++
++description: |-
++ IMA (Integrity Measurement Architecture) is an integrity protection function provided
++ by the kernel. When IMA is turned on, it can provide integrity measurements for
++ important files in the system based on user-defined policies. The measurement results
++ can be used locally and remotely. Proof of integrity.
++
++ When the IMA measurement function is not enabled in the system, summary information
++ of key files cannot be recorded in real time, and tampering with file contents or
++ attributes cannot be identified. Functions such as local attestation and remote
++ attestation that protect system integrity rely on the summary value provided by IMA
++ metrics, so they cannot be used, or the integrity protection is incomplete.
++
++ IMA global policy configuration is related to the specific environment. Normally,
++ integrity protection is only targeted at immutable files (such as executable files,
++ dynamic libraries, etc.). If the policy is improperly configured, it may lead to
++ excessive performance and memory overhead. It is recommended that users use their
++ own The situation determines whether to enable IMA and configure the correct policy.
++
++ Note: Since IMA is only the measurement part of the global integrity protection
++ mechanism, complete use requires TPM 2.0 and remote attestation services. This
++ specification only explains and recommends the measurement part of IMA. If the
++ system does not integrate TPM 2.0 and remote attestation services, the IMA measurement
++ function should not be enabled.
++
++ IMA measurement does not support container environments and virtual machine
++ environments, requires UEFI startup, and does not support Legacy mode.
++
++

It can not be scanned automatically, please check it manually.

++
++rationale: |-
++ Turning on IMA metrics will cause a slight increase in system startup time and file
++ access time.
++ If the policy is improperly configured (such as measuring real-time changing log files,
++ temporary files, etc.), the measurement log may grow too fast and occupy too much system
++ memory, and the memory occupied by the measurement log will not be released before the
++ next restart of the system. , thus affecting the normal operation of the business. In
++ addition, because the measured files are constantly changing, the measurement value changes,
++ and the remote certification baseline value cannot be updated synchronously, causing the
++ remote certification to fail and losing the meaning of integrity protection.
++
++severity: low
+\ No newline at end of file
+diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
+new file mode 100644
+index 0000000..788eab7
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
+@@ -0,0 +1,18 @@
++documentation_complete: true
++
++prodtype: openeuler2203
++
++title: 'Make sure sudoers cannot configure scripts writable by low-privileged users'
++
++description: |-
++ sudo can enable the set ordinary user to execute certain specific programs with root privileges,
++ and the corresponding configuration file is /etc/sudoers. Administrator users can configure
++ corresponding rules to make certain scripts or binary files run with root permissions. Therefore,
++ the scripts configured by sudo should only be writable by root. Scripts that can be written by
++ low-privilege users cannot be configured. If low-privilege users are configured, they can be written
++ by root. script, the user can perform privilege escalation operations by modifying the script.
++
++rationale: |-
++ none.
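Review bot: The description of ima_verification says the measurement function "should not be enabled" on systems without TPM 2.0 and remote attestation and that containers, virtual machines and Legacy boot are unsupported, which contradicts the unconditional title `IMA metrics should be enabled`; the rule needs either a `platform:` restriction or manual-check wording that states when a system is expected to pass. Two sentences in this hunk are also garbled: `It is recommended that users use their own The situation determines whether to enable IMA and configure the correct policy.` and `next restart of the system. , thus affecting`. I would reword the first to `It is recommended that users decide whether to enable IMA and configure the correct policy based on their own situation.` and drop the stray `. ,` in the rationale.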
++
++severity: high
+\ No newline at end of file
+diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml
+new file mode 100644
+index 0000000..ea4e9cf
+--- /dev/null
++++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml
+@@ -0,0 +1,25 @@
++
++
++
++ Disable use of SysRq key
++
++ multi_platform_openeuler
++
++ Disable SysRq.
++
++
++
++
++
++
++
++
++
++ /proc/sys/kernel/sysrq
++ 0
++ 1
++
++
+\ No newline at end of file
+diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml
+new file mode 100644
+index 0000000..ce7e977
+--- /dev/null
++++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml
+@@ -0,0 +1,20 @@
++
++prodtype: openeuler2203
++
++title: 'Disable use of SysRq key'
++
++description: |-
++
++ SysRq allows users with physical access to access dangerous system-level commands
++ in the computer, and the use of SysRq functions needs to be restricted.
++
++ If the SysRq key is not disabled, the SysRq call can be triggered through the
++ keyboard, which may cause commands to be sent directly to the kernel, affecting
++ the system.
++
++ openEuler prohibits the use of SysRq keys by default.
++
++rationale: |-
++ SysRq related commands cannot be used in the system.
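Review bot: sudoers_disable_low_privileged_configure is rated `severity: high` but its `rationale` is the placeholder `none.`; uninstall_debugging_tools and uninstall_development_and_compliation_tools carry the same placeholder at the same severity. The reasoning is already in the description and should become the rationale, e.g. `rationale: |-` followed by `    A script that sudo runs as root but that a low-privileged user can modify allows that user to escalate privileges by editing the script.` The last sentence of the description is garbled (`they can be written by root. script, the user can perform ...`) and should read `If a script writable by a low-privileged user is configured in sudoers, that user can escalate privileges by modifying the script.`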
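Review bot: The disabled_SysRq OVAL check reads only `/proc/sys/kernel/sysrq`, so it reflects the running kernel and not the persistent sysctl configuration; the XML elements are stripped in this view, so this is inferred from the visible path and the values `0` and `1`. What survives a reboot is the value in `/etc/sysctl.conf` or `/etc/sysctl.d/*.conf`, and this project's `sysctl` template already checks both the runtime value and the configuration files, so a rule generated from that template with `sysctlvar: kernel.sysrq` and `sysctlval: '0'` would give a consistent check instead of a hand-written one. If the state compares the file content with a regex, a bare `0` also matches values such as `10`; anchor it as `^0$`.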
++
++severity: high
+\ No newline at end of file
+diff --git a/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml
+new file mode 100644
+index 0000000..c537c20
+--- /dev/null
++++ b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml
+@@ -0,0 +1,23 @@
++documentation_complete: true
++
++prodtype: openeuler2203
++
++title: 'Make sure to remove unnecessary file system mount support'
++
++description: |-
++ If the business environment contains debugging scripts and tools, they can
++ easily be exploited and attacked by attackers. Therefore, it is strictly
++ prohibited to install various debugging tools and files in the production
++ environment, including but not limited to: code debugging tools, privilege
++ escalation commands, scripts, and tools used for debugging functions, certificates,
++ and keys used in the debugging phase. Perf tools, point management and piling
++ tools for performance testing, attack scripts and tool scripts for verifying
++ security issues such as CVE, etc. Common open source third-party debugging tools
++ include: strace, gdb, readelf, perf, etc.
++
++
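Review bot: disabled_SysRq/rule.yml is the only new rule in this patch that does not begin with `documentation_complete: true`; its first added line is blank, and `description: |-` is likewise followed by an empty line. If the build treats a missing key the way it treats `documentation_complete: false`, the rule is dropped even though `standard.profile` selects `disabled_SysRq`, so add `documentation_complete: true` as the first line. The description also asserts `openEuler prohibits the use of SysRq keys by default`; a default can be overridden by local configuration, so the rule still has to check the configured value rather than rely on that statement.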

It can not be scanned automatically, please check it manually.

++
++rationale: |-
++ none.
++
++severity: high
+\ No newline at end of file
+diff --git a/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml
+new file mode 100644
+index 0000000..f3bfd27
+--- /dev/null
++++ b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml
+@@ -0,0 +1,26 @@
++documentation_complete: true
++
++prodtype: openeuler2203
++
++title: 'Make sure to remove unnecessary file system mount support'
++
++description: |-
++ If the business environment contains compilation tools, they can
++ easily be used by attackers to edit, tamper with, and reverse analyze
++ key files in the environment to carry out attacks. Therefore, it is
++ strictly prohibited to install various compilation, decompilation,
++ and binary analysis tools in the production environment, including
++ but not limited to: compilation tools, decompilation tools, compilation
++ environments, etc. Common third-party development and compilation tools
++ include: gcc, cpp, mcpp, flex, cmake, make, rpm-build, ld, ar, etc.
++
++ If the business environment relies on interpreters such as python, lua,
++ and perl during deployment or operation, the interpreter running
++ environment can be retained.
++
++
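Review bot: The title of uninstall_debugging_tools, `Make sure to remove unnecessary file system mount support`, is copied from the file-system mount rule and does not describe this rule; the uninstall_development_and_compliation_tools hunk that follows carries the same wrong title. Suggested titles: `title: 'Make sure debugging tools are not installed'` for this rule and `title: 'Make sure development and compilation tools are not installed'` for the other. The rule ids and directory names are what profiles and reports refer to, so the mismatch between id and title would otherwise show up in every generated guide and scan result.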

It can not be scanned automatically, please check it manually.

++
++rationale: |-
++ none.
++
++severity: high
+\ No newline at end of file
+diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
+index de6890c..543712a 100644
+--- a/openeuler2203/profiles/standard.profile
++++ b/openeuler2203/profiles/standard.profile
+@@ -164,3 +164,96 @@ selections:
+ - file_permissions_unauthorized_world_writable
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_sgid
++ - network_sniffing_tools
++ - service_rsyncd_disabled
++ - package_openldap-clients_removed
++ - no_forward_files
++ - sshd_configure_correct_interface
++ - sshd_concurrent_unauthenticated_connections
++ - sshd_configure_concurrent_sessions
++ - sshd_disable_x11_forwarding
++ - sshd_configure_correct_LoginGraceTime
++ - sshd_disable_AllowTcpForwardindg
++ - sshd_prohibit_preset_authorized_keys
++ - network_interface_binding_corrently
++ - iptables_loopback_policy_configured_corrently
++ - iptables_input_policy_configured_corrently
++ - iptables_output_policy_configured_corrently
++ - iptables_association_policy_configured_corrently
++ - service_nftables_enabled
++ - nftables_configure_default_deny_policy
++ - nftables_loopback_policy_configured_corrently
++ - nftables_input_policy_configured_corrently
++ - nftables_output_policy_configured_corrently
++ - nftables_association_policy_configured_corrently
++ - sudoers_disable_low_privileged_configure
++ - no_files_globally_writable_files
++ - removed_unnecessary_file_mount_support
++ - read_only_partitions_no_modified
++ - partitions_mounted_nodev_mode
++ - partitions_mounted_noexec_mode
++ - partitoin_mounted_noexec_or_nodev
++ - partitions_mounted_nosuid_mode
++ - audit_privilege_escalation_command
++ - audit_rule_admin_privilege
++ - recorded_authentication_related_event
++ - rsyslog_files_permissions
++ - uninstall_debugging_tools
++ - uninstall_development_and_compliation_tools
++ - package_xorg-x11-server-common_removed
++ - package_httpd_removed
++ - 
service_smb_disabled
++ - service_named_disabled
++ - service_nfs-server_disabled
++ - service_rpcbind_disabled
++ - service_dhcpd_disabled
++ - configure_first_logging_change_password
++ - sshd_disable_root_login
++ - diasable_root_accessing_system
++ - wireless_disable_interfaces
++ - sshd_enable_warning_banner
++ - disabled_SysRq
++ - sysctl_kernel_yama_ptrace_scope
++ - disabled_unconfined_service_t_programs
++ - enabled_seccomp
++ - define_ld_lib_path_correctly
++ - define_path_strictly
++ - grub2_audit_argument
++ - grub2_audit_backlog_limit_argument
++ - audit_rules_immutable
++ - auditd_data_retention_max_log_file
++ - auditd_data_retention_max_log_file_action
++ - auditd_data_retention_space_left
++ - auditd_data_retention_space_left_action
++ - auditd_data_retention_admin_space_left
++ - auditd_data_retention_admin_space_left_action
++ - auditd_data_disk_error_action
++ - auditd_data_disk_full_action
++ - audit_rules_sysadmin_actions
++ - audit_rules_session_events
++ - audit_rules_time_adjtimex
++ - audit_rules_time_clock_settime
++ - audit_rules_time_settimeofday
++ - audit_rules_time_stime
++ - audit_rules_time_watch_localtime
++ - audit_rules_mac_modification
++ - audit_rules_networkconfig_modification
++ - audit_rules_successful_file_modification
++ - audit_rules_unsuccessful_file_modification_open
++ - audit_rules_unsuccessful_file_modification_ftruncate
++ - audit_rules_unsuccessful_file_modification_creat
++ - audit_rules_unsuccessful_file_modification_openat
++ - audit_rules_file_deletion_events_rename
++ - audit_rules_file_deletion_events_renameat
++ - audit_rules_file_deletion_events_unlink
++ - audit_rules_file_deletion_events_unlinkat
++ - audit_rules_media_export
++ - configure_service_logging
++ - configure_dump_journald_log
++ - configure_rsyslog_log_rotate
++ - rsyslog_remote_loghost
++ - rsyslog_accept_remote_messages_tcp
++ - rsyslog_accept_remote_messages_udp
++ - enable_aide_detection
++ - service_haveged_enabled
++ - 
configure_crypto_policy
+-- 
+2.42.0.windows.2
+
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 9f05ae5..13c82a4 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
 Version: 0.1.49
-Release: 8
+Release: 9
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
@@ -15,6 +15,7 @@ Patch0006:init-openEuler-ssg-project.patch
 Patch0007:enable-76-rules-for-openEuler.patch
 Patch0008:enable-54-rules-for-openEuler.patch
 Patch0009:add-15-rules-for-openeuler.patch
+Patch0010:add-80-rules-for-openeuler.patch
 BuildArch: noarch
 BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@@ -69,6 +70,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Fri Nov 17 2023 wangqingsan - 0.1.49-9
+- enable 80 rules for openEuler
+
 * Fri Aug 11 2023 steven - 0.1.49-8
 - enable 15 rules for openEuler
-- Gitee
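Review bot: Several selection ids added to standard.profile look misspelled — `partitoin_mounted_noexec_or_nodev`, `diasable_root_accessing_system` and the `*_corrently` family — and a profile selection has to match a rule directory name exactly, so each of these needs to be checked against its rule directory before the profile is built. `sshd_disable_AllowTcpForwardindg` does match the rule path listed in the patch diffstat, so that one is consistent as written even though the spelling is odd; the others are not visible in this view. Where a selection does not resolve to a rule, the rule silently drops out of the profile (or the build fails, depending on the content version), which is the one outcome a hardening profile should not have.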