From a33b06c2af78224f12ef9cad0b9c7370961c7a16 Mon Sep 17 00:00:00 2001 From: qsw33 Date: Fri, 22 Dec 2023 16:58:10 +0800 Subject: [PATCH] Improve the code --- optimize-80-rules-for-openEuler.patch | 1681 ++++++++++++++++++++++++- scap-security-guide.spec | 5 +- 2 files changed, 1663 insertions(+), 23 deletions(-) diff --git a/optimize-80-rules-for-openEuler.patch b/optimize-80-rules-for-openEuler.patch index 9957fa0..a9b4e20 100644 --- a/optimize-80-rules-for-openEuler.patch +++ b/optimize-80-rules-for-openEuler.patch @@ -1,4 +1,4 @@ -From a7932d8cba91edbc359c520cd67361b3bb6680aa Mon Sep 17 00:00:00 2001 +From 1c41f3fe392f3e57459d2d54be0fda862ab06d69 Mon Sep 17 00:00:00 2001 From: qsw333 Date: Thu, 16 Nov 2023 13:50:38 +0800 Subject: [PATCH] second @@ -11,8 +11,10 @@ Subject: [PATCH] second .../package_openldap-clients_removed/rule.yml | 23 ++ .../service_rpcbind_disabled/rule.yml | 2 +- .../service_nfs-server_disabled/rule.yml | 33 ++ + .../rule.yml | 2 +- + .../ntpd_service_configure_correctly/rule.yml | 51 +++ linux_os/guide/services/rsync/group.yml | 9 + - .../rsync/service_rsyncd_disabled/rule.yml | 20 ++ + .../rsync/service_rsyncd_disabled/rule.yml | 20 + .../service_smb_disabled/rule.yml | 2 +- .../oval/shared.xml | 25 ++ .../rule.yml | 23 ++ 
@@ -26,24 +28,54 @@ Subject: [PATCH] second .../sshd_disable_AllowTcpForwardindg/rule.yml | 28 ++ .../oval/shared.xml | 25 ++ .../sshd_disable_x11_forwarding/rule.yml | 23 ++ + .../sshd_enable_warning_banner/rule.yml | 1 + .../oval/shared.xml | 54 +++ .../rule.yml | 25 ++ .../uninstall_software_service/group.yml | 5 + .../network_sniffing_tools/rule.yml | 24 ++ .../rule.yml | 2 +- - .../no_forward_files/oval/shared.xml | 20 ++ + .../oval/shared.xml | 53 ++- + .../oval/shared.xml | 50 +++ + .../no_forward_files/oval/shared.xml | 20 + .../no_forward_files/rule.yml | 31 ++ + .../accounts_tmout/oval/shared.xml | 2 +- + .../accounts_umask_etc_bashrc/oval/shared.xml | 38 ++ .../rule.yml | 31 ++ .../rule.yml | 2 +- + .../rule.yml | 3 +- + .../rule.yml | 5 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 1 - + .../rule.yml | 1 - + .../rule.yml | 2 +- + .../rule.yml | 1 - + .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 39 ++ - .../oval/shared.xml | 44 +++ + .../oval/shared.xml | 89 +++++ .../audit_rules_admin_privilege/rule.yml | 28 ++ + .../oval/shared.xml | 35 ++ + .../audit_rules_media_export/oval/shared.xml | 61 +++ + .../oval/shared.xml | 124 +++++-- + .../oval/shared.xml | 65 ++++ + .../oval/shared.xml | 18 + + .../oval/shared.xml | 18 + .../oval/shared.xml | 25 ++ .../rule.yml | 56 +++ + .../oval/shared.xml | 17 + + .../oval/shared.xml | 19 +- .../auditd_data_retention_space_left/rule.yml | 2 +- + .../oval/shared.xml | 18 + .../auditing/grub2_audit_argument/rule.yml | 2 +- .../rule.yml | 2 +- .../oval/shared.xml | 25 ++ 
@@ -63,6 +95,7 @@ Subject: [PATCH] second .../rule.yml | 27 ++ .../rule.yml | 36 ++ .../rule.yml | 28 ++ + .../configure_ipatbles_rule_refuse/rule.yml | 27 ++ .../wireless_disable_interfaces/rule.yml | 2 +- .../rule.yml | 26 ++ .../system/network/network_nftables/group.yml | 12 + @@ -87,18 +120,23 @@ Subject: [PATCH] second .../system/software/enabled_seccomp/rule.yml | 47 +++ .../crypto/configure_crypto_policy/rule.yml | 2 +- .../aide/aide_build_database/oval/shared.xml | 1 + - .../aide/enable_aide_detection/rule.yml | 40 +++ + .../aide/enable_aide_detection/rule.yml | 40 ++ .../ima_verification/rule.yml | 55 +++ .../rule.yml | 33 ++ .../disabled_SysRq/oval/shared.xml | 25 ++ .../system-tools/disabled_SysRq/rule.yml | 30 ++ .../uninstall_debugging_tools/rule.yml | 35 ++ .../rule.yml | 39 ++ - openeuler2203/profiles/standard.profile | 340 +++++++++++++++++- - 91 files changed, 2443 insertions(+), 17 deletions(-) + openeuler2203/profiles/standard.profile | 346 +++++++++++++++++- + ...late_OVAL_audit_rules_file_deletion_events | 109 ++++-- + ...audit_rules_unsuccessful_file_modification | 167 +++++++-- + .../template_OVAL_grub2_bootloader_argument | 47 +++ + .../templates/template_OVAL_service_enabled | 7 + + 128 files changed, 3356 insertions(+), 126 deletions(-) create mode 100644 linux_os/guide/services/base/service_haveged_enabled/rule.yml create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml create mode 100644 linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml + create mode 100644 linux_os/guide/services/ntp/ntpd_service_configure_correctly/rule.yml create mode 100644 linux_os/guide/services/rsync/group.yml create mode 100644 linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml 
@@ -138,6 +176,7 @@ Subject: [PATCH] second create mode 100644 linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/configure_ipatbles_rule_refuse/rule.yml create mode 100644 linux_os/guide/system/network/network_interface_binding_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/group.yml create mode 100644 linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml @@ -321,6 +360,76 @@ index 0000000..32a4889 + vars: + servicename: nfs-server + packagename: nfs-utils +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +index 1381b06..437d72a 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 ++prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 + + title: 'Specify a Remote NTP Server' + +diff --git a/linux_os/guide/services/ntp/ntpd_service_configure_correctly/rule.yml b/linux_os/guide/services/ntp/ntpd_service_configure_correctly/rule.yml +new file mode 100644 +index 0000000..c354f5b +--- /dev/null ++++ b/linux_os/guide/services/ntp/ntpd_service_configure_correctly/rule.yml +@@ -0,0 +1,51 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Correctly configure the ntpd service' ++ ++description: |- ++

In a cluster scenario, it is critical that the server time is accurate and ++ consistent. For example, when the time is inconsistent, the data generated ++ between different servers may produce inaccurate results when sorted or ++ compared based on time.

++ ++

If a Linux server has been running for a long time, time errors will occur. ++ Therefore, even if we use the date command to configure all server times to ++ be consistent initially, as time goes by, the server time will still be ++ inaccurate and inconsistent. Therefore, in order to ensure that the time of ++ all machines in the environment is synchronized and accurate, there must be ++ a time server that can be synchronized, and other servers in the network ++ will synchronize time to this server.

++ ++

It can not be scanned automatically, please check it manually.

++

Check ntpd configure use below command.

++ ++rationale: |- ++

When using the ntpd service to achieve time synchronization, if the ntpd ++ service is not configured correctly, the server time may be inaccurate, ++ resulting in inconsistent times between different servers.

++ ++

When the server time is inaccurate, there will be big problems for time-sensitive ++ data such as finance and orders. For example, time inaccuracies may cause a ++ piece of accounting data to fall into the wrong financial period, resulting in ++ an uneven balance sheet at the end of the period.

++ ++

When the time between servers is inconsistent, there will be a deviation ++ in the time of the packets generated by each host. If there is a certain ++ processing order of data flows between multiple servers, and the server time ++ of the latter link is less than the time of the previous server, it may cause ++ The received packet is discarded because the time is greater than the local ++ time.

++ ++severity: low +\ No newline at end of file diff --git a/linux_os/guide/services/rsync/group.yml b/linux_os/guide/services/rsync/group.yml new file mode 100644 index 0000000..0482394 @@ -761,9 +870,18 @@ index 0000000..c301259 + +severity: high \ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +index f32287f..5ebb89d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +@@ -52,3 +52,4 @@ template: + parameter: Banner + rule_id: sshd_enable_warning_banner + value: /etc/issue ++ value@openeuler2203: /etc/issue.net diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml new file mode 100644 -index 0000000..e451290 +index 0000000..2939bf9 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml @@ -0,0 +1,54 @@ @@ -776,7 +894,7 @@ index 0000000..e451290 + + Prohibit SSH service shuold setting authorized_Keys + -+ ++ + + + @@ -807,14 +925,14 @@ index 0000000..e451290 + + + -+ /root ++ /root/.* + authorized_keys + .* + 1 + + + -+ /home ++ /home/.* + authorized_keys + .* + 1 
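Review bot: The description of the new ntpd_service_configure_correctly rule ends with "Check ntpd configure use below command.", but no command or expected output is visible after that sentence on this page, so confirm the rule text actually carries it. The same hunk removes openeuler2203 from the prodtype of chronyd_or_ntpd_specify_remote_server, which appears to leave openEuler with only this manual item for time synchronisation; if that is intended, state it in the description. The rationale could also say that unsynchronised clocks make audit and authentication logs hard to correlate across hosts, e.g. `Inconsistent time also prevents audit records from different hosts being ordered reliably.`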
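Review bot: The path values change from `/root` to `/root/.*` and from `/home` to `/home/.*` without anchors, so if they are evaluated as pattern matches (the element attributes are not visible on this page) any directory whose path merely contains `/root/` or `/home/` is scanned too. Writing them as `^/root/.*$` and `^/home/.*$` would agree with the `^/home/.*$` form this patch uses in the accounts_umask_etc_bashrc check. Accounts whose home directory lies outside /home are still not covered by either object, which is worth a comment in the rule.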
@@ -908,6 +1026,165 @@ index 84a64db..625f15d 100644 title: 'Remove the X Windows Package Group' +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml +index 0139186..42c587f 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml +@@ -7,6 +7,14 @@ + + The number of allowed failed logins should be set correctly. + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ {{% else %}} + + +@@ -31,6 +39,7 @@ + + + ++ {{% endif %}} + + + + {{% if product in ["openeuler2203"] %}} +- [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*audit[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] ++ ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authsucc\s+audit\s+deny=[0-3]*.*$ + {{% else %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + {{% endif %}} +@@ -184,7 +193,7 @@ + + {{% if product in ["openeuler2203"] %}} +- [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*audit[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] ++ ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authsucc\s+audit\s+deny=[0-3]*.*$ + {{% else %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + {{% endif %}} +@@ -223,4 +232,44 @@ + 1 + + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/pam.d/system-auth ++ 
^\s*auth\s+(?:(?:required))\s+pam_faillock.so\s+.*deny=[0-3].*$ ++ 1 ++ ++ ++ ++ /etc/pam.d/system-auth ++ ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+.*deny=[0-3].*$ ++ 1 ++ ++ ++ ++ /etc/pam.d/password-auth ++ ^\s*auth\s+(?:(?:required))\s+pam_faillock.so\s+.*deny=[0-3].*$ ++ 1 ++ ++ ++ ++ /etc/pam.d/password-auth ++ ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+.*deny=[0-3].*$ ++ 1 ++ ++ + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml +index 13bbae4..4a7b660 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml +@@ -1,9 +1,22 @@ + + + {{{ oval_metadata("Check dictcheck in pwquality") }}} ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% else %}} + + + ++ {{% endif %}} + + + + + ++ ++ ++ ++ ++ ++ /etc/pam\.d/system-auth ++ [\s]*password[\s]*requisite[\s]* pam_pwquality\.so[\s]*.* ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/pam\.d/system-auth ++ [\s]*password[\s]*requisite[\s]* pam_pwquality\.so[\s]*.*dictcheck[\s]*=[\s]*0.* ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/pam\.d/password-auth ++ [\s]*password[\s]*requisite[\s]* pam_pwquality\.so[\s]*.* ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/pam\.d/password-auth ++ [\s]*password[\s]*requisite[\s]* pam_pwquality\.so[\s]*.*dictcheck[\s]*=[\s]*0.* ++ 1 ++ ++ + 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml new file mode 100644 index 0000000..eab54dd @@ -973,6 +1250,78 @@ index 0000000..92ca05a + +severity: low \ No newline at end of file +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml +index bcb50bd..d80e762 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml +@@ -36,7 +36,7 @@ + {{% if filepath %}} + {{{ filepath }}} + {{% endif %}} +- ^[\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$ ++ [\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$ + 1 + + {{% endmacro %}} +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml +index 9bbd226..0bd0ac1 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml +@@ -10,11 +10,21 @@ + + The default umask for users of the bash shell + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ {{% else %}} + + + + ++ {{% endif %}} + + + + + ++ ++ ++ ++ ++ /etc/bashrc ++ [\s]*umask[\s]*0077[\s]* ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/home/.*\.bashrc$ ++ [\s]*umask[\s]*0077[\s]* ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/home/.*$ ++ ^.bashrc$ ++ .* ++ 1 ++ ++ + 
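Review bot: The openeuler2203 pattern ending in `deny=[0-3]*.*$` (changed in the hunk at -184/+193 and in the one before it) accepts any deny value, because `[0-3]*` may match zero digits and the following `.*` then consumes whatever is there, so a constructed line with `deny=9` would pass. The object patterns added in the last hunk use `deny=[0-3].*$`, which still accepts multi-digit values that start with 0 to 3, such as `deny=30`. Bounding the value, for example `deny=[1-3](?:\s.*)?$`, would make the check enforce the limit; whether 0 should be accepted depends on how pam_faillock treats it on the target release. The two `required` patterns also leave the dot in `pam_faillock.so` unescaped, unlike the `sufficient` ones.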
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml new file mode 100644 index 0000000..6ba68e8 
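Review bot: Dropping the leading `^` from the TMOUT pattern lets a commented-out line such as `# TMOUT=300` satisfy the check, and since the pattern sits inside a macro (the hunk ends at `{{% endmacro %}}`) the weaker match probably applies to every product that uses it, not only openEuler. If the aim was to accept `export TMOUT=` or `readonly TMOUT=`, keep the anchor and allow the prefix: `^[\s]*(?:(?:export|readonly)[\s]+)?TMOUT[\s]*=[\s]*(.*)[\s]*$`. The `[\s]*umask[\s]*0077[\s]*` patterns added for accounts_umask_etc_bashrc are unanchored in the same way and match a commented `# umask 0077`; they also need `[\s]+` between the keyword and the value.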
@@ -1011,6 +1360,247 @@ index 0000000..6ba68e8 + +severity: low \ No newline at end of file +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml +index 948c5a8..2f1e9ab 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Record Successful Permission Changes to Files - chmod' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml +index b007a5b..dde40d2 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Record Successful Ownership Changes to Files - chown' + +@@ -43,4 +43,3 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. 
Grouping these system + calls with others as identifying earlier in this guide is more efficient. +- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml +index b6e94e8..4295c8d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Record Successful Permission Changes to Files - fchmod' + +@@ -42,5 +42,4 @@ warnings: + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system +- calls with others as identifying earlier in this guide is more efficient. +- ++ calls with others as identifying earlier in this guide is more efficient. 
+\ No newline at end of file
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
+index 99f23dc..6ff406c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+
+ title: 'Record Successful Permission Changes to Files - fchmodat'
+
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
+index ba8ab84..d115f99 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+
+ title: 'Record Successful Ownership Changes to Files - fchown'
+
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
+index 1f14d0e..8c58434 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+
+ title: 'Record Successful Ownership Changes to Files - fchownat'
+
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
+index 1ae3563..3107f57 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+
+ title: 'Record Successful Permission Changes to Files - fremovexattr'
+
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
+index 32036d7..240d5fd 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+
+ title: 'Record Successful Permission Changes to Files - fsetxattr'
+
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
+index 3da880e..8ee14ab 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+
+ title: 'Record Successful Ownership Changes to Files - lchown'
+
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
+index d614542..365e3fb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+
+ title: 'Record Successful Permission Changes to Files - lremovexattr'
+
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
+index 99d8c06..abf165a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+
+ title: 'Record Successful Permission Changes to Files - lsetxattr'
+
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
+index d9c4de1..233d283 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+
+ title: 'Record Successful Permission Changes to Files - removexattr'
+
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
+index 1a9c10d..b2bf48a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml +index 674cf98..66fcc91 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml +@@ -43,4 +43,3 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. +- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml +index 118da61..015562b 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Record Successful Permission Changes to Files - setxattr' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml +index b8734a0..27782c6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml +@@ -43,4 +43,3 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. +- diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml index ebd52e2..2e7f907 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -1107,10 +1697,10 @@ index 0000000..1e4f780 \ No newline at end of file diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml new file mode 100644 -index 0000000..55af169 +index 0000000..abf76c2 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml -@@ -0,0 +1,44 @@ +@@ -0,0 +1,89 @@ + + + @@ -1118,8 +1708,25 @@ index 0000000..55af169 + {{{- oval_affected(products) }}} + Configure audit rules for administrator privileged operations + -+ -+ ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% else %}} ++ + + + 
@@ -1134,6 +1741,7 @@ index 0000000..55af169 + + + ++ {{% endif %}} + + + @@ -1154,6 +1762,33 @@ index 0000000..55af169 + 1 + + ++ ++ ++ ++ ++ /etc/sudoers ++ [\s]*Defaults[\s]*logfile[\s]*=[\s]*/var/log/sudo\.log[\s]* ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^\-w[\s]/var/log/sudo\.log[\s]\-p[\s]*wa[\s]*\-k.* ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^\-w[\s]/var/log/sudo\.log[\s]\-p[\s]*wa[\s]*\-k.* ++ 1 ++ ++ + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml new file mode 100644 
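Review bot: The sudoers pattern added in the last hunk on this line, `[\s]*Defaults[\s]*logfile[\s]*=[\s]*/var/log/sudo\.log[\s]*`, has no line anchors, so a commented-out `#Defaults logfile=/var/log/sudo.log` would still satisfy it and the rule would pass with sudo logging disabled. Anchoring it, for example `^[\s]*Defaults[\s]+logfile[\s]*=[\s]*/var/log/sudo\.log[\s]*$`, closes that gap. The two watch patterns in the same hunk use `\-w[\s]/var/log/sudo\.log[\s]\-p[\s]*wa`, which demands exactly one whitespace character on each side of the path yet accepts `-pwa`. Using `[\s]+` in all three places would match the form of the audit_rules_mac_modification patterns later in this patch. Only /etc/sudoers is read, so a setting placed in an included drop-in file would not be seen; a comment should say so if that is intended.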
@@ -1190,6 +1825,451 @@ index 0000000..63304a8 + +severity: high \ No newline at end of file +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml +index f02f22b..c514207 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml +@@ -5,7 +5,23 @@ + {{{- oval_affected(products) }}} + Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled. + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + ++ ++ {{% else %}} + + + +@@ -21,6 +37,7 @@ + + + ++ {{% endif %}} + + + +@@ -41,4 +58,22 @@ + 1 + + ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^\-w[\s]+(/etc/selinux|/etc/selinux/)[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^\-w[\s]+(/etc/selinux|/etc/selinux/)[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/oval/shared.xml +index 1ba55ad..511d635 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/oval/shared.xml +@@ -5,6 +5,30 @@ + {{{- oval_affected(products) }}} + Audit rules that detect the mounting of filesystems should be enabled. 
+ ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% else %}} + + + +@@ -27,6 +51,7 @@ + + + ++ {{% endif %}} + + + +@@ -64,4 +89,40 @@ + ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])).*(-k[\s]+|-F[\s]+auid!=).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])).*(-k[\s]+|-F[\s]+auid!=).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])).*(-k[\s]+|-F[\s]+auid!=).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])).*(-k[\s]+|-F[\s]+auid!=).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml +index 05a5723..82d89e2 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml +@@ -6,32 +6,74 @@ + The network environment should not be modified by anything other than + administrator action. Any change to network parameters should be audited. 
+ ++ {{% if product in ['openeuler2203'] %}} ++ + +- +- +- +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +- +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% else %}} ++ + +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% endif %}} + + + +@@ -106,4 +148,40 @@ + 1 + + ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(setdomainname|sethostname|hosts|issue).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(setdomainname|sethostname|hosts|issue).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(setdomainname|sethostname|hosts|issue).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(setdomainname|sethostname|hosts|issue).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml +index 9cf46d4..9c8315a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml +@@ -5,7 +5,35 @@ + {{{- oval_affected(products) }}} + Record attempts to alter time through clock_settime. 
+ ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + ++ ++ {{% else %}} + + + +@@ -33,6 +61,7 @@ + + + ++ {{% endif %}} + + + +@@ -71,4 +100,40 @@ + 1 + + ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml +index dce9b83..7119868 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml +@@ -6,12 +6,30 @@ + disk_error_action setting in /etc/audit/auditd.conf is set to a certain action + + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ {{% else %}} + + + ++ {{% endif %}} + + + ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ++ ++ ^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$ ++ 1 ++ ++ + + + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml 
b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml +index 775c354..88e649a 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml +@@ -6,12 +6,30 @@ + disk_full_action setting in /etc/audit/auditd.conf is set to a certain action + + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ {{% else %}} + + + ++ {{% endif %}} + + + ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ++ ++ ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ ++ 1 ++ ++ + + + diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml new file mode 100644 index 0000000..bf0b651 @@ -1284,6 +2364,74 @@ index 0000000..2c9273d + or halt when disk space has run low: +
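Review bot: The four openEuler mount patterns added for audit_rules_media_export never require `-F auid>=`, and the group `(-k[\s]+|-F[\s]+auid!=)` also accepts a second `-k` in place of the auid filter, so a rule with a different or missing auid lower bound can pass. The existing pattern kept as context in the same file requires `-F\s+auid>={{{ auid }}}\s+\-F\s+auid!=(?:4294967295|unset)`; reusing that fragment instead of `.*(-k[\s]+|-F[\s]+auid!=).*` would keep the two product branches equivalent. The audit_rules_networkconfig_modification patterns in this hunk look similarly loose: `(setdomainname|sethostname|hosts|issue)` is satisfied by any one name, so a rule auditing only `sethostname` matches. The OVAL element tags are not visible on this page, so how these tests are combined in the criteria should be confirmed against the real file.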
admin_space_left_action single
+ +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml +index ce56d0e..e232b18 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml +@@ -6,11 +6,28 @@ + admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action + + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ {{% else %}} + + + ++ {{% endif %}} + + ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ++ ++ ^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$ ++ 1 ++ + + + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml +index 294fdbd..4a4c42e 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml +@@ -6,12 +6,29 @@ + space_left setting in /etc/audit/auditd.conf is set to at least a certain value + + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ {{% else %}} + + + +- ++ {{% endif %}} + + ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ++ ++ ^[\s]*space_left[\s]+=[\s]+(\d+)[\s]*$ ++ 1 ++ ++ + + + diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml index cb1ff1d..080e1ee 100644 
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml @@ -1296,6 +2444,40 @@ index cb1ff1d..080e1ee 100644 title: 'Configure auditd space_left on Low Disk Space' +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml +index 50735c1..4f20c64 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml +@@ -6,11 +6,29 @@ + space_left_action setting in /etc/audit/auditd.conf is set to a certain action + + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ {{% else %}} + + + ++ {{% endif %}} + + ++ ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ++ ++ ^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$ ++ 1 ++ + + + diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml index 2c17ee1..0f4cdf0 100644 --- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml 
@@ -1865,6 +3047,40 @@ index 0000000..ea672eb + +severity: low \ No newline at end of file +diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/configure_ipatbles_rule_refuse/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/configure_ipatbles_rule_refuse/rule.yml +new file mode 100644 +index 0000000..8cf8a56 +--- /dev/null ++++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/configure_ipatbles_rule_refuse/rule.yml +@@ -0,0 +1,27 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the iptables default deny policy should be configured correctly' ++ ++description: |- ++ The function of the Input chain is to filter packets received from external sources. Any ++ externally provided service requires configuring the corresponding Input policy and opening ++ the relevant port, so that external clients can access the service through that port. ++ ++

It can not be scanned automatically, please check it manually.

++

Check if the policy configured for the reject chain meets business needs.

++
    ++
  • You can use below cli command to check the input chain of IPv4: ++
    $ iptables -L | grep -E "INPUT|OUTPUT|FORWARD"
    ++
  • ++
  • Or check the input chain of IPv6: ++
    $ ip6tables -L | grep -E "INPUT|OUTPUT|FORWARD"
    ++
  • ++
++ ++rationale: |- ++ If not configured, all external attempts to access related services will be discarded due to ++ the default policy configuration being DROP. ++ ++severity: low +\ No newline at end of file diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml index bbea345..19cc6f5 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml @@ -2984,7 +4200,7 @@ index 0000000..69b0c59 +severity: high \ No newline at end of file diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile -index de6890c..1f4de10 100644 +index de6890c..76fe4dd 100644 --- a/openeuler2203/profiles/standard.profile +++ b/openeuler2203/profiles/standard.profile @@ -9,158 +9,496 @@ description: |- @@ -3171,9 +4387,10 @@ index de6890c..1f4de10 100644 - no_netrc_files + - no_netrc_files.severity=low - service_chronyd_or_ntpd_enabled +- - chronyd_or_ntpd_specify_remote_server + - service_chronyd_or_ntpd_enabled.severity=low - - chronyd_or_ntpd_specify_remote_server -+ - chronyd_or_ntpd_specify_remote_server.severity=low ++ - ntpd_service_configure_correctly ++ - ntpd_service_configure_correctly.severity=low - kernel_module_sctp_disabled + - kernel_module_sctp_disabled.severity=low - kernel_module_tipc_disabled @@ -3198,9 +4415,10 @@ index de6890c..1f4de10 100644 - service_iptables_enabled + - service_iptables_enabled.severity=low - service_ip6tables_enabled +- - set_iptables_default_rule + - service_ip6tables_enabled.severity=low - - set_iptables_default_rule -+ - set_iptables_default_rule.severity=low ++ - configure_ipatbles_rule_refuse ++ - configure_ipatbles_rule_refuse.severity=low - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high - sysctl_net_ipv4_conf_all_accept_redirects 
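Review bot: The new rule's directory and id are spelled `configure_ipatbles_rule_refuse` (transposed letters in "iptables"), and the same spelling is then selected in standard.profile in a later hunk on this line. Rule ids end up in generated content and tailoring files, so it is cheaper to correct this to `configure_iptables_rule_refuse` before release. The text is also inconsistent: the title speaks of a default deny policy, the description asks the reader to check the "reject chain", and the rationale describes services being unreachable under DROP rather than the exposure from a permissive default policy. I would reword the rationale to state the risk being controlled, e.g. `Without a default DROP or REJECT policy, traffic not matched by an explicit rule is accepted.` Because the description says the rule cannot be scanned automatically, swapping it in for `set_iptables_default_rule` may replace an automated check with a manual one; the commit message should record that if so.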
@@ -3246,9 +4464,10 @@ index de6890c..1f4de10 100644 - service_crond_enabled + - service_crond_enabled.severity=high - cron_and_at_config +- - audit_rules_login_events + - cron_and_at_config.severity=high - - audit_rules_login_events -+ - audit_rules_login_events.severity=low ++ - audit_rules_login_events_lastlog ++ - audit_rules_login_events_lastlog.severity=low - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_group.severity=low - audit_rules_usergroup_modification_gshadow 
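Review bot: Selecting `audit_rules_login_events_lastlog` in place of `audit_rules_login_events` appears to narrow what the profile checks. Going by the names, the new rule covers only the lastlog watch, while the replaced one is the aggregate login-events rule. If the faillock and tallylog watches are still wanted, the corresponding sibling rules should be selected alongside it, or a comment added next to the entry explaining why lastlog alone is sufficient on openEuler. The rest of the profile is outside this hunk, so those selections may already exist elsewhere.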
@@ -3485,6 +4704,424 @@ index de6890c..1f4de10 100644 + - service_haveged_enabled.severity=low + - configure_crypto_policy + - configure_crypto_policy.severity=low +\ No newline at end of file +diff --git a/shared/templates/template_OVAL_audit_rules_file_deletion_events b/shared/templates/template_OVAL_audit_rules_file_deletion_events +index bbf3edd..7be7152 100644 +--- a/shared/templates/template_OVAL_audit_rules_file_deletion_events ++++ b/shared/templates/template_OVAL_audit_rules_file_deletion_events +@@ -5,34 +5,63 @@ + {{{- oval_affected(products) }}} + The deletion of files should be audited. + ++ {{% if product in ['openeuler2203'] %}} ++ + +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +- + +- +- +- +- +- +- +- +- +- ++ ++ {{% else %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +- + +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% endif %}} + + + +@@ -71,4 +100,40 @@ + 1 + + ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:[\s]*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:[\s]*-F\s+auid>=1000[\s]+)(?:[\s]*-F\s+auid!=(-1|unset)[\s]+)[\s]*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:[\s]*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:[\s]*-F\s+auid>=1000[\s]+)(?:[\s]*-F\s+auid!=(-1|unset)[\s]+)[\s]*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:[\s]*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:[\s]*-F\s+auid>=1000[\s]+)(?:[\s]*-F\s+auid!=(-1|unset)[\s]+)[\s]*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:[\s]*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME 
}}}([\s]+|[,])))(?:[\s]*-F\s+auid>=1000[\s]+)(?:[\s]*-F\s+auid!=(-1|unset)[\s]+)[\s]*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ + +diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification +index 480d5de..28cd7e1 100644 +--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification ++++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification +@@ -5,42 +5,79 @@ + {{{- oval_affected(products) }}} + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + ++ {{% if product in ['openeuler2203'] %}} ++ + +- +- +- +- +- +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + +- + +- +- +- +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + ++ + ++ {{% else %}} ++ + +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% endif %}} + + + +@@ -164,4 +201,78 @@ + 1 + + ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EACCES[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EPERM[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EACCES[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EPERM[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EACCES[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EPERM[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EACCES[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EPERM[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ + +diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument +index 1fd8ec7..ecb7c2e 100644 +--- a/shared/templates/template_OVAL_grub2_bootloader_argument ++++ b/shared/templates/template_OVAL_grub2_bootloader_argument +@@ -5,6 +5,13 @@ + {{{- oval_affected(products) }}} + Look for argument {{{ ARG_NAME_VALUE }}} in the kernel line in /etc/default/grub. 
+ ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ {{% else %}} + + {{% if product in ["rhel7", "ol7", "rhv4"] %}} + + {{% endif %}} + ++ {{% endif %}} + + + {{% if product in ["rhel7", "ol7", "rhv4"] %}} +@@ -95,4 +103,43 @@ + ^.*{{{ ARG_NAME_VALUE }}}.*$ + + ++ ++ ++ ++ ++ ++ /boot/grub2/grub.cfg ++ ^[\s]*.*{{{ ARG_NAME_VALUE }}}[\s]*.*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ /boot/efi/EFI/openEuler/grub ++ ^[\s]*.*{{{ ARG_NAME_VALUE }}}[\s]*.*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ /etc/default/grub ++ ^[\s]*.*{{{ ARG_NAME_VALUE }}}[\s]*.*$ ++ 1 ++ ++ + +diff --git a/shared/templates/template_OVAL_service_enabled b/shared/templates/template_OVAL_service_enabled +index 5958a97..09cbcf3 100644 +--- a/shared/templates/template_OVAL_service_enabled ++++ b/shared/templates/template_OVAL_service_enabled +@@ -12,6 +12,12 @@ + + The {{{ SERVICENAME }}} service should be enabled if possible. + ++ {{% if product in ["openeuler2203"] %}} ++ ++ ++ ++ ++ {{% else %}} + + + +@@ -22,6 +28,7 @@ + + + ++ {{% endif %}} + + + -- 2.42.0.windows.2 diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 6867da0..6884ec9 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.49 -Release: 10 +Release: 11 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -70,6 +70,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Fri Dec 22 2023 wangqingsan - 0.1.49-11 +- elevate 80 rules for openEuler + * Fri Dec 8 2023 wangqingsan - 0.1.49-10 - enable 80 rules for openEuler -- Gitee
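Review bot: The openEuler patterns added to template_OVAL_audit_rules_file_deletion_events and template_OVAL_audit_rules_unsuccessful_file_modification hard-code `auid>=1000` and accept only `auid!=(-1|unset)`, whereas the media_export pattern elsewhere in this patch uses `auid>={{{ auid }}}` and accepts `4294967295`. A correctly audited system whose rules are written with `auid!=4294967295` would fail these checks. If the `auid` variable is available to templates, `(?:-F\s+auid>={{{ auid }}}[\s]+)(?:[\s]*-F\s+auid!=(?:-1|4294967295|unset)[\s]+)` keeps the branches aligned. In the grub2 template, the path `/boot/efi/EFI/openEuler/grub` looks like it is missing the `.cfg` suffix. The pattern `^[\s]*.*{{{ ARG_NAME_VALUE }}}[\s]*.*$` also matches the argument on any line, including a commented-out one in /etc/default/grub, so restricting it to the kernel command-line assignment would make the check reflect the effective setting.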