diff --git a/add-openeuler-automatic-hardening.patch b/add-openeuler-automatic-hardening.patch
index a9f32b03526ea4e995a193885c35d208d1835fdf..53be67610ade26d9e153271755c976d6611d89b2 100644
--- a/add-openeuler-automatic-hardening.patch
+++ b/add-openeuler-automatic-hardening.patch
@@ -1,16 +1,18 @@
-From e64af3aba7460bab202a194613ecf672747fc199 Mon Sep 17 00:00:00 2001
-From: jinlun
-Date: Tue, 3 Dec 2024 17:18:17 +0800
-Subject: [PATCH] Automatic hardening is supported.
-
+From 3b23cd442beb76647801229660513aedbf03517e Mon Sep 17 00:00:00 2001
+From: xuce
+Date: Thu, 5 Dec 2024 12:37:16 +0800
+Subject: [PATCH] add openeuler automatic hardening
 Signed-off-by: jinlun
 Signed-off-by: xuce
 ---
  controls/std_openeuler.yml | 10 +++++++---
  .../package_avahi_removed/rule.yml | 2 +-
  .../service_avahi-daemon_disabled/rule.yml | 2 +-
+ .../file_permissions_at_allow/rule.yml | 2 +-
+ .../file_permissions_cron_allow/rule.yml | 2 +-
  .../sshd_allow_only_protocol2/bash/shared.sh | 2 +-
  .../sshd_disable_rhosts_rsa/bash/shared.sh | 2 +-
+ .../sshd_use_strong_macs/bash/shared.sh | 2 +-
  .../sshd_use_strong_pubkey/bash/shared.sh | 2 ++
  .../bash/shared.sh | 2 +-
  .../bash/shared.sh | 2 +-
@@ -40,7 +42,7 @@ Signed-off-by: xuce
  shared/templates/service_disabled/bash.template | 2 +-
  shared/templates/service_enabled/bash.template | 2 +-
  shared/templates/sysctl/bash.template | 2 +-
- 34 files changed, 100 insertions(+), 36 deletions(-)
+ 37 files changed, 103 insertions(+), 39 deletions(-)
  create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
  create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
  create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
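Review bot: The rewritten header no longer has an empty line between `Subject:` and the `Signed-off-by:` trailers — the old blank line is removed (the bare `-` line) and the new side does not add one back, so `Signed-off-by: jinlun` now sits directly under `Subject: [PATCH] add openeuler automatic hardening`. If this file is ever applied with `git am`, mailinfo reads everything up to the first blank line as mail headers and would drop both trailers from the resulting commit message; if it only goes through `patch`/`git apply` the effect is cosmetic. Re-adding the empty line after the `Subject:` line restores the `git format-patch` layout the rest of the file follows.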
@@ -115,6 +117,32 @@ index e799bae..2b0e53a 100644
  title: 'Disable Avahi Server Software'
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+index 30b6553..021fdab 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9
+ 
+ title: 'Verify Permissions on /etc/at.allow file'
+ 
+-{{% if 'rhel' not in product %}}
++{{% if 'rhel' not in product and 'openeuler' not in product %}}
+ {{% set target_perms_octal="0640" %}}
+ {{% set target_perms="-rw-r-----" %}}
+ {{% else %}}
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+index 1961b9a..dff56f0 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,r
+ 
+ title: 'Verify Permissions on /etc/cron.allow file'
+ 
+-{{% if 'rhel' not in product %}}
++{{% if 'rhel' not in product and 'openeuler' not in product %}}
+ {{% set target_perms_octal="0640" %}}
+ {{% set target_perms="-rw-r-----" %}}
+ {{% else %}}
 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
 index ba59876..cd31a2f 100644
 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
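Review bot: The `{{% else %}}` branch whose target mode openEuler now inherits lies outside the hunk, so nothing on the changed line records what mode `/etc/at.allow` and `/etc/cron.allow` are meant to have on openEuler, and the changelog only says the permission was fixed. A one-line Jinja comment above the condition would stop a later contributor from folding openEuler back into the `0640` branch: `{{# openEuler is held to the rhel target mode set in the else branch, not 0640 #}}`. Presumably the OVAL check and the remediation for both rules are generated from `target_perms_octal`/`target_perms`, so no other file needs touching — worth confirming that the remediation template reads these same variables rather than carrying its own literal.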
@@ -135,6 +163,16 @@ index 5a1ec5c..7a918c9 100644
  {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^RhostsRSAAuthentication', 'no', '%s %s') }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+index f77be04..07bd77c 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+@@ -1,4 +1,4 @@
+ # platform = multi_platform_all
+ 
+-{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}}
++{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com") }}}
+ 
 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
 new file mode 100644
 index 0000000..7574233
@@ -175,7 +213,7 @@ index 3a32aad..2b0f4b4 100644
 diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
 new file mode 100644
-index 0000000..568f4f5
+index 0000000..c11315b
 --- /dev/null
 +++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
 @@ -0,0 +1,11 @@
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 0c171d3a57937b9e700be5f64e5798fc9d5687fc..83df73109db654d85ad6fdf33aba595b880abd0a 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
 Version: 0.1.68
-Release: 7
+Release: 8
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
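Review bot: The new `MACs` value is only applied by the remediation; the OVAL check and description for `sshd_use_strong_macs` are outside this hunk, and if that check compares a literal string rather than a set of allowed names, a host remediated with this exact list and order will still scan as failing unless it was updated in step. Dropping `hmac-ripemd160` and `umac-128-etm@openssh.com` is the substantive part: OpenSSH removed hmac-ripemd160 in 7.6, and as far as I recall sshd treats an unknown name in `MACs` as a fatal config error (`Bad SSH2 mac spec`), so the old remediation risked leaving sshd unable to restart on current openEuler builds — that reason is worth recording, since a reader otherwise just sees six algorithms become four. A comment above the call would carry both points: `# Keep this list identical to what this rule's OVAL check accepts; OpenSSH removed hmac-ripemd160 in 7.6 and an unknown MAC makes sshd reject its config. sshd follows the client's preference order, so the order here only matters to the check.`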
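Review bot: The blob id for `no_name_contained_in_password/bash/shared.sh` moves from `568f4f5` to `c11315b`, yet no hunk in this diff touches that file's eleven lines (`@@ -0,0 +1,11 @@` is the last context line and the next change is the spec), so either a content change was left out of the regenerated patch or the index line is stale. `git apply` ignores index lines for text patches, so application is unaffected, but a `--3way` or `git am -3` fallback would look up a blob that does not match the hunk. If the patch file was edited by hand, regenerating it with `git format-patch` from the actual commit keeps the index lines consistent with the hunks. The file body itself is outside the hunk.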
@@ -65,6 +65,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Thu Dec 5 2024 xuce - 0.1.68-8
+- fix strong MACs and permission of cron.allow and at.allow
+
 * Tue Dec 3 2024 jinlun - 0.1.68-7
 - fix some issue.