From 78d5bc2896f0ec376789b2e416a2989a278c6d39 Mon Sep 17 00:00:00 2001
From: "steven.y.gui"
Date: Mon, 24 Jun 2024 11:50:00 +0800
Subject: [PATCH] optimize 8 rules
---
 optimize-8-rules-for-openEuler.patch | 199 +++++++++++++++++++++++++++
 scap-security-guide.spec | 6 +-
 2 files changed, 204 insertions(+), 1 deletion(-)
 create mode 100644 optimize-8-rules-for-openEuler.patch
diff --git a/optimize-8-rules-for-openEuler.patch b/optimize-8-rules-for-openEuler.patch
new file mode 100644
index 0000000..9a22eb6
--- /dev/null
+++ b/optimize-8-rules-for-openEuler.patch
@@ -0,0 +1,199 @@ +From e7f1e45f0b3172b5b5a35a1822865fddbca6d9f0 Mon Sep 17 00:00:00 2001 +From: wangqingsan +Date: Wed, 19 Jun 2024 13:27:03 +0800 +Subject: [PATCH] fix bug for oe + +--- + .../oval/shared.xml | 2 +- + .../oval/shared.xml | 2 +- + .../sshd_set_max_auth_tries/oval/shared.xml | 14 ++++++++++++ + .../accounts_umask_etc_bashrc/oval/shared.xml | 4 ++-- + .../oval/shared.xml | 13 ++++++----- + .../rsyslog_files_permissions_oe/rule.yml | 22 +++++++++++++++++++ + .../service_ip6tables_enabled/rule.yml | 2 +- + openeuler2203/profiles/standard.profile | 4 ++-- + 8 files changed, 51 insertions(+), 12 deletions(-) + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml +index e6c1a0e..494e255 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml +@@ -19,7 +19,7 @@ + + + /etc/ssh/sshd_config +- ^maxstartups\s+\d+:\d+:\d+$ ++ ^MaxStartups\s*[0-9]*:[0-9]*:[0-9]*[0-9] + 1 + + +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml +index fb79aff..30bc3c4 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml +@@ -19,7 +19,7 @@ + + + /etc/ssh/sshd_config +- ^LoginGraceTime\s+\d+$ ++ ^LoginGraceTime\s(\d*)[smhdw]*$ + 1 + + +\ No newline at end of file +diff --git 
a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml +index a8eaabd..ae811c7 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml +@@ -8,14 +8,28 @@ + The SSH MaxAuthTries should be set to an + appropriate value. + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ {{% else %}} + + + + ++ {{% endif %}} + + ++ ++ ++ ++ + + +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml +index 0bd0ac1..ec4197a 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml +@@ -95,7 +95,7 @@ + + + /etc/bashrc +- [\s]*umask[\s]*0077[\s]* ++ ^umask[\s]*0*7*$ + 1 + + +@@ -104,7 +104,7 @@ + + + ^/home/.*\.bashrc$ +- [\s]*umask[\s]*0077[\s]* ++ ^umask[\s]*0*7*$ + 1 + + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml +index 92b2667..372e175 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml +@@ -8,12 +8,15 @@ + The audit rules should be configured to log information about kernel module installing and removing. 
+ + +- +- +- ++ + + + ++ ++ ++ ++ ++ + + + +@@ -22,7 +25,7 @@ + + + ^/etc/audit/rules\.d/.*\.rules$ +- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*.*$ + 1 + + +@@ -31,7 +34,7 @@ + + + ^/etc/audit/rules\.d/.*\.rules$ +- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*.*$ + 1 + + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml +new file mode 100644 +index 0000000..93fd68f +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++title: 'Ensure System Log Files Have Correct Permissions' ++ ++description: |- ++

Log files record system operations. The log tool rsyslog can record logs ++ to specified files. When the specified log file does not exist in the system, ++ rsyslog can create a new log file. You can set the permission on new log files ++ in the rsyslog configuration file. You can set the default file permission to ++ ensure that new log files have proper and secure permissions.

++

Run the following command to manually check whether the log permission is properly set:

++
$ ls -l LOGFILE
++

If the permissions are not 600 or more restrictive, run the following ++ command to correct this:

++
$ sudo chmod 0600 LOGFILE
"
++
++rationale: |-
++ Log files can contain valuable information regarding system
++ configuration. If the system log files are not protected unauthorized
++ users could change the logged data, eliminating their forensic value.
++
++severity: low
+diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
+index d533940..a8ce14a 100644
+--- a/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
++++ b/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
+@@ -34,6 +34,6 @@ template:
+ name: service_enabled
+ vars:
+ servicename: ip6tables
+- packagename: iptables-ipv6
++ packagename: iptables
+
+ platform: machine
+diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
+index 76fe4dd..4ae7a01 100644
+--- a/openeuler2203/profiles/standard.profile
++++ b/openeuler2203/profiles/standard.profile
+@@ -376,8 +376,8 @@ selections:
+ - audit_rules_admin_privilege.severity=low
+ - recorded_authentication_related_event
+ - recorded_authentication_related_event.severity=high
+- - rsyslog_files_permissions
+- - rsyslog_files_permissions.severity=low
++ - rsyslog_files_permissions_oe
++ - rsyslog_files_permissions_oe.severity=low
+ - partitions_manage_hard_drive_data
+ - partitions_manage_hard_drive_data.severity=low
+ - uninstall_debugging_tools
+--
+2.36.1
+
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 6884ec9..b48f6df 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
 Version: 0.1.49
-Release: 11
+Release: 12
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
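Review bot: The rewritten umask pattern `^umask[\s]*0*7*$` in accounts_umask_etc_bashrc/oval/shared.xml (both hunks) also matches `umask 0`, `umask 000` and `umask 0000`, and the new `^umask` anchor no longer matches an indented umask line, so the test can report a fully permissive /etc/bashrc as compliant and a compliant but indented one as failing; `^[\s]*umask[\s]+0*77[\s]*$` keeps the intended 077 value while tolerating indentation. In audit_rules_kernel_module_install_and_remove both new patterns share the alternation `(-S[\s]+init_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))`, so a rules file that audits only init_module (or only delete_module) for each arch satisfies both the b32 and the b64 test; one test per arch and syscall, or a pattern that requires both names, is needed if the rule is meant to cover installing and removing. The LoginGraceTime pattern `^LoginGraceTime\s(\d*)[smhdw]*$` accepts only a single whitespace character between keyword and value and lets the subexpression capture an empty string, and sshd_config keywords are case-insensitive, so `(?i)^LoginGraceTime\s+(\d+)[smhdw]?$` (and a `(?i)` prefix with `\s+` instead of `\s*` on the MaxStartups pattern) would be tighter. The new rsyslog_files_permissions_oe/rule.yml carries only documentation fields — no oval/, template or ocil appears in the nested diffstat — while standard.profile replaces rsyslog_files_permissions with it, so unless a check for the _oe rule exists elsewhere the profile loses its automated log-file permission check; worth confirming before this ships.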
@@ -16,6 +16,7 @@ Patch0007:enable-76-rules-for-openEuler.patch Patch0008:enable-54-rules-for-openEuler.patch Patch0009:add-15-rules-for-openeuler.patch Patch0010:optimize-80-rules-for-openEuler.patch +Patch0011:optimize-8-rules-for-openEuler.patch BuildArch: noarch BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML @@ -70,6 +71,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Mon Jun 24 2024 steven - 0.1.49-12 +- optimize 8 rules for openEuler + * Fri Dec 22 2023 wangqingsan - 0.1.49-11 - elevate 80 rules for openEuler -- Gitee