From 6245f19e1aa9297478060a73cbbdee82403867c0 Mon Sep 17 00:00:00 2001
From: jinlun
Date: Tue, 3 Dec 2024 17:21:35 +0800
Subject: [PATCH] fix some issue.
---
 add-openeuler-automatic-hardening.patch | 137 +++++++++++++++++++-----
 scap-security-guide.spec | 5 +-
 2 files changed, 114 insertions(+), 28 deletions(-)
diff --git a/add-openeuler-automatic-hardening.patch b/add-openeuler-automatic-hardening.patch
index eca2f7d..a9f32b0 100644
--- a/add-openeuler-automatic-hardening.patch
+++ b/add-openeuler-automatic-hardening.patch
@@ -1,6 +1,6 @@
-From a4a86e816552479cb41e3423aef67acc32fb8510 Mon Sep 17 00:00:00 2001
+From e64af3aba7460bab202a194613ecf672747fc199 Mon Sep 17 00:00:00 2001
 From: jinlun
-Date: Wed, 13 Nov 2024 14:38:36 +0800
+Date: Tue, 3 Dec 2024 17:18:17 +0800
 Subject: [PATCH] Automatic hardening is supported.
 Signed-off-by: jinlun
@@ -16,29 +16,33 @@ Signed-off-by: xuce
 .../bash/shared.sh | 2 +-
 .../bash/shared.sh | 2 +-
 .../bash/shared.sh | 11 +++++++++++
- .../bash/shared.sh | 10 ++++++++++
 .../require_singleuser_auth/rule.yml | 2 +-
 .../gid_passwd_group_same/bash/shared.sh | 10 ++++++++++
 .../use_pam_wheel_for_su/bash/shared.sh | 2 +-
 .../bash/shared.sh | 2 +-
 .../bash/shared.sh | 2 +-
- .../configure_dump_journald_log/bash/shared.sh | 5 +++++
+ .../bash/shared.sh | 2 +-
+ .../bash/shared.sh | 2 +-
+ .../configure_dump_journald_log/bash/shared.sh | 7 +++++++
+ .../configure_dump_journald_log/rule.yml | 4 ++--
 .../rsyslog_cron_logging/bash/shared.sh | 4 ++--
 .../bash/shared.sh | 2 +-
+ .../aide/aide_build_database/oval/shared.xml | 2 ++
 .../only_root_can_run_pkexec/bash/shared.sh | 5 +++++
 .../su/su_always_set_path/bash/shared.sh | 6 ++++++
 .../sce/openeuler2403.sh | 17 +++++++++++++++++
 .../bash/shared.sh | 2 +-
 shared/macros/10-bash.jinja | 10 +++++-----
+ .../templates/accounts_password/bash.template | 4 ++--
+ .../templates/accounts_password/oval.template | 4 ++--
 .../grub2_bootloader_argument/bash.template | 2 +-
 .../bash.template | 2 +-
 shared/templates/service_disabled/bash.template | 2 +-
 shared/templates/service_enabled/bash.template | 2 +-
 shared/templates/sysctl/bash.template | 2 +-
- 29 files changed, 98 insertions(+), 28 deletions(-)
+ 34 files changed, 100 insertions(+), 36 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
 create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
@@ -183,25 +187,9 @@ index 0000000..568f4f5
 +fi
 +
 +grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/password-auth
-+if [ $? -nq 0 ]; then
++if [ $? -eq 0 ]; then
 + sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/password-auth
 +fi
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
-new file mode 100644
-index 0000000..7795559
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
-@@ -0,0 +1,10 @@
-+# platform = multi_platform_openeuler
-+
-+
-+cracklib-unpacker /usr/share/cracklib/pw_dict > ssg_dictionary.txt
-+create-cracklib-dict ssg_dictionary.txt
-+rm -f ssg_dictionary.txt
-+grep -oE '^ *dictcheck *= *(-?[0-9]+)([[:space:]]|$)' /etc/security/pwquality.conf
-+if [ $? -ne 0 ]; then
-+echo "dictcheck = 1" >> /etc/security/pwquality.conf
-+fi
 diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
 index 6e47912..107ef85 100644
 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
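Review bot: The corrected `-eq` test keys off the grep on the preceding context line, and that grep's `[\s]` is a POSIX bracket expression matching a literal backslash or the letter `s` rather than whitespace, so a `usercheck = 0` written with spaces is neither detected here nor removed by the sed that follows, which uses the same pattern. Both should use `[[:space:]]*`, the grep should be quiet so the remediation does not echo the matched line, and `^[^#]*` instead of the original `^.*` keeps commented-out lines from triggering the edit: `if grep -q '^[^#]*usercheck[[:space:]]*=[[:space:]]*0' /etc/pam.d/password-auth; then` and `sed -i 's/usercheck[[:space:]]*=[[:space:]]*0//g' /etc/pam.d/password-auth`. The script this hunk patches begins outside the hunk, so whether /etc/pam.d/system-auth receives the same edit is not visible here.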
@@ -240,6 +228,16 @@ index cf672ee..17ed6f2 100644
 # uncomment the option if commented
 sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
+index 36e7f8c..6f92e73 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+
+ {{{ bash_instantiate_variables("var_audispd_disk_full_action") }}}
+
 diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
 index 8a53bf8..561ff0f 100644
 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
@@ -260,17 +258,49 @@ index 5007f96..1834f35 100644
 {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}}
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
+index a53f062..45ff50d 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
++# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+
+ {{{ bash_instantiate_variables("var_auditd_space_left") }}}
+
 diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
 new file mode 100644
-index 0000000..12febfb
+index 0000000..3f36da4
 --- /dev/null
 +++ b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
 +# platform = multi_platform_openeuler
 +
 +echo 'module(load="imjournal"' >> /etc/rsyslog.conf
 +echo 'StateFile="/run/log/imjournal.state")' >> /etc/rsyslog.conf
 +
++systemctl daemon-reload
++systemctl restart rsyslog
+diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
+index 6121f9c..4643b87 100644
+--- a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
++++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
+@@ -13,7 +13,7 @@ description: |-
+ consistent with the system. Safety.
+ +

Check whether the relevant fields have been configured in the /etc/rsyslog.conf file:

+-
$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*
++
$ grep "^[^#]*imjournal" /etc/rsyslog.conf
+
+ rationale: |-
+ If there is a volatile storage device for the log, failure to dump
+@@ -22,4 +22,4 @@ rationale: |-
+ are not dumped in time, the logs may fill up the current partition,
+ causing the risk of other processes or system failures.
+
+-severity: high
+\ No newline at end of file
++severity: high
 diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
 index 773f889..f6f3772 100644
 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
@@ -296,16 +326,29 @@ index 91b3495..265cda1 100644
 df --local -P | awk '{if (NR!=1) print $6}' \
 | xargs -I '$6' find '$6' -xdev -type d \
 \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+index 14cf458..ffa8444 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+@@ -17,6 +17,8 @@
+ /etc/aide.conf
+ {{% if 'sle' in product %}}
+ ^database=file:/([/a-z.]+)$
++ {{% elif 'openeuler2403' in product %}}
++ ^database_in=file:@@{DBDIR}/([a-z.]+)$
+ {{% else %}}
+ ^database=file:@@{DBDIR}/([a-z.]+)$
+ {{% endif %}}
 diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
 new file mode 100644
-index 0000000..1057e81
+index 0000000..8a5a7a2
 --- /dev/null
 +++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
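Review bot: The `systemctl restart rsyslog` added at the end of configure_dump_journald_log/bash/shared.sh follows an append that is still unconditional, so each run of the remediation adds another `module(load="imjournal" ...)` stanza to /etc/rsyslog.conf, and rsyslog then reports a configuration error for a module loaded twice when it is restarted. Guarding the append with the check the rule's description in the same hunk now documents, `grep -q '^[^#]*imjournal' /etc/rsyslog.conf`, keeps the remediation idempotent. `systemctl daemon-reload` re-reads unit files, which this script does not touch, so it looks unnecessary; if it is there for a reason, a comment saying why would help. The guarded form is in the excerpt below.
```shell
# platform = multi_platform_openeuler

# Only append once: the OVAL check looks for an uncommented imjournal line.
if ! grep -q '^[^#]*imjournal' /etc/rsyslog.conf; then
    echo 'module(load="imjournal"' >> /etc/rsyslog.conf
    echo 'StateFile="/run/log/imjournal.state")' >> /etc/rsyslog.conf
fi

systemctl restart rsyslog
```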
@@ -0,0 +1,5 @@
 +# platform = multi_platform_openeuler
 +
 +echo "polkit.addAdminRule(function(action, subject) {
-+ return ["unix-user:0"];
++ return [\"unix-user:0\"];
 +});" > /etc/polkit-1/rules.d/50-default.rules
 diff --git a/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
 new file mode 100644
@@ -387,6 +430,46 @@ index 292a14a..9a8eace 100644
 {{{ update_etc_default_grub_manually_absent(arg_name) }}}
 {{% endif -%}}
 {{{ grub_command("remove", arg_name) }}}
+diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template
+index 46e98c1..ac8a0d7 100644
+--- a/shared/templates/accounts_password/bash.template
++++ b/shared/templates/accounts_password/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = false
+ # strategy = restrict
+ # complexity = low
+@@ -12,7 +12,7 @@ if grep -sq {{{ VARIABLE }}} /etc/security/pwquality.conf.d/*.conf ; then
+ fi
+ {{% endif %}}
+
+-{{% if "ol" in product %}}
++{{% if "ol" in product or "openeuler2403" in product %}}
+ {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth',
+ 'password',
+ '',
+diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template
+index c83a666..5d5b1a7 100644
+--- a/shared/templates/accounts_password/oval.template
++++ b/shared/templates/accounts_password/oval.template
+@@ -11,14 +11,14 @@
+
+
+
+- {{% if "ol" in product %}}
++ {{% if "ol" in product or "openeuler2403" in product %}}
+
+ {{% endif %}}
+
+
+
+- {{% if "ol" in product %}}
++ {{% if "ol" in product or "openeuler2403" in product %}}
+
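Review bot: With the quoting fixed, only_root_can_run_pkexec/bash/shared.sh still writes the rule with `>`, replacing whatever /etc/polkit-1/rules.d/50-default.rules already held, so any rules an administrator keeps in that file are silently discarded rather than augmented. Writing to a rule file owned by this remediation — `/etc/polkit-1/rules.d/<SSG_RULE_FILE>.rules`, name to be chosen by the project — or at least guarding the write with `grep -q 'unix-user:0' /etc/polkit-1/rules.d/50-default.rules` would make the script idempotent and non-destructive. Separately, the `{{% elif 'openeuler2403' in product %}}` branch added to the aide OVAL in the same hunk hard-codes one product, while the bash remediations in this patch are keyed on `multi_platform_openeuler`; if other openEuler products are built from this tree they would fall through to the `else` regex, which I cannot confirm from here. The OVAL object that branch sits in starts outside the hunk.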
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
 index 965f4d3..4cbedf3 100644
 --- a/shared/templates/grub2_bootloader_argument/bash.template
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index aba3a3f..0c171d3 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
 Version: 0.1.68
-Release: 6
+Release: 7
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
@@ -65,6 +65,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Tue Dec 3 2024 jinlun - 0.1.68-7
+- fix some issue.
+
 * Fri Nov 15 2024 jinlun - 0.1.68-6
 - fix openeuler grub configuration to Automatic hardening.
-- Gitee
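Review bot: The `"openeuler2403" in product` conditions added in accounts_password/bash.template and twice in oval.template are narrower than the `multi_platform_openeuler` platform the same hunk adds to the bash template header, so any other openEuler product built from this tree would run the template but take the non-`ol` branch. If the system-auth handling is meant for all openEuler products, `{{% if "ol" in product or "openeuler" in product %}}` keeps the two in step; if only 2403 is intended, a comment on the header line saying so would stop the next reader from widening it. The `bash_remove_pam_module_option_configuration` call that follows is cut off by the hunk, so what the branch does to /etc/pam.d/system-auth is not visible here, and both Jinja blocks continue outside the hunk.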