diff --git a/add-80-rules-for-openeuler.patch b/optimize-80-rules-for-openEuler.patch
similarity index 68%
rename from add-80-rules-for-openeuler.patch
rename to optimize-80-rules-for-openEuler.patch
index 8eac405aaffe270f05e11bcd35e6d37289e3ebab..9957fa02114ece497bc5a1bfbdb9c2da6bc091f6 100644
--- a/add-80-rules-for-openeuler.patch
+++ b/optimize-80-rules-for-openEuler.patch
@@ -1,99 +1,101 @@
-From 941e961d84f0c1610134b367364a0f66b82cc9f9 Mon Sep 17 00:00:00 2001
+From a7932d8cba91edbc359c520cd67361b3bb6680aa Mon Sep 17 00:00:00 2001
From: qsw333 Date: Thu, 16 Nov 2023 13:50:38 +0800 Subject: [PATCH] second --- - .../base/service_haveged_enabled/rule.yml | 31 +++++++ - .../service_dhcpd_disabled/rule.yml | 2 +- - .../service_named_disabled/rule.yml | 2 +- - .../package_httpd_removed/rule.yml | 2 +- - .../package_openldap-clients_removed/rule.yml | 23 +++++ - .../service_rpcbind_disabled/rule.yml | 2 +- - .../service_nfs-server_disabled/rule.yml | 33 +++++++ - linux_os/guide/services/rsync/group.yml | 9 ++ - .../rsync/service_rsyncd_disabled/rule.yml | 20 ++++ - .../service_smb_disabled/rule.yml | 2 +- - .../oval/shared.xml | 25 +++++ - .../rule.yml | 16 ++++ - .../oval/shared.xml | 25 +++++ - .../rule.yml | 19 ++++ - .../oval/shared.xml | 25 +++++ - .../rule.yml | 18 ++++ - .../oval/shared.xml | 25 +++++ - .../sshd_configure_correct_interface/rule.yml | 18 ++++ - .../oval/shared.xml | 25 +++++ - .../sshd_disable_AllowTcpForwardindg/rule.yml | 18 ++++ - .../oval/shared.xml | 25 +++++ - .../sshd_disable_x11_forwarding/rule.yml | 16 ++++ - .../oval/shared.xml | 25 +++++ - .../rule.yml | 18 ++++ - .../uninstall_software_service/group.yml | 5 + - .../network_sniffing_tools/rule.yml | 24 +++++ - .../rule.yml | 2 +- - .../no_forward_files/oval/shared.xml | 20 ++++ - .../no_forward_files/rule.yml | 17 ++++ - .../rule.yml | 27 ++++++ - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 25 +++++ - .../oval/shared.xml | 25 +++++ - .../audit_rule_admin_privilege/rule.yml | 27 ++++++ - .../oval/shared.xml | 25 +++++ - .../rule.yml | 56 +++++++++++ - .../auditd_data_retention_space_left/rule.yml | 2 +- - .../auditing/grub2_audit_argument/rule.yml | 2 +- - .../rule.yml | 2 +- - .../oval/shared.xml | 25 +++++ - .../configure_dump_journald_log/rule.yml | 22 +++++ - .../rule.yml | 19 ++++ - .../configure_rsyslog_log_rotate/rule.yml | 45 +++++++++ - .../configure_service_logging/rule.yml | 21 +++++ - .../diasable_root_accessing_system/rule.yml | 35 +++++++ - 
.../rsyslog_files_permissions/oval/shared.xml | 1 + - .../oval/shared.xml | 25 +++++ - .../rule.yml | 24 +++++ - .../rsyslog_remote_loghost/oval/shared.xml | 1 + - .../rule.yml | 28 ++++++ - .../rule.yml | 36 +++++++ - .../rule.yml | 27 ++++++ - .../rule.yml | 36 +++++++ - .../rule.yml | 28 ++++++ - .../wireless_disable_interfaces/rule.yml | 2 +- - .../rule.yml | 26 ++++++ - .../system/network/network_nftables/group.yml | 12 +++ - .../rule.yml | 32 +++++++ - .../rule.yml | 24 +++++ - .../rule.yml | 21 +++++ - .../rule.yml | 23 +++++ - .../rule.yml | 22 +++++ - .../service_nftables_enabled/rule.yml | 22 +++++ - .../define_ld_lib_path_correctly/rule.yml | 25 +++++ - .../files/define_path_strictly/rule.yml | 31 +++++++ - .../no_files_globally_writable_files/rule.yml | 34 +++++++ - .../rule.yml | 28 ++++++ - .../partitions_mounted_nodev_mode/rule.yml | 48 ++++++++++ - .../partitions_mounted_noexec_mode/rule.yml | 19 ++++ - .../partitions_mounted_nosuid_mode/rule.yml | 27 ++++++ - .../rule.yml | 28 ++++++ - .../read_only_partitions_no_modified/rule.yml | 19 ++++ - .../rule.yml | 29 ++++++ - .../sysctl_kernel_yama_ptrace_scope/rule.yml | 2 +- - .../rule.yml | 28 ++++++ - .../system/software/enabled_seccomp/rule.yml | 35 +++++++ - .../crypto/configure_crypto_policy/rule.yml | 2 +- - .../aide/aide_build_database/oval/shared.xml | 1 + - .../aide/enable_aide_detection/rule.yml | 29 ++++++ - .../ima_verification/rule.yml | 47 ++++++++++ - .../rule.yml | 18 ++++ - .../disabled_SysRq/oval/shared.xml | 25 +++++ - .../system-tools/disabled_SysRq/rule.yml | 20 ++++ - .../uninstall_debugging_tools/rule.yml | 23 +++++ - .../rule.yml | 26 ++++++ - openeuler2203/profiles/standard.profile | 93 +++++++++++++++++++ - 89 files changed, 1869 insertions(+), 16 deletions(-) + .../base/service_haveged_enabled/rule.yml | 31 ++ + .../service_dhcpd_disabled/rule.yml | 2 +- + .../service_named_disabled/rule.yml | 2 +- + .../package_httpd_removed/rule.yml | 2 +- + 
.../package_openldap-clients_removed/rule.yml | 23 ++ + .../service_rpcbind_disabled/rule.yml | 2 +- + .../service_nfs-server_disabled/rule.yml | 33 ++ + linux_os/guide/services/rsync/group.yml | 9 + + .../rsync/service_rsyncd_disabled/rule.yml | 20 ++ + .../service_smb_disabled/rule.yml | 2 +- + .../oval/shared.xml | 25 ++ + .../rule.yml | 23 ++ + .../oval/shared.xml | 25 ++ + .../rule.yml | 26 ++ + .../oval/shared.xml | 25 ++ + .../rule.yml | 25 ++ + .../oval/shared.xml | 25 ++ + .../sshd_configure_correct_interface/rule.yml | 26 ++ + .../oval/shared.xml | 25 ++ + .../sshd_disable_AllowTcpForwardindg/rule.yml | 28 ++ + .../oval/shared.xml | 25 ++ + .../sshd_disable_x11_forwarding/rule.yml | 23 ++ + .../oval/shared.xml | 54 +++ + .../rule.yml | 25 ++ + .../uninstall_software_service/group.yml | 5 + + .../network_sniffing_tools/rule.yml | 24 ++ + .../rule.yml | 2 +- + .../no_forward_files/oval/shared.xml | 20 ++ + .../no_forward_files/rule.yml | 31 ++ + .../rule.yml | 31 ++ + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 39 ++ + .../oval/shared.xml | 44 +++ + .../audit_rules_admin_privilege/rule.yml | 28 ++ + .../oval/shared.xml | 25 ++ + .../rule.yml | 56 +++ + .../auditd_data_retention_space_left/rule.yml | 2 +- + .../auditing/grub2_audit_argument/rule.yml | 2 +- + .../rule.yml | 2 +- + .../oval/shared.xml | 25 ++ + .../configure_dump_journald_log/rule.yml | 25 ++ + .../rule.yml | 24 ++ + .../configure_rsyslog_log_rotate/rule.yml | 48 +++ + .../configure_service_logging/rule.yml | 26 ++ + .../diasable_root_accessing_system/rule.yml | 50 +++ + .../rsyslog_files_permissions/oval/shared.xml | 1 + + .../oval/shared.xml | 25 ++ + .../rule.yml | 22 ++ + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rsyslog_remote_loghost/oval/shared.xml | 1 + + .../rule.yml | 36 ++ + .../rule.yml | 36 ++ + .../rule.yml | 27 ++ + .../rule.yml | 36 ++ + .../rule.yml | 28 ++ + .../wireless_disable_interfaces/rule.yml | 2 +- + 
.../rule.yml | 26 ++ + .../system/network/network_nftables/group.yml | 12 + + .../rule.yml | 31 ++ + .../rule.yml | 29 ++ + .../rule.yml | 24 ++ + .../rule.yml | 28 ++ + .../rule.yml | 25 ++ + .../service_nftables_enabled/rule.yml | 22 ++ + .../define_ld_lib_path_correctly/rule.yml | 41 +++ + .../files/define_path_strictly/rule.yml | 44 +++ + .../no_files_globally_writable_files/rule.yml | 34 ++ + .../rule.yml | 38 ++ + .../rule.yml | 33 ++ + .../partitions_mounted_nodev_mode/rule.yml | 47 +++ + .../partitions_mounted_noexec_mode/rule.yml | 23 ++ + .../partitions_mounted_nosuid_mode/rule.yml | 31 ++ + .../rule.yml | 29 ++ + .../read_only_partitions_no_modified/rule.yml | 21 ++ + .../sysctl_kernel_yama_ptrace_scope/rule.yml | 3 +- + .../rule.yml | 33 ++ + .../system/software/enabled_seccomp/rule.yml | 47 +++ + .../crypto/configure_crypto_policy/rule.yml | 2 +- + .../aide/aide_build_database/oval/shared.xml | 1 + + .../aide/enable_aide_detection/rule.yml | 40 +++ + .../ima_verification/rule.yml | 55 +++ + .../rule.yml | 33 ++ + .../disabled_SysRq/oval/shared.xml | 25 ++ + .../system-tools/disabled_SysRq/rule.yml | 30 ++ + .../uninstall_debugging_tools/rule.yml | 35 ++ + .../rule.yml | 39 ++ + openeuler2203/profiles/standard.profile | 340 +++++++++++++++++- + 91 files changed, 2443 insertions(+), 17 deletions(-) create mode 100644 linux_os/guide/services/base/service_haveged_enabled/rule.yml create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml create mode 100644 linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml 
@@ -119,8 +121,8 @@ Subject: [PATCH] second
  create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
  create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml
  create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
- create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml
- create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml
  create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml
  create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml
  create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
@@ -147,13 +149,13 @@ Subject: [PATCH] second create mode 100644 linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml create mode 100644 linux_os/guide/system/permissions/files/define_path_strictly/rule.yml create mode 100644 linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml + create mode 100644 linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml create mode 100644 linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml create mode 100644 linux_os/guide/system/software/enabled_seccomp/rule.yml create mode 
100644 linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml @@ -337,7 +339,7 @@ index 0000000..0482394 \ No newline at end of file diff --git a/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml new file mode 100644 -index 0000000..5afaa7c +index 0000000..09a17a9 --- /dev/null +++ b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml @@ -0,0 +1,20 @@ @@ -347,7 +349,7 @@ index 0000000..5afaa7c + +title: 'Disable Rsync Server Software' + -+description: '{{{ describe_service_disable(service="rsync-daemon") }}}' ++description: '{{{ describe_service_disable(service="rsync") }}}' + +rationale: |- + If the rsync service is enabled and data is transmitted between @@ -408,10 +410,10 @@ index 0000000..e6c1a0e \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml new file mode 100644 -index 0000000..60d2ccd +index 0000000..cba25f2 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml -@@ -0,0 +1,16 @@ +@@ -0,0 +1,23 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -423,6 +425,13 @@ index 0000000..60d2ccd + concurrent connections with incomplete authentication without knowing the + password. + ++

Use the grep command to view the configuration.

++ ++ +rationale: |- + The MaxStartups setting specifies the maximum number of concurrent unauthenticated + connections to the SSH daemon. @@ -431,12 +440,12 @@ index 0000000..60d2ccd \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml new file mode 100644 -index 0000000..d30df39 +index 0000000..916fe29 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml @@ -0,0 +1,25 @@ + -+ ++ + + The allowed number of concurrent sessions for a single SSH connection should be configured correctly + @@ -463,10 +472,10 @@ index 0000000..d30df39 \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml new file mode 100644 -index 0000000..2517850 +index 0000000..e7daae7 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml -@@ -0,0 +1,19 @@ +@@ -0,0 +1,26 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -480,6 +489,13 @@ index 0000000..2517850 + system resources from being unlimited occupied by a single or a few connections, + leading to denial of service attacks. + ++

Use the grep command to view the configuration.

++
    ++
  • ++
    $ grep -i "^MaxSessions" /etc/ssh/sshd_config
    ++
  • ++
++ +rationale: |- + Setting MaxSessions to 1 will disable session multiplexing, meaning that only + one session is allowed for a connection, while setting it to 0 will block all @@ -521,10 +537,10 @@ index 0000000..fb79aff \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml new file mode 100644 -index 0000000..2c97751 +index 0000000..b02eb1f --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml -@@ -0,0 +1,18 @@ +@@ -0,0 +1,25 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -536,6 +552,13 @@ index 0000000..2c97751 + fails to complete the login action within the time limit specified + by LoginGraceTime, the connection will be automatically disconnected. + ++
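Review bot: The check added for MaxSessions, `grep -i "^MaxSessions" /etc/ssh/sshd_config`, reads only the main file and ignores a value pulled in through an `Include` drop-in or overridden inside a `Match` block, so it can report a compliant setting that the daemon is not actually using; the same applies to the LoginGraceTime, ListenAddress and X11Forwarding hunks further down. The effective value is what `sshd -T` prints, so the description should either use that (`$ sshd -T | grep -i maxsessions`) or state that the grep is only indicative and the sshd -T output is authoritative. This assumes the OpenSSH shipped with openEuler 22.03 honours `Include`, which is not visible here. The rule body continues outside the hunk.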

Use the grep command to view the configuration.

++
    ++
  • ++
    $ grep -i "^LoginGraceTime" /etc/ssh/sshd_config
    ++
  • ++
++ +rationale: |- + It is recommended to set this value to less than or equal to 60 seconds. + If the value is set too high, attackers can utilize a large number of @@ -578,10 +601,10 @@ index 0000000..47510c8 \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml new file mode 100644 -index 0000000..0e1cb5c +index 0000000..3f4490b --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml -@@ -0,0 +1,18 @@ +@@ -0,0 +1,26 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -595,6 +618,14 @@ index 0000000..0e1cb5c + SSH connections. You can configure to limit SSH connections to + only specified IP addresses to reduce the attack surface. + ++

If the listening address has been configured, you can query the corresponding configuration through the grep command.

++
    ++
  • ++
    $ grep -i "^ListenAddress" /etc/ssh/sshd_config
    ++
  • ++
++ ++ +rationale: |- + Unconfigured IP addresses cannot connect to the server through SSH. + It is recommended to plan and configure according to the actual situation. @@ -635,10 +666,10 @@ index 0000000..9146f4c \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml new file mode 100644 -index 0000000..1cdfb4e +index 0000000..eebb3b2 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml -@@ -0,0 +1,18 @@ +@@ -0,0 +1,28 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -651,6 +682,16 @@ index 0000000..1cdfb4e + feature may cause the client to attack other servers from the external network through + the SSH channel. + ++

Make sure SSH's AllowTcpForwarding parameter is configured correctly.

++
    ++
  • Execute the following command to verify whether the allowtcpforwarding configuration of SSH is correct (it also meets the following two command line checks): ++
    $ sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep allowtcpforwarding
    ++
  • ++
  • ++
    $ grep -Ei '^\s*AllowTcpForwarding\s+yes\b' /etc/ssh/sshd_config
    ++
  • ++
++ +rationale: |- + If AllowTcpForwarding is configured as yes, attackers can bypass firewall monitoring on + the client through the SSH channel and send attack commands to the intranet server where @@ -692,10 +733,10 @@ index 0000000..5f4d777 \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml new file mode 100644 -index 0000000..bc5f1fe +index 0000000..c301259 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -@@ -0,0 +1,16 @@ +@@ -0,0 +1,23 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -707,6 +748,13 @@ index 0000000..bc5f1fe + hosts on the local host. If not required in the business scenario, this feature must + be disabled. + ++
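Review bot: The `sshd -T` invocation in the AllowTcpForwarding check derives `-C addr=` from `grep $(hostname) /etc/hosts`, which yields an empty or multi-line value when the hostname is absent from /etc/hosts or matches several entries, so the command errors out or prints nothing instead of a verdict. The description also never says what result is expected: the first command should show `allowtcpforwarding no`, while the second grep matches the non-compliant value, so any output from it means the check fails. Stating both outcomes in the text avoids a `yes` line being read as a pass. The rule body continues outside the hunk.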

Use the grep command to view the configuration.

++
    ++
  • ++
    $ grep -i "^X11Forwarding" /etc/ssh/sshd_config
    ++
  • ++
++ +rationale: |- + Enabling the X11 Forwarding function expands the scope of attacks and poses a possibility + of being attacked by other users on the X11 server. @@ -715,10 +763,10 @@ index 0000000..bc5f1fe \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml new file mode 100644 -index 0000000..3edae48 +index 0000000..e451290 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml -@@ -0,0 +1,25 @@ +@@ -0,0 +1,54 @@ + + + @@ -726,31 +774,59 @@ index 0000000..3edae48 + + multi_platform_openeuler + -+ SSH service prohibits preset authorized_Keys. ++ Prohibit SSH service shuold setting authorized_Keys + -+ -+ ++ ++ ++ + + -+ -+ ++ ++ ++ ++ ++ ++ + -+ -+ /etc/ssh/sshd_config -+ ^LoginGraceTime\s+\d+$ ++ ++ ++ ++ ++ ++ ++ /root ++ authorized_keys ++ .* ++ 1 ++ ++ ++ ++ /home ++ authorized_keys ++ .* + 1 + ++ + -\ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml new file mode 100644 -index 0000000..1c139fa +index 0000000..145f45d --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml -@@ -0,0 +1,18 @@ +@@ -0,0 +1,25 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -762,6 +838,13 @@ index 0000000..1c139fa + store in their home directory $HOME/. ssh/authorized_ In the keys file, + for public key authentication, you can directly log in to the system. + ++

Use the grep command to view the configuration. If the return value is empty, it means authorized_keys is not preset:

++
    ++
  • ++
    $ find /home/ /root/ -name authorized_keys 
    ++
  • ++
++ +rationale: |- + If authorized is preset in the system_ Keys, and the server has enabled + the login method of public and private key authentication, allowing @@ -784,7 +867,7 @@ index 0000000..0a269ba \ No newline at end of file diff --git a/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml new file mode 100644 -index 0000000..b41c210 +index 0000000..3afd602 --- /dev/null +++ b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml @@ -0,0 +1,24 @@ @@ -804,7 +887,7 @@ index 0000000..b41c210 +
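Review bot: The check `find /home/ /root/ -name authorized_keys` covers only home directories under /home and /root, so accounts whose home lies elsewhere, and any location set through `AuthorizedKeysFile` in sshd_config, are never examined; the OVAL objects in the preceding shared.xml hunk appear rooted at the same two paths, so the automated check seems to share the gap. The no_forward_files script later in this patch already enumerates home directories from /etc/passwd, and reusing that approach here would make the two checks consistent. The OVAL title in that hunk also carries the typo `shuold`, worth correcting while the file is new.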

It can not be scanned automatically,please check it manually.

+

check the network_sniffing_tools,such as wireshark,netcat,tcpdump,namp,ethereal:

+
    -+
     rpm -qa | grep -iE "^(wireshark-|netcat-|tcpdump-|nmap-|ethereal-)"
    ++
    $ rpm -qa | grep -iE "^(wireshark-|netcat-|tcpdump-|nmap-|ethereal-)"
    +
+ +rationale: |- @@ -854,10 +937,10 @@ index 0000000..eab54dd \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml new file mode 100644 -index 0000000..318131a +index 0000000..92ca05a --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml -@@ -0,0 +1,17 @@ +@@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -870,7 +953,21 @@ index 0000000..318131a + no related email forwarding scenarios, it is recommended to delete the + .forward file. + -+rationale: |- ++

Use the following script to check:

++
    ++
  • If there is no return output, it means that there is no ".forward" file in all Home directories: ++
    #!/bin/bash
    ++    
    ++    grep -E -v '^(halt|sync|shutdown)' "/etc/passwd" | awk -F ":" '($7 != "/bin/false" && $7 != "/sbin/nologin") {print $6}' | while read home;
    ++    do
    ++        if [ -d "$home" ]; then
    ++            find $home -name ".forward"
    ++        fi
    ++    done
    ++
  • ++
++ ++rationale: |- + If there is a .forward file, it may cause user emails carrying + sensitive information to be automatically forwarded to high-risk mailboxes. + @@ -878,15 +975,15 @@ index 0000000..318131a \ No newline at end of file diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml new file mode 100644 -index 0000000..b01dad4 +index 0000000..6ba68e8 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml -@@ -0,0 +1,27 @@ +@@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: openeuler2203 + -+title: 'Ensure the network interface is bound to the correct area' ++title: 'Configure file access permissions audit rules' + +description: |- + File access permission control is the basic permission management in Linux. Different users @@ -901,8 +998,12 @@ index 0000000..b01dad4 + openEuler does not configure file access control permission audit rules by default. It is + recommended that users configure corresponding rules based on actual business scenarios. + -+
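Review bot: In the added script, `find $home -name ".forward"` expands `$home` unquoted, so a home path containing whitespace is split into several arguments and the loop either errors or searches the wrong directories; `find "$home" -name ".forward"` avoids that. The search also descends the whole home tree, whereas the text only concerns the `.forward` file in the home directory itself, so `-maxdepth 1` would keep unrelated copies deeper in the tree from being flagged, if that is the intended scope. The rule body continues outside the hunk.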

It can not be scanned automatically, please check it manually.

-+ ++

Check the configuration with the following command:

++
    ++
  • ++
    $ auditctl -l | grep -iE "chmod|chown|setxattr|exattr"
    ++
  • ++
+rationale: |- + Configuring auditing, because audit logs need to be recorded when file permissions and owners + are modified, will have a slight impact on performance. However, since such operations should @@ -960,78 +1061,108 @@ index e8ec755..20b4d42 100644 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml new file mode 100644 -index 0000000..6cebb2c +index 0000000..1e4f780 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml -@@ -0,0 +1,25 @@ +@@ -0,0 +1,39 @@ +documentation_complete: true + +prodtype: openeuler2203 + -+title: 'Make sure to remove unnecessary file system mount support' ++title: 'Privilege escalation command audit rules should be configured' + +description: |- + Ordinary users can obtain super administrator privileges by calling privilege -+ escalation commands (with SUID/SGID set), so the use of privilege escalation -+ commands carries high risks and is often used by attackers to attack the system. -+ -+ It is recommended to audit and monitor privilege escalation commands to facilitate -+ traceability afterwards. ++ escalation commands (with SUID/SGID set). + -+ openEuler does not configure audit rules for privilege escalation commands by ++
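Review bot: `auditctl -l | grep -iE "chmod|chown|setxattr|exattr"` inspects only the rule set currently loaded in the kernel, so a rule present in /etc/audit/rules.d but not yet loaded is reported missing, and a rule added at runtime without being persisted passes even though it is lost at reboot; the privilege-escalation and sudo.log checks in the following hunks use the same pattern. The description should say that the loaded rules and the persistent files both need to agree, e.g. `$ grep -iE "chmod|chown|setxattr|exattr" /etc/audit/rules.d/*.rules /etc/audit/audit.rules` alongside the auditctl listing. The rule body continues outside the hunk.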

It is recommended to audit and monitor privilege escalation commands to facilitate ++ traceability afterwards.

++

openEuler does not configure audit rules for privilege escalation commands by + default. It is recommended that users configure corresponding rules based on actual -+ business scenarios. ++ business scenarios.

++

It can not be scanned automatically, please check it manually.

++
    ++
  • You can use below cli command to check the audit rules for privilege escalation commands: ++
    #!/bin/bash
    ++    
    ++    array=`find / -xdev -type f \( -perm -4000 -o -perm -2000 \) | awk '{print $1}'`
    ++    
    ++    for element in ${array[@]}
    ++    do
    ++        ret=`auditctl -l | grep "$element "`
    ++        if [ $? -ne 0 ]; then
    ++            echo "$element not set"
    ++        else
    ++            echo $ret
    ++        fi
    ++    done
    ++
  • ++
+ +rationale: |- -+ Configuring auditing requires audit logging when using privilege escalation -+ commands, which has a slight impact on performance. If the user business has -+ a large number of scenarios where privilege escalation commands are frequently -+ called, there may be a cumulative effect. ++ The use of privilege escalation ++ commands carries high risks and is often used by attackers to attack the system. + +severity: low \ No newline at end of file -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml new file mode 100644 -index 0000000..b70b4d9 +index 0000000..55af169 
--- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml -@@ -0,0 +1,25 @@ ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml +@@ -0,0 +1,44 @@ + -+ ++ + + Audit rules for administrator privileged operations should be configured -+ -+ multi_platform_openeuler -+ ++ {{{- oval_affected(products) }}} + Configure audit rules for administrator privileged operations + -+ -+ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + -+ -+ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ ++ ++ + -+ ++ + /etc/audit/audit.rules + ^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + ++ + -\ No newline at end of file -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml new file mode 100644 -index 0000000..8d548e5 +index 0000000..63304a8 --- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml -@@ -0,0 +1,27 @@ ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml +@@ -0,0 +1,28 @@ +documentation_complete: true + -+prodtype: openeuler2203 -+ +title: 'Audit rules for administrator privileged operations should be configured' + +description: |- 
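Review bot: The new OVAL patterns for the sudo audit watch, `^\-w[\s]+sudo\.log[\s]+\-p...`, require the watch path to be literally `sudo.log` immediately after `-w`, so a rule written as `-w /var/log/sudo.log -p wa -k <key>` — the path the rule description itself names — never matches and a correctly configured host fails the check, while the description-side `grep -iE "sudo\.log"` in the next hunk would accept it. Both patterns, for rules.d and /etc/audit/audit.rules, should read `^\-w[\s]+/var/log/sudo\.log[\s]+\-p[\s]+...` unless a relative watch path is genuinely intended, which seems unlikely. Separately, the privilege-escalation check script runs `find / -xdev`, which stops at mount boundaries, so SUID/SGID files on a separately mounted /usr, /home or /opt are never enumerated; dropping `-xdev` or naming the relevant mount points closes that gap. The admin_privilege rule.yml continues into the next hunk.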
@@ -1040,19 +1171,22 @@ index 0000000..8d548e5 + in the /var/log/secure log file by default. Other authentication-related security + logs are also recorded in this file. If the user wants to audit the sudo extraction + command, it is recommended that the sudo related logs be Record separately and -+ output to /var/log/sudo.log, and then audit and monitor the sudo log file. Sudo -+ privilege escalation is a high-risk operation and is relatively common in attacks. It -+ is recommended to configure audit rules for later tracing. ++ output to /var/log/sudo.log, and then audit and monitor the sudo log file. + + openEuler does not configure audit rules for administrator privileged operations + by default. It is recommended that users configure corresponding rules based on + actual business scenarios. + ++

Check the audit rules for administrator privileged operations by running the following command.

++
    ++
  • ++
    $ auditctl -l | grep -iE "sudo\.log"
    ++
  • ++
+rationale: |- -+ Configure auditing. Since audit logging is required for any sudo privilege escalation -+ operation, it will have a slight impact on performance. If there are a large number -+ of frequent sudo operations in the user's business scenario, the impact on performance -+ will have a cumulative effect. ++ Sudo ++ privilege escalation is a high-risk operation and is relatively common in attacks. It ++ is recommended to configure audit rules for later tracing. + +severity: high \ No newline at end of file @@ -1220,10 +1354,10 @@ index 0000000..1e95b34 \ No newline at end of file diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml new file mode 100644 -index 0000000..7247e27 +index 0000000..34e511b --- /dev/null +++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml -@@ -0,0 +1,22 @@ +@@ -0,0 +1,25 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -1238,6 +1372,9 @@ index 0000000..7247e27 + must be dumped in a timely manner to ensure that the logs are more + consistent with the system. Safety. + ++
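Review bot: The manual check `$ auditctl -l | grep -iE "sudo\.log"` only confirms that some loaded rule mentions the file name; it does not verify the watch path, the `-p wa` permissions or a key, so a partial rule would still look compliant. Since `auditctl -l` prints watches in the form `-w <path> -p <perms> -k <key>`, a tighter check would be `$ auditctl -l | grep -E "^-w /var/log/sudo\.log -p wa"`. The OVAL pattern visible in the preceding hunk (`^\-w[\s]+sudo\.log[\s]+\-p...`) anchors `sudo.log` directly after `-w`, so it appears not to match the absolute path `/var/log/sudo.log` that this description recommends; the manual check and the OVAL should agree on the expected path, otherwise the automated scan can never pass on a correctly configured host. The rule.yml file header for this hunk is in the preceding hunk.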

Check whether the relevant fields have been configured in the /etc/rsyslog.conf file:

++
$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*
++ +rationale: |- + If there is a volatile storage device for the log, failure to dump + the log in time may result in log loss. If there is a persistent @@ -1249,10 +1386,10 @@ index 0000000..7247e27 \ No newline at end of file diff --git a/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml new file mode 100644 -index 0000000..16c62e7 +index 0000000..ec95d20 --- /dev/null +++ b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml -@@ -0,0 +1,19 @@ +@@ -0,0 +1,24 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -1267,6 +1404,11 @@ index 0000000..16c62e7 + the root password. + +
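Review bot: The new check in configure_dump_journald_log is inconsistent with its heading: the text says to look at /etc/rsyslog.conf, but the command `$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*` inspects the sysctl SysRq setting, which has nothing to do with journal dumping. Depending on which mechanism the rule intends, the check should instead cover journald forwarding or rsyslog's journal import, e.g. `$ grep -E "^(Storage|ForwardToSyslog)=" /etc/systemd/journald.conf` or `$ grep -i imjournal /etc/rsyslog.conf /etc/rsyslog.d/*.conf`. As written, an auditor following this rule would reach a conclusion about a setting unrelated to the rationale below it. The description block this check belongs to starts outside the hunk.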

It can not be scanned automatically, please check it manually.

++
    ++
  • Check whether the configuration of the specified account in the /etc/shadow file is correct: ++
    $ grep ^test: /etc/shadow 
    ++
  • ++
+ +rationale: |- + none. @@ -1275,15 +1417,15 @@ index 0000000..16c62e7 \ No newline at end of file diff --git a/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml new file mode 100644 -index 0000000..4257677 +index 0000000..e45ebb7 --- /dev/null +++ b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml -@@ -0,0 +1,45 @@ +@@ -0,0 +1,48 @@ +documentation_complete: true + +prodtype: openeuler2203 + -+title: 'Ensure that the iptables input and output association policies configuration is correct' ++title: 'Ensure that Rsyslog log rotate is configured' + +description: |- + rsyslog is responsible for collecting log records from the system into files, and logrotate @@ -1291,11 +1433,6 @@ index 0000000..4257677 + that excessive hard disk resources are not occupied due to excessive log file size, or that + the log files are even unmaintainable. + -+ If the rotate policy is not configured, the log file will continue to grow, which may -+ eventually lead to the exhaustion of space on the hard disk partition where the log is -+ located, which may affect log recording at best, or may cause the system and business to be -+ unable to continue to execute normally. -+ + By default, openEuler has configured the rsyslog rotate policy in the /etc/logrotate.d/rsyslog + file as follows:. + @@ -1319,17 +1456,25 @@ index 0000000..4257677 + The log file reaches 4MB, perform rotate operation. + +
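Review bot: The check `$ grep ^test: /etc/shadow` hardcodes the example account `test` while the heading speaks of "the specified account", and it does not say which field the reviewer should look at. Suggest a placeholder plus the criterion: `$ grep "^<account>:" /etc/shadow` followed by the sentence `A value of 0 in the third (last-change) field means the password must be changed at the next login.` (`chage -l <account>` shows the same information in readable form). Note that /etc/shadow is only readable by root, so the `$` prompt is misleading here. The description for this rule starts outside the hunk.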

It can not be scanned automatically, please check it manually.

++
    ++
  • Check whether the relevant fields have been configured in the /etc/logrotate.d/rsyslog file: ++
    $ cat /etc/logrotate.d/rsyslog | grep -iE "\/var\/log|maxage|\<rotate\>|compress|size"
    ++
  • ++
+ +rationale: |- -+ none. ++ If the rotate policy is not configured, the log file will continue to grow, which may ++ eventually lead to the exhaustion of space on the hard disk partition where the log is ++ located, which may affect log recording at best, or may cause the system and business to be ++ unable to continue to execute normally. + +severity: high diff --git a/linux_os/guide/system/logging/configure_service_logging/rule.yml b/linux_os/guide/system/logging/configure_service_logging/rule.yml new file mode 100644 -index 0000000..c15d25b +index 0000000..4eccadf --- /dev/null +++ b/linux_os/guide/system/logging/configure_service_logging/rule.yml -@@ -0,0 +1,21 @@ +@@ -0,0 +1,26 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -1345,6 +1490,11 @@ index 0000000..c15d25b + auditing cannot be performed when problems occur. + +
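Review bot: The rotate check pipes `cat /etc/logrotate.d/rsyslog` into grep, which is unnecessary, and it only looks at the per-file stanza even though logrotate applies the global settings in /etc/logrotate.conf to any option a stanza does not set, so an option missing from /etc/logrotate.d/rsyslog is not necessarily unset. A more accurate single line would be `$ grep -iE "/var/log|maxage|\<rotate\>|compress|size" /etc/logrotate.d/rsyslog /etc/logrotate.conf`. The description text preceding this check starts outside the hunk.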

It can not be scanned automatically, please check it manually.

++
    ++
  • For example: Check whether reasonable logging rules are configured in /etc/rsyslog.conf and /etc/rsyslog.d/*.conf: ++
    # grep \/var\/log /etc/rsyslog.conf /etc/rsyslog.d/*.conf
    ++
  • ++
+ +rationale: |- + After logging is configured, if the logs are not cleared in time, the logs may fill up the current partition, causing the @@ -1353,10 +1503,10 @@ index 0000000..c15d25b +severity: low diff --git a/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml new file mode 100644 -index 0000000..b235f0e +index 0000000..763f023 --- /dev/null +++ b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml -@@ -0,0 +1,35 @@ +@@ -0,0 +1,50 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -1386,7 +1536,22 @@ index 0000000..b235f0e + the root account in actual scenarios, it is recommended to disable local login + with the root account. + -+
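Review bot: The new check in configure_service_logging uses a `#` prompt (`# grep \/var\/log /etc/rsyslog.conf /etc/rsyslog.d/*.conf`) while this same patch normalises every other check command to a `$` prompt (see the iptables and nftables rules further down), and the backslash escapes are not needed for `/` in a grep pattern. For consistency: `$ grep /var/log /etc/rsyslog.conf /etc/rsyslog.d/*.conf`. The rest of this rule's description is outside the hunk.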

It can not be scanned automatically, please check it manually.

++

The checking method is as follows:

++
    ++
  • Check whether the account type pam_access.so module is added to the /etc/pam.d/system-auth file, and the module must be loaded before the sufficient control line: ++
    $ cat /etc/pam.d/system-auth
    ++
  • ++
  • Then, check whether restrictions on root user login to tty1 are set in the /etc/security/access.conf file: ++
    $ grep "^\-:root" /etc/security/access.conf
    ++
  • ++
  • Finally, use the serial port to try to log in to the root account and confirm whether the login is denied. If login is refused, the serial port prints the following information: ++
    Authorized users only. All activities may be monitored and reported.
    ++    localhost login: root
    ++    Password:
    ++    
    ++    Permission denied 
    ++
  • ++
+ +rationale: |- + The root account cannot access the system locally. @@ -1439,10 +1604,10 @@ index 0000000..63bce75 \ No newline at end of file diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml new file mode 100644 -index 0000000..1a52982 +index 0000000..26abd58 --- /dev/null +++ b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml -@@ -0,0 +1,24 @@ +@@ -0,0 +1,22 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -1454,20 +1619,42 @@ index 0000000..1a52982 + Events related to system authentication must be recorded to help + analyze user logins, use of root privileges, and monitor suspicious + system actions. ++ |- ++ Check whether auth-related fields have been configured in the /etc/rsyslog.conf file: ++
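Review bot: The first step of the new check, `$ cat /etc/pam.d/system-auth`, dumps the whole file and leaves the reviewer to work out the ordering constraint stated in the bullet (pam_access.so must come before the `sufficient` line); `$ grep -n -E "pam_access|sufficient" /etc/pam.d/system-auth` would show both lines with their line numbers so the order can be read off directly. Likewise `$ grep "^\-:root" /etc/security/access.conf` only confirms that some deny entry for root exists, not that it names tty1 as the bullet requires; `$ grep -E "^-:root:.*tty1" /etc/security/access.conf` matches the access.conf `permission:users:origins` format the rule describes. The description block preceding this check starts outside the hunk.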

$ grep auth /etc/rsyslog.conf | grep -v "^#"

++ ++rationale: |- + Failure to record system authentication-related event logs will + result in the inability to analyze suspicious attack actions from + the logs, such as login actions performed by attackers trying to + guess administrator passwords. + -+rationale: |- -+ If there is a volatile storage device for the log, failure to -+ dump the log in time may result in log loss. If there is a persistent -+ storage device, the amount of logs may be very large. If the logs -+ are not dumped in time, the logs may fill up the current partition, -+ causing the risk of other processes or system failures. -+ +severity: high \ No newline at end of file +diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml +index ec1256d..e42fd58 100644 +--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml ++++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml +@@ -9,6 +9,7 @@ description: |- + /etc/rsyslog.conf to enable reception of messages over TCP: +
$ModLoad imtcp
+     $InputTCPServerRun 514
++

It can not be scanned automatically, please check it manually.

+ + rationale: |- + If the system needs to act as a log server, this ensures that it can receive +diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml +index b42ba95..8c08059 100644 +--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml ++++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml +@@ -9,6 +9,7 @@ description: |- + /etc/rsyslog.conf to enable reception of messages over UDP: +
$ModLoad imudp
+     $UDPServerRun 514
++

It can not be scanned automatically, please check it manually.

+ + rationale: |- + Many devices, such as switches, routers, and other Unix-like systems, may only support diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml index 22307d4..c3e2752 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml @@ -1482,10 +1669,10 @@ index 22307d4..c3e2752 100644
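Review bot: In recorded_authentication_related_event/rule.yml the added line `|-` sits inside the existing `description: |-` block scalar, so YAML treats it as literal text and the rendered description will contain a stray "|-" line rather than starting a new scalar. The line should simply be dropped; the following "Check whether auth-related fields..." sentence and the `<pre>` block then continue the description as intended. The same hunk's additions to the rsyslog_accept_remote_messages_tcp/udp rules look fine. The description this line belongs to starts outside the hunk.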
diff --git a/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml new file mode 100644 -index 0000000..d5d2335 +index 0000000..7148507 --- /dev/null +++ b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml -@@ -0,0 +1,28 @@ +@@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -1508,7 +1695,15 @@ index 0000000..d5d2335 + needs to be configured correctly, otherwise unauthorized users may modify + files with incorrect or misleading information. + -+

It can not be scanned automatically, please check it manually.

++

It can not be scanned automatically, please check it manually.

++
    ++
  • You can check it by the following method: ++
    Use the cat command to check whether the warning information in the three files /etc/motd, /etc/issue, and /etc/issue.net is reasonable, and whether there is system version, application server type, function and other information;
    ++
  • ++
  • or: ++
    Use the ll command to check whether the permissions of the three files /etc/motd, /etc/issue, and /etc/issue.net are 644;
    ++
  • ++
+ +rationale: |- + none. @@ -1517,7 +1712,7 @@ index 0000000..d5d2335 \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..278556e +index 0000000..2f405be --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml @@ -0,0 +1,36 @@ @@ -1544,10 +1739,10 @@ index 0000000..278556e +
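Review bot: The second check step says to "use the ll command" to verify that /etc/motd, /etc/issue and /etc/issue.net are mode 644, but `ll` is a shell alias that is not guaranteed to exist; the portable form is `$ ls -l /etc/motd /etc/issue /etc/issue.net`. The first step's wording ("whether there is system version, application server type, function and other information") reads as if such details are expected to be present; if the intent is that a banner must not disclose them, say so explicitly, e.g. `and that they do not disclose the system version, application server type or function.` The description preceding this check starts outside the hunk.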

Check if the input and output chains are configured with associated policies.

+
    +
  • You can use below cli command to check if the input and output chains of IPv4 are configured with associated policies: -+
    # iptables -L
    ++
    $ iptables -L
    +
  • +
  • You can use below cli command to check if the input and output chains of IPv6 are configured with associated policies: -+
    # ip6tables -L
    ++
    $ ip6tables -L
    +
  • +
+ @@ -1560,7 +1755,7 @@ index 0000000..278556e \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..0f7e91a +index 0000000..28f7f5d --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml @@ -0,0 +1,27 @@ @@ -1579,10 +1774,10 @@ index 0000000..0f7e91a +

Check if the policy configured for the input chain meets business needs.

+
    +
  • You can use below cli command to check the input chain of IPv4: -+
    # iptables -L INPUT -v -n
    ++
    $ iptables -L INPUT -v -n
    +
  • +
  • Or check the input chain of IPv6: -+
    # ip6tables -L INPUT -v -n
    ++
    $ ip6tables -L INPUT -v -n
    +
  • +
+ @@ -1594,7 +1789,7 @@ index 0000000..0f7e91a \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..9d8bafe +index 0000000..ddee908 --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml @@ -0,0 +1,36 @@ @@ -1614,16 +1809,16 @@ index 0000000..9d8bafe +

Check if the loopback address policy has been correctly configured.

+
    +
  • You can use below cli command to check the input chain of IPv4: -+
    # iptables -L INPUT -v -n
    ++
    $ iptables -L INPUT -v -n
    +
  • +
  • Or check the output chain of IPv4: -+
    # iptables -L OUTPUT -v -n
    ++
    $ iptables -L OUTPUT -v -n
    +
  • +
  • Or check the input chain of IPv6: -+
    # ip6tables -L INPUT -v -n
    ++
    $ ip6tables -L INPUT -v -n
    +
  • +
  • Or check the output chain of IPv6: -+
    # ip6tables -L OUTPUT -v -n
    ++
    $ ip6tables -L OUTPUT -v -n
    +
  • +
+ @@ -1637,7 +1832,7 @@ index 0000000..9d8bafe \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..c10cd44 +index 0000000..ea672eb --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml @@ -0,0 +1,28 @@ @@ -1657,10 +1852,10 @@ index 0000000..c10cd44 +

Check if the policy configured for the output chain meets business needs.

+
    +
  • You can use below cli command to check the output chain of IPv4: -+
    # iptables -L OUTPUT -v -n
    ++
    $ iptables -L OUTPUT -v -n
    +
  • +
  • Or check the input chain of IPv6: -+
    # ip6tables -L OUTPUT -v -n
    ++
    $ ip6tables -L OUTPUT -v -n
    +
  • +
+ @@ -1684,7 +1879,7 @@ index bbea345..19cc6f5 100644 diff --git a/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml new file mode 100644 -index 0000000..ee66dd7 +index 0000000..c918fd8 --- /dev/null +++ b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml @@ -0,0 +1,26 @@ @@ -1704,7 +1899,7 @@ index 0000000..ee66dd7 +

It can not be scanned automatically, please check it manually.

+

Check the interface configuration of each region:

+
    -+
    # find ./ -type l -follow
    ++
    $ firewall-cmd --get-active-zones
    +
+ +rationale: |- @@ -1736,49 +1931,48 @@ index 0000000..68ecddd \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..73b0e5e +index 0000000..fb45bfe --- /dev/null 
+++ b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml -@@ -0,0 +1,32 @@ +@@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: openeuler2203 + -+title: 'Configure nftables input strategy' ++title: 'Ensure that the nftables input and output association policies configuration is correct' + +description: |- -+ Although you can configure the policy of packets in and out of the server to -+ the input and output chains by configuring the protocol, IP and port, etc, -+ it is more complicated in some cases. For example, the client accesses the -+ server through a certain port, but when the server returns a response message -+ It does not necessarily return from the original port, but may use a random -+ source port. In this case, it is difficult to configure an accurate policy -+ through the sport parameter. -+ -+ At this time, you need to consider using the associated link method to configure -+ the policy. If an outgoing packet belongs to an existing network link, it is -+ directly allowed; if a received packet belongs to an existing network link, it -+ is also directly allowed. Because these existing links must have been filtered -+ and checked by other policies, otherwise they cannot be established. -+ -+ If you do not configure policies through associated links, you need to analyze -+ all possible link situations and configure corresponding policies. If the -+ configuration is too loose, it may lead to security risks. If the configuration -+ is too strict, it may cause business interruption.lll ++ Although it is possible to configure packet policies for incoming and outgoing servers to the ++ input and output chains by configuring protocols, IPs, and ports, in some cases it may be more ++ complex. For example, if the client accesses the server through a certain port, the server may ++ not necessarily return the response message from the original port, and may use a random source ++ port. 
In this case, it is difficult to configure accurate policies through the sport parameter. + ++

At this point, it is necessary to consider using association links to configure the strategy. ++ If an outgoing message belongs to an existing network link, it will be directly released; If a ++ received message belongs to an existing network link, it is also directly released. Because ++ these existing links must have been filtered and checked by other policies, otherwise they ++ cannot be established.

+

It can not be scanned automatically, please check it manually.

++
    ++
  • You can use below cli command to check if the input and output chains are configured with associated policies: ++
    $ nft list ruleset
    ++
  • ++
+ +rationale: |- -+ none. ++ If the policy is not configured through associated links, it is necessary to analyze all possible ++ link situations and configure corresponding policies. If the configuration is too loose, it may ++ cause security risks, and if the configuration is too strict, it may cause business interruption. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml new file mode 100644 -index 0000000..9a95f50 +index 0000000..804c3b5 --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml -@@ -0,0 +1,24 @@ +@@ -0,0 +1,29 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -1791,11 +1985,16 @@ index 0000000..9a95f50 + policy for all packets, and then add the allow policy to the basic + chain to open related services and ports. + -+ If the basic chain is not configured, or the hook rules of the basic ++

If the basic chain is not configured, or the hook rules of the basic + chain are not specified, the packet will not be captured by nftables, -+ and filtering will not be possible. ++ and filtering will not be possible.

+ +

It can not be scanned automatically, please check it manually.

++
    ++
  • You can use below cli command to check whether the DROP policy of input, output and forward is configured: ++
    $ nft list ruleset
    ++
  • ++
+ +rationale: |- + If the basic chain is not configured with a DROP or REJECT policy, the @@ -1806,10 +2005,10 @@ index 0000000..9a95f50 \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..a1fb377 +index 0000000..a4c1563 --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml -@@ -0,0 +1,21 @@ +@@ -0,0 +1,24 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -1822,22 +2021,25 @@ index 0000000..a1fb377 + corresponding input policy and open the relevant port so that external + clients can access the service through the port. + -+ If not configured, since the default policy is configured as DROP, all -+ external packets trying to access related services will be dropped. -+ +

It can not be scanned automatically, please check it manually.

++
    ++
  • You can use below cli command to check whether the input chain configuration strategy meets business needs: ++
    $ nft list chain inet test input
    ++
  • ++
+ +rationale: |- -+ none. ++ If not configured, since the default policy is configured as DROP, all ++ external packets trying to access related services will be dropped. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..c71aabe +index 0000000..b3ca58a --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml -@@ -0,0 +1,23 @@ +@@ -0,0 +1,28 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -1848,31 +2050,36 @@ index 0000000..c71aabe + The loopback address is a special address on the server, represented by 127.0.0.0/8. It + has nothing to do with the network card. It is mainly used for inter-process communication + on this machine. Packets with the source address 127.0.0.0/8 should not be received from -+ the network card. Such messages should be discarded. If the loopback address policy is -+ set incorrectly, inter-process communication on the local machine may fail, or spoofed -+ packets may be received from the network card. ++ the network card. Such messages should be discarded. + -+ The server needs to set a policy to allow receiving and processing the loopback address -+ packets of the lo interface, but reject the packets received from the network card. ++
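Review bot: The new check `$ nft list chain inet test input` hardcodes a table named `test`, which is neither defined by this rule nor guaranteed to exist on a reviewed host, so the command will typically fail with "No such file or directory" rather than show the input policy. Either use `$ nft list ruleset` as the sibling loopback and default-deny rules in this patch do, or state in the bullet that `test` stands for the site's table name. The output-policy rule further down has the same issue with `$ nft list chain inet test output`. The description for this rule starts outside the hunk.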

The server needs to set a policy to allow receiving and processing the loopback address ++ packets of the lo interface, but reject the packets received from the network card.

+ +

It can not be scanned automatically, please check it manually.

-+ ++
    ++
  • You can use below cli command to check whether the loopback address policy has been configured: ++
    $ nft list ruleset
    ++
  • ++
++ +rationale: |- -+ none. ++ If the loopback address policy is ++ set incorrectly, inter-process communication on the local machine may fail, or spoofed ++ packets may be received from the network card. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..b3a795f +index 0000000..6c4cdc6 --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml -@@ -0,0 +1,22 @@ +@@ -0,0 +1,25 @@ +documentation_complete: true + +prodtype: openeuler2203 + -+title: 'Configure nftables input strategy' ++title: 'Configure nftables output strategy' + +description: |- + There are two main situations when the server sends outbound messages. One @@ -1881,19 +2088,22 @@ index 0000000..b3a795f + the host process externally accesses local services and the local machine + responds arts. + -+ If no output policy is configured, all outgoing packets from the server will -+ be discarded because the default policy is DROP. -+ +

It can not be scanned automatically, please check it manually.

++
    ++
  • You can use below cli command to check whether the policy configured in the output chain meets business needs: ++
    $ nft list chain inet test output
    ++
  • ++
+ +rationale: |- -+ none. ++ If no output policy is configured, all outgoing packets from the server will ++ be discarded because the default policy is DROP. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml new file mode 100644 -index 0000000..ddc0939 +index 0000000..9f37bdf --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml @@ -0,0 +1,22 @@ @@ -1903,7 +2113,7 @@ index 0000000..ddc0939 + +title: 'Verify nftables Enabled' + -+description: '{{{ describe_service_enable(service="docker") }}}' ++description: '{{{ describe_service_enable(service="nftables") }}}' + +rationale: |- + If multiple firewall services are enabled, business @@ -1922,10 +2132,10 @@ index 0000000..ddc0939 \ No newline at end of file diff --git a/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml new file mode 100644 -index 0000000..b5a1142 +index 0000000..175fa9c --- /dev/null +++ b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml -@@ -0,0 +1,25 @@ +@@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -1946,6 +2156,22 @@ index 0000000..b5a1142 + value is correct in all user contexts. + +

It can not be scanned automatically, please check it manually.

++

There are multiple configuration files that can permanently set the LD_LIBRARY_PATH ++ value, which need to be investigated. These files include: /etc/profile, ~/.bashrc, ~/.bash_profile. ++ The latter two files are files in the user's home directory. Each user Yes, be ++ sure not to miss it during inspection.

++
    ++
  • First, Use the grep command to check. In the example, it is found that the LD_LIBRARY_PATH value is set in the /etc/profile file: ++
    ++    $ grep "LD_LIBRARY_PATH" /etc/profile ~/.bashrc ~/.bash_profile
    ++    
    ++
  • ++
  • Check if LD_LIBRARY_PATH value exists in current user context: ++
    ++    $ echo $LD_LIBRARY_PATH
    ++    
    ++
  • ++
+ +rationale: |- + none. @@ -1954,15 +2180,15 @@ index 0000000..b5a1142 \ No newline at end of file diff --git a/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml new file mode 100644 -index 0000000..68adae3 +index 0000000..0d9cfeb --- /dev/null +++ b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml -@@ -0,0 +1,31 @@ +@@ -0,0 +1,44 @@ +documentation_complete: true + +prodtype: openeuler2203 + -+title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly' ++title: 'Ensure the user PATH variable is strictly defined' + +description: |- + The PATH variable under Linux defines the search path for executable files @@ -1984,6 +2210,19 @@ index 0000000..68adae3 + it is correct. + +
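Review bot: The added guidance text in define_ld_lib_path_correctly contains a garbled sentence, `Each user Yes, be sure not to miss it during inspection.`, which should read something like `These files exist per user, so every user's home directory must be inspected.` The first bullet also claims "In the example, it is found that the LD_LIBRARY_PATH value is set in the /etc/profile file" but the `<pre>` block after the grep is empty, so there is no example output to compare against. On openEuler-style systems /etc/profile.d/*.sh and /etc/bashrc are also sourced at login and can set the variable, so they presumably belong in the grep list as well — worth confirming. The description for this rule starts outside the hunk.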

It can not be scanned automatically, please check it manually.

++

Use the echo command to print out the value of PATH in the current user context and check whether it is correct.

++
    ++
  • The PATH value in the openEuler root user context is as follows: ++
    ++    $ echo $PATH
    ++    
    ++
  • ++
  • The PATH value in the openEuler ordinary user test context is as follows: ++
    ++    $ echo $PATH
    ++    
    ++
  • ++
+ +rationale: |- + none. @@ -1992,7 +2231,7 @@ index 0000000..68adae3 \ No newline at end of file diff --git a/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml new file mode 100644 -index 0000000..e4fa75f +index 0000000..a2c3208 --- /dev/null +++ b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml @@ -0,0 +1,34 @@ @@ -2019,10 +2258,10 @@ index 0000000..e4fa75f +
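Review bot: Both bullets in the new PATH check say the value "is as follows" and then show only `$ echo $PATH` with an empty output block, so a reviewer has no reference value and no criterion for what a "strictly defined" PATH means. If the intent matches the usual hardening guidance, state the criteria in the bullet, e.g. `The value must not contain an empty entry or "." (the current directory), and no listed directory may be writable by other users.`; otherwise fill in the expected openEuler default values. The description for this rule starts outside the hunk.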

Check globally writable files(directories "/sys" and "/proc" have been excluded).

+
    +
  • You can use below command to check : -+
    find / -path /proc -prune -o -path /sys -prune -o -type f -perm -0002 -exec ls -lg {} \;
    ++
    $ find / -path /proc -prune -o -path /sys -prune -o -type f -perm -0002 -exec ls -lg {} \;
    +
  • +
  • or: -+
    find / -xdev -type f -perm -0002 -exec ls -lg {} \;
    ++
    $ find / -xdev -type f -perm -0002 -exec ls -lg {} \;
    +
  • +
+ @@ -2031,12 +2270,57 @@ index 0000000..e4fa75f + +severity: low \ No newline at end of file -diff --git a/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml +diff --git a/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml new file mode 100644 -index 0000000..a80fe6a +index 0000000..9a3535e --- /dev/null -+++ b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml -@@ -0,0 +1,28 @@ ++++ b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml +@@ -0,0 +1,38 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that unneeded file system mount is removed' ++ ++description: |- ++ The Linux system supports a variety of file systems, which are ++ loaded into the kernel through ko mode. As a general operating ++ system platform, openEuler will provide various file systems ko, ++ which are stored in the /lib/modules/(kernel version)/kernel/fs/ ++ directory and can be loaded through the insmod/modprobe command. ++ ++

Users should determine which file systems do not need to be supported ++ based on actual scenarios, and prohibit these file systems from being ++ mounted through configuration. These file systems usually include:

++

cramfs、freevxfs、jffs2、hfs、hfsplus、squashfs、udf、vfat、fat、msdos、nfs、ceph、fuse、overlay、xfs

++

It can not be scanned automatically, please check it manually.

++

Use the following command to check the file system mounting status, such as cramfs.

++
    ++
  • First, Check the directory where "ko" is located: ++
    ++    $ modprobe -n -v cramfs | grep -E "(cramfs|install)"
    ++    
    ++
  • ++
  • If there is no echo from the above command, execute the following command. If there is output, it means that the file has been mounted by the system: ++
    ++    $ lsmod | grep cramfs
    ++    
    ++
  • ++
++ ++rationale: |- ++ Disabling mount support for unnecessary file systems can reduce ++ the attack surface and prevent attackers from attacking the system ++ by exploiting vulnerabilities in some uncommon file systems. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml +new file mode 100644 +index 0000000..545a238 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml +@@ -0,0 +1,33 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -2060,23 +2344,28 @@ index 0000000..a80fe6a + of other directories based on the actual scenario. + +
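Review bot: The second check step says that output from `lsmod | grep cramfs` means "the file has been mounted by the system", but lsmod reports whether the kernel module is currently loaded, not whether a file system is mounted, and the first step never says what a compliant result looks like. I'd state the expected results explicitly: `modprobe -n -v cramfs | grep -E "(cramfs|install)"` should show an `install /bin/true` (or `/bin/false`) override, and `lsmod | grep cramfs` should print nothing; any other result means the module can still be loaded. If the intent really is to detect a mounted instance, that is `mount -t cramfs`, so the "mounted" wording should be replaced either way.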

It can not be scanned automatically, please check it manually.

++
    ++
  • Check the sudo configuration file /etc/sudoers: ++
    $ df | grep -iE "/boot|/tmp|/home|/var|/usr"
    ++
  • ++
+ +rationale: |- + none. + +severity: low \ No newline at end of file -diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml +diff --git a/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml new file mode 100644 -index 0000000..86766f1 +index 0000000..c3008b4 --- /dev/null -+++ b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml -@@ -0,0 +1,48 @@ ++++ b/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml +@@ -0,0 +1,47 @@ +documentation_complete: true + +prodtype: openeuler2203 + -+title: 'Partitions that do not need to be mounted are mounted in nodev mode' ++title: 'Mounting in nodev mode does not require mounting the device' + +description: |- + nodev means that device files are not allowed to be mounted, which is used @@ -2095,43 +2384,42 @@ index 0000000..86766f1 + is a maliciously constructed device file on the hard disk or partition, an attack + can be formed. + -+ The following directories are mounted by nodev by default in the openEuler system: -+ -+ /sys、/proc、/sys/kernel/security、/dev/shm、/run、/sys/fs/cgroup、/sys/fs/cgroup/systemd、 ++
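Review bot: The step heading `Check the sudo configuration file /etc/sudoers:` does not match the command under it, `df | grep -iE "/boot|/tmp|/home|/var|/usr"`, which lists mounted partitions; it looks copy-pasted from the sudoers rule. I'd change the heading to `Check whether /boot, /tmp, /home, /var and /usr are mounted on separate partitions:`. The unanchored pattern also matches any mount whose path merely contains those strings, so `df --output=target | grep -E "^/(boot|tmp|home|var|usr)$"` would report only the directories the rule is about.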

The following directories are mounted by nodev by default in the openEuler system:

++

/sys、/proc、/sys/kernel/security、/dev/shm、/run、/sys/fs/cgroup、/sys/fs/cgroup/systemd、 + /sys/fs/pstore、/sys/fs/bpf、/sys/fs/cgroup/files、/sys/fs/cgroup/net_cls,net_prio、 + /sys/fs/cgroup/devices、/sys/fs/cgroup/freezer、/sys/fs/cgroup/cpu,cpuacct、/sys/fs/cgroup/perf_event、 + /sys/fs/cgroup/pids、/sys/fs/cgroup/hugetlb、/sys/fs/cgroup/memory、/sys/fs/cgroup/blkio、 + /sys/fs/cgroup/cpuset、/sys/fs/cgroup/rdma、/sys/kernel/config、/sys/kernel/debug、/dev/mqueue、 -+ /tmp、/run/user/0 -+ -+ openEuler has the following directories (some directories vary depending on hard disk partitions -+ and deployment platforms). These directories are not mounted by nodev by default: -+ -+ /dev、/dev/pts、/、/sys/fs/selinux、/proc/sys/fs/binfmt_misc、/dev/hugepages、/boot、 -+ /var/lib/nfs/rpc_pipefs、/boot/efi、/home -+ -+ In actual scenarios, based on business needs, the nodev method is used to mount partitions -+ that do not require device mounting. -+ -+

It can not be scanned automatically, please check it manually.

++ /tmp、/run/user/0

++

penEuler has the following directories (some directories vary depending on hard disk partitions ++ and deployment platforms). These directories are not mounted by nodev by default:

++

/dev、/dev/pts、/、/sys/fs/selinux、/proc/sys/fs/binfmt_misc、/dev/hugepages、/boot、 ++ /var/lib/nfs/rpc_pipefs、/boot/efi、/home

++

In actual scenarios, based on business needs, the nodev method is used to mount partitions ++ that do not require device mounting.

+ -+ ++

It can not be scanned automatically, please check it manually.

++
    ++
  • Use the mount command to check whether there is a mount point that needs to be set to nodev but has not been set. Analyze the returned data to confirm whether the mount point for which nodev is not set is correct. ++
    $ mount | grep -v "nodev" | awk -F " " '{print $3}'
    ++
  • ++
+rationale: |- -+ none. ++ + +severity: high \ No newline at end of file -diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml +diff --git a/linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml new file mode 100644 -index 0000000..21a7390 +index 0000000..c7900b9 --- /dev/null -+++ b/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml -@@ -0,0 +1,19 @@ ++++ b/linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml +@@ -0,0 +1,23 @@ +documentation_complete: true + +prodtype: openeuler2203 + -+title: 'Make sure to remove unnecessary file system mount support' ++title: 'Mount a partition without executable files in noexec mode' + +description: |- + The data disk is only used to save data during system operation. There @@ -2140,19 +2428,23 @@ index 0000000..21a7390 + and reduce the attack surface. + +
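Review bot: The re-flowed description introduces the typo `penEuler has the following directories` (should be `openEuler`), and the rationale block is now empty (`rationale: |-` followed only by a blank line) where it previously said `none.`. An empty block scalar may not be accepted by the rule schema of the content build — please confirm — and in any case a real rationale is easy to give here: `Mounting partitions with nodev prevents device files placed on them from being used to reach host devices.` The new title `'Mounting in nodev mode does not require mounting the device'` is hard to parse; something like `'Mount partitions that do not need device files with nodev'` keeps the meaning of the previous title.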

It can not be scanned automatically, please check it manually.

++
    ++
  • Use the mount command to check whether the specified mount point directory is mounted in noexec mode: ++
    $ mount | grep "\/root\/noexec" | grep "noexec"
    ++
  • ++
+ +rationale: |- -+ If the hard disk or partition is mounted in noexec mode, the executable -+ file in the mount point directory cannot be run directly. ++ + +severity: high \ No newline at end of file -diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml +diff --git a/linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml new file mode 100644 -index 0000000..ddbe5c6 +index 0000000..16f795d --- /dev/null -+++ b/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml -@@ -0,0 +1,27 @@ ++++ b/linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml +@@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -2169,29 +2461,33 @@ index 0000000..ddbe5c6 + the permissions of the group to which the file belongs. For partitions that do not + need SUID/SGID, use the nosuid method to mount them. This can invalidate the S bit of + files with SUID/SGID in the partition, prevent privilege escalation through the -+ executable files of the partition, and strengthen the security of the partition. -+ -+ Users need to plan each mounted hard drive and partition and set nosuid mounting items -+ based on actual scenarios. ++ executable files of the partition, and strengthen the security of the partition. + ++
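Review bot: The rationale sentence from the previous version (`If the hard disk or partition is mounted in noexec mode, the executable file in the mount point directory cannot be run directly.`) is removed and nothing replaces it, leaving `rationale: |-` with an empty body; the same blanking happens in the nosuid, noexec/nodev and read-only hunks that follow. That sentence is the rationale for this rule, so I would keep it rather than empty the field. The check also hard-codes `mount | grep "\/root\/noexec" | grep "noexec"`; since `/root/noexec` is only an example, the step should say `Replace /root/noexec with the mount point of the data partition being checked.`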

Users need to plan each mounted hard drive and partition and set nosuid mounting items ++ based on actual scenarios.

++ +

It can not be scanned automatically, please check it manually.

++
    ++
  • Check whether the file system is mounted in nosuid mode through the mount command: ++
    $ mount | grep -v "nosuid"
    ++
  • ++
+ +rationale: |- -+ none. -+ ++ +severity: high \ No newline at end of file -diff --git a/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml b/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml +diff --git a/linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml new file mode 100644 -index 0000000..512d8c1 +index 0000000..848fed1 --- /dev/null -+++ b/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml -@@ -0,0 +1,28 @@ ++++ b/linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml +@@ -0,0 +1,29 @@ +documentation_complete: true + +prodtype: openeuler2203 + -+title: 'Make sure to remove unnecessary file system mount support' ++title: 'Make sure the removable partition is mounted in noexec/nodev mode' + +description: |- + Removable devices themselves are uncertain, and their origin, past usage, @@ -2200,28 +2496,29 @@ index 0000000..512d8c1 + Therefore, for removable devices, it is required to mount them in noexec + or nodev mode to improve security and reduce the attack surface. + -+ noexec can prevent files on removable devices from being directly executed, -+ such as virus files, attack scripts, etc.; -+ -+ nodev prevents incorrect device files on removable devices from being linked -+ to real devices on the server, leading to attacks; -+ -+ Common removable devices such as: CD/DVD/USB, etc. -+ ++

noexec can prevent files on removable devices from being directly executed, ++ such as virus files, attack scripts, etc;

++

nodev prevents incorrect device files on removable devices from being linked ++ to real devices on the server, leading to attacks;

++

Common removable devices such as: CD/DVD/USB, etc.

++ +

It can not be scanned automatically, please check it manually.

++
    ++
  • Use the mount command to check whether the specified mount point directory is mounted in noexec or nodev mode: ++
    $ mount | grep "\/dev\/vda"
    ++
  • ++
+ +rationale: |- -+ If a removable device is mounted in noexec mode, the executable file -+ in the mount point directory cannot be run directly. + +severity: high \ No newline at end of file -diff --git a/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml b/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml +diff --git a/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml b/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml new file mode 100644 -index 0000000..b54202f +index 0000000..b63d688 --- /dev/null -+++ b/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml -@@ -0,0 +1,19 @@ ++++ b/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml +@@ -0,0 +1,21 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -2233,53 +2530,19 @@ index 0000000..b54202f + avoid unintentional or malicious data tampering and reduce the attack surface. + +
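Review bot: The check `mount | grep "\/dev\/vda"` uses `/dev/vda`, which is a virtio disk name, so on most systems it will not correspond to a removable CD/DVD/USB device and may instead match the system disk. I'd make the placeholder explicit and check the options column as well: `Replace /dev/vda with the device node of the removable media, then verify that the mount options contain noexec or nodev.`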

It can not be scanned automatically, please check it manually.

++
    ++
  • Use the mount command to check whether the mounted file system meets the requirements: ++
    $ mount | grep "/root/readonly" | grep "\<ro\>"
    ++
  • ++
+ +rationale: |- -+ Once the file system is mounted in read-only mode, files and directories cannot -+ be created, modified, or deleted. Users need to configure it according to the actual -+ scenario. This requirement can be ignored for file mounting necessary for the -+ operation of the operating system. -+ -+severity: high -\ No newline at end of file -diff --git a/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml -new file mode 100644 -index 0000000..8c4eff8 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml -@@ -0,0 +1,29 @@ -+documentation_complete: true -+ -+prodtype: openeuler2203 -+ -+title: 'Make sure to remove unnecessary file system mount support' -+ -+description: |- -+ The Linux system supports a variety of file systems, which are -+ loaded into the kernel through ko mode. As a general operating -+ system platform, openEuler will provide various file systems ko, -+ which are stored in the /lib/modules/(kernel version)/kernel/fs/ -+ directory and can be loaded through the insmod/modprobe command. -+ Disabling mount support for unnecessary file systems can reduce -+ the attack surface and prevent attackers from attacking the system -+ by exploiting vulnerabilities in some uncommon file systems. -+ -+ Users should determine which file systems do not need to be supported -+ based on actual scenarios, and prohibit these file systems from being -+ mounted through configuration. These file systems usually include: -+ -+ cramfs、freevxfs、jffs2、hfs、hfsplus、squashfs、udf、vfat、fat、msdos、nfs、ceph、fuse、overlay、xfs -+ -+

It can not be scanned automatically, please check it manually.

+ + -+rationale: |- -+ The removed file system is no longer supported. -+ +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml -index cd07fd0..ce86997 100644 +index cd07fd0..cd68dad 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml @@ -1,6 +1,6 @@ @@ -2290,12 +2553,18 @@ index cd07fd0..ce86997 100644 title: 'Restrict usage of ptrace to descendant processes' +@@ -33,4 +33,5 @@ template: + vars: + sysctlvar: kernel.yama.ptrace_scope + sysctlval: '1' ++ sysctlval@openeuler2203: '0' + datatype: int diff --git a/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml new file mode 100644 -index 0000000..cb8f534 +index 0000000..dc1881b --- /dev/null +++ b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml -@@ -0,0 +1,28 @@ +@@ -0,0 +1,33 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -2318,7 +2587,12 @@ index 0000000..cb8f534 + configured for the process will not take effect. If it is attacked, + it will have a greater impact on the system. + -+
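Review bot: The added override `sysctlval@openeuler2203: '0'` makes the openEuler profile require `kernel.yama.ptrace_scope = 0`, which is the unrestricted setting (any process may ptrace another process of the same uid), and contradicts the rule's title `Restrict usage of ptrace to descendant processes`, which the upstream value `'1'` implements. If openEuler needs 0 for compatibility, the rule should be left out of that profile rather than inverted; otherwise drop the override so `'1'` applies. As written, a scan would report this rule as passing on a system with no ptrace restriction at all.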

It can not be scanned automatically, please check it manually.

++

It can not be scanned automatically, please check it manually.

++
    ++
  • Run the following command. If the return value is empty, it means that there is no process with the label unconfined_service_t in the current system: ++
    $ ps -eZ | grep unconfined_service_t
    ++
  • ++
+ +rationale: |- + Programs labeled unconfined_service_t are restricted from running. @@ -2327,10 +2601,10 @@ index 0000000..cb8f534 \ No newline at end of file diff --git a/linux_os/guide/system/software/enabled_seccomp/rule.yml b/linux_os/guide/system/software/enabled_seccomp/rule.yml new file mode 100644 -index 0000000..3e68100 +index 0000000..82d0734 --- /dev/null +++ b/linux_os/guide/system/software/enabled_seccomp/rule.yml -@@ -0,0 +1,35 @@ +@@ -0,0 +1,47 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -2355,7 +2629,19 @@ index 0000000..3e68100 + set seccomp rules. + +

It can not be scanned automatically, please check it manually.

-+ ++

Check whether the target process has seccomp mode enabled. Here we take checking the test_seccomp process as an example.

++
    ++
  • First, determine process number: ++
    ++    $ ps -aux | grep "test_seccomp"
    ++    
    ++
  • ++
  • Then,query whether the seccomp function is enabled in the process based on the obtained pid number: ++
    ++    $ cat /proc/[pid]/status | grep "Seccomp"
    ++    
    ++
  • ++
+rationale: |- + seccomp cannot set the opening, closing or rules globally, but is specific to each + process. That is, the process can set and enable seccomp by itself, which affects @@ -2393,10 +2679,10 @@ index f9835af..4fb6a78 100644 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml new file mode 100644 -index 0000000..d2e80fa +index 0000000..bd51174 --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml -@@ -0,0 +1,29 @@ +@@ -0,0 +1,40 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -2419,7 +2705,18 @@ index 0000000..d2e80fa + need to query the check report to determine whether there is malicious tampering. + +
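Review bot: The second step `cat /proc/[pid]/status | grep "Seccomp"` does not say what value indicates that seccomp is enabled. The `Seccomp:` field is 0 when disabled, 1 for strict mode and 2 for filter mode, so I'd add `A value of 1 or 2 means seccomp is enabled for the process; 0 means it is not.` The first step `ps -aux | grep "test_seccomp"` will typically list the grep process itself as well; `pgrep -f test_seccomp` avoids that, and `[pid]` should be marked as a placeholder to replace.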

It can not be scanned automatically, please check it manually.

-+ ++

Check if the loopback address policy has been correctly configured.

++
    ++
  • Check if aide package is installed: ++
    $ aide --version
    ++
  • ++
  • Then,check whether the files or directories that need to be monitored have been configured in the /etc/aide.conf file. The example only shows the /boot directory in the default configuration monitoring directory: ++
    $ grep boot /etc/aide.conf | grep NORMAL
    ++
  • ++
  • Finally,check if the baseline database exists: ++
    $ ls /var/lib/aide/aide.db.gz
    ++
  • ++
+rationale: |- + The more files that need to be checked, the longer the checking process will take. If users + enable aide, they should configure the inspection strategy appropriately based on their own @@ -2429,10 +2726,10 @@ index 0000000..d2e80fa \ No newline at end of file diff --git a/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml new file mode 100644 -index 0000000..426be91 +index 0000000..8437388 --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml -@@ -0,0 +1,47 @@ +@@ -0,0 +1,55 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -2466,7 +2763,15 @@ index 0000000..426be91 + IMA measurement does not support container environments and virtual machine + environments, requires UEFI startup, and does not support Legacy mode. + -+
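Review bot: The sentence `Check if the loopback address policy has been correctly configured.` has nothing to do with AIDE and appears to be copied from another rule; it should read something like `Check that AIDE is installed, configured and has an initialised baseline database.` The third step looks for `/var/lib/aide/aide.db.gz`, but with the default configuration `aide --init` writes `aide.db.new.gz`, which must be renamed before checks use it; the step could say that a present `aide.db.new.gz` with a missing `aide.db.gz` means the baseline was generated but never activated.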

It can not be scanned automatically, please check it manually.

++

Use the following command to check whether the current system has IMA measurement enabled.

++
    ++
  • First, confirm whether integrity=1 is configured in the current kernel startup parameters: ++
    $ cat /proc/cmdline | grep integrity=1
    ++
  • ++
  • Then confirming that IMA is turned on, check the number of measurement records stored in the /sys/kernel/security/ima/runtime_measurement_count file: ++
    $ cat /sys/kernel/security/ima/runtime_measurements_count
    ++
  • ++
+ +rationale: |- + Turning on IMA metrics will cause a slight increase in system startup time and file @@ -2483,10 +2788,10 @@ index 0000000..426be91 \ No newline at end of file diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml new file mode 100644 -index 0000000..788eab7 +index 0000000..cd59e60 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml -@@ -0,0 +1,18 @@ +@@ -0,0 +1,33 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -2501,6 +2806,21 @@ index 0000000..788eab7 + low-privilege users cannot be configured. If low-privilege users are configured, they can be written + by root. script, the user can perform privilege escalation operations by modifying the script. + ++
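Review bot: The step text refers to `/sys/kernel/security/ima/runtime_measurement_count` while the command reads `/sys/kernel/security/ima/runtime_measurements_count`; the command uses the correct name, so the description should be changed to match. The step also does not say what a passing result is; I'd add `A count greater than 0 confirms that measurements are being recorded.` `grep integrity=1` on /proc/cmdline also matches values such as `integrity=10`, so `grep -w integrity=1` is the safer form.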

It can not be scanned automatically, please check it manually.

++

Check related configuration.

++
    ++
  • First, check the sudo configuration file /etc/sudoers: ++
    ++    $ grep "(root)" /etc/sudoers
    ++    
    ++
  • ++
  • Then,check whether privileged programs are writable by low-privileged users: ++
    ++    $ ll /bin/xxx.sh
    ++    
    ++
  • ++
++ +rationale: |- + none. + @@ -2540,10 +2860,10 @@ index 0000000..ea4e9cf \ No newline at end of file diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml new file mode 100644 -index 0000000..ce7e977 +index 0000000..75f55a9 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml -@@ -0,0 +1,20 @@ +@@ -0,0 +1,30 @@ + +prodtype: openeuler2203 + @@ -2560,6 +2880,16 @@ index 0000000..ce7e977 + + openEuler prohibits the use of SysRq keys by default. + ++
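Review bot: The first check only greps `/etc/sudoers`; sudo also reads drop-in files under `/etc/sudoers.d/`, so a `(root)` entry for a low-privilege user placed there would be missed — `grep -r "(root)" /etc/sudoers /etc/sudoers.d/` covers both. The pattern `(root)` also misses `ALL=(ALL)` and `(ALL:ALL)` entries, which grant root just the same, so the step should mention them. The second step uses `ll`, which is a shell alias rather than a command, and `/bin/xxx.sh` is an unlabelled placeholder; write it as `ls -l <path of the program allowed in sudoers>` and state that the file must not be writable by the low-privilege user or their group.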

Check whether the system prohibits the use of the SysRq key:

++
    ++
  • First, check the current system kernel parameter settings. ++
    $ cat /proc/sys/kernel/sysrq
    ++
  • ++
  • Secondly, execute the following command. If the return value is not 0, it means the configuration is incorrect. ++
    $ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*
    ++
  • ++
++ +rationale: |- + SysRq related commands cannot be used in the system. + @@ -2567,15 +2897,15 @@ index 0000000..ce7e977 \ No newline at end of file diff --git a/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml new file mode 100644 -index 0000000..c537c20 +index 0000000..1b92235 --- /dev/null +++ b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml -@@ -0,0 +1,23 @@ +@@ -0,0 +1,35 @@ +documentation_complete: true + +prodtype: openeuler2203 + -+title: 'Make sure to remove unnecessary file system mount support' ++title: 'uninstall debugging tools' + +description: |- + If the business environment contains debugging scripts and tools, they can @@ -2589,7 +2919,19 @@ index 0000000..c537c20 + include: strace, gdb, readelf, perf, etc. + +
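Review bot: The second step says `If the return value is not 0, it means the configuration is incorrect`, but `grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*` prints matching lines and exits with status 1 when nothing matches, so "return value" is ambiguous and a system with no persistent setting at all produces no output. I'd state the expected result directly: `The printed line should be kernel.sysrq = 0; if nothing is printed, the setting is not persisted`, and for the first step `cat /proc/sys/kernel/sysrq should print 0`. sysctl also loads `/usr/lib/sysctl.d/` and `/run/sysctl.d/`, so those directories could be added to the grep to catch distribution defaults.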
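Review bot: The new title `'uninstall debugging tools'` is the only rule title in this patch written in lower case; the sibling rule in the next hunk uses `'Uninstall development and compilation tools'`. I'd capitalize it for consistency: `title: 'Uninstall debugging tools'`.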

It can not be scanned automatically, please check it manually.

-+ ++

Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.

++
    ++
  • First, check whether the relevant rpm package is installed: ++
    ++    $ rpm -qa | grep -iE "^strace-|^gdb-|^perf-|^binutils-extra|^appict|^kmem_analyzer_tools"
    ++    
    ++
  • ++
  • Then,check whether the relevant commands are installed: ++
    ++    $ find / -type f \( -name "gdb" -o -name  "perf" -o -name "strace" -o -name "readelf" \)
    ++    
    ++
  • ++
+rationale: |- + none. + @@ -2597,15 +2939,15 @@ index 0000000..c537c20 \ No newline at end of file diff --git a/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml new file mode 100644 -index 0000000..f3bfd27 +index 0000000..69b0c59 --- /dev/null +++ b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml -@@ -0,0 +1,26 @@ +@@ -0,0 +1,39 @@ +documentation_complete: true + +prodtype: openeuler2203 + -+title: 'Make sure to remove unnecessary file system mount support' ++title: 'Uninstall development and compilation tools' + +description: |- + If the business environment contains compilation tools, they can @@ -2622,6 +2964,19 @@ index 0000000..f3bfd27 + environment can be retained. + +

It can not be scanned automatically, please check it manually.

++

Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.

++
    ++
  • First, check whether the relevant rpm package is installed: ++
    ++    $ rpm -qa | grep -iE "^(gcc-|cpp-|mcpp-|flex-|cmake-|make-|rpm-build-|binutils-extra|elfutils-extra|llvm-|rpcgen-|gcc-c++)"; rpm -qa libtool
    ++    
    ++
  • ++
  • Then,check whether the relevant commands are installed: ++
    ++    $ files=`find / -type f \( -name "gcc" -o -name "g++" -o -name "c++" -o -name  "cpp" -o -name "mcpp" -o -name "flex" -o -name "lex" -o -name  "cmake" -o -name "make" -o -name "rpmbuild" -o  -name "ld" -o -name "ar" -o -name "llc" -o -name "rpcgen" -o -name "libtool" -o -name "javac" -o -name "objdump" -o -name "eu-objdump" -o -name "eu-readelf" -o -name "nm" \) 2> /dev/null`; for f in $files; do if [ -n "$f" ]; then file $f | grep -i "ELF"; fi; done
    ++    
    ++
  • ++
+ +rationale: |- + none. @@ -2629,106 +2984,507 @@ index 0000000..f3bfd27 +severity: high \ No newline at end of file diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile -index de6890c..543712a 100644 +index de6890c..1f4de10 100644 --- a/openeuler2203/profiles/standard.profile 
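Review bot: The intro sentence `Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.` is copied from the debugging-tools rule; this rule is about compilers and build tools, so it should say `development and compilation tools`. The one-line `files=\`find ...\`; for f in $files; do ...` loop is hard to read and, because `$files` is split on whitespace, breaks on paths containing spaces; `find / -type f \( -name "gcc" ... -o -name "nm" \) -exec file {} + 2>/dev/null | grep -i "ELF"` does the same in a single step without the loop.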
+++ b/openeuler2203/profiles/standard.profile -@@ -164,3 +164,96 @@ selections: +@@ -9,158 +9,496 @@ description: |- + + selections: + - package_telnet_removed ++ - package_telnet_removed.severity=high + - package_tftp-server_removed ++ - package_tftp-server_removed.severity=high + - package_tftp_removed ++ - package_tftp_removed.severity=high + - package_net-snmp_removed ++ - package_net-snmp_removed.severity=high + - accounts_no_uid_except_zero ++ - accounts_no_uid_except_zero.severity=high + - file_owner_etc_passwd ++ - file_owner_etc_passwd.severity=high + - file_groupowner_etc_passwd ++ - file_groupowner_etc_passwd.severity=high + - file_permissions_etc_passwd ++ - file_permissions_etc_passwd.severity=high + - file_owner_etc_shadow ++ - file_owner_etc_shadow.severity=high + - file_groupowner_etc_shadow ++ - file_groupowner_etc_shadow.severity=high + - file_permissions_etc_shadow ++ - file_permissions_etc_shadow.severity=high + - file_owner_etc_group ++ - file_owner_etc_group.severity=high + - file_groupowner_etc_group ++ - file_groupowner_etc_group.severity=high + - file_permissions_etc_group ++ - file_permissions_etc_group.severity=high + - file_owner_etc_gshadow ++ - file_owner_etc_gshadow.severity=high + - file_groupowner_etc_gshadow ++ - file_groupowner_etc_gshadow.severity=high + - file_permissions_etc_gshadow ++ - file_permissions_etc_gshadow.severity=high + - accounts_user_interactive_home_directory_exists ++ - accounts_user_interactive_home_directory_exists.severity=high + - gid_passwd_group_same ++ - gid_passwd_group_same.severity=high + - var_password_pam_minlen=8 + - accounts_password_pam_minlen ++ - accounts_password_pam_minlen.severity=high + - accounts_password_pam_minclass ++ - accounts_password_pam_minclass.severity=high + - var_password_pam_ucredit=0 + - accounts_password_pam_ucredit ++ - accounts_password_pam_ucredit.severity=high + - var_password_pam_lcredit=0 + - accounts_password_pam_lcredit ++ - accounts_password_pam_lcredit.severity=high 
+ - var_password_pam_dcredit=0 + - accounts_password_pam_dcredit ++ - accounts_password_pam_dcredit.severity=high + - var_password_pam_ocredit=0 + - accounts_password_pam_ocredit ++ - accounts_password_pam_ocredit.severity=high + - accounts_password_pam_retry ++ - accounts_password_pam_retry.severity=high + - accounts_password_pam_unix_remember ++ - accounts_password_pam_unix_remember.severity=high + - set_password_hashing_algorithm_systemauth ++ - set_password_hashing_algorithm_systemauth.severity=high + - accounts_maximum_age_login_defs +- - var_accounts_minimum_age_login_defs=0 ++ - accounts_maximum_age_login_defs.severity=high ++ - var_accounts_maximum_age_login_defs=90 + - accounts_minimum_age_login_defs ++ - accounts_minimum_age_login_defs.severity=high ++ - var_accounts_minimum_age_login_defs=0 + - accounts_password_warn_age_login_defs ++ - accounts_password_warn_age_login_defs.severity=high + - sshd_disable_empty_passwords ++ - sshd_disable_empty_passwords.severity=high + - grub2_uefi_password ++ - grub2_uefi_password.severity=high + - require_singleuser_auth ++ - require_singleuser_auth.severity=high + - accounts_passwords_pam_faillock_deny ++ - accounts_passwords_pam_faillock_deny.severity=high + - accounts_passwords_pam_faillock_deny_root ++ - accounts_passwords_pam_faillock_deny_root.severity=high + - var_accounts_passwords_pam_faillock_unlock_time=300 + - accounts_passwords_pam_faillock_unlock_time ++ - accounts_passwords_pam_faillock_unlock_time.severity=high + - var_accounts_tmout=5_min + - accounts_tmout ++ - accounts_tmout.severity=high + - sshd_allow_only_protocol2 ++ - sshd_allow_only_protocol2.severity=high + - sshd_disable_rhosts ++ - sshd_disable_rhosts.severity=high + - disable_host_auth ++ - disable_host_auth.severity=high + - configure_ssh_crypto_policy ++ - configure_ssh_crypto_policy.severity=high + - sysctl_kernel_randomize_va_space ++ - sysctl_kernel_randomize_va_space.severity=high + - sysctl_kernel_dmesg_restrict ++ - 
sysctl_kernel_dmesg_restrict.severity=high
+ - sysctl_kernel_kptr_restrict
++ - sysctl_kernel_kptr_restrict.severity=high
+ - no_files_unowned_by_user
++ - no_files_unowned_by_user.severity=high
+ - file_permissions_ungroupowned
++ - file_permissions_ungroupowned.severity=high
+ - dir_perms_world_writable_sticky_bits
++ - dir_perms_world_writable_sticky_bits.severity=high
+ - var_accounts_user_umask=077
+ - accounts_umask_etc_bashrc
++ - accounts_umask_etc_bashrc.severity=high
+ - service_auditd_enabled
++ - service_auditd_enabled.severity=high
+ - auditd_data_retention_max_log_file_action
++ - auditd_data_retention_max_log_file_action.severity=high
+ - auditd_data_retention_num_logs
++ - auditd_data_retention_num_logs.severity=high
+ - service_rsyslog_enabled
++ - service_rsyslog_enabled.severity=high
+ - package_python2_removed
++ - package_python2_removed.severity=high
+ - ensure_gpgcheck_never_disabled
++ - ensure_gpgcheck_never_disabled.severity=high
+ - login_accounts_are_necessary
++ - login_accounts_are_necessary.severity=high
+ - accounts_are_necessary
++ - accounts_are_necessary.severity=high
+ - group_unique_id
++ - group_unique_id.severity=high
+ - account_unique_id
++ - account_unique_id.severity=high
+ - account_unique_group_id
++ - account_unique_group_id.severity=high
+ - account_unique_name
++ - account_unique_name.severity=high
+ - group_unique_name
++ - group_unique_name.severity=high
+ - accounts_password_pam_dictcheck
++ - accounts_password_pam_dictcheck.severity=high
+ - verify_owner_password
++ - verify_owner_password.severity=high
+ - no_name_contained_in_password
++ - no_name_contained_in_password.severity=high
+ - sshd_strong_kex=standard_openeuler2203
+ - sshd_use_strong_kex
++ - sshd_use_strong_kex.severity=high
+ - sshd_use_strong_pubkey
++ - sshd_use_strong_pubkey.severity=high
+ - sshd_enable_pam
++ - sshd_enable_pam.severity=high
+ - sshd_use_strong_macs
++ - sshd_use_strong_macs.severity=high
+ - sshd_use_strong_ciphers
++ - sshd_use_strong_ciphers.severity=high
+ - grub2_nosmap_argument_absent
++ - grub2_nosmap_argument_absent.severity=high
+ - grub2_nosmep_argument_absent
++ - grub2_nosmep_argument_absent.severity=high
+ - package_ftp_removed
++ - package_ftp_removed.severity=high
+ - no_empty_symlink_files
++ - no_empty_symlink_files.severity=high
+ - no_hide_exec_files
++ - no_hide_exec_files.severity=high
+ - no_lowprivilege_users_writeable_cmds_in_crontab_file
++ - no_lowprivilege_users_writeable_cmds_in_crontab_file.severity=high
+ - service_debug-shell_disabled
++ - service_debug-shell_disabled.severity=high
+ - service_avahi-daemon_disabled
++ - service_avahi-daemon_disabled.severity=high
+ - package_openldap-servers_removed
++ - package_openldap-servers_removed.severity=high
+ - service_cups_disabled
++ - service_cups_disabled.severity=high
+ - package_ypserv_removed
++ - package_ypserv_removed.severity=high
+ - package_ypbind_removed
++ - package_ypbind_removed.severity=high
+ - account_temp_expire_date
++ - account_temp_expire_date.severity=low
+ - no_netrc_files
++ - no_netrc_files.severity=low
+ - service_chronyd_or_ntpd_enabled
++ - service_chronyd_or_ntpd_enabled.severity=low
+ - chronyd_or_ntpd_specify_remote_server
++ - chronyd_or_ntpd_specify_remote_server.severity=low
+ - kernel_module_sctp_disabled
++ - kernel_module_sctp_disabled.severity=low
+ - kernel_module_tipc_disabled
++ - kernel_module_tipc_disabled.severity=low
+ - sshd_set_loglevel_verbose
++ - sshd_set_loglevel_verbose.severity=low
+ - sshd_set_max_auth_tries
++ - sshd_set_max_auth_tries.severity=low
+ - sshd_max_auth_tries_value=3
+ - sshd_do_not_permit_user_env
++ - sshd_do_not_permit_user_env.severity=high
+ - sshd_disable_user_known_hosts_ex
++ - sshd_disable_user_known_hosts_ex.severity=high
+ - sshd_disable_rhosts_rsa
++ - sshd_disable_rhosts_rsa.severity=high
+ - service_firewalld_enabled
++ - service_firewalld_enabled.severity=low
+ - set_firewalld_default_zone
++ - set_firewalld_default_zone.severity=low
+ - disable_unnecessary_service_and_ports
++ - disable_unnecessary_service_and_ports.severity=low
+ - service_iptables_enabled
++ - service_iptables_enabled.severity=low
+ - service_ip6tables_enabled
++ - service_ip6tables_enabled.severity=low
+ - set_iptables_default_rule
++ - set_iptables_default_rule.severity=low
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high
+ - sysctl_net_ipv4_conf_all_accept_redirects
++ - sysctl_net_ipv4_conf_all_accept_redirects.severity=high
+ - sysctl_net_ipv6_conf_all_accept_redirects
++ - sysctl_net_ipv6_conf_all_accept_redirects.severity=high
+ - sysctl_net_ipv4_conf_all_secure_redirects
++ - sysctl_net_ipv4_conf_all_secure_redirects.severity=high
+ - sysctl_net_ipv4_conf_default_secure_redirects
++ - sysctl_net_ipv4_conf_default_secure_redirects.severity=high
+ - sysctl_net_ipv4_conf_all_send_redirects
++ - sysctl_net_ipv4_conf_all_send_redirects.severity=high
+ - sysctl_net_ipv4_conf_default_send_redirects
++ - sysctl_net_ipv4_conf_default_send_redirects.severity=high
+ - sysctl_net_ipv4_conf_all_rp_filter
++ - sysctl_net_ipv4_conf_all_rp_filter.severity=high
+ - sysctl_net_ipv4_ip_forward
++ - sysctl_net_ipv4_ip_forward.severity=high
+ - sysctl_net_ipv6_conf_all_forwarding
++ - sysctl_net_ipv6_conf_all_forwarding.severity=high
+ - sysctl_net_ipv4_conf_all_accept_source_route
++ - sysctl_net_ipv4_conf_all_accept_source_route.severity=high
+ - sysctl_net_ipv6_conf_all_accept_source_route
++ - sysctl_net_ipv6_conf_all_accept_source_route.severity=high
+ - sysctl_net_ipv4_tcp_syncookies
++ - sysctl_net_ipv4_tcp_syncookies.severity=high
+ - sysctl_net_ipv4_conf_all_log_martians
++ - sysctl_net_ipv4_conf_all_log_martians.severity=low
+ - sysctl_net_ipv4_conf_default_log_martians
++ - sysctl_net_ipv4_conf_default_log_martians.severity=low
+ - sysctl_fs_suid_dumpable
++ - sysctl_fs_suid_dumpable.severity=high
+ - selinux_state
++ - selinux_state.severity=low
+ - selinux_policytype
++ - selinux_policytype.severity=low
+ - sysctl_fs_protected_symlinks
++ - sysctl_fs_protected_symlinks.severity=high
+ - sysctl_fs_protected_hardlinks
++ - sysctl_fs_protected_hardlinks.severity=high
+ - kernel_module_usb-storage_disabled
++ - kernel_module_usb-storage_disabled.severity=low
+ - service_crond_enabled
++ - service_crond_enabled.severity=high
+ - cron_and_at_config
++ - cron_and_at_config.severity=high
+ - audit_rules_login_events
++ - audit_rules_login_events.severity=low
+ - audit_rules_usergroup_modification_group
++ - audit_rules_usergroup_modification_group.severity=low
+ - audit_rules_usergroup_modification_gshadow
++ - audit_rules_usergroup_modification_gshadow.severity=low
+ - audit_rules_usergroup_modification_opasswd
++ - audit_rules_usergroup_modification_opasswd.severity=low
+ - audit_rules_usergroup_modification_passwd
++ - audit_rules_usergroup_modification_passwd.severity=low
+ - audit_rules_usergroup_modification_shadow
++ - audit_rules_usergroup_modification_shadow.severity=low
+ - audit_rules_kernel_module_install_and_remove
++ - audit_rules_kernel_module_install_and_remove.severity=low
+ - rsyslog_cron_logging
++ - rsyslog_cron_logging.severity=high
+ - ensure_minimum_permission
++ - ensure_minimum_permission.severity=high
+ - opened_files_count_limited
++ - opened_files_count_limited.severity=high
+ - sysctl_net_ipv4_tcp_timestamps
++ - sysctl_net_ipv4_tcp_timestamps.severity=low
+ - sysctl_net_ipv4_tcp_fin_timeout
++ - sysctl_net_ipv4_tcp_fin_timeout.severity=high
+ - sysctl_net_ipv4_tcp_max_syn_backlog
++ - sysctl_net_ipv4_tcp_max_syn_backlog.severity=low
+ - sysctl_net_ipv4_disable_arp_proxy
++ - sysctl_net_ipv4_disable_arp_proxy.severity=high
+ - sysctl_net_ipv4_icmp_echo_ignore_all
++ - sysctl_net_ipv4_icmp_echo_ignore_all.severity=low
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses.severity=high
+ - su_only_for_wheel
++ - su_only_for_wheel.severity=high
+ - sudo_not_for_all_users
++ - sudo_not_for_all_users.severity=high
+ - only_root_can_run_pkexec
++ - only_root_can_run_pkexec.severity=high
+ - su_always_set_path
++ - su_always_set_path.severity=high
- file_permissions_unauthorized_world_writable
++ - file_permissions_unauthorized_world_writable.severity=low
- file_permissions_unauthorized_suid
++ - file_permissions_unauthorized_suid.severity=high
- file_permissions_unauthorized_sgid
++ - file_permissions_unauthorized_sgid.severity=high
+ - network_sniffing_tools
++ - network_sniffing_tools.severity=high
+ - service_rsyncd_disabled
++ - service_rsyncd_disabled.severity=high
+ - package_openldap-clients_removed
++ - package_openldap-clients_removed.severity=high
+ - no_forward_files
++ - no_forward_files.severity=low
+ - sshd_configure_correct_interface
++ - sshd_configure_correct_interface.severity=low
+ - sshd_concurrent_unauthenticated_connections
++ - sshd_concurrent_unauthenticated_connections.severity=low
+ - sshd_configure_concurrent_sessions
++ - sshd_configure_concurrent_sessions.severity=low
+ - sshd_disable_x11_forwarding
++ - sshd_disable_x11_forwarding.severity=high
+ - sshd_configure_correct_LoginGraceTime
++ - sshd_configure_correct_LoginGraceTime.severity=low
+ - sshd_disable_AllowTcpForwardindg
++ - sshd_disable_AllowTcpForwardindg.severity=high
+ - sshd_prohibit_preset_authorized_keys
++ - sshd_prohibit_preset_authorized_keys.severity=high
+ - network_interface_binding_corrently
++ - network_interface_binding_corrently.severity=low
+ - iptables_loopback_policy_configured_corrently
++ - iptables_loopback_policy_configured_corrently.severity=low
+ - iptables_input_policy_configured_corrently
++ - iptables_input_policy_configured_corrently.severity=low
+ - iptables_output_policy_configured_corrently
++ - iptables_output_policy_configured_corrently.severity=low
+ - iptables_association_policy_configured_corrently
++ - iptables_association_policy_configured_corrently.severity=low
+ - service_nftables_enabled
++ - service_nftables_enabled.severity=low
+ - nftables_configure_default_deny_policy
++ - nftables_configure_default_deny_policy.severity=low
+ - nftables_loopback_policy_configured_corrently
++ - nftables_loopback_policy_configured_corrently.severity=low
+ - nftables_input_policy_configured_corrently
++ - nftables_input_policy_configured_corrently.severity=low
+ - nftables_output_policy_configured_corrently
++ - nftables_output_policy_configured_corrently.severity=low
+ - nftables_association_policy_configured_corrently
++ - nftables_association_policy_configured_corrently.severity=low
+ - sudoers_disable_low_privileged_configure
++ - sudoers_disable_low_privileged_configure.severity=high
+ - no_files_globally_writable_files
++ - no_files_globally_writable_files.severity=high
+ - removed_unnecessary_file_mount_support
++ - removed_unnecessary_file_mount_support.severity=high
+ - read_only_partitions_no_modified
++ - read_only_partitions_no_modified.severity=high
+ - partitions_mounted_nodev_mode
++ - partitions_mounted_nodev_mode.severity=high
+ - partitions_mounted_noexec_mode
++ - partitions_mounted_noexec_mode.severity=high
+ - partitoin_mounted_noexec_or_nodev
++ - partitoin_mounted_noexec_or_nodev.severity=high
+ - partitions_mounted_nosuid_mode
++ - partitions_mounted_nosuid_mode.severity=high
+ - audit_privilege_escalation_command
-+ - audit_rule_admin_privilege
++ - audit_privilege_escalation_command.severity=low
++ - audit_rules_admin_privilege
++ - audit_rules_admin_privilege.severity=low
+ - recorded_authentication_related_event
++ - recorded_authentication_related_event.severity=high
+ - rsyslog_files_permissions
++ - rsyslog_files_permissions.severity=low
++ - partitions_manage_hard_drive_data
++ - partitions_manage_hard_drive_data.severity=low
+ - uninstall_debugging_tools
++ - uninstall_debugging_tools.severity=high
+ - uninstall_development_and_compliation_tools
++ - uninstall_development_and_compliation_tools.severity=high
+ - package_xorg-x11-server-common_removed
++ - package_xorg-x11-server-common_removed.severity=high
+ - package_httpd_removed
++ - package_httpd_removed.severity=low
+ - service_smb_disabled
++ - service_smb_disabled.severity=low
+ - service_named_disabled
++ - service_named_disabled.severity=high
+ - service_nfs-server_disabled
++ - service_nfs-server_disabled.severity=low
+ - service_rpcbind_disabled
++ - service_rpcbind_disabled.severity=low
+ - service_dhcpd_disabled
++ - service_dhcpd_disabled.severity=low
+ - configure_first_logging_change_password
++ - configure_first_logging_change_password.severity=high
+ - sshd_disable_root_login
++ - sshd_disable_root_login.severity=high
++ - warning_banners_contain_reasonable_information
++ - warning_banners_contain_reasonable_information.severity=high
+ - diasable_root_accessing_system
++ - diasable_root_accessing_system.severity=low
+ - wireless_disable_interfaces
++ - wireless_disable_interfaces.severity=low
+ - sshd_enable_warning_banner
++ - sshd_enable_warning_banner.severity=low
+ - disabled_SysRq
++ - disabled_SysRq.severity=high
+ - sysctl_kernel_yama_ptrace_scope
++ - sysctl_kernel_yama_ptrace_scope.severity=low
+ - disabled_unconfined_service_t_programs
++ - disabled_unconfined_service_t_programs.severity=low
+ - enabled_seccomp
++ - enabled_seccomp.severity=low
+ - define_ld_lib_path_correctly
++ - define_ld_lib_path_correctly.severity=high
+ - define_path_strictly
++ - define_path_strictly.severity=low
+ - grub2_audit_argument
++ - grub2_audit_argument.severity=low
+ - grub2_audit_backlog_limit_argument
++ - grub2_audit_backlog_limit_argument.severity=low
+ - audit_rules_immutable
++ - audit_rules_immutable.severity=low
+ - auditd_data_retention_max_log_file
++ - auditd_data_retention_max_log_file.severity=high
+ - auditd_data_retention_max_log_file_action
++ - auditd_data_retention_max_log_file_action.severity=high
+ - auditd_data_retention_space_left
++ - auditd_data_retention_space_left.severity=low
+ - auditd_data_retention_space_left_action
++ - auditd_data_retention_space_left_action.severity=low
+ - auditd_data_retention_admin_space_left
++ - auditd_data_retention_admin_space_left.severity=low
+ - auditd_data_retention_admin_space_left_action
++ - auditd_data_retention_admin_space_left_action.severity=low
+ - auditd_data_disk_error_action
++ - auditd_data_disk_error_action.severity=low
+ - auditd_data_disk_full_action
++ - auditd_data_disk_full_action.severity=low
+ - audit_rules_sysadmin_actions
++ - audit_rules_sysadmin_actions.severity=low
+ - audit_rules_session_events
++ - audit_rules_session_events.severity=low
+ - audit_rules_time_adjtimex
++ - audit_rules_time_adjtimex.severity=low
+ - audit_rules_time_clock_settime
++ - audit_rules_time_clock_settime.severity=low
+ - audit_rules_time_settimeofday
++ - audit_rules_time_settimeofday.severity=low
+ - audit_rules_time_stime
++ - audit_rules_time_stime.severity=low
+ - audit_rules_time_watch_localtime
++ - audit_rules_time_watch_localtime.severity=low
+ - audit_rules_mac_modification
++ - audit_rules_mac_modification.severity=low
+ - audit_rules_networkconfig_modification
++ - audit_rules_networkconfig_modification.severity=low
+ - audit_rules_successful_file_modification
++ - audit_rules_successful_file_modification.severity=low
+ - audit_rules_unsuccessful_file_modification_open
++ - audit_rules_unsuccessful_file_modification_open.severity=low
+ - audit_rules_unsuccessful_file_modification_ftruncate
++ - audit_rules_unsuccessful_file_modification_ftruncate.severity=low
+ - audit_rules_unsuccessful_file_modification_creat
++ - audit_rules_unsuccessful_file_modification_creat.severity=low
+ - audit_rules_unsuccessful_file_modification_openat
++ - audit_rules_unsuccessful_file_modification_openat.severity=low
+ - audit_rules_file_deletion_events_rename
++ - audit_rules_file_deletion_events_rename.severity=low
+ - audit_rules_file_deletion_events_renameat
++ - audit_rules_file_deletion_events_renameat.severity=low
+ - audit_rules_file_deletion_events_unlink
++ - audit_rules_file_deletion_events_unlink.severity=low
+ - audit_rules_file_deletion_events_unlinkat
++ - audit_rules_file_deletion_events_unlinkat.severity=low
+ - audit_rules_media_export
++ - audit_rules_media_export.severity=low
+ - configure_service_logging
++ - configure_service_logging.severity=low
+ - configure_dump_journald_log
++ - configure_dump_journald_log.severity=high
+ - configure_rsyslog_log_rotate
++ - configure_rsyslog_log_rotate.severity=high
+ - rsyslog_remote_loghost
++ - rsyslog_remote_loghost.severity=low
+ - rsyslog_accept_remote_messages_tcp
++ - rsyslog_accept_remote_messages_tcp.severity=low
+ - rsyslog_accept_remote_messages_udp
++ - rsyslog_accept_remote_messages_udp.severity=low
++ - ima_verification
++ - ima_verification.severity=low
+ - enable_aide_detection
++ - enable_aide_detection.severity=low
+ - service_haveged_enabled
++ - service_haveged_enabled.severity=low
+ - configure_crypto_policy
++ - configure_crypto_policy.severity=low
--
2.42.0.windows.2
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 13c82a4f8b29e379547df68f423bcc51546231e5..6867da03a54ffd7637e4f453386538f679d1f8f4 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,6 +1,6 @@
Name: scap-security-guide
Version: 0.1.49
-Release: 9
+Release: 10
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
@@ -15,7 +15,7 @@ Patch0006:init-openEuler-ssg-project.patch Patch0007:enable-76-rules-for-openEuler.patch Patch0008:enable-54-rules-for-openEuler.patch Patch0009:add-15-rules-for-openeuler.patch -Patch0010:add-80-rules-for-openeuler.patch +Patch0010:optimize-80-rules-for-openEuler.patch BuildArch: noarch BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML @@ -70,6 +70,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Fri Dec 8 2023 wangqingsan - 0.1.49-10 +- enable 80 rules for openEuler + * Fri Nov 17 2023 wangqingsan - 0.1.49-9 - enable 80 rules for openEuler