From 6e2b0fcc7674c5daa4423220652cbff4a5ebff62 Mon Sep 17 00:00:00 2001
From: jinlun
Date: Wed, 13 Nov 2024 11:19:56 +0800
Subject: [PATCH] Automatic hardening is supported.
---
 add-openeuler-automatic-hardening.patch | 406 ++++++++++++++++++++++++
 scap-security-guide.spec | 6 +-
 2 files changed, 411 insertions(+), 1 deletion(-)
 create mode 100644 add-openeuler-automatic-hardening.patch
diff --git a/add-openeuler-automatic-hardening.patch b/add-openeuler-automatic-hardening.patch
new file mode 100644
index 0000000..22523ff
--- /dev/null
+++ b/add-openeuler-automatic-hardening.patch
@@ -0,0 +1,406 @@
+From e587488759e5c07058b273dbada7937b96cbc388 Mon Sep 17 00:00:00 2001
+From: jinlun
+Date: Wed, 13 Nov 2024 14:38:36 +0800
+Subject: [PATCH] Automatic hardening is supported.
+
+Signed-off-by: jinlun
+Signed-off-by: xuce
+---
+ controls/std_openeuler.yml | 10 +++++++---
+ .../package_avahi_removed/rule.yml | 2 +-
+ .../service_avahi-daemon_disabled/rule.yml | 2 +-
+ .../sshd_allow_only_protocol2/bash/shared.sh | 2 +-
+ .../sshd_disable_rhosts_rsa/bash/shared.sh | 2 +-
+ .../sshd_use_strong_pubkey/bash/shared.sh | 2 ++
+ .../bash/shared.sh | 2 +-
+ .../bash/shared.sh | 2 +-
+ .../bash/shared.sh | 2 +-
+ .../bash/shared.sh | 11 +++++++++++
+ .../bash/shared.sh | 10 ++++++++++
+ .../require_singleuser_auth/rule.yml | 2 +-
+ .../gid_passwd_group_same/bash/shared.sh | 10 ++++++++++
+ .../use_pam_wheel_for_su/bash/shared.sh | 2 +-
+ .../bash/shared.sh | 2 +-
+ .../bash/shared.sh | 2 +-
+ .../configure_dump_journald_log/bash/shared.sh | 7 +++++++
+ .../rsyslog_cron_logging/bash/shared.sh | 4 ++--
+ .../bash/shared.sh | 2 +-
+ .../only_root_can_run_pkexec/bash/shared.sh | 5 +++++
+ .../su/su_always_set_path/bash/shared.sh | 6 ++++++
+ .../sce/openeuler2403.sh | 17 +++++++++++++++++
+ .../bash/shared.sh | 2 +-
+ .../grub2_bootloader_argument/bash.template | 2 +-
+ .../bash.template | 2 +-
+ shared/templates/service_disabled/bash.template | 2 +-
+ shared/templates/service_enabled/bash.template | 2 +-
+ shared/templates/sysctl/bash.template | 2 +-
+ 28 files changed, 95 insertions(+), 23 deletions(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
+ create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
+
+diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
+index b187420..6985d6d 100644
+--- a/controls/std_openeuler.yml
++++ b/controls/std_openeuler.yml
+@@ -53,7 +53,7 @@ controls:
+ rules:
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_bashrc.severity=high
+- - var_accounts_user_umask=077
++ - var_accounts_user_umask=027
+ 
+ - id: 1.1.6_no_global_writable_file
+ title: Ensure No Global Writable File
+@@ -280,8 +280,8 @@ controls:
+ - base
+ status: automated
+ rules:
+- - service_avahi-daemon_disabled
+- - service_avahi-daemon_disabled.severity=high
++ - package_avahi_removed
++ - package_avahi_removed.severity=high
+ 
+ - id: 1.2.10_ldap_server_not_installed
+ title: Ensure LDAP Server Not Installed
+@@ -711,6 +711,8 @@ controls:
+ - base
+ status: automated
+ rules:
++ - require_singleuser_auth
++ - require_singleuser_auth.severity=high
+ - require_emergency_target_auth
+ - require_emergency_target_auth.severity=high
+ 
+@@ -1627,6 +1629,8 @@ controls:
+ - base
+ status: automated
+ rules:
++ - package_audit_installed
++ - package_audit_installed.severity=high
+ - service_auditd_enabled
+ - service_auditd_enabled.severity=high
+ 
+diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
+index ae6e5f3..ceaa7cf 100644
+--- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
++++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204,openeuler2203,openeuler2403
+ 
+ title: 'Uninstall avahi Server Package'
+ 
+diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+index e799bae..2b0e53a 100644
+--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
++++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+ 
+ title: 'Disable Avahi Server Software'
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
+index ba59876..cd31a2f 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv
++# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler
+ 
+ 
+ {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^Protocol', '2', '%s %s') }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
+index 5a1ec5c..7a918c9 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler
+ 
+ 
+ {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^RhostsRSAAuthentication', 'no', '%s %s') }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
+new file mode 100644
+index 0000000..7574233
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
+@@ -0,0 +1,2 @@
++#platform=multi_platform_openeuler
++{{{ bash_sshd_config_set(parameter="PubkeyAcceptedKeyTypes", value="ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512") }}}
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+index c830c07..d8499be 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
+ 
+ {{% if product in [ "sle12", "sle15" ] %}}
+ {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+index 449d912..3426bdc 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+index 3a32aad..2b0f4b4 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
+new file mode 100644
+index 0000000..797f631
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
+@@ -0,0 +1,11 @@
++# platform = multi_platform_openeuler
++
++grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/system-auth
++if [ $? -eq 0 ]; then
++ sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/system-auth
++fi
++
++grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/password-auth
++if [ $? -nq 0 ]; then
++ sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/password-auth
++fi
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
+new file mode 100644
+index 0000000..9f3f5df
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
+@@ -0,0 +1,10 @@
++# platform = multi_platform_openeuler
++
++
++cracklib-unpacker /usr/share/cracklib/pw_dict > ssg_dictionary.txt
++create-cracklib-dict ssg_dictionary.txt
++rm -f ssg_dictionary.txt
++grep -oE '^ *dictcheck *= *(-?[0-9]+)([[:space:]]|$)' /etc/security/pwquality.conf
++if [ $? -ne 0 ]; then
++echo "dictcheck = 1" >> /etc/security/pwquality.conf
++fi
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+index 6e47912..107ef85 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,openeuler2203,openeuler2403
+ 
+ title: 'Require Authentication for Single User Mode'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
+new file mode 100644
+index 0000000..badcc54
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
+@@ -0,0 +1,10 @@
++# platform = multi_platform_openeuler
++
++grep -E -v '^(halt|sync|shutdown)' "/etc/passwd" | awk -F ":" '($7 != "/bin/false" && $7 != "/sbin/nologin") {print $1, $4}' | while read user group;
++do
++ grep -q -P "^.*?:[^:]*:$group:" "/etc/group"
++ if [ $? -ne 0 ]; then
++ groupdel $user
++ groupadd -g $group $user
++ fi
++done
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+index cf672ee..17ed6f2 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
+ 
+ # uncomment the option if commented
+ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
+index 8a53bf8..561ff0f 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_auditd_max_log_file") }}}
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
+index 5007f96..1834f35 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}}
+ 
+diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
+new file mode 100644
+index 0000000..7b8d8aa
+--- /dev/null
++++ b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_openeuler
++
++echo 'module(load="imjournal"' >> /etc/rsyslog.conf
++echo 'StateFile="/run/log/imjournal.state")' >> /etc/rsyslog.conf
++
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
+index 773f889..f6f3772 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
+@@ -1,8 +1,8 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_openeuler
+ 
+ if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
+ mkdir -p /etc/rsyslog.d
+- echo "cron.* /var/log/cron" >> /etc/rsyslog.d/cron.conf
++ echo "cron.* /var/log/cron" >> /etc/rsyslog.conf
+ fi
+ 
+ systemctl restart rsyslog.service
+diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+index 91b3495..265cda1 100644
+--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
++# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ df --local -P | awk '{if (NR!=1) print $6}' \
+ | xargs -I '$6' find '$6' -xdev -type d \
+ \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
+diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
+new file mode 100644
+index 0000000..1057e81
+--- /dev/null
++++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_openeuler
++
++echo "polkit.addAdminRule(function(action, subject) {
++ return ["unix-user:0"];
++});" > /etc/polkit-1/rules.d/50-default.rules
+diff --git a/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
+new file mode 100644
+index 0000000..4ac660f
+--- /dev/null
++++ b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_openeuler
++
++grep '^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$' /etc/login.defs
++if [ $? -ne 0 ]; then
++ echo "ALWAYS_SET_PATH=yes" >> /etc/login.defs
++fi
+diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
+new file mode 100644
+index 0000000..f272602
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
+@@ -0,0 +1,17 @@
++#!/bin/bash
++#
++# platform = multi_platform_openeuler
++# check-import = stdout
++
++result=$XCCDF_RESULT_PASS
++
++comm="$(grep "(root)" /etc/sudoers | awk '{print $3}')"
++for line in $comm ; do
++ permissions=$(stat -c "%A" "$line")
++ if [[ ${permissions:8:1} == "w" ]]; then
++ result=$XCCDF_RESULT_FAIL
++ break
++ fi
++done
++
++exit "$result"
+diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
+index 07e02fa..1a47c35 100644
+--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
+ {{% if product in ["sle12", "sle15"] %}}
+ sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/*
+ {{% else %}}
+diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
+index 965f4d3..4cbedf3 100644
+--- a/shared/templates/grub2_bootloader_argument/bash.template
++++ b/shared/templates/grub2_bootloader_argument/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ {{#
+ See the OVAL template for more comments.
+ Product-specific categorization should be synced across all template content types
+diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template
+index 8d7d6e9..dd2ff30 100644
+--- a/shared/templates/grub2_bootloader_argument_absent/bash.template
++++ b/shared/templates/grub2_bootloader_argument_absent/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ {{#
+ See the OVAL template for more comments.
+ Product-specific categorization should be synced across all template content types
+diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template
+index 27666b0..6d6f027 100644
+--- a/shared/templates/service_disabled/bash.template
++++ b/shared/templates/service_disabled/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = false
+ # strategy = disable
+ # complexity = low
+diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template
+index 00fd1ee..16ca4aa 100644
+--- a/shared/templates/service_enabled/bash.template
++++ b/shared/templates/service_enabled/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = false
+ # strategy = enable
+ # complexity = low
+diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
+index 49e4d94..4370e45 100644
+--- a/shared/templates/sysctl/bash.template
++++ b/shared/templates/sysctl/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = true
+ # strategy = disable
+ # complexity = low
+--
+2.33.0
+
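Review bot: In the new linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh the second test uses `-nq`, which is not a test operator, so `[` exits with an error and the password-auth cleanup never runs; it should mirror the system-auth branch, `if [ $? -eq 0 ]; then`. In the same file and in su_always_set_path/bash/shared.sh, `[\s]` inside a bracket expression matches the literal characters `\` and `s` rather than whitespace for both grep and sed, so an entry written as `usercheck = 0` is neither detected nor removed; `[[:space:]]` is the portable spelling, e.g. `grep -q 'usercheck[[:space:]]*=[[:space:]]*0' /etc/pam.d/password-auth`. gid_passwd_group_same/bash/shared.sh runs `groupdel $user` before `groupadd -g $group $user` for every user whose primary GID is absent from /etc/group, which also deletes an unrelated existing group that happens to carry the user's name; creating only the missing group, with a comment stating the intent, would be the safer remediation. The header of sshd_use_strong_pubkey/bash/shared.sh is written `#platform=multi_platform_openeuler` while every other script in the patch uses `# platform = ...`; if the content build parses that line strictly the remediation may not be attached to the openeuler platform, so it is worth confirming.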
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index c7c4406..d16def2 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
 Version: 0.1.68
-Release: 4
+Release: 5
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
@@ -9,6 +9,7 @@ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{versio
 Patch0001: add-openeuler-support.patch
 Patch0002: add-openeuler-control-rules.patch
 Patch0003: optimize-rules-for-openEuler.patch
+Patch0004: add-openeuler-automatic-hardening.patch
 BuildArch: noarch
 BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@@ -64,6 +65,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Wed Nov 13 2024 jinlun - 0.1.68-5
+- Automatic hardening is supported.
+
 * Sat Feb 24 2024 wangqingsan - 0.1.68-4
 - optimiz rules for openEuler
--
Gitee