diff --git a/optimize-rules-for-openEuler.patch b/optimize-rules-for-openEuler.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5734d605acf6a5af4038444eb66b844284f71eca
--- /dev/null
+++ b/optimize-rules-for-openEuler.patch
@@ -0,0 +1,3046 @@
+From 35e22bf3b47c0ed9c44fddc8dbaa3313c9e2e2d6 Mon Sep 17 00:00:00 2001
+From: qsw333
+Date: Fri, 23 Feb 2024 20:03:16 +0800
+Subject: [PATCH] imporve check command
+
+---
+ controls/std_openeuler.yml | 265 ++++++++++++++----
+ .../base/service_haveged_enabled/rule.yml | 29 ++
+ .../rule.yml | 30 ++
+ .../oval/shared.xml | 25 ++
+ .../sshd_configure_correct_interface/rule.yml | 26 ++
+ .../oval/shared.xml | 54 ++++
+ .../rule.yml | 25 ++
+ .../sshd_use_strong_pubkey/oval/shared.xml | 1 +
+ .../sshd_use_strong_pubkey/rule.yml | 13 +
+ .../oval/shared.xml | 32 +++
+ .../no_name_contained_in_password/rule.yml | 12 +
+ .../verify_owner_password/oval/shared.xml | 60 ++++
+ .../verify_owner_password/rule.yml | 12 +
+ .../account_unique_group_id/oval/shared.xml | 51 ++++
+ .../account_unique_group_id/rule.yml | 11 +
+ .../accounts_are_necessary/rule.yml | 20 ++
+ .../first_logging_change_password/rule.yml | 24 ++
+ .../login_accounts_are_necessary/rule.yml | 31 ++
+ .../rule.yml | 39 +++
+ .../sce/shared.sh | 15 +
+ .../oval/shared.xml | 25 ++
+ .../configure_dump_journald_log/rule.yml | 25 ++
+ .../configure_rsyslog_log_rotate/rule.yml | 48 ++++
+ .../diasable_root_accessing_system/rule.yml | 51 ++++
+ .../rsyslog_remote_loghost_openeuler/rule.yml | 19 ++
+ .../rule.yml | 27 ++
+ .../rule.yml | 27 ++
+ .../rule.yml | 28 ++
+ .../rule.yml | 21 ++
+ .../rule.yml | 21 ++
+ .../rule.yml | 21 ++
+ .../sysctl_net_ipv4_tcp_fin_timeout/rule.yml | 22 ++
+ .../rule.yml | 23 ++
+ .../sysctl_net_ipv4_tcp_timestamps/rule.yml | 21 ++
+ .../rule.yml | 24 ++
+ .../rule.yml | 25 ++
+ .../define_ld_lib_path_correctly/rule.yml | 41 +++
+ .../files/define_path_strictly/rule.yml | 44 +++
+ .../files/file_empty_link_prohibit/rule.yml | 25 ++
+ .../file_empty_link_prohibit/sce/shared.sh | 11 +
+ .../file_hidden_executable_prohibit/rule.yml | 16 ++
+ .../sce/shared.sh | 11 +
+ .../files/file_opened_count_limited/rule.yml | 34 +++
+ .../files/file_permission_minimum/rule.yml | 139 +++++++++
+ .../removed_unnecessary_file_mount/rule.yml | 38 +++
+ .../mount_nodev_mode_partitions/rule.yml | 47 ++++
+ .../mount_noexec_mode_partitions/rule.yml | 23 ++
+ .../rule.yml | 21 ++
+ .../mounted_nosuid_mode_partitions/rule.yml | 31 ++
+ .../rule.yml | 33 +++
+ .../coredumps/coredump_limited/rule.yml | 27 ++
+ .../coredumps/coredump_limited/sce/shared.sh | 17 ++
+ .../coredumps/coredump_prohibit/rule.yml | 27 ++
+ .../coredumps/coredump_prohibit/sce/shared.sh | 11 +
+ .../rule.yml | 19 ++
+ .../sce/shared.sh | 19 ++
+ .../system/software/debugging_tools/rule.yml | 35 +++
+ .../rule.yml | 39 +++
+ .../configure_ssh_crypto_policy/rule.yml | 2 +-
+ .../ima_verification/rule.yml | 55 ++++
+ .../software/network_sniffing_tools/rule.yml | 24 ++
+ .../guide/system/software/polkit/group.yml | 6 +
+ .../only_root_can_run_pkexec/oval/shared.xml | 23 ++
+ .../polkit/only_root_can_run_pkexec/rule.yml | 17 ++
+ linux_os/guide/system/software/su/group.yml | 6 +
+ .../su/su_always_set_path/oval/shared.xml | 23 ++
+ .../software/su/su_always_set_path/rule.yml | 20 ++
+ .../rule.yml | 33 +++
+ .../package_python2_removed/rule.yml | 18 ++
+ 69 files changed, 2080 insertions(+), 58 deletions(-)
+ create mode 100644 linux_os/guide/services/base/service_haveged_enabled/rule.yml
+ create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/first_logging_change_password/rule.yml
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh
+ create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
+ create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
+ create mode 100644 linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
+ create mode 100644 linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml
+ create mode 100644 linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost_openeuler/rule.yml
+ create mode 100644 linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone_openeuler/rule.yml
+ create mode 100644 linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml
+ create mode 100644 linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml
+ create mode 100644 linux_os/guide/system/network/network-nftables/nftables_input_policy_configured_corrently/rule.yml
+ create mode 100644 linux_os/guide/system/network/network-nftables/nftables_output_policy_configured_corrently/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/files/file_empty_link_prohibit/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/files/file_empty_link_prohibit/sce/shared.sh
+ create mode 100644 linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/sce/shared.sh
+ create mode 100644 linux_os/guide/system/permissions/files/file_opened_count_limited/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/files/file_permission_minimum/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/partitions/mount_nodev_mode_partitions/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/partitions/mount_noexec_mode_partitions/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/partitions/mount_only_no_modified_partitionsread/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/partitions/mounted_nosuid_mode_partitions/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/sce/shared.sh
+ create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/sce/shared.sh
+ create mode 100644 linux_os/guide/system/permissions/restrictions/historical_command_records_limited/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/restrictions/historical_command_records_limited/sce/shared.sh
+ create mode 100644 linux_os/guide/system/software/debugging_tools/rule.yml
+ create mode 100644 linux_os/guide/system/software/development_and_compliation_tools/rule.yml
+ create mode 100644 linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
+ create mode 100644 linux_os/guide/system/software/network_sniffing_tools/rule.yml
+ create mode 100644 linux_os/guide/system/software/polkit/group.yml
+ create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml
+ create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml
+ create mode 100644 linux_os/guide/system/software/su/group.yml
+ create mode 100644 linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml
+ create mode 100644 linux_os/guide/system/software/su/su_always_set_path/rule.yml
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
+ create mode 100644 linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml
+
+diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
+index eb66293..b187420 100644
+--- a/controls/std_openeuler.yml
++++ b/controls/std_openeuler.yml
+@@ -22,13 +22,19 @@ controls:
+ title: Ensure No Empty Symlink
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - file_empty_link_prohibit
++ - file_empty_link_prohibit.severity=high
+
+ - id: 1.1.3_no_hidden_exec_files
+ title: Ensure No Hidden Executable Files
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - file_hidden_executable_prohibit
++ - file_hidden_executable_prohibit.severity=high
+
+ - id: 1.1.4_global_writable_dir_sticky_set
+ title: Ensure Sticky Set On Global Writable Folder
+@@ -62,25 +68,37 @@ controls:
+ title: Umount Unnecessary File System
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - removed_unnecessary_file_mount
++ - removed_unnecessary_file_mount.severity=high
+
+ - id: 1.1.8_mount_as_readonly
+ title: Ensure Mount As Readonly If No Need To Write
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - mount_only_no_modified_partitionsread
++ - mount_only_no_modified_partitionsread.severity=high
+
+ - id: 1.1.9_mount_as_nodev
+ title: Ensure Mount As Nodev
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - mount_nodev_mode_partitions
++ - mount_nodev_mode_partitions.severity=high
+
+ - id: 1.1.10_mount_as_noexec
+ title: Ensure Mount As Noexec
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - mount_noexec_mode_partitions
++ - mount_noexec_mode_partitions.severity=high
+
+ - id: 1.1.11_mount_as_noexec_nodev_for_removable
+ title: Ensure Mount As Noexec And Nodev For Removable Device
+@@ -97,7 +115,10 @@ controls:
+ title: Ensure Mount As Nosuid
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - mounted_nosuid_mode_partitions
++ - mounted_nosuid_mode_partitions.severity=high
+
+ - id: 1.1.13_remove_unnecessary_suid_sgid
+ title: Ensure Remove Unnecessary SUID And SGID
+@@ -114,13 +135,19 @@ controls:
+ title: Ensure File Permission Minimize
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - file_permission_minimum
++ - file_permission_minimum.severity=high
+
+ - id: 1.1.15_ulimit_correctly
+ title: Ensure Ulinmit Correctly
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - file_opened_count_limited
++ - file_opened_count_limited.severity=high
+
+ - id: 1.1.16_symlinks_hardlinks_protected
+ title: Ensure Symlinks And Hardlinks Protected
+@@ -146,19 +173,28 @@ controls:
+ title: Ensure Different Data Store In Different Partitions
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - partitions_manage_hard_drive_data
++ - partitions_manage_hard_drive_data.severity=high
+
+ - id: 1.1.19_library_path_correct
+ title: Ensure LD_LIBRARY_PATH Correct
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - define_ld_lib_path_correctly
++ - define_ld_lib_path_correctly.severity=high
+
+ - id: 1.1.20_user_path_correct
+ title: Ensure User PATH Correct
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - define_path_strictly
++ - define_path_strictly.severity=low
+
+ - id: 1.2.1_ftp_not_installed
+ title: Ensure FTP Not Installed
+@@ -204,7 +240,10 @@ controls:
+ title: Ensure Python2 Not Installed
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - package_python2_removed
++ - package_python2_removed.severity=high
+
+ - id: 1.2.6_gpg_check_configured
+ title: Ensure GPG Check Configured
+@@ -293,19 +332,28 @@ controls:
+ title: Ensure Network Sniffing Software Removed
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - network_sniffing_tools
++ - network_sniffing_tools.severity=high
+
+ - id: 1.2.16_no_debug_tools
+ title: Ensure Debug Tools Removed
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - debugging_tools
++ - debugging_tools.severity=high
+
+ - id: 1.2.17_no_compiler_tools
+ title: Ensure Compiler Tools Removed
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - development_and_compliation_tools
++ - development_and_compliation_tools.severity=high
+
+ - id: 1.2.18_xwindow_not_installed
+ title: Ensure X Window Not Installed
+@@ -375,19 +423,28 @@ controls:
+ title: Ensure All Login Accounts Are Necessary
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - login_accounts_are_necessary
++ - login_accounts_are_necessary.severity=high
+
+ - id: 2.1.2_no_unused_accounts
+ title: Ensure No Unused Accounts
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - accounts_are_necessary
++ - accounts_are_necessary.severity=high
+
+ - id: 2.1.3_different_accounts_have_different_groupid
+ title: Ensure Different Accounts Have Different GroupID
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - account_unique_group_id
++ - account_unique_group_id.severity=high
+
+ - id: 2.1.4_no_uid_0_except_root
+ title: Ensure Only Root's UID Is 0
+@@ -578,13 +635,19 @@ controls:
+ title: Ensure Old Password Verified
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - verify_owner_password
++ - verify_owner_password.severity=high
+
+ - id: 2.2.4_no_username_in_password
+ title: Ensure Password Not Contain User Name
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - no_name_contained_in_password
++ - no_name_contained_in_password.severity=high
+
+ - id: 2.2.5_strong_hash_algorithm_for_password
+ title: Ensure Using Strong Hash Algorithm To Encipher Password
+@@ -655,7 +718,10 @@ controls:
+ title: Ensure Password Changed At First Login
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - first_logging_change_password
++ - first_logging_change_password.severity=high
+
+ - id: 2.3.1_account_lock_after_accessing_fail
+ title: Ensure Account Locked After Accessing Fail
+@@ -720,7 +786,10 @@ controls:
+ title: Ensure HISTSIZE Limited
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - historical_command_records_limited
++ - historical_command_records_limited.severity=low
+
+ - id: 2.4.2_selinux_enforce
+ title: Ensure SELinux Enforce
+@@ -762,25 +831,37 @@ controls:
+ title: Ensure No Files In /etc/sudoers Can Be Write By Low-privilege User
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - sudoers_disable_low_privileged_configure
++ - sudoers_disable_low_privileged_configure.severity=high
+
+ - id: 2.4.7_cannot_use_pkexec_escalate
+ title: Ensure Low-privilege User Cannot Escalate By Pkexec
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - only_root_can_run_pkexec
++ - only_root_can_run_pkexec.severity=high
+
+ - id: 2.4.8_always_set_path_config
+ title: Ensure ALWAYS_SET_PATH Configurated
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - su_always_set_path
++ - su_always_set_path.severity=high
+
+ - id: 2.4.9_root_can_not_login_local
+ title: Ensure Root Can Not Login Local
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - diasable_root_accessing_system
++ - diasable_root_accessing_system.severity=low
+
+ - id: 2.4.10_not_use_unconfined_service_t
+ title: Ensure Not Run Files wiht unconfined_service_t Flag
+@@ -791,17 +872,14 @@ controls:
+ - selinux_confinement_of_daemons
+ - selinux_confinement_of_daemons.severity=low
+
+- - id: 2.4.11_all_daemons_run_with_mini_permission
+- title: Ensure All Daemons Run With Minimum Permission
+- levels:
+- - base
+- status: planned
+-
+ - id: 2.5.1_ima_enabled
+ title: Ensure IMA Enabled
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - ima_verification
++ - ima_verification.severity=low
+
+ - id: 2.5.2_aide_enabled
+ title: Ensure AIDE Enabled
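Review bot: Control `2.4.11_all_daemons_run_with_mini_permission` is deleted outright in this hunk rather than re-statused, which drops the identifier from the generated benchmark and breaks traceability for anyone mapping the standard's numbering onto this file. If the requirement is covered by another control or is out of scope for automated checking, keeping the entry with a status that says so is clearer, e.g. `status: manual` or `status: not applicable` if the controls loader accepts it, plus a `notes:` line explaining why. Please confirm the removal is intended, since the commit message does not mention it.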
+@@ -818,7 +896,10 @@ controls:
+ title: Ensure Haveged Enabled
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - service_haveged_enabled
++ - service_haveged_enabled.severity=low
+
+ - id: 2.6.2_global_crypto_setting
+ title: Global Crypto Setting Correct
+@@ -863,7 +944,10 @@ controls:
+ title: Ensure Firewalld Set Default Zone Correctly
+ levels:
+ - base
+- status: planned
++ status: manual
++ ruels:
++ - set_firewalld_default_zone_openeuler
++ - set_firewalld_default_zone_openeuler.severity=low
+
+ - id: 3.2.3_firewalld_interface_set_to_correct_zone
+ title: Ensure Firewalld Set Correct Interface Zone
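Review bot: The key on the fourth added line of this hunk is spelled `ruels:` instead of `rules:`, so control 3.2.2 ends up with status `manual` but no rule attached, and `set_firewalld_default_zone_openeuler` is never selected by this profile; every other control in the file uses `rules:`. The fix is the one-word change to `rules:`. Because an unknown key is accepted silently, it is worth checking whether the controls loader can be made to reject keys it does not recognise.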
+@@ -918,13 +1002,19 @@ controls:
+ title: Ensure Iptables Input Rules Set
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - iptables_input_policy_configured_corrently
++ - iptables_input_policy_configured_corrently.severity=low
+
+ - id: 3.2.9_iptables_output_rules
+ title: Ensure Iptables Output Rules Set
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - iptables_output_policy_configured_corrently
++ - iptables_output_policy_configured_corrently.severity=low
+
+ - id: 3.2.10_iptables_input_output_connection_rules
+ title: Ensure Iptables Input Output Connection Rules Set
+@@ -966,13 +1056,19 @@ controls:
+ title: Ensure Nftables Input Rules Set
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - nftables_input_policy_configured_corrently
++ - nftables_input_policy_configured_corrently.severity=low
+
+ - id: 3.2.15_nftables_output_rules
+ title: Ensure Nftables Output Rules Set
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - nftables_output_policy_configured_corrently
++ - nftables_output_policy_configured_corrently.severity=low
+
+ - id: 3.2.16_nftables_input_output_connection_rules
+ title: Ensure Nftables Input Output Connection Rules Set
+@@ -1017,7 +1113,10 @@ controls:
+ title: Ensure SSHd Pubkey Algorithm Correct
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - sshd_use_strong_pubkey
++ - sshd_use_strong_pubkey.severity=high
+
+ - id: 3.3.5_sshd_pam_enabled
+ title: Ensure SSHd PAM Enabled
+@@ -1050,7 +1149,10 @@ controls:
+ title: Ensure SSHd Ciphers Algorithm Not Overwritten
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - configure_ssh_crypto_policy
++ - configure_ssh_crypto_policy.severity=high
+
+ - id: 3.3.9_sshd_forbid_root_login
+ title: Ensure SSHd Forbid Root Login From Remote
+@@ -1074,7 +1176,10 @@ controls:
+ title: Ensure SSHd Listen Address Set Correct
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - sshd_configure_correct_interface
++ - sshd_configure_correct_interface.severity=low
+
+ - id: 3.3.12_sshd_maxstartups_correct
+ title: Ensure SSHd MaxStartups Correct
+@@ -1138,7 +1243,10 @@ controls:
+ title: Ensure SSHd Authorized Keys Not Set
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - sshd_prohibit_preset_authorized_keys
++ - sshd_prohibit_preset_authorized_keys.severity=high
+
+ - id: 3.3.19_sshd_known_hosts_forbidden
+ title: Ensure SSHd Known Hosts Not Set
+@@ -1153,7 +1261,10 @@ controls:
+ title: Ensure SSHd Has No Obsolete Configurations
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - sshd_disable_rhosts_rsa
++ - sshd_disable_rhosts_rsa.severity=high
+
+ - id: 3.3.21_ssh_tcp_forward_disabled
+ title: Ensure SSHd TCP Forward Disabled
+@@ -1168,7 +1279,10 @@ controls:
+ title: Ensure Cron Not Run Low Privilege User Writable Bash
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - no_lowprivilege_users_writeable_cmds_in_crontab_file
++ - no_lowprivilege_users_writeable_cmds_in_crontab_file.severity=high
+
+ - id: 3.4.2_cron_enabled
+ title: Ensure Cron Deamon Running
+@@ -1327,7 +1441,10 @@ controls:
+ title: Ensure Ignore All ICMP Request
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - sysctl_net_ipv4_icmp_echo_ignore_all
++ - sysctl_net_ipv4_icmp_echo_ignore_all.severity=high
+
+ - id: 3.5.10_ignore_bogus_error_icmp_package
+ title: Ensure Ignore Bogus Error ICMP Package
+@@ -1407,31 +1524,50 @@ controls:
+ title: Ensure tcp_timestamps Disabled
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - sysctl_net_ipv4_tcp_timestamps
++ - sysctl_net_ipv4_tcp_timestamps.severity=low
+
+ - id: 3.5.17_tcp_time_wait_config
+ title: Ensure TCP Time Wait Correct
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - sysctl_net_ipv4_tcp_fin_timeout
++ - sysctl_net_ipv4_tcp_fin_timeout.severity=high
+
+ - id: 3.5.18_syn_recv_set_correct
+ title: Ensure SYN Recv Set Correct
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - sysctl_net_ipv4_tcp_max_syn_backlog
++ - sysctl_net_ipv4_tcp_max_syn_backlog.severity=low
+
+ - id: 3.5.19_arp_proxy_disabled
+ title: Ensure No ARP Proxy
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - sysctl_net_ipv4_conf_default_proxy_arp
++ - sysctl_net_ipv4_conf_default_proxy_arp.severity=high
++ - sysctl_net_ipv4_conf_all_proxy_arp
++ - sysctl_net_ipv4_conf_all_proxy_arp.severity=high
+
+ - id: 3.5.20_core_dump_set_correct
+ title: Ensure Core Dump Set Correct
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - coredump_limited
++ - coredump_limited.severity=high
++ - coredump_prohibit
++ - coredump_prohibit.severity=high
+
+ - id: 3.5.21_sysrq_disabled
+ title: Ensure SysRq Key Disabled
+@@ -1537,7 +1673,10 @@ controls:
+ title: Ensure Escalation Audited
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - audit_privilege_escalation_command
++ - audit_privilege_escalation_command.severity=low
+
+ - id: 4.1.6_audit_module
+ title: Ensure Module Changes Audited
+@@ -1737,7 +1876,10 @@ controls:
+ title: Ensure Mount Audited
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - audit_rules_media_export
++ - audit_rules_media_export.severity=low
+
+ - id: 4.2.1_rsyslog_enabled
+ title: Ensure Rsyslog Enabled
+@@ -1788,19 +1930,28 @@ controls:
+ title: Ensure Journald Transfer Set Correct
+ levels:
+ - base
+- status: planned
++ status: automated
++ rules:
++ - configure_dump_journald_log
++ - configure_dump_journald_log.severity=high
+
+ - id: 4.2.7_rsyslog_rotate
+ title: Ensure Rotate Setting In Rsyslog
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - configure_rsyslog_log_rotate
++ - configure_rsyslog_log_rotate.severity=high
+
+ - id: 4.2.8_rsyslog_remote_server_config
+ title: Ensure Remote Log Server Correct
+ levels:
+ - base
+- status: planned
++ status: manual
++ rules:
++ - rsyslog_remote_loghost_openeuler
++ - rsyslog_remote_loghost_openeuler.severity=low
+
+ - id: 4.2.9_rsyslog_only_specified_server_receive_logs
+ title: Ensure Only Specified Server Can Receive Logs
+diff --git a/linux_os/guide/services/base/service_haveged_enabled/rule.yml b/linux_os/guide/services/base/service_haveged_enabled/rule.yml
+new file mode 100644
+index 0000000..d05b072
+--- /dev/null
++++ b/linux_os/guide/services/base/service_haveged_enabled/rule.yml
+@@ -0,0 +1,29 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Enable haveged service'
++
++description: |-
++ The haveged service provides an easy-to-use, unpredictable random number
++ generator. The generated random numbers are used to supplement the system
++ entropy pool, which can solve the problem of low system entropy in some
++ cases. It is recommended to enable this service in scenarios where encryption,
++ decryption or key generation is required (such as using openssl and gnutls).
++
++ If the haveged service is not turned on, when the process that needs to
++ generate strong pseudo-random numbers gets values from /dev/random, it will
++ be stuck in waiting because it cannot get enough values, and will not return
++ until new random bytes are obtained.
++
++rationale: |-
++ null.
++
++severity: low
++
++platform: machine
++
++template:
++ name: service_enabled
++ vars:
++ servicename: haveged
+\ No newline at end of file
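Review bot: `rationale:` in this new rule is the placeholder text `null.`, so the rendered guide and the evaluation report give no justification for the `low` severity. The second paragraph of the description (processes reading `/dev/random` blocking when entropy is low) is the rationale and belongs under that key, leaving the description to say what haveged does. Suggested text: `rationale: |-` followed by `Without an entropy daemon, a process that reads /dev/random on a freshly booted or low-entropy host can block until enough random bytes are available, which stalls key generation and TLS setup.`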
+diff --git a/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml b/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml
+new file mode 100644
+index 0000000..6f85e31
+--- /dev/null
++++ b/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml
+@@ -0,0 +1,30 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Ensure All Commands/Bashes In Crontab File Are Not Writeable By Low-privilege Users'
++
++description: |-
++ It can not be scanned automatically, please check it manually.
++ Use below cli commands to check if there is any low-privilege users writeable commands/bashes in /etc/crontab
++
++ So, the wirteable flag of other users is present(-rwxrwxrwx.) and it is a risk.
++
++rationale: |-
++ If any symlink files have no camonical path, it should be removed.
++
++severity: medium
++
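Review bot: The `rationale:` text in this new rule, `If any symlink files have no camonical path, it should be removed.`, is copied from the empty-symlink rule and does not describe crontab entries. A rationale matching the title would be `A command or script run from /etc/crontab that is writable by a low-privilege user lets that user change what the cron job executes, usually with root privileges.` The description says `Use below cli commands` but no command follows in the hunk (it may have been lost in extraction, please confirm it is present in the file), and `wirteable` should read `writeable`. The rule sets `severity: medium` while the control overrides it to `high`; pick one so the rule and the profile agree.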
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml
+new file mode 100644
+index 0000000..47510c8
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml
+@@ -0,0 +1,25 @@
++
++
++
++ SSH service interface should be configured correctly
++
++ multi_platform_openeuler
++
++ Configure the specified IP address for SSH connection.
++
++
++
++
++
++
++
++
++
++ /etc/ssh/sshd_config
++ ^ListenAddress\s+((?:\d{1,3}\.){3}\d{1,3})$
++ 1
++
++
+\ No newline at end of file
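Review bot: The pattern on the `/etc/ssh/sshd_config` object, `^ListenAddress\s+((?:\d{1,3}\.){3}\d{1,3})$`, accepts `ListenAddress 0.0.0.0`, which listens on every interface and is exactly what the rule is meant to exclude, while it rejects legitimate restricted forms such as an address with a port (`ListenAddress 10.0.0.1:22`), an IPv6 address, a hostname, or an `rdomain` qualifier. The OVAL element tags are not visible in this view, so I cannot tell whether the test is an existence check; if it only needs one match, a restricted line next to a wildcard one still passes. Consider a pattern that excludes the wildcards, e.g. `^ListenAddress\s+(?!0\.0\.0\.0\b|::\b)\S+` (constructed; confirm the OVAL regex engine in use accepts lookahead), and make the rule fail when no `ListenAddress` line exists at all, since sshd then listens on every address.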
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml
+new file mode 100644
+index 0000000..8f1cfb7
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml
+@@ -0,0 +1,26 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'SSH service interface should be configured correctly'
++
++description: |-
++ Generally, the server has multiple network cards and multiple
++ IP addresses. IP addresses should be planned for business and
++ management. Therefore, not every IP address needs to listen for
++ SSH connections. You can configure to limit SSH connections to
++ only specified IP addresses to reduce the attack surface.
++
++ If the listening address has been configured, you can query the corresponding configuration through the grep command.
++
++
++
++rationale: |-
++ Unconfigured IP addresses cannot connect to the server through SSH.
++ It is recommended to plan and configure according to the actual situation.
++
++severity: low
+\ No newline at end of file
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
+new file mode 100644
+index 0000000..2939bf9
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
+@@ -0,0 +1,54 @@
++
++
++
++ Prohibit SSH service pre setting authorized_Keys
++
++ multi_platform_openeuler
++
++ Prohibit SSH service shuold setting authorized_Keys
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++ /root/.*
++ authorized_keys
++ .*
++ 1
++
++
++
++ /home/.*
++ authorized_keys
++ .*
++ 1
++
++
++
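Review bot: The two file objects search only `/root/.*` and `/home/.*`, so an `authorized_keys` file under a home directory located elsewhere (service accounts in `/var/lib`, or any `HOME` in `/etc/passwd` outside `/home`) is not seen, and a non-default `AuthorizedKeysFile` in `sshd_config` is not considered at all. The element tags are stripped in this view, so I am reading only the path, filename and pattern values; please confirm the test is "at least one exists" and that `/root/.*` also covers `/root/.ssh` itself. As written the check also fires on every host that legitimately uses public-key login, which the rationale about preset keys does not seem to intend; if that is acceptable, say so in the rule description so operators know the rule is expected to fail on enrolled systems.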
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml
+new file mode 100644
+index 0000000..d2fa631
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml
+@@ -0,0 +1,25 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Prohibit SSH service pre setting authorized_Keys'
++
++description: |-
++ Authorized_ Keys is the public key of the remote host, which users can
++ store in their home directory $HOME/. ssh/authorized_ In the keys file,
++ for public key authentication, you can directly log in to the system.
++
++ Use the grep command to view the configuration. If the return value is empty, it means authorized_keys is not preset:
++
++
++rationale: |-
++ If authorized is preset in the system_ Keys, and the server has enabled
++ the login method of public and private key authentication, allowing
++ attackers to bypass authentication and directly log in to the specified
++ system to attack it. So authorized cannot be preset in the system_ Keys.
++
++severity: high
+\ No newline at end of file
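Review bot: The description and rationale text in this hunk is garbled (`Authorized_ Keys`, `$HOME/. ssh/authorized_ In the keys file`, `the system_ Keys`), which looks like an automatic translation splitting the identifier at the underscore. Suggested first paragraph: `The authorized_keys file in a user's $HOME/.ssh directory lists the public keys permitted to log in to that account; with public-key authentication enabled, any key listed there grants direct login.` Suggested rationale: `If an authorized_keys file is preset in the system image and the server allows public-key authentication, whoever holds the matching private key can log in without further authentication, so no authorized_keys may be preset.` The sentence `Use the grep command to view the configuration` is followed by no command in the hunk; please confirm the check command was not lost.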
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml
+new file mode 100644
+index 0000000..3c13a96
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml
+@@ -0,0 +1 @@
++{{{ oval_sshd_config(parameter="PubkeyAcceptedKeyTypes", value="((ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512),?)+") }}}
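Review bot: The value regex `((ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512),?)+` only matches the four algorithms written as that exact comma-separated sequence in that order, so a correctly hardened line such as `PubkeyAcceptedKeyTypes rsa-sha2-512,ssh-ed25519` fails the check although the intent is to allow any subset of them. Use one alternation per algorithm instead, e.g. `((ssh-ed25519|ssh-ed25519-cert-v01@openssh.com|rsa-sha2-256|rsa-sha2-512)(,|$))+` (constructed; check how `oval_sshd_config` anchors the value before keeping the `$`). OpenSSH 8.5 renamed this option to `PubkeyAcceptedAlgorithms` and keeps `PubkeyAcceptedKeyTypes` only as an alias; the openEuler releases named in `prodtype` ship a newer OpenSSH, so a configuration using the new name would be reported as missing and deserves a second check or a note in the rule.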
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml
+new file mode 100644
+index 0000000..78c7e55
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml
+@@ -0,0 +1,13 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Use Only Strong Algorithms For Public Key'
++
++description: |-
++ Limit the algorithm of public key to strong algorithms.
++
++rationale: |-
++ Week algorithms will introduce risks.
++
++severity: high
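Review bot: "Week algorithms" in the rationale should be `Weak algorithms`, and one sentence is thin for a high-severity rule. The description should also list the algorithms the OVAL value accepts (ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-512) so a reader can tell what "strong" means here without opening shared.xml.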
+diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml
+new file mode 100644
+index 0000000..af4a11e
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml
+@@ -0,0 +1,32 @@
++
++
++
++ Accounts password should not be contained substring of name
++ {{{- oval_affected(products) }}}
++ Accounts password should not be contained substring of name.
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++ /etc/pam.d/password-auth
++ ^.*usercheck[\s]*=[\s]*0.*$
++ 1
++
++
++
++ /etc/pam.d/system-auth
++ ^.*usercheck[\s]*=[\s]*0.*$
++ 1
++
++
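Review bot: The pattern `^.*usercheck[\s]*=[\s]*0.*$` also matches a commented-out line such as `# … usercheck=0`, so a harmless comment fails the rule; `^[^#]*usercheck[\s]*=[\s]*0` limits the match to the active part of the line (the same applies to both the password-auth and system-auth objects). With the element tags lost in extraction I cannot see whether the criterion is negated, but absence of `usercheck=0` alone does not prove the user-name check is enforced: if `pam_pwquality.so` is not in the password stack at all, the rule still passes. A second test requiring a `^password[\s]+requisite[\s]+pam_pwquality\.so` line (or whatever control openEuler ships) would close that gap.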
+diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml
+new file mode 100644
+index 0000000..fa84a3b
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml
+@@ -0,0 +1,12 @@
++documentation_complete: true
++
++title: 'Accounts Name Should Not Be Contained In Password'
++
++description: |-
++ Accounts name should not be contained in password.
++ There is no usercheck=0.
++
++rationale: |-
++ If the passowrd contains substring of accounts name, it is a risk.
++
++severity: high
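Review bot: "There is no usercheck=0." does not tell the reader what is being checked or where; suggest `The pam_pwquality option usercheck must not be set to 0 in /etc/pam.d/password-auth or /etc/pam.d/system-auth; the default (usercheck=1) rejects passwords containing the account name.` "passowrd" in the rationale should be `password`. This rule also lacks the `prodtype:` line that the sibling rules carry — presumably an omission.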
+diff --git a/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml
+new file mode 100644
+index 0000000..bfd0b01
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml
+@@ -0,0 +1,60 @@
++
++
++
++ Accounts password should be verified during modifying
++ {{{- oval_affected(products) }}}
++ Accounts password should be verified during modifying.
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++ /etc/pam.d/password-auth
++ ^password[\s]+sufficient[\s]+pam_unix\.so.*$
++ 1
++
++
++
++ /etc/pam.d/password-auth
++ ^password[\s]+required[\s]+pam_deny\.so.*$
++ 1
++
++
++
++ /etc/pam.d/system-auth
++ ^password[\s]+sufficient[\s]+pam_unix\.so.*$
++ 1
++
++
++
++ /etc/pam.d/system-auth
++ ^password[\s]+required[\s]+pam_deny\.so.*$
++ 1
++
++
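Review bot: The four tests only establish that a `password sufficient pam_unix.so` line and a `password required pam_deny.so` line each exist somewhere in the file; they do not check that pam_unix.so comes before pam_deny.so, so a stack with pam_deny.so listed first passes the rule while in fact refusing every password change. textfilecontent54 cannot express ordering directly, but a single multiline pattern spanning both lines (e.g. `(?ms)^password[\s]+sufficient[\s]+pam_unix\.so.*^password[\s]+required[\s]+pam_deny\.so`) or an SCE script would. The element tags were lost in extraction, so I cannot confirm how the four tests are combined; if it is OR rather than AND the check is weaker still.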
+diff --git a/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml
+new file mode 100644
+index 0000000..b03948a
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml
+@@ -0,0 +1,12 @@
++documentation_complete: true
++
++title: 'Accounts Password Should Be Verified When Changing'
++
++description: |-
++ Accounts password should be verified when it is modifying.
++ It is done by pam_unix.so.
++
++rationale: |-
++ Anyone can change the password if no verifying.
++
++severity: high
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml
+new file mode 100644
+index 0000000..8d31f9a
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml
+@@ -0,0 +1,51 @@
++
++
++ {{{ oval_metadata("All accounts on the system should have unique master group IDs for proper accountability.") }}}
++
++
++
++
++
++
++
++
++ ^(?!sync|shutdown|halt|operator).*
++
++
++
++
++
++
++
++
++
++
++
++ variable_count_of_all_user_group_ids
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
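Review bot: The exclusion regex `^(?!sync|shutdown|halt|operator).*` anchors only the start, so any account whose name merely begins with one of those words (`operator2`, `haltd`) is also dropped from the uniqueness count; `^(?!(sync|shutdown|halt|operator)$).*` restricts the exclusion to the four exact names. With the tags lost in extraction I cannot see how `variable_count_of_all_user_group_ids` is compared; if it is compared against the number of passwd entries, a one-line comment stating that (and why those four accounts are excluded) would help the next maintainer.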
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml
+new file mode 100644
+index 0000000..c86e51a
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml
+@@ -0,0 +1,11 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Ensure All Accounts on the System Have Unique Master Group IDs'
++
++description: 'Change user master group IDs, or delete accounts.'
++
++rationale: 'To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.'
++
++severity: medium
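Review bot: The rationale ("interactive users must be identified and authenticated…") is copied from a unique-UID rule and does not explain why a shared primary GID is a problem; something like `If several accounts share a primary group ID, group-owned files and group-based access decisions cannot be attributed to a single account, weakening accountability.` fits the title. "Master group" is non-standard; `primary group` (the GID field in /etc/passwd that the OVAL object reads) is the usual term.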
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml
+new file mode 100644
+index 0000000..0216da2
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml
+@@ -0,0 +1,20 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'All Accounts Are Necessary'
++
++description: |-
++ It can not be scanned automatically, please check it manually.
++ If any account is not necessary, it should be removed from /etc/passwd.
++
++
++rationale: |-
++ It is a risk if an account exists in system but it is not necessary.
++
++severity: high
++
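Review bot: The rule is declared manual ("It can not be scanned automatically") and has no check, yet carries `documentation_complete: true` and no `ocil`/`ocil_clause` block, so the generated content will report it as notchecked with nothing for an assessor to follow; putting the manual steps under `ocil:` with a one-line `ocil_clause:` turns them into a questionnaire item. The same applies to first_logging_change_password, login_accounts_are_necessary, configure_rsyslog_log_rotate, diasable_root_accessing_system, iptables_input/output_policy_configured_corrently, nftables_input/output_policy_configured_corrently, define_ld_lib_path_correctly and define_path_strictly. Several of these (the logrotate settings in /etc/logrotate.d/rsyslog, `-:root` entries in /etc/security/access.conf, the default chain policy) are plain file or command checks and could be automated with textfilecontent54 or SCE rather than left manual.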
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/first_logging_change_password/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/first_logging_change_password/rule.yml
+new file mode 100644
+index 0000000..cf86e46
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/first_logging_change_password/rule.yml
+@@ -0,0 +1,24 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Ensure that the account is forced to change the password when logging in for the first time'
++
++description: |-
++ Passwords that are not set by users themselves, such as passwords reset by
++ administrators, if not modified in a timely manner in the business environment,
++ can easily cause low-cost attacks. Therefore, users are required to forcibly change
++ their passwords when logging in to their accounts for the first time. Except for
++ the root password.
++
++ It can not be scanned automatically, please check it manually.
++
++
++rationale: |-
++ none.
++
++severity: high
+\ No newline at end of file
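Review bot: `rationale: none.` leaves a high-severity rule without a justification, while the description already contains one; move "Passwords that are not set by users themselves … can easily cause low-cost attacks" into `rationale:` and keep the description to the requirement and the manual steps. The same `none.` rationale appears in define_ld_lib_path_correctly/rule.yml. Forcing a change at first login is typically done with `chage -d 0 <user>` or `passwd -e <user>`; naming that in the description tells the reviewer what to look for, and the "Except for the root password" exemption should state why root is excluded.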
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml
+new file mode 100644
+index 0000000..31e29c7
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml
+@@ -0,0 +1,31 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'All Login Accounts Are Necessary'
++
++description: |-
++ It can not be scanned automatically, please check it manually.
++ If any account need not login, it should be removed from /etc/passwd
++ or it should be marked by "nologin".
++ It can be checked as below cli commands:
++
++ - List all nologin accounts, then check it manually:
++
# cat /etc/passwd | grep "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'
++
++ - List all login accounts, then check it manually:
++
# cat /etc/passwd | grep -v "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'
++
++ - List all accounts which the password are locked:
++
# cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2=="L" || $2=="LK") {print $1}'
++
++ - List all accounts which the password are not locked:
++
# cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}'
++
++
++
++rationale: |-
++ It is a risk if an account can login system but it is not necessary.
++
++severity: high
++
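Review bot: The two `passwd -S` listings only tell the reviewer whether the password is locked; an account with a locked password and a valid login shell can still log in with an SSH key, so the description should also say to check for `~/.ssh/authorized_keys` (or an expiry via `chage -l`) before treating a locked account as unable to log in. The four commands are also of the `cat /etc/passwd | grep … | awk` form with escaped-slash patterns; `awk -F: '$7 ~ /nologin|false/ {print $1}' /etc/passwd` does the same in one process and is easier to read. The lines beginning with `#` lost their diff marker in this rendering, which is presumably an extraction artefact rather than a change to the file.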
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
+new file mode 100644
+index 0000000..7cb6620
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
+@@ -0,0 +1,39 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Privilege escalation command audit rules should be configured'
++
++description: |-
++ Ordinary users can obtain super administrator privileges by calling privilege
++ escalation commands (with SUID/SGID set).
++
++ It is recommended to audit and monitor privilege escalation commands to facilitate
++ traceability afterwards.
++ openEuler does not configure audit rules for privilege escalation commands by
++ default. It is recommended that users configure corresponding rules based on actual
++ business scenarios.
++ It can not be scanned automatically, please check it manually.
++
++
++rationale: |-
++ The use of privilege escalation
++ commands carries high risks and is often used by attackers to attack the system.
++
++severity: low
+\ No newline at end of file
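Review bot: The description says "It can not be scanned automatically, please check it manually", but the next hunk adds sce/shared.sh for this very rule, so either the sentence or the script is wrong; if the script stays, replace the sentence with a note on what it checks (`Every SUID/SGID file on the root filesystem must appear in the loaded audit rules, see auditctl -l`). The rationale calls misuse of these commands high-risk while `severity: low` is assigned — presumably one of the two should change.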
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh
+new file mode 100644
+index 0000000..8cbd201
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh
+@@ -0,0 +1,15 @@
++#!/bin/bash
++# platform = multi_platform_openeuler
++# check-import = stdout
++
++array=`find / -xdev -type f \( -perm -4000 -o -perm -2000 \) | awk '{print $1}'`
++
++for element in ${array[@]}
++do
++ ret=`auditctl -l | grep "$element "`
++ if [ $? -ne 0 ]; then
++ else
++ exit "$XCCDF_RESULT_FAIL"
++ fi
++done
++exit "$XCCDF_RESULT_PASS"
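Review bot: The script's result is inverted and it does not parse: `if [ $? -ne 0 ]; then` is followed directly by `else`, which bash rejects as a syntax error, and the branch that would run (`else`, i.e. grep found the file in `auditctl -l`) exits with `$XCCDF_RESULT_FAIL`, so a host with audit rules fails and a host with none passes. `array` is also a plain string rather than an array, `awk '{print $1}'` truncates any path containing whitespace, `auditctl -l` is re-run once per SUID/SGID file, and the unescaped `$element` is used as a regex. The rewrite below snapshots the rule list once, iterates NUL-delimited paths and fails on the first unaudited file; `-xdev` still confines the scan to the root filesystem, so a separately mounted /usr would not be covered, which is presumably not intended.

```shell
#!/bin/bash
# platform = multi_platform_openeuler
# check-import = stdout

# Snapshot the loaded rules once instead of calling auditctl per file.
rules=$(auditctl -l 2>/dev/null)

# NUL-delimited so paths containing whitespace survive; -xdev keeps the
# scan on the root filesystem, as in the original.
while IFS= read -r -d '' element; do
    # Fixed-string match: the path is data, not a regex. The trailing
    # space keeps /usr/bin/su from matching /usr/bin/sudo.
    if ! printf '%s\n' "$rules" | grep -qF -- "$element "; then
        exit "$XCCDF_RESULT_FAIL"
    fi
done < <(find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print0)

exit "$XCCDF_RESULT_PASS"
```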
+diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
+new file mode 100644
+index 0000000..1e95b34
+--- /dev/null
++++ b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
+@@ -0,0 +1,25 @@
++
++
++
++ Make sure rsyslog dump journald log is configured
++
++ multi_platform_openeuler
++
++ Configure rsyslog dump journald log.
++
++
++
++
++
++
++
++
++
++ /etc/rsyslog.conf
++ ^[^#]*imjournal
++ 1
++
++
+\ No newline at end of file
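Review bot: The object reads only `/etc/rsyslog.conf`, but rsyslog also loads `/etc/rsyslog.d/*.conf`, so an `imjournal` module load placed in a drop-in (the usual packaging practice) fails the rule; a second textfilecontent54 object with path `/etc/rsyslog.d` and filename `^.*\.conf$` under the same criterion would cover it. The file also hardcodes `multi_platform_openeuler` where the sibling OVAL files in this patch use `{{{- oval_affected(products) }}}`; using the macro keeps the affected list consistent with `prodtype:` in rule.yml.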
+diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
+new file mode 100644
+index 0000000..6121f9c
+--- /dev/null
++++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
+@@ -0,0 +1,25 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Make sure rsyslog dump journald log is configured'
++
++description: |-
++
++ The system uses journald to collect logs. The logs may be stored on
++ volatile storage devices or on persistent storage devices. If there
++ are problems such as log loss or logs filling up the disk, the logs
++ must be dumped in a timely manner to ensure that the logs are more
++ consistent with the system. Safety.
++
++ Check whether the relevant fields have been configured in the /etc/rsyslog.conf file:
++ $ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*
++
++rationale: |-
++ If there is a volatile storage device for the log, failure to dump
++ the log in time may result in log loss. If there is a persistent
++ storage device, the amount of logs may be very large. If the logs
++ are not dumped in time, the logs may fill up the current partition,
++ causing the risk of other processes or system failures.
++
++severity: high
+\ No newline at end of file
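Review bot: The manual check shown, `$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*`, is copied from a sysctl rule and has nothing to do with rsyslog; it should mirror the OVAL test, e.g. `$ grep -E "^[^#]*imjournal" /etc/rsyslog.conf /etc/rsyslog.d/*.conf`. "to ensure that the logs are more consistent with the system. Safety." is garbled — presumably `to keep the logs consistent with the system's security requirements`.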
+diff --git a/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
+new file mode 100644
+index 0000000..318493d
+--- /dev/null
++++ b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
+@@ -0,0 +1,48 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Ensure that Rsyslog log rotate is configured'
++
++description: |-
++ rsyslog is responsible for collecting log records from the system into files, and logrotate
++ is responsible for regularly or quantitatively copying and compressing log files to ensure
++ that excessive hard disk resources are not occupied due to excessive log file size, or that
++ the log files are even unmaintainable.
++
++ By default, openEuler has configured the rsyslog rotate policy in the /etc/logrotate.d/rsyslog
++ file as follows:.
++
++ rotate log file:
++ /var/log/cron
++
++ /var/log/maillog
++
++ /var/log/messages
++
++ /var/log/secure
++
++ /var/log/spooler
++
++ The maximum retention period of log files is 365 days;
++
++ A maximum of 30 log files can be retained;
++
++ Log files are retained in a compressed manner;
++
++ The log file reaches 4MB, perform rotate operation.
++
++ It can not be scanned automatically, please check it manually.
++
++
++rationale: |-
++ If the rotate policy is not configured, the log file will continue to grow, which may
++ eventually lead to the exhaustion of space on the hard disk partition where the log is
++ located, which may affect log recording at best, or may cause the system and business to be
++ unable to continue to execute normally.
++
++severity: high
+diff --git a/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml
+new file mode 100644
+index 0000000..400c2e3
+--- /dev/null
++++ b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml
+@@ -0,0 +1,51 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Prevent root users from accessing the system locally'
++
++description: |-
++ Root is a super-privileged user in a Linux system and has access to all
++ Linux system resources. If you are allowed to directly use the root account
++ to log in to the Linux system to operate the system, it will bring many
++ potential security risks. In order to avoid the risks caused by this, it
++ should be prohibited to directly use the root account to log in to the
++ operating system, and only use other technologies when necessary. Methods
++ (such as: sudo or su) indirectly use the root account.
++
++ Since the root account has the highest authority, logging in directly with
++ root has the following risks:
++
++ High-risk misoperations may directly cause server paralysis, such as accidentally
++ deleting or modifying key system files;
++
++ If multiple people need root privileges to operate, the root password will be
++ kept by multiple people, which can easily lead to password leakage and increase
++ password maintenance costs.
++
++ openEuler is not configured by default. If there is no need to log in locally using
++ the root account in actual scenarios, it is recommended to disable local login
++ with the root account.
++
++ It can not be scanned automatically, please check it manually.
++ The checking method is as follows:
++
++ - Check whether the account type pam_access.so module is added to the /etc/pam.d/system-auth file, and the module must be loaded before the sufficient control line:
++
$ cat /etc/pam.d/system-auth
++
++ - Then, check whether restrictions on root user login to tty1 are set in the /etc/security/access.conf file:
++
$ grep "^\-:root" /etc/security/access.conf
++
++ - Finally, use the serial port to try to log in to the root account and confirm whether the login is denied. If login is refused, the serial port prints the following information:
++
Authorized users only. All activities may be monitored and reported.
++ localhost login: root
++ Password:
++
++ Permission denied
++
++
++
++rationale: |-
++ The root account cannot access the system locally.
++
++severity: low
+\ No newline at end of file
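Review bot: `rationale: The root account cannot access the system locally.` restates the title; the actual justification (shared root password, unattributable high-risk operations) is in the description and should move into `rationale:`. The manual steps check `-:root` for tty1 but then verify over the serial port, which is a different device; the access.conf entry should name the consoles actually in scope (for example `-:root:tty1 ttyS0`, or `LOCAL`), and the description should say which. The directory name `diasable_root_accessing_system` is misspelled (`disable`); rule ids are referenced from controls and become awkward to rename later.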
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost_openeuler/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost_openeuler/rule.yml
+new file mode 100644
+index 0000000..5557c92
+--- /dev/null
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost_openeuler/rule.yml
+@@ -0,0 +1,19 @@
++documentation_complete: true
++
++title: 'Ensure Logs Sent To Remote Host'
++
++description: |-
++ The rsyslog log service can send local logs to a remote log server for unified storage, which is conducive to centralized management of logs in a networking environment. It prevents local logs from taking up too much hard disk space and prevents logs from being tampered with locally.
++
++ openEuler does not configure remote log storage by default. It is recommended that users configure it according to actual business scenarios.
++
++ Use the following command to check whether the relevant fields have been configured in the configuration file in the /etc/rsyslog.d/ directory:.
++
++rationale: |-
++ If remote log storage is not configured, rsyslog logs will be saved in local files. If the administrator correctly configures the log storage path and rotate parameters, there will be no impact on the system and business. If remote log storage is configured, the security of the log transmission process must be ensured, such as encrypting the logs before transmitting them, and performing log transmissions by opening a secure encrypted channel (TCP+TLS1.2 and higher).
++
++severity: low
+\ No newline at end of file
+diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone_openeuler/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone_openeuler/rule.yml
+new file mode 100644
+index 0000000..df9cd73
+--- /dev/null
++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone_openeuler/rule.yml
+@@ -0,0 +1,27 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Set Default firewalld Zone for Incoming Packets'
++
++description: |-
++ The Firewalld service allows the firewall to be divided into several independent rule areas through the zone concept. Different interfaces or source addresses can be bound to different zones to implement different control logic. An area can be configured with many different network interfaces or sources, but conversely, an interface or source can only be bound to one area to avoid being unable to determine which area's rules are executed when packets enter and exit.
++
++ If a zone finds that there is no explicit rule match when processing packets from an interface or source, the zone can decide how to process the packet, such as accepting, rejecting, or directly handing it over to the default zone for processing.
++
++ You can configure an appropriate default area based on actual business scenarios. All network resources such as interfaces, source addresses, and connections that are not explicitly assigned to designated areas should be assigned to the default area.
++
++ The openEuler firewalld service provides a total of 11 area types: Server, Workstation, block, dmz, drop, external, home, internal, public, trusted, and work. The default configuration is public.
++
++ Use the following command to check the configuration of the current default zone.
++
++rationale: |-
++ If the default zone configuration is inappropriate, it may have unintended effects on network resources that are not bound to other zones.
++
++ If all network resources have been explicitly bound to other areas and detailed rules have been formulated, and no rules are configured in the default area, the default area will not affect services. But this is not recommended.
++
++severity: low
+\ No newline at end of file
+diff --git a/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml
+new file mode 100644
+index 0000000..70f713e
+--- /dev/null
++++ b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml
+@@ -0,0 +1,27 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Ensure that the iptables input policy configuration is correct'
++
++description: |-
++ The function of the Input chain is to filter packets received from external sources. Any
++ externally provided service requires configuring the corresponding Input policy and opening
++ the relevant port, so that external clients can access the service through that port.
++
++ It can not be scanned automatically, please check it manually.
++ Check if the policy configured for the input chain meets business needs.
++
++
++rationale: |-
++ If not configured, all external attempts to access related services will be discarded due to
++ the default policy configuration being DROP.
++
++severity: low
+\ No newline at end of file
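Review bot: The rationale states that with nothing configured all inbound traffic is discarded "due to the default policy configuration being DROP", but the built-in iptables policy for INPUT is ACCEPT; a DROP policy is something the administrator sets, so unless openEuler ships one (not stated here) the sentence reverses the real risk, which is that an unconfigured INPUT chain exposes every listening service. Suggest `The INPUT chain should end in a DROP policy with explicit ACCEPT rules only for services that must be reachable; otherwise every listening service is exposed.` and give the reviewer `iptables -S INPUT` (the first line shows the policy) as the manual step. The same DROP-by-default assumption appears in iptables_output_policy_configured_corrently, nftables_input_policy_configured_corrently and nftables_output_policy_configured_corrently; for nftables `nft list ruleset` shows each chain's policy.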
+diff --git a/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml
+new file mode 100644
+index 0000000..56ad54c
+--- /dev/null
++++ b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml
+@@ -0,0 +1,28 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Ensure that the iptables output policy configuration is correct'
++
++description: |-
++ There are two main situations for server outgoing messages: one is when the host process
++ actively connects to an external server, such as HTTP access, or sends data to a log server,
++ etc.; the other is when the host process accesses the local service externally and the local
++ machine responds to the message.
++
++ It can not be scanned automatically, please check it manually.
++ Check if the policy configured for the output chain meets business needs.
++
++
++rationale: |-
++ If the OUTPUT policy is not configured, all outgoing messages from the server will be discarded
++ due to the default policy being DROP.
++
++severity: low
+\ No newline at end of file
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml
+new file mode 100644
+index 0000000..7ae68d8
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml
+@@ -0,0 +1,21 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Disable Kernel Parameter for ARP Proxy'
++
++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.proxy_arp", value="0") }}}'
++
++rationale: |-
++ Restricted execution of programs that depend on the ARP proxy.
++
++severity: high
++
++platform: machine
++
++template:
++ name: sysctl
++ vars:
++ sysctlvar: net.ipv4.conf.all.proxy_arp
++ sysctlval: '0'
++ datatype: int
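Review bot: The rationale `Restricted execution of programs that depend on the ARP proxy.` describes a side effect rather than the risk: with proxy_arp enabled the host answers ARP requests for addresses that are not its own, so an unintended setting lets neighbouring traffic be attracted to this host. Suggest `With proxy_arp enabled the host replies to ARP requests on behalf of other addresses; unless the system is deliberately acting as an ARP proxy or router this should be disabled so it cannot attract or misroute traffic on the local segment.` The same rationale text appears in sysctl_net_ipv4_conf_default_proxy_arp/rule.yml.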
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml
+new file mode 100644
+index 0000000..6b77815
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml
+@@ -0,0 +1,21 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Disable Kernel Parameter for ARP Proxy by Default'
++
++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.default.proxy_arp", value="0") }}}'
++
++rationale: |-
++ Restricted execution of programs that depend on the ARP proxy.
++
++severity: high
++
++platform: machine
++
++template:
++ name: sysctl
++ vars:
++ sysctlvar: net.ipv4.conf.default.proxy_arp
++ sysctlval: '0'
++ datatype: int
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml
+new file mode 100644
+index 0000000..6d80ef3
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml
+@@ -0,0 +1,21 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Set Kernel Parameter for Ignoring All ICMP'
++
++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.icmp_echo_ignore_all", value="1") }}}'
++
++rationale: |-
++ All ICMP packages are ignored.
++
++severity: low
++
++platform: machine
++
++template:
++ name: sysctl
++ vars:
++ sysctlvar: net.ipv4.icmp_echo_ignore_all
++ sysctlval: '1'
++ datatype: int
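Review bot: The rationale "All ICMP packages are ignored." is inaccurate — `net.ipv4.icmp_echo_ignore_all` only suppresses replies to ICMP echo requests (ping); other ICMP types such as destination-unreachable and fragmentation-needed, which path-MTU discovery relies on, are unaffected. Suggest `The host stops answering ICMP echo requests, which reduces its visibility to network scans; other ICMP types are unaffected.` and note the trade-off that ping-based monitoring of the host will stop working. "packages" should be `packets`.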
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml
+new file mode 100644
+index 0000000..2c1681d
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml
+@@ -0,0 +1,22 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Set Kernel Parameter for TCP TIME_WAIT'
++
++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_fin_timeout", value="60") }}}'
++
++rationale: |-
++ Suggested value is 60.
++ If TIME_WAIT is set too long, DoS attacks may occur.
++
++severity: high
++
++platform: machine
++
++template:
++ name: sysctl
++ vars:
++ sysctlvar: net.ipv4.tcp_fin_timeout
++ sysctlval: '60'
++ datatype: int
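Review bot: `net.ipv4.tcp_fin_timeout` bounds how long an orphaned socket stays in FIN-WAIT-2 after the local side closes, not the TIME_WAIT interval (which is fixed in the kernel), so the title "TCP TIME_WAIT" and the rationale "If TIME_WAIT is set too long, DoS attacks may occur" describe the wrong state. 60 is also the kernel default, so the check confirms the default rather than hardening anything, and because the template tests equality an administrator who chose 30 would fail the rule. Suggested rationale: `Orphaned sockets are held in FIN-WAIT-2 for this many seconds; a large value lets a peer that never completes the close tie up socket resources.`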
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml
+new file mode 100644
+index 0000000..89391a7
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml
+@@ -0,0 +1,23 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Set Kernel Parameter for TCP SYN_RECV'
++
++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_max_syn_backlog", value="256") }}}'
++
++rationale: |-
++ Suggested value is 256.
++ For security purposes, you are advised to set this parameter to a large value to mitigate TCP SYN flood attacks.
++ However, if this parameter is set to a large value, more system resources are consumed.
++
++severity: low
++
++platform: machine
++
++template:
++ name: sysctl
++ vars:
++ sysctlvar: net.ipv4.tcp_max_syn_backlog
++ sysctlval: '256'
++ datatype: int
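Review bot: The rationale advises a large value to mitigate SYN floods, but the template checks that the value equals 256, so a host hardened to 1024 or 4096 fails the rule while 256 (typically below the kernel's own memory-scaled default) passes. Either the rationale or the check should change: if the sysctl template cannot express a minimum, state 256 as a recommendation in the description and make the rule manual, or check `net.ipv4.tcp_syncookies = 1`, which is the actual SYN-flood mitigation and is a clean equality test.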
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml
+new file mode 100644
+index 0000000..ec7d3af
+--- /dev/null
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml
+@@ -0,0 +1,21 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Disable Kernel Parameter for TCP Timestamps'
++
++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_timestamps", value="0") }}}'
++
++rationale: |-
++ After this function is enabled, packages with invalid addresses is recorded into kernel logs, which may cause logs overwrite.
++
++severity: low
++
++platform: machine
++
++template:
++ name: sysctl
++ vars:
++ sysctlvar: net.ipv4.tcp_timestamps
++ sysctlval: '0'
++ datatype: int
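Review bot: The rationale ("packages with invalid addresses is recorded into kernel logs, which may cause logs overwrite") describes `net.ipv4.conf.*.log_martians`, not TCP timestamps, and should be replaced with the reason this rule disables them. The usual argument is that the timestamp option can expose host uptime/fingerprinting information (largely mitigated on kernels that randomise the per-connection offset), and the cost is losing PAWS and RTT measurement (RFC 7323), which matters on high-bandwidth links. Suggest `Disabling TCP timestamps removes the uptime information carried in the timestamp option, at the cost of PAWS protection against wrapped sequence numbers; consider leaving it enabled on high-throughput hosts.`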
+diff --git a/linux_os/guide/system/network/network-nftables/nftables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_input_policy_configured_corrently/rule.yml
+new file mode 100644
+index 0000000..f5091bf
+--- /dev/null
++++ b/linux_os/guide/system/network/network-nftables/nftables_input_policy_configured_corrently/rule.yml
+@@ -0,0 +1,24 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Configure nftables input strategy'
++
++description: |-
++ The function of the input chain is to filter messages received from the
++ outside. Any externally provided service needs to configure the
++ corresponding input policy and open the relevant port so that external
++ clients can access the service through the port.
++
++ It can not be scanned automatically, please check it manually.
++
++
++rationale: |-
++ If not configured, since the default policy is configured as DROP, all
++ external packets trying to access related services will be dropped.
++
++severity: low
+\ No newline at end of file
+diff --git a/linux_os/guide/system/network/network-nftables/nftables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_output_policy_configured_corrently/rule.yml
+new file mode 100644
+index 0000000..ad82a61
+--- /dev/null
++++ b/linux_os/guide/system/network/network-nftables/nftables_output_policy_configured_corrently/rule.yml
+@@ -0,0 +1,25 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Configure nftables output strategy'
++
++description: |-
++ There are two main situations when the server sends outbound messages. One
++ is when the host process actively connects to an external server, such as
++ http access, or sends outgoing data to a log server, etc. The other is when
++ the host process externally accesses local services and the local machine
++ responds arts.
++
++ It can not be scanned automatically, please check it manually.
++
++
++rationale: |-
++ If no output policy is configured, all outgoing packets from the server will
++ be discarded because the default policy is DROP.
++
++severity: low
+\ No newline at end of file
+diff --git a/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
+new file mode 100644
+index 0000000..c0ab21e
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
+@@ -0,0 +1,41 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly'
++
++description: |-
++ LD_LIBRARY_PATH is a Linux environment variable. When a program loads a
++ dynamic link library, it will first obtain it from the path specified by
++ this environment variable. Normally, this environment variable should
++ not be set. If it is maliciously set to an incorrect value, the program
++ may be linked to an incorrect dynamic library when running, resulting in
++ security risks. Note: The configuration in /etc/ld.so.conf.d will also
++ affect dynamic library loading, so you need to ensure correct configuration.
++
++ openEuler does not set this variable by default. According to the actual
++ scenario, if LD_LIBRARY_PATH must be set, you need to ensure that the
++ value is correct in all user contexts.
++
++ It can not be scanned automatically, please check it manually.
++ There are multiple configuration files that can permanently set the LD_LIBRARY_PATH
++ value, which need to be investigated. These files include: /etc/profile, ~/.bashrc, ~/.bash_profile.
++ The latter two files are files in the user's home directory. Each user Yes, be
++ sure not to miss it during inspection.
++
++
++rationale: |-
++ none.
++
++severity: high
+\ No newline at end of file
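Review bot: `rationale: none.` while the hijacking argument that belongs there sits in the description, and the sentence `Each user Yes, be sure not to miss it during inspection` is broken. The list of files that can set LD_LIBRARY_PATH persistently also omits places a manual review would have to cover: /etc/profile.d/*.sh, /etc/environment (read by pam_env) and ~/.profile where it is used, plus /etc/ld.so.conf.d which the description mentions but does not list. I would replace the broken sentence with `The latter two live in each user's home directory, so every account must be inspected.` and move the "program may be linked to an incorrect dynamic library" reasoning into the rationale.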
+diff --git a/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
+new file mode 100644
+index 0000000..d9735e8
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
+@@ -0,0 +1,44 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Ensure the user PATH variable is strictly defined'
++
++description: |-
++ The PATH variable under Linux defines the search path for executable files
++ in the current user context. For example, if the user uses the ls command
++ in any directory, the system will search for the ls command in the directory
++ specified by the PATH variable and execute it after finding it. The PATH
++ variable in all user contexts cannot contain the current directory "." .The
++ directory must be a path that actually exists in the file system and meets
++ the design expectations of the system. The correct PATH value can effectively
++ prevent system commands from being replaced by malicious instructions and
++ ensure that system commands can be executed safely.
++
++ So the PATH variable should be defined to the correct value, and the openEuler
++ system default setting is:
++
++ /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
++
++ PATH can be modified according to the actual scenario, but be sure to make sure
++ it is correct.
++
++ It can not be scanned automatically, please check it manually.
++ Use the echo command to print out the value of PATH in the current user context and check whether it is correct.
++
++ - The PATH value in the openEuler root user context is as follows:
++
++ $ echo $PATH
++
++
++ - The PATH value in the openEuler ordinary user test context is as follows:
++
++ $ echo $PATH
++
++
++
++
++rationale: |-
++ none.
++
++severity: high
+\ No newline at end of file
+diff --git a/linux_os/guide/system/permissions/files/file_empty_link_prohibit/rule.yml b/linux_os/guide/system/permissions/files/file_empty_link_prohibit/rule.yml
+new file mode 100644
+index 0000000..fd6551d
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_empty_link_prohibit/rule.yml
+@@ -0,0 +1,25 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Empty link files are prohibited'
++
++description: |-
++ It can not be scanned automatically, please check it manually.
++ If any symlink files have no camonical path, it should be removed.
++
++ - You can use below cli command to find out all symlink files which have no canonical path under current path:
++
# find ./ -type l -follow
++
++ - Or find it under root path bug exclude some dirs:
++
# find / -path /var -prune -o -path /run -prune -o -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -follow
++
++ - Or find it under the whole disk partition:
++
# find / -xdev -type l -follow
++
++
++
++rationale: |-
++ If any symlink files have no camonical path, it should be removed.
++
++severity: high
+diff --git a/linux_os/guide/system/permissions/files/file_empty_link_prohibit/sce/shared.sh b/linux_os/guide/system/permissions/files/file_empty_link_prohibit/sce/shared.sh
+new file mode 100644
+index 0000000..12165ee
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_empty_link_prohibit/sce/shared.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++# platform = multi_platform_openeuler
++# check-import = stdout
++
++temp=$(find ./ -type l -follow)
++
++if [ "$temp" = "" ]; then
++ exit "$XCCDF_RESULT_PASS"
++fi
++
++exit "$XCCDF_RESULT_FAIL"
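Review bot: `temp=$(find ./ -type l -follow)` searches relative to whatever directory the scanner happens to run from, so the verdict depends on the evaluator's working directory rather than on the host; the rule description itself gives `find / -xdev -type l -follow` as the whole-partition form. find also writes permission and loop errors to stderr, which the script does not suppress, and the `-follow` plus `-type l` idiom (match only links whose target is missing) is expressed directly in GNU find as `-xtype l`. I would use `temp=$(find / -xdev -xtype l 2>/dev/null)`, and while touching the rule, fix "camonical" to "canonical" in its description.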
+diff --git a/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/rule.yml b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/rule.yml
+new file mode 100644
+index 0000000..6200a9c
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/rule.yml
+@@ -0,0 +1,16 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Disallow hidden executable files'
++
++description: |-
++ In the Linux system, files prefixed with "." are hidden files (except for "." and ".." in the current directory and upper directory), and executable hidden files are not allowed in the system.
++
++ The three files .bashrc, .bash_profile, and .bash_logout are the script files used when the system logs in/out of the shell after creating a user account. They are in line with industry practice and do not need to be deleted. Other hidden executable files must be deleted or removed. execute permission
++
++rationale: |-
++ NULL.
++
++severity: high
++
+diff --git a/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/sce/shared.sh b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/sce/shared.sh
+new file mode 100644
+index 0000000..6d78520
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/sce/shared.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++# platform = multi_platform_openeuler
++# check-import = stdout
++
++temp=$(find / -type f -name "\.*" -perm /+x)
++
++if [ "$temp" = "" ]; then
++ exit "$XCCDF_RESULT_PASS"
++fi
++
++exit "$XCCDF_RESULT_FAIL"
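Review bot: `find / -type f -name "\.*" -perm /+x` descends into /proc, /sys and every mounted filesystem with find's error output unsuppressed, and it flags the three files the rule description explicitly exempts (.bashrc, .bash_profile, .bash_logout), so an account with an executable .bashrc fails a rule whose text says it passes. It is also worth confirming that `-perm /+x` is parsed as "any execute bit" by the findutils shipped; `-perm /111` says the same thing without relying on symbolic-mode handling of a who-less `+x`. A closer match to the description is `temp=$(find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -path /run -prune -o -type f -name ".*" -perm /111 ! -name .bashrc ! -name .bash_profile ! -name .bash_logout -print 2>/dev/null)`.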
+diff --git a/linux_os/guide/system/permissions/files/file_opened_count_limited/rule.yml b/linux_os/guide/system/permissions/files/file_opened_count_limited/rule.yml
+new file mode 100644
+index 0000000..1875b4f
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_opened_count_limited/rule.yml
+@@ -0,0 +1,34 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Opened Files Count Limited'
++
++description: |-
++ It can not be scanned automatically, please check it manually.
++
++ The number of files that can be opened in Linux is limited. If all resources are occupied by a user, other users cannot open the file.
++ openEuler allows a user to open a maximum of 1024 file handles by default. If the number of file handles exceeds 1024,
++ new file handles cannot be opened. Low-privilege users can modify the value of 1024, but the upper limit 524288 cannot be exceed.
++ The root can modify the upper limit.
++ This parameter is set to a proper value to prevent all processes of a single user from opening too many file handles and exhausting system resources.
++
++ You can use below cli command to check the limitation:
++
++
++rationale: |-
++ None
++
++severity: high
++
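Review bot: The description ends with `You can use below cli command to check the limitation:` and nothing follows, so either the command was dropped from the patch or a `<pre>` block was lost in rendering; as committed the reader has no way to perform the manual check. The value is visible as `ulimit -n` (soft) and `ulimit -Hn` (hard) and persistently in /etc/security/limits.conf and limits.d, so this rule is automatable the same way coredump_prohibit/sce/shared.sh uses `ulimit -c`, and the text should at least name those commands. The 1024 default and the 524288 ceiling should be tied to the release they were measured on, since they come from the distribution's limits and systemd defaults and can change.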
+diff --git a/linux_os/guide/system/permissions/files/file_permission_minimum/rule.yml b/linux_os/guide/system/permissions/files/file_permission_minimum/rule.yml
+new file mode 100644
+index 0000000..910e607
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_permission_minimum/rule.yml
+@@ -0,0 +1,139 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Ensure All Files Have Minimum Permission'
++
++description: |-
++ It can not be scanned automatically, please check it manually.
++
++ According to the minimum permission requirements, the minimum access permission must be set for key files in the system,
++ especially files that contain sensitive information. Users with corresponding permissions can access the directory.
++ If the file or directory permission is incorrectly configured, the file information may leakage.
++
++ For example, if the access permission is set to 644 or greater, any user can access or even tamper with the data.
++ If the program's access permission is set to 755, as a result, any user can perform the operation,
++ which leads to privilege escalation risks.
++
++ Common types of files or directories that require access permission control are as follows:
++
++ - Executable files (binary files and scripts): directory for storing executable files.
++ Improper permission configuration may lead to privilege escalation attacks.
++
++ - Configuration files, key files, log files, data files that store sensitive information,
++ temporary files generated during system running, and static files.
++ These files may contain sensitive and private data. Improper permission configuration increases the risk of information leakage.
++
++
++
++ The basic principles of permission control are as follows:
++
++
++ File Type |
++ Suggested Permission |
++
++
++ Home Directory |
++ 750(rwxr-x---) |
++
++
++ Programs(Include bash, library) |
++ 550(r-xr-x---) |
++
++
++ Programs Directory |
++ 550(r-xr-x---) |
++
++
++ Configuration Files |
++ 640(rw-r-----) |
++
++
++ Configuration Files Directory |
++ 750(rwxr-x---) |
++
++
++ Log Files(Archived) |
++ 440(r--r-----) |
++
++
++ Log Files(Recording) |
++ 640(rw-r-----) |
++
++
++ Log Files Directory |
++ 750(rwxr-x---) |
++
++
++ Debug Files |
++ 640(rw-r-----) |
++
++
++ Debug Files Directory |
++ 750(rwxr-x---) |
++
++
++ Temporary Files Directory |
++ 750(rwxr-x---) |
++
++
++ Upgrading Files Directory |
++ 770(rwxrwx---) |
++
++
++ Data Files |
++ 640(rw-r-----) |
++
++
++ Data Files Directory |
++ 750(rwxr-x---) |
++
++
++ Directory Of Crypto Component, Private Key, Certificate, Encrypted Data |
++ 700(rwx------) |
++
++
++ Crypto Component, Private Key, Certificate, Encrypted Data |
++ 600(rw-------) |
++
++
++ Interface or Shell Files Of Crypto |
++ 500(r-x------) |
++
++
++
++ Generally, a non-root user is used to perform services. This user needs to access necessary directories in the Linux system and files.
++ Therefore, permission control can be relaxed for system directories, configuration files, executable files,
++ and certificate files that the system depends on.
++ The system is consistent with the general release in the industry. The suggestions are as follows:
++
++
++ File Type |
++ Suggested Permission |
++
++
++ Directory |
++ 755(rwxr-xr-x) |
++
++
++ Programs(Include bash, library) |
++ 755(rwxr-xr-x) |
++
++
++ Configuration Files |
++ 644(rw-r--r--) |
++
++
++ Certificate Files(No Private Key) |
++ 444(r--r--r--) |
++
++
++
++
++rationale: |-
++ The permission cannot be too high or too low. For example, if the permission of some system configuration files is set to 600 or 640,
++ common users cannot read the configuration files, the corresponding program may not be executed
++ because it does not have the permission to read the configuration.
++
++severity: high
++
+diff --git a/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount/rule.yml b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount/rule.yml
+new file mode 100644
+index 0000000..a58f76c
+--- /dev/null
++++ b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount/rule.yml
+@@ -0,0 +1,38 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Ensure that unneeded file system mount is removed'
++
++description: |-
++ The Linux system supports a variety of file systems, which are
++ loaded into the kernel through ko mode. As a general operating
++ system platform, openEuler will provide various file systems ko,
++ which are stored in the /lib/modules/(kernel version)/kernel/fs/
++ directory and can be loaded through the insmod/modprobe command.
++
++ Users should determine which file systems do not need to be supported
++ based on actual scenarios, and prohibit these file systems from being
++ mounted through configuration. These file systems usually include:
++ cramfs、freevxfs、jffs2、hfs、hfsplus、squashfs、udf、vfat、fat、msdos、nfs、ceph、fuse、overlay、xfs
++ It can not be scanned automatically, please check it manually.
++ Use the following command to check the file system mounting status, such as cramfs.
++
++
++rationale: |-
++ Disabling mount support for unnecessary file systems can reduce
++ the attack surface and prevent attackers from attacking the system
++ by exploiting vulnerabilities in some uncommon file systems.
++
++severity: high
+\ No newline at end of file
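Review bot: The description ends with `Use the following command to check the file system mounting status, such as cramfs.` and no command follows, so the manual check cannot be carried out from the text; if a `<pre>` block was lost in the patch it should be restored, otherwise name the commands, e.g. `modprobe -n -v cramfs` to see whether the module is blacklisted or aliased to /bin/true and `lsmod | grep cramfs` to see whether it is loaded. The list also puts xfs, fuse and overlay next to legacy formats; those are commonly required (root filesystems, containers), so the sentence should make clear they are candidates to evaluate, not a set to disable. The `、` separators are full-width ideographic commas and will render oddly in an English guide.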
+diff --git a/linux_os/guide/system/permissions/partitions/mount_nodev_mode_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_nodev_mode_partitions/rule.yml
+new file mode 100644
+index 0000000..58292b1
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/mount_nodev_mode_partitions/rule.yml
+@@ -0,0 +1,47 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Mounting in nodev mode does not require mounting the device'
++
++description: |-
++ nodev means that device files are not allowed to be mounted, which is used
++ to reduce the attack surface and increase security. When the directory is
++ mounted, if the nodev option is set, all block devices, character devices
++ and other device files in the directory will be parsed into ordinary files
++ and cannot be operated on device files. If nodev is not set when mounting,
++ it will lead to security risks. For example, an attacker creates a file system
++ on the USB flash drive and creates a block device file in it (his own USB flash
++ drive, with corresponding permissions), and this block The device actually
++ points to the server hard disk or partition such as /dev/sda. If an attacker
++ has the opportunity to insert a USB flash drive into the server and the server
++ loads the USB flash drive, the attacker can access the corresponding file through
++ this block device file. Hard drive data. If the U disk in the above case is changed
++ to another hard disk or partition, a similar problem will exist. As long as there
++ is a maliciously constructed device file on the hard disk or partition, an attack
++ can be formed.
++
++ The following directories are mounted by nodev by default in the openEuler system:
++ /sys、/proc、/sys/kernel/security、/dev/shm、/run、/sys/fs/cgroup、/sys/fs/cgroup/systemd、
++ /sys/fs/pstore、/sys/fs/bpf、/sys/fs/cgroup/files、/sys/fs/cgroup/net_cls,net_prio、
++ /sys/fs/cgroup/devices、/sys/fs/cgroup/freezer、/sys/fs/cgroup/cpu,cpuacct、/sys/fs/cgroup/perf_event、
++ /sys/fs/cgroup/pids、/sys/fs/cgroup/hugetlb、/sys/fs/cgroup/memory、/sys/fs/cgroup/blkio、
++ /sys/fs/cgroup/cpuset、/sys/fs/cgroup/rdma、/sys/kernel/config、/sys/kernel/debug、/dev/mqueue、
++ /tmp、/run/user/0
++ penEuler has the following directories (some directories vary depending on hard disk partitions
++ and deployment platforms). These directories are not mounted by nodev by default:
++ /dev、/dev/pts、/、/sys/fs/selinux、/proc/sys/fs/binfmt_misc、/dev/hugepages、/boot、
++ /var/lib/nfs/rpc_pipefs、/boot/efi、/home
++ In actual scenarios, based on business needs, the nodev method is used to mount partitions
++ that do not require device mounting.
++
++ It can not be scanned automatically, please check it manually.
++
++rationale: |-
++
++
++severity: high
+\ No newline at end of file
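Review bot: `rationale:` is left empty in this rule, and the same empty block appears in mount_noexec_mode_partitions, mount_only_no_modified_partitionsread and mounted_nosuid_mode_partitions in this patch; a `|-` scalar with no content leaves the generated guide without a justification. The description already contains one, so I would put its one-sentence form here: `Mounting a filesystem with nodev stops device nodes placed on it from granting access to the host's block and character devices.` The text also has `penEuler` for `openEuler` and a `this block The device actually points` fragment in the removable-media example that should be rewritten as one sentence.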
+diff --git a/linux_os/guide/system/permissions/partitions/mount_noexec_mode_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_noexec_mode_partitions/rule.yml
+new file mode 100644
+index 0000000..3c890df
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/mount_noexec_mode_partitions/rule.yml
+@@ -0,0 +1,23 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Mount a partition without executable files in noexec mode'
++
++description: |-
++ The data disk is only used to save data during system operation. There
++ is no need to execute relevant commands on the data disk. In this case,
++ the hard disk or partition must be mounted in noexec mode to improve security
++ and reduce the attack surface.
++
++ It can not be scanned automatically, please check it manually.
++
++
++rationale: |-
++
++
++severity: high
+\ No newline at end of file
+diff --git a/linux_os/guide/system/permissions/partitions/mount_only_no_modified_partitionsread/rule.yml b/linux_os/guide/system/permissions/partitions/mount_only_no_modified_partitionsread/rule.yml
+new file mode 100644
+index 0000000..ee56ae3
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/mount_only_no_modified_partitionsread/rule.yml
+@@ -0,0 +1,21 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Partitions that do not need to be modified are mounted read-only.'
++
++description: |-
++ Mounting file systems that do not require data modification in read-only mode can
++ avoid unintentional or malicious data tampering and reduce the attack surface.
++
++ It can not be scanned automatically, please check it manually.
++
++
++rationale: |-
++
++
++severity: high
+\ No newline at end of file
+diff --git a/linux_os/guide/system/permissions/partitions/mounted_nosuid_mode_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mounted_nosuid_mode_partitions/rule.yml
+new file mode 100644
+index 0000000..fe80bca
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/mounted_nosuid_mode_partitions/rule.yml
+@@ -0,0 +1,31 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Make sure partitions that do not require SUID/SGID are mounted in nosuid mode'
++
++description: |-
++ After the SUID bit is set on an executable file, even if the user executing the file
++ is not the owner of the file, the process will be temporarily granted the permissions
++ of the file owner during execution. For example, the ordinary user test executes a
++ program with permissions 755 and owner root. If the program does not set the SUID bit,
++ the process only has the permissions of the test user; if the SUID is set, the process
++ has root permissions during execution. . SGID has a similar function, but it only has
++ the permissions of the group to which the file belongs. For partitions that do not
++ need SUID/SGID, use the nosuid method to mount them. This can invalidate the S bit of
++ files with SUID/SGID in the partition, prevent privilege escalation through the
++ executable files of the partition, and strengthen the security of the partition.
++
++ Users need to plan each mounted hard drive and partition and set nosuid mounting items
++ based on actual scenarios.
++
++ It can not be scanned automatically, please check it manually.
++
++
++rationale: |-
++
++severity: high
+\ No newline at end of file
+diff --git a/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml
+new file mode 100644
+index 0000000..eaf1b4f
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml
+@@ -0,0 +1,33 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Hard drive data should be managed in partitions'
++
++description: |-
++ When installing the operating system, the operating system data and business data
++ partitions should be managed according to the characteristics of the actual scenario
++ to avoid placing all data on one hard disk or partition. Proper planning of hard disk
++ partitions can avoid or reduce the following risks:
++
++ The log file is too large, causing the business or system data disk to become full;
++ The home directory of ordinary accounts is too large, causing the system or business disk to become full;
++ The system partition is not independent, causing the basic service of the operating system to fail when the disk is full, causing a full-scale DOS attack;
++ It is not conducive to minimizing permissions and encrypting data disks;
++ It is not conducive to system or data recovery after the disk is damaged.
++
++ As a general operating system, openEuler installs separate partitions "/boot, /tmp,
++ /home, /" by default. It is recommended to determine the partition mounting and size
++ of other directories based on the actual scenario.
++
++ It can not be scanned automatically, please check it manually.
++
++
++rationale: |-
++ none.
++
++severity: low
+\ No newline at end of file
+diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/rule.yml
+new file mode 100644
+index 0000000..d8928f5
+--- /dev/null
++++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/rule.yml
+@@ -0,0 +1,27 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Limit the use of coredump'
++
++description: |-
++ Core dump is the act of recording the memory status when a program
++ terminates abnormally or crashes during running, which is helpful
++ for subsequent location, but may contain sensitive information in
++ the process memory. Sometimes users need to enable the core dump
++ function to record the cause of the problem at that time. For
++ users who need to enable the core dump function, the path for log
++ input needs to be restricted, and the path must be restricted to
++ only allow specific users to access it.
++
++ Enabling core dump helps to locate abnormal program termination or
++ crash, but it can easily leak sensitive information in memory.
++ openEuler is turned on by default. Users need to turn off core dump
++ or limit the path of log input and access users according to
++ business scenarios.
++
++rationale: |-
++ NULL.
++
++severity: high
++
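Review bot: The description of this rule is word-for-word the same as coredump_prohibit/rule.yml in this patch, neither says what its check evaluates, and both rationales are `NULL.`. Since the coredump_limited script is meant to inspect `kernel.core_pattern` and the mode of the directory it points to, the description should say so, e.g. `The check passes when core dumps are disabled (ulimit -c is 0) or when kernel.core_pattern names an absolute path whose directory exists with mode 700, 1770 or 1777.`, and the leak argument now in the description should become the rationale. The same applies to the coredump_prohibit rule, whose check is `ulimit -c` being 0.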
+diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/sce/shared.sh b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/sce/shared.sh
+new file mode 100644
+index 0000000..059efff
+--- /dev/null
++++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/sce/shared.sh
+@@ -0,0 +1,17 @@
++#!/bin/bash
++# platform = multi_platform_openeuler
++# check-import = stdout
++
++if [ "$temp" = "0" ]; then
++ exit "$XCCDF_RESULT_PASS"
++fi
++
++exit "$XCCDF_RESULT_FAIL"
++
++core_path=$(sysctl kernel.core_pattern | awk -F"^[[:space:]]*kernel.core_pattern[[:space:]]*=[[:space:]]*" '{print $2}')
++[[ "${core_path}" =~ ^/.+ ]] || { exit "$XCCDF_RESULT_FAIL"; }
++core_dir=$(dirname "${core_path}")
++[[ -d "${core_dir}" ]] || { exit "$XCCDF_RESULT_FAIL"; }
++rights_digit=$(stat -c%a "${core_dir}")
++[[ "${rights_digit}" =~ ^700$ || "${rights_digit}" =~ ^1770$ || "${rights_digit}" =~ ^1777$ ]] || { exit "$XCCDF_RESULT_FAIL"; }
++exit "$XCCDF_RESULT_PASS"
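Review bot: `temp` is never assigned in this script, so `[ "$temp" = "0" ]` can never be true and the unconditional `exit "$XCCDF_RESULT_FAIL"` after the first `fi` returns before any of the `kernel.core_pattern` logic runs; as committed the rule fails on every host and the path and mode checks are dead code. The leading block looks like a leftover of coredump_prohibit/sce/shared.sh, where `temp=$(ulimit -c)` precedes the same test. Add `temp=$(ulimit -c)` before the test and delete the early `exit "$XCCDF_RESULT_FAIL"`, so a host with core dumps disabled passes and one with them enabled proceeds to the directory checks. One further point: a `kernel.core_pattern` that begins with `|` (a pipe to a helper) fails the `^/.+` match, which may be intended but deserves a comment saying so.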
+diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/rule.yml
+new file mode 100644
+index 0000000..4fca98e
+--- /dev/null
++++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/rule.yml
+@@ -0,0 +1,27 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Use of coredumps is prohibited'
++
++description: |-
++ Core dump is the act of recording the memory status when a program
++ terminates abnormally or crashes during running, which is helpful
++ for subsequent location, but may contain sensitive information in
++ the process memory. Sometimes users need to enable the core dump
++ function to record the cause of the problem at that time. For
++ users who need to enable the core dump function, the path for log
++ input needs to be restricted, and the path must be restricted to
++ only allow specific users to access it.
++
++ Enabling core dump helps to locate abnormal program termination or
++ crash, but it can easily leak sensitive information in memory.
++ openEuler is turned on by default. Users need to turn off core dump
++ or limit the path of log input and access users according to
++ business scenarios.
++
++rationale: |-
++ NULL.
++
++severity: high
++
+diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/sce/shared.sh b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/sce/shared.sh
+new file mode 100644
+index 0000000..2671563
+--- /dev/null
++++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/sce/shared.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++# platform = multi_platform_openeuler
++# check-import = stdout
++
++temp=$(ulimit -c)
++
++if [ "$temp" = "0" ]; then
++ exit "$XCCDF_RESULT_PASS"
++fi
++
++exit "$XCCDF_RESULT_FAIL"
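Review bot: `ulimit -c` reports the soft core-file limit of the shell the scanner spawned, which any process may raise up to the hard limit, so a 0 here says little about whether core dumps are prohibited on the host and depends on how oscap itself was launched. The hard limit, `ulimit -Hc`, is what an unprivileged process cannot exceed, and the persistent policy lives in /etc/security/limits.conf and limits.d (`* hard core 0`), which this script never reads. At minimum test the hard limit with `temp=$(ulimit -Hc)`; checking the limits files and `fs.suid_dumpable` as well would make the verdict independent of the scanner's own environment.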
+diff --git a/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/rule.yml b/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/rule.yml
+new file mode 100644
+index 0000000..2a03f2f
+--- /dev/null
++++ b/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/rule.yml
+@@ -0,0 +1,19 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Limit the number of historical command records'
++
++description: |-
++ HISTSIZE is an environment variable that controls the size of the command history. Specifically, HISTSIZE defines the number of command entries that can be stored in the command history. By setting the value of HISTSIZE, you can limit or increase the size of the command history, thereby controlling the number of previously entered commands available in the command line terminal.
++
++ For example, setting HISTSIZE=100 will limit the command history to 100 commands. Once the command history reaches this limit, new commands will overwrite the oldest commands to keep the history size from exceeding the specified value.
++
++ What it does: Smaller history reduces the risk of sensitive information (such as passwords) being retained in the history.
++
++ It is recommended that the system limit the number of historical commands viewed, 50 or 100 is recommended.
++
++rationale: |-
++ The root account cannot access the system locally.
++
++severity: low
+\ No newline at end of file
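Review bot: The rationale `The root account cannot access the system locally.` has nothing to do with HISTSIZE and reads like a paste from a root-login rule; it should say why a bounded history matters, e.g. `A bounded history limits how long commands that embedded credentials or tokens remain readable in ~/.bash_history.` The description recommends 50 or 100 while the accompanying check accepts any value from 1 to 100, so text and check should agree on the range. `HISTSIZE` also only caps the in-memory list; `HISTFILESIZE` governs what is written to disk, which is what the sensitive-information argument is about, and the rule does not mention it.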
+diff --git a/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/sce/shared.sh b/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/sce/shared.sh
+new file mode 100644
+index 0000000..c24729a
+--- /dev/null
++++ b/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/sce/shared.sh
+@@ -0,0 +1,19 @@
++#!/bin/bash
++# platform = multi_platform_openeuler
++# check-import = stdout
++
++num=0
++res=0
++num=`echo $HISTSIZE`
++
++if [ $num −lt 1 −o $num -gt 100 ]; then
++ exit "$XCCDF_RESULT_FAIL"
++fi
++
++res=`grep -E '^HISTSIZE=([1-9]|[1-9][0-9]|100)$' /etc/profile`
++
++if [ "$res" = "" ];then
++ exit "$XCCDF_RESULT_FAIL"
++fi
++
++exit "$XCCDF_RESULT_PASS"
+\ No newline at end of file
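Review bot: The `if` line uses U+2212 MINUS SIGN rather than an ASCII hyphen in `−lt` and `−o`, so `[` sees unknown operands, returns an error status, and the range branch never fires; together with `HISTSIZE` being typically unset in the non-interactive shell oscap starts, the first half of the check is inert and the verdict comes from the `/etc/profile` grep alone. I would read the value with a default and use plain ASCII tests: `num=${HISTSIZE:-0}` and `if [ "$num" -lt 1 ] || [ "$num" -gt 100 ]; then`. The grep also misses `export HISTSIZE=50` and drop-ins, so consider `grep -Eqs '^(export[[:space:]]+)?HISTSIZE=([1-9]|[1-9][0-9]|100)$' /etc/profile /etc/profile.d/*.sh /etc/bashrc` and testing its exit status instead of capturing output; the unused `res=0` initialiser can go.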
+diff --git a/linux_os/guide/system/software/debugging_tools/rule.yml b/linux_os/guide/system/software/debugging_tools/rule.yml
+new file mode 100644
+index 0000000..077064a
+--- /dev/null
++++ b/linux_os/guide/system/software/debugging_tools/rule.yml
+@@ -0,0 +1,35 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'uninstall debugging tools'
++
++description: |-
++ If the business environment contains debugging scripts and tools, they can
++ easily be exploited and attacked by attackers. Therefore, it is strictly
++ prohibited to install various debugging tools and files in the production
++ environment, including but not limited to: code debugging tools, privilege
++ escalation commands, scripts, and tools used for debugging functions, certificates,
++ and keys used in the debugging phase. Perf tools, point management and piling
++ tools for performance testing, attack scripts and tool scripts for verifying
++ security issues such as CVE, etc. Common open source third-party debugging tools
++ include: strace, gdb, readelf, perf, etc.
++
++ It can not be scanned automatically, please check it manually.
++ Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.
++
++rationale: |-
++ none.
++
++severity: high
+\ No newline at end of file
+diff --git a/linux_os/guide/system/software/development_and_compliation_tools/rule.yml b/linux_os/guide/system/software/development_and_compliation_tools/rule.yml
+new file mode 100644
+index 0000000..8e9adb1
+--- /dev/null
++++ b/linux_os/guide/system/software/development_and_compliation_tools/rule.yml
+@@ -0,0 +1,39 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Uninstall development and compilation tools'
++
++description: |-
++ If the business environment contains compilation tools, they can
++ easily be used by attackers to edit, tamper with, and reverse analyze
++ key files in the environment to carry out attacks. Therefore, it is
++ strictly prohibited to install various compilation, decompilation,
++ and binary analysis tools in the production environment, including
++ but not limited to: compilation tools, decompilation tools, compilation
++ environments, etc. Common third-party development and compilation tools
++ include: gcc, cpp, mcpp, flex, cmake, make, rpm-build, ld, ar, etc.
++
++ If the business environment relies on interpreters such as python, lua,
++ and perl during deployment or operation, the interpreter running
++ environment can be retained.
++
++ It can not be scanned automatically, please check it manually.
++ Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.
++
++ - First, check whether the relevant rpm package is installed:
++
++ $ rpm -qa | grep -iE "^(gcc-|cpp-|mcpp-|flex-|cmake-|make-|rpm-build-|binutils-extra|elfutils-extra|llvm-|rpcgen-|gcc-c++)"; rpm -qa libtool
++
++
++ - Then,check whether the relevant commands are installed:
++
++ $ files=`find / -type f \( -name "gcc" -o -name "g++" -o -name "c++" -o -name "cpp" -o -name "mcpp" -o -name "flex" -o -name "lex" -o -name "cmake" -o -name "make" -o -name "rpmbuild" -o -name "ld" -o -name "ar" -o -name "llc" -o -name "rpcgen" -o -name "libtool" -o -name "javac" -o -name "objdump" -o -name "eu-objdump" -o -name "eu-readelf" -o -name "nm" \) 2> /dev/null`; for f in $files; do if [ -n "$f" ]; then file $f | grep -i "ELF"; fi; done
++
++
++
++
++rationale: |-
++ none.
++
++severity: high
+\ No newline at end of file
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+index 8fe6ac0..1b82841 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle12,sle15,uos20
++prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle12,sle15,uos20,openeuler2203,openeuler2403
+
+ title: 'Configure SSH to use System Crypto Policy'
+
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
+new file mode 100644
+index 0000000..5e03b6d
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
+@@ -0,0 +1,55 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'IMA metrics should be enabled'
++
++description: |-
++ IMA (Integrity Measurement Architecture) is an integrity protection function provided
++ by the kernel. When IMA is turned on, it can provide integrity measurements for
++ important files in the system based on user-defined policies. The measurement results
++ can be used locally and remotely. Proof of integrity.
++
++ When the IMA measurement function is not enabled in the system, summary information
++ of key files cannot be recorded in real time, and tampering with file contents or
++ attributes cannot be identified. Functions such as local attestation and remote
++ attestation that protect system integrity rely on the summary value provided by IMA
++ metrics, so they cannot be used, or the integrity protection is incomplete.
++
++ IMA global policy configuration is related to the specific environment. Normally,
++ integrity protection is only targeted at immutable files (such as executable files,
++ dynamic libraries, etc.). If the policy is improperly configured, it may lead to
++ excessive performance and memory overhead. It is recommended that users use their
++ own The situation determines whether to enable IMA and configure the correct policy.
++
++ Note: Since IMA is only the measurement part of the global integrity protection
++ mechanism, complete use requires TPM 2.0 and remote attestation services. This
++ specification only explains and recommends the measurement part of IMA. If the
++ system does not integrate TPM 2.0 and remote attestation services, the IMA measurement
++ function should not be enabled.
++
++ IMA measurement does not support container environments and virtual machine
++ environments, requires UEFI startup, and does not support Legacy mode.
++
++ Use the following command to check whether the current system has IMA measurement enabled.
++
++
++rationale: |-
++ Turning on IMA metrics will cause a slight increase in system startup time and file
++ access time.
++ If the policy is improperly configured (such as measuring real-time changing log files,
++ temporary files, etc.), the measurement log may grow too fast and occupy too much system
++ memory, and the memory occupied by the measurement log will not be released before the
++ next restart of the system. , thus affecting the normal operation of the business. In
++ addition, because the measured files are constantly changing, the measurement value changes,
++ and the remote certification baseline value cannot be updated synchronously, causing the
++ remote certification to fail and losing the meaning of integrity protection.
++
++severity: low
+\ No newline at end of file
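Review bot: The sentence `Use the following command to check whether the current system has IMA measurement enabled.` is followed by nothing, so the manual check this rule relies on cannot be carried out from the rule text. Either add the command (for example a check of the kernel command line, `grep -o 'ima_policy=[^ ]*' /proc/cmdline`, or of the measurement list under `/sys/kernel/security/ima/`) or drop the sentence, and mark the rule the way the other new manual rules in this patch do with `It can not be scanned automatically, please check it manually.`. Two sentences are garbled and need rewording: `It is recommended that users use their own The situation determines whether to enable IMA ...` and `next restart of the system. , thus affecting the normal operation ...`. The rationale block as written lists the costs of enabling IMA rather than why the rule exists; the benefit paragraph in the description (tamper detection, attestation) reads like the actual rationale and could be moved there.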
+diff --git a/linux_os/guide/system/software/network_sniffing_tools/rule.yml b/linux_os/guide/system/software/network_sniffing_tools/rule.yml
+new file mode 100644
+index 0000000..c4deefd
+--- /dev/null
++++ b/linux_os/guide/system/software/network_sniffing_tools/rule.yml
+@@ -0,0 +1,24 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Uninstall network sniffing Package'
++
++description: |-
++ If the production environment contains network sniffing tools, attackers
++ can easily use these tools to conduct network analysis and assist network
++ attacks. Therefore, installation of various network sniffing and packet
++ capture analysis tools, such as tcpdump, ethereal, wireshark, etc., should
++ be prohibited in the production environment.
++
++ It can not be scanned automatically,please check it manually.
++ check the network_sniffing_tools,such as wireshark,netcat,tcpdump,namp,ethereal:
++ $ rpm -qa | grep -iE "^(wireshark-|netcat-|tcpdump-|nmap-|ethereal-)"
++
++
++rationale: |-
++ There is no need to install various network sniffing and packet capture
++ analysis tools in the production environment.
++
++severity: high
+\ No newline at end of file
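Review bot: The check is declared manual (`It can not be scanned automatically`) although package presence is exactly what the `package_removed` template used by `package_python2_removed` later in this patch automates; one templated rule per package (tcpdump, wireshark, nmap, ...) would make this scannable instead of depending on an operator running `rpm -qa`. The description lists `namp` while the grep pattern uses `nmap-`, so the two should be reconciled, and `ethereal` is the pre-rename name of wireshark and is unlikely to exist as a package on these products. `netcat-` also looks like a guess at a package name prefix — on Fedora-derived distributions netcat is commonly shipped as `nmap-ncat`, which the `nmap-` alternative already covers — worth confirming against what openEuler actually ships before keeping it.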
+diff --git a/linux_os/guide/system/software/polkit/group.yml b/linux_os/guide/system/software/polkit/group.yml
+new file mode 100644
+index 0000000..37662e9
+--- /dev/null
++++ b/linux_os/guide/system/software/polkit/group.yml
+@@ -0,0 +1,6 @@
++documentation_complete: true
++
++title: Polkit
++
++description: |-
++ Polkit, which provides privilege escalation capabilities.
+diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml
+new file mode 100644
+index 0000000..ae03bd4
+--- /dev/null
++++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml
+@@ -0,0 +1,23 @@
++
++
++
++ Only root user can run pkexec
++
++ multi_platform_openeuler
++
++ Only root user can run pkexec.
++
++
++
++
++
++
++
++
++
++
++ /etc/polkit-1/rules.d/50-default.rules
++ ^[\s]*polkit.addAdminRule\(function.+\n*[\s]*return[\s]+\[\s*"\s*unix-user\s*:\s*[1-9]*[1-9][0-9]*\s*"\s*\]
++ 1
++
++
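Review bot: The pattern only fires on a `unix-user:<non-zero uid>` return in `/etc/polkit-1/rules.d/50-default.rules`, so an admin rule returning `unix-group:wheel`, a name-based identity such as `unix-user:alice`, or the same rule placed in any other `.rules` file under `/etc/polkit-1/rules.d/` or `/usr/share/polkit-1/rules.d/` goes unnoticed; polkit evaluates every rules file in both directories, so the object should match the filepath by pattern over both directories and the regex should cover `unix-group:` and name forms (a sketch, to be tested: `\[\s*"\s*unix-(user|group)\s*:\s*(?!0\s*")[^"]*"`). I am inferring the intended semantics — fail when any non-root admin identity is configured — from the title, since the test and state elements were stripped in this rendering. The companion `only_root_can_run_pkexec/rule.yml` in this patch should also say that the `polkit.addAdminRule` return value in the rules.d files is what is checked, so operators know what to fix.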
+diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml
+new file mode 100644
+index 0000000..a4c1ebb
+--- /dev/null
++++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml
+@@ -0,0 +1,17 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Ensure Only Root Can Run The Command of Pkexec'
++
++description: |-
++ The pkexec command enables a common user to have the rights of the super user or other users.
++ After the authentication is successful, the command is executed with the rights of the super user.
++ Pkexec provides a convenient path for users to change their identities, unconstrained use of the pkexec command can bring potential security risks.
++ The permission to access the root account using pkexec is restricted.
++ By default, the password of the root user must be verified when uses pkexec. Only the root user can obtain the system administrator rights.
++
++rationale: |-
++ Low-privilege users can not use pkexec.
++
++severity: high
+diff --git a/linux_os/guide/system/software/su/group.yml b/linux_os/guide/system/software/su/group.yml
+new file mode 100644
+index 0000000..aa6e29d
+--- /dev/null
++++ b/linux_os/guide/system/software/su/group.yml
+@@ -0,0 +1,6 @@
++documentation_complete: true
++
++title: Su
++
++description: |-
++ Su, which provides the ability to switch to root or other users.
+diff --git a/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml
+new file mode 100644
+index 0000000..942df37
+--- /dev/null
++++ b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml
+@@ -0,0 +1,23 @@
++
++
++
++ Always set env path when user switched
++
++ multi_platform_openeuler
++
++ Alway set env path when user switched by su.
++
++
++
++
++
++
++
++
++
++
++ /etc/login.defs
++ ^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$
++ 1
++
++
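Review bot: The pattern `^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$` requires an `=` separator, but `/etc/login.defs` is conventionally written as `KEY value` separated by whitespace, and as far as I recall util-linux's login.defs reader accepts either whitespace or `=` and compares the boolean case-insensitively; a system configured as `ALWAYS_SET_PATH yes` (or `YES`) would therefore fail this check despite being compliant. Suggest `^[\s]*ALWAYS_SET_PATH[\s]*(=|[\s])[\s]*[Yy][Ee][Ss][\s]*$`. Separately, with instance `1` only the first matching line is evaluated, so a later `ALWAYS_SET_PATH no` that overrides an earlier `yes` would not be caught — worth confirming which occurrence the parser honours before relying on a single instance.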
+diff --git a/linux_os/guide/system/software/su/su_always_set_path/rule.yml b/linux_os/guide/system/software/su/su_always_set_path/rule.yml
+new file mode 100644
+index 0000000..9249bfe
+--- /dev/null
++++ b/linux_os/guide/system/software/su/su_always_set_path/rule.yml
+@@ -0,0 +1,20 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Ensure Always Set Path is Set to YES'
++
++description: |-
++ The su command enables a common user to have the rights of the super user or other users.
++ It is often used to switch from a low-privilege user account to the system root account.
++ The su command provides a convenient way for users to change their identities.
++ However, using the su command without restrictions brings potential risks to the system.
++
++ The path is not automatically set for the user when the user is changed by using su.
++ If the system automatically initializes the environment variable PATH after you run the su command to switch users,
++ you can effectively prevent the privilege escalation which caused by inheriting the environment variable PATH.
++
++rationale: |-
++ None
++
++severity: high
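Review bot: `rationale: None` leaves the rationale empty although the description already carries it — the sentence beginning `If the system automatically initializes the environment variable PATH after you run the su command ...` is the rationale and belongs under that key. The description also never names the setting being checked; add `This is controlled by ALWAYS_SET_PATH in /etc/login.defs, which should be set to yes.` so an operator knows what to change. `the privilege escalation which caused by inheriting` should read `the privilege escalation caused by inheriting`.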
+diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
+new file mode 100644
+index 0000000..f73c428
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
+@@ -0,0 +1,33 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Make sure sudoers cannot configure scripts writable by low-privileged users'
++
++description: |-
++ sudo can enable the set ordinary user to execute certain specific programs with root privileges,
++ and the corresponding configuration file is /etc/sudoers. Administrator users can configure
++ corresponding rules to make certain scripts or binary files run with root permissions. Therefore,
++ the scripts configured by sudo should only be writable by root. Scripts that can be written by
++ low-privilege users cannot be configured. If low-privilege users are configured, they can be written
++ by root. script, the user can perform privilege escalation operations by modifying the script.
++
++ It can not be scanned automatically, please check it manually.
++ Check related configuration.
++
++
++rationale: |-
++ none.
++
++severity: high
+\ No newline at end of file
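Review bot: `Check related configuration.` gives the operator nothing to act on for a rule marked manual; the description should spell out the procedure — enumerate the command paths granted in `/etc/sudoers` and `/etc/sudoers.d/*`, then verify each path (and, for scripts, its interpreter) is owned by root and not group- or world-writable, e.g. `stat -c '%U %G %a %n' <path>`. The sentence `If low-privilege users are configured, they can be written by root. script, the user can perform privilege escalation ...` is garbled and should read something like `If a script writable by a low-privilege user is configured, that user can escalate privileges by modifying the script.` `rationale: none.` should carry the reason instead of a placeholder.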
+diff --git a/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml
+new file mode 100644
+index 0000000..a3826b8
+--- /dev/null
++++ b/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml
+@@ -0,0 +1,18 @@
++documentation_complete: true
++
++prodtype: openeuler2203,openeuler2403
++
++title: 'Uninstall All Python2 Packages'
++
++description: |-
++ {{{ describe_package_remove(package="python2") }}}
++
++rationale: |-
++ python2 related packages should be removed.
++
++severity: high
++
++template:
++ name: package_removed
++ vars:
++ pkgname: python2
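Review bot: The title `Uninstall All Python2 Packages` and the rationale promise that every python2-related package is gone, but the `package_removed` template with `pkgname: python2` only checks the single package named `python2`; subpackages or third-party modules with other names (for example a `python2-*` module package) would not be detected. Either narrow the title and rationale to the `python2` package itself, or add templated rules for the other package names the product actually ships, which I cannot verify from this patch.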
+--
+2.42.0.windows.2
+
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index b47df88efc36a8691c9f3b07a7a9000fc4329c80..c7c440612c79dca97d5df32ef9fe02670dc8b4d2 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,6 +1,6 @@
Name: scap-security-guide
Version: 0.1.68
-Release: 3
+Release: 4
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
@@ -8,6 +8,7 @@ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{versio
Patch0001: add-openeuler-support.patch
Patch0002: add-openeuler-control-rules.patch
+Patch0003: optimize-rules-for-openEuler.patch
BuildArch: noarch
BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@@ -40,7 +41,7 @@ mkdir build
%build
cd build
-%cmake ../
+%cmake -DSSG_SCE_ENABLED=ON ../
%make_build
%install
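Review bot: Switching the build to `-DSSG_SCE_ENABLED=ON` changes the produced content to include script (SCE) checks, and as far as I know a scanner built without SCE support reports such rules as notchecked rather than failing; the changelog entry should say so, so that packagers know the openscap-scanner in use must have SCE support. Whether the openEuler openscap build enables SCE cannot be confirmed from this diff. The changelog line `optimiz rules for openEuler` also has a typo for `optimize`.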
@@ -63,6 +64,9 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html
%changelog
+* Sat Feb 24 2024 wangqingsan - 0.1.68-4
+- optimiz rules for openEuler
+
* Mon Feb 19 2024 steven - 0.1.68-3
- add openEuler 2403 LTS supporting and remove openEuler general version supporting