From f39a57efb9df3edf176c8b7955c79aacb0102f5e Mon Sep 17 00:00:00 2001
From: zcfsite
Date: Wed, 18 Dec 2024 10:14:05 +0800
Subject: [PATCH] add automatic hardening and fix consistent with the baseline
---
 add-openeuler-automatic-hardening.patch | 563 ++++++++++++++++++
 ...ied-to-be-consistent-with-the-specif.patch | 72 +++
 scap-security-guide.spec | 7 +-
 3 files changed, 641 insertions(+), 1 deletion(-)
 create mode 100644 add-openeuler-automatic-hardening.patch
 create mode 100644 scap-is-modified-to-be-consistent-with-the-specif.patch
diff --git a/add-openeuler-automatic-hardening.patch b/add-openeuler-automatic-hardening.patch
new file mode 100644
index 0000000..53be676
--- /dev/null
+++ b/add-openeuler-automatic-hardening.patch
@@ -0,0 +1,563 @@ +From 3b23cd442beb76647801229660513aedbf03517e Mon Sep 17 00:00:00 2001 +From: xuce +Date: Thu, 5 Dec 2024 12:37:16 +0800 +Subject: [PATCH] add openeuler automatic hardening +Signed-off-by: jinlun +Signed-off-by: xuce +--- + controls/std_openeuler.yml | 10 +++++++--- + .../package_avahi_removed/rule.yml | 2 +- + .../service_avahi-daemon_disabled/rule.yml | 2 +- + .../file_permissions_at_allow/rule.yml | 2 +- + .../file_permissions_cron_allow/rule.yml | 2 +- + .../sshd_allow_only_protocol2/bash/shared.sh | 2 +- + .../sshd_disable_rhosts_rsa/bash/shared.sh | 2 +- + .../sshd_use_strong_macs/bash/shared.sh | 2 +- + .../sshd_use_strong_pubkey/bash/shared.sh | 2 ++ + .../bash/shared.sh | 2 +- + .../bash/shared.sh | 2 +- + .../bash/shared.sh | 2 +- + .../bash/shared.sh | 11 +++++++++++ + .../require_singleuser_auth/rule.yml | 2 +- + .../gid_passwd_group_same/bash/shared.sh | 10 ++++++++++ + .../use_pam_wheel_for_su/bash/shared.sh | 2 +- + .../bash/shared.sh | 2 +- + .../bash/shared.sh | 2 +- + .../bash/shared.sh | 2 +- + .../bash/shared.sh | 2 +- + .../configure_dump_journald_log/bash/shared.sh | 7 +++++++ + .../configure_dump_journald_log/rule.yml | 4 ++-- + .../rsyslog_cron_logging/bash/shared.sh | 4 ++-- + .../bash/shared.sh | 2 +- + .../aide/aide_build_database/oval/shared.xml | 2 ++ + .../only_root_can_run_pkexec/bash/shared.sh | 5 +++++ + .../su/su_always_set_path/bash/shared.sh | 6 ++++++ + .../sce/openeuler2403.sh | 17 +++++++++++++++++ + .../bash/shared.sh | 2 +- + shared/macros/10-bash.jinja | 10 +++++----- + .../templates/accounts_password/bash.template | 4 ++-- + .../templates/accounts_password/oval.template | 4 ++-- + .../grub2_bootloader_argument/bash.template | 2 +- + .../bash.template | 2 +- + shared/templates/service_disabled/bash.template | 2 +- + shared/templates/service_enabled/bash.template | 2 +- + shared/templates/sysctl/bash.template | 2 +- + 37 files changed, 103 insertions(+), 39 deletions(-) + create mode 100644 
linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh + create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh + create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh + create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh + create mode 100644 linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh + +diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml +index b187420..6985d6d 100644 +--- a/controls/std_openeuler.yml ++++ b/controls/std_openeuler.yml +@@ -53,7 +53,7 @@ controls: + rules: + - accounts_umask_etc_bashrc + - accounts_umask_etc_bashrc.severity=high +- - var_accounts_user_umask=077 ++ - var_accounts_user_umask=027 + + - id: 1.1.6_no_global_writable_file + title: Ensure No Global Writable File +@@ -280,8 +280,8 @@ controls: + - base + status: automated + rules: +- - service_avahi-daemon_disabled +- - service_avahi-daemon_disabled.severity=high ++ - package_avahi_removed ++ - package_avahi_removed.severity=high + + - id: 1.2.10_ldap_server_not_installed + title: Ensure LDAP Server Not Installed +@@ -711,6 +711,8 @@ controls: + - base + status: automated + rules: ++ - require_singleuser_auth ++ - require_singleuser_auth.severity=high + - require_emergency_target_auth + - require_emergency_target_auth.severity=high + +@@ -1627,6 +1629,8 @@ controls: + - base + status: automated + rules: ++ - package_audit_installed ++ - package_audit_installed.severity=high + - service_auditd_enabled + - service_auditd_enabled.severity=high + +diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml 
b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml +index ae6e5f3..ceaa7cf 100644 +--- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml ++++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204,openeuler2203,openeuler2403 + + title: 'Uninstall avahi Server Package' + +diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +index e799bae..2b0e53a 100644 +--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml ++++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Disable Avahi Server Software' + +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml +index 30b6553..021fdab 100644 +--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml +@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9 + + title: 'Verify Permissions on /etc/at.allow file' + +-{{% if 'rhel' not in product %}} ++{{% if 'rhel' not in product and 'openeuler' not in product %}} + {{% set 
target_perms_octal="0640" %}} + {{% set target_perms="-rw-r-----" %}} + {{% else %}} +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml +index 1961b9a..dff56f0 100644 +--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml +@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,r + + title: 'Verify Permissions on /etc/cron.allow file' + +-{{% if 'rhel' not in product %}} ++{{% if 'rhel' not in product and 'openeuler' not in product %}} + {{% set target_perms_octal="0640" %}} + {{% set target_perms="-rw-r-----" %}} + {{% else %}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh +index ba59876..cd31a2f 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler + + + {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^Protocol', '2', '%s %s') }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh +index 5a1ec5c..7a918c9 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = 
multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler + + + {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^RhostsRSAAuthentication', 'no', '%s %s') }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh +index f77be04..07bd77c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh +@@ -1,4 +1,4 @@ + # platform = multi_platform_all + +-{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}} ++{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com") }}} + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh +new file mode 100644 +index 0000000..7574233 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh +@@ -0,0 +1,2 @@ ++#platform=multi_platform_openeuler ++{{{ bash_sshd_config_set(parameter="PubkeyAcceptedKeyTypes", value="ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512") }}} +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh +index c830c07..d8499be 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh ++++ 
b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler + + {{% if product in [ "sle12", "sle15" ] %}} + {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}} +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh +index 449d912..3426bdc 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler + + {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}} + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh +index 3a32aad..2b0f4b4 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh ++++ 
b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_openeuler + + {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}} + +diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh +new file mode 100644 +index 0000000..c11315b +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh +@@ -0,0 +1,11 @@ ++# platform = multi_platform_openeuler ++ ++grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/system-auth ++if [ $? -eq 0 ]; then ++ sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/system-auth ++fi ++ ++grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/password-auth ++if [ $? 
-eq 0 ]; then ++ sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/password-auth ++fi +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +index 6e47912..107ef85 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,openeuler2203,openeuler2403 + + title: 'Require Authentication for Single User Mode' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh +new file mode 100644 +index 0000000..7f1cd3a +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh +@@ -0,0 +1,10 @@ ++# platform = multi_platform_openeuler ++ ++grep -E -v '^(halt|sync|shutdown)' "/etc/passwd" | awk -F ":" '($7 != "/bin/false" && $7 != "/sbin/nologin") {print $1, $4}' | while read user group; ++do ++ grep -q -P "^.*?:[^:]*:$group:" "/etc/group" ++ if [ $? 
-ne 0 ]; then ++ groupdel $user ++ groupadd -g $group $user ++ fi ++done +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +index cf672ee..17ed6f2 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler + + # uncomment the option if commented + sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh +index 36e7f8c..6f92e73 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler + + {{{ bash_instantiate_variables("var_audispd_disk_full_action") }}} + +diff --git 
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh +index 8a53bf8..561ff0f 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler + + {{{ bash_instantiate_variables("var_auditd_max_log_file") }}} + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh +index 5007f96..1834f35 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler + + {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}} + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh 
b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh +index a53f062..45ff50d 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu ++# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler + + {{{ bash_instantiate_variables("var_auditd_space_left") }}} + +diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh +new file mode 100644 +index 0000000..3f36da4 +--- /dev/null ++++ b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_openeuler ++ ++echo 'module(load="imjournal"' >> /etc/rsyslog.conf ++echo 'StateFile="/run/log/imjournal.state")' >> /etc/rsyslog.conf ++ ++systemctl daemon-reload ++systemctl restart rsyslog +diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml +index 6121f9c..4643b87 100644 +--- a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml ++++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml +@@ -13,7 +13,7 @@ description: |- + consistent with the system. Safety. + +

Check whether the relevant fields have been configured in the /etc/rsyslog.conf file:

+-
$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*
++
$ grep "^[^#]*imjournal" /etc/rsyslog.conf
+ + rationale: |- + If there is a volatile storage device for the log, failure to dump +@@ -22,4 +22,4 @@ rationale: |- + are not dumped in time, the logs may fill up the current partition, + causing the risk of other processes or system failures. + +-severity: high +\ No newline at end of file ++severity: high +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh +index 773f889..f6f3772 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh +@@ -1,8 +1,8 @@ +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_openeuler + + if ! 
grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then + mkdir -p /etc/rsyslog.d +- echo "cron.* /var/log/cron" >> /etc/rsyslog.d/cron.conf ++ echo "cron.* /var/log/cron" >> /etc/rsyslog.conf + fi + + systemctl restart rsyslog.service +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh +index 91b3495..265cda1 100644 +--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu ++# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler + df --local -P | awk '{if (NR!=1) print $6}' \ + | xargs -I '$6' find '$6' -xdev -type d \ + \( -perm -0002 -a ! 
-perm -1000 \) 2>/dev/null \ +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml +index 14cf458..ffa8444 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml +@@ -17,6 +17,8 @@ + /etc/aide.conf + {{% if 'sle' in product %}} + ^database=file:/([/a-z.]+)$ ++ {{% elif 'openeuler2403' in product %}} ++ ^database_in=file:@@{DBDIR}/([a-z.]+)$ + {{% else %}} + ^database=file:@@{DBDIR}/([a-z.]+)$ + {{% endif %}} +diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh +new file mode 100644 +index 0000000..8a5a7a2 +--- /dev/null ++++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh +@@ -0,0 +1,5 @@ ++# platform = multi_platform_openeuler ++ ++echo "polkit.addAdminRule(function(action, subject) { ++ return [\"unix-user:0\"]; ++});" > /etc/polkit-1/rules.d/50-default.rules +diff --git a/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh +new file mode 100644 +index 0000000..a5e4058 +--- /dev/null ++++ b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh +@@ -0,0 +1,6 @@ ++# platform = multi_platform_openeuler ++ ++grep '^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$' /etc/login.defs ++if [ $? 
-ne 0 ]; then ++ echo "ALWAYS_SET_PATH=yes" >> /etc/login.defs ++fi +diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh +new file mode 100644 +index 0000000..f272602 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh +@@ -0,0 +1,17 @@ ++#!/bin/bash ++# ++# platform = multi_platform_openeuler ++# check-import = stdout ++ ++result=$XCCDF_RESULT_PASS ++ ++comm="$(grep "(root)" /etc/sudoers | awk '{print $3}')" ++for line in $comm ; do ++ permissions=$(stat -c "%A" "$line") ++ if [[ ${permissions:8:1} == "w" ]]; then ++ result=$XCCDF_RESULT_FAIL ++ break ++ fi ++done ++ ++exit "$result" +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh +index 07e02fa..1a47c35 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler + {{% if product in ["sle12", "sle15"] %}} + sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/* + {{% else %}} +diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja +index 292a14a..9a8eace 100644 +--- a/shared/macros/10-bash.jinja ++++ b/shared/macros/10-bash.jinja +@@ -1980,7 +1980,7 @@ Part of the grub2_bootloader_argument template. 
+ + #}} + {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}} +-{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} ++{{% if 'ubuntu' in product or 'openeuler' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} + {{{ update_etc_default_grub_manually(arg_name, arg_name_value) }}} + {{% endif -%}} + {{{ grub_command("add", arg_name_value) }}} +@@ -1996,9 +1996,9 @@ Part of the grub2_bootloader_argument template. + #}} + {{%- macro update_etc_default_grub_manually_absent(arg_name) -%}} + # Correct the form of default kernel command line in GRUB +-if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' '/etc/default/grub' ; then +- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ arg_name }}}=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' +-fi ++while grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' '/etc/default/grub' ; do ++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*[[:space:]]\?\){{{ arg_name }}}=\?[^[:space:]]*[[:space:]]\?\(.*"\)/\1\2/' '/etc/default/grub' ++done + {{%- endmacro %}} + + +@@ -2011,7 +2011,7 @@ Part of the grub2_bootloader_argument_absent template. 
+ + #}} + {{% macro grub2_bootloader_argument_absent_remediation(arg_name) %}} +-{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} ++{{% if 'ubuntu' in product or 'openeuler' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} + {{{ update_etc_default_grub_manually_absent(arg_name) }}} + {{% endif -%}} + {{{ grub_command("remove", arg_name) }}} +diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template +index 46e98c1..ac8a0d7 100644 +--- a/shared/templates/accounts_password/bash.template ++++ b/shared/templates/accounts_password/bash.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler + # reboot = false + # strategy = restrict + # complexity = low +@@ -12,7 +12,7 @@ if grep -sq {{{ VARIABLE }}} /etc/security/pwquality.conf.d/*.conf ; then + fi + {{% endif %}} + +-{{% if "ol" in product %}} ++{{% if "ol" in product or "openeuler2403" in product %}} + {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth', + 'password', + '', +diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template +index c83a666..5d5b1a7 100644 +--- a/shared/templates/accounts_password/oval.template ++++ b/shared/templates/accounts_password/oval.template +@@ -11,14 +11,14 @@ + + + +- {{% if "ol" in product %}} ++ {{% if "ol" in product or "openeuler2403" in product %}} + + {{% endif %}} + + + +- {{% if "ol" in product %}} ++ {{% if "ol" in product or "openeuler2403" in product %}} + +diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template +index 965f4d3..4cbedf3 100644 +--- 
a/shared/templates/grub2_bootloader_argument/bash.template ++++ b/shared/templates/grub2_bootloader_argument/bash.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler + {{# + See the OVAL template for more comments. + Product-specific categorization should be synced across all template content types +diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template +index 8d7d6e9..dd2ff30 100644 +--- a/shared/templates/grub2_bootloader_argument_absent/bash.template ++++ b/shared/templates/grub2_bootloader_argument_absent/bash.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler + {{# + See the OVAL template for more comments. 
+ Product-specific categorization should be synced across all template content types +diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template +index 27666b0..6d6f027 100644 +--- a/shared/templates/service_disabled/bash.template ++++ b/shared/templates/service_disabled/bash.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler + # reboot = false + # strategy = disable + # complexity = low +diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template +index 00fd1ee..16ca4aa 100644 +--- a/shared/templates/service_enabled/bash.template ++++ b/shared/templates/service_enabled/bash.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler + # reboot = false + # strategy = enable + # complexity = low +diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template +index 49e4d94..4370e45 100644 +--- a/shared/templates/sysctl/bash.template ++++ b/shared/templates/sysctl/bash.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler + # reboot = true + # strategy = disable + # complexity = low +-- +2.33.0 + 
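Review bot: The new `configure_dump_journald_log/bash/shared.sh` appends `module(load="imjournal"` to /etc/rsyslog.conf unconditionally, so every re-run of the remediation adds another module load and rsyslog treats a second load of the same module as a configuration error; guard it with the rule's own check, e.g. `if ! grep -q '^[^#]*imjournal' /etc/rsyslog.conf; then printf 'module(load="imjournal" StateFile="/run/log/imjournal.state")\n' >> /etc/rsyslog.conf; fi`. The same missing guard affects `only_root_can_run_pkexec`, which overwrites the package-owned 50-default.rules instead of adding a rules file of its own, and `gid_passwd_group_same`, whose `groupdel $user` removes any existing group that merely shares the user's name (its memberships and files owned by that GID are left orphaned) before recreating it under another GID. In `10-bash.jinja`, `update_etc_default_grub_manually_absent` now runs `while grep -q … ; do sed -i … ; done`, but the loop only ends if sed rewrites every line grep matches, and the two patterns are not identical (sed additionally requires the `"` right after `GRUB_CMDLINE_LINUX=`), so a divergent line loops forever — cap the iterations or collapse it into one `sed` pass with the `g` flag. The `sce/openeuler2403.sh` check only inspects field 3 of `(root)` lines in /etc/sudoers, so `NOPASSWD:` tags, comma-separated command lists and /etc/sudoers.d entries go unchecked, and when the path does not exist `stat` fails, `permissions` is empty and the entry silently passes. `[\s]` inside the grep/sed bracket expressions of `no_name_contained_in_password` and `su_always_set_path` is a literal backslash-or-`s` under POSIX rules rather than whitespace, and `sshd_use_strong_pubkey` writes `#platform=…` where every other remediation uses `# platform = …`, which is worth confirming the header parser accepts.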
diff --git a/scap-is-modified-to-be-consistent-with-the-specif.patch b/scap-is-modified-to-be-consistent-with-the-specif.patch
new file mode 100644
index 0000000..b8d02e4
--- /dev/null
+++ b/scap-is-modified-to-be-consistent-with-the-specif.patch
@@ -0,0 +1,72 @@
+From 34a439703a12363e348329db2cc1145a7084fe4d Mon Sep 17 00:00:00 2001
+From: jinlun
+Date: Tue, 10 Dec 2024 19:25:41 +0800
+Subject: [PATCH] the ssg is modified to be consistent with the specifications
+
+---
+ controls/std_openeuler.yml | 1 +
+ .../bash/shared.sh | 6 ++++++
+ .../oval/shared.xml | 4 ++++
+ .../var_auditd_space_left.var | 1 +
+ 4 files changed, 12 insertions(+)
+
+diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
+index 6985d6d..3068afb 100644
+--- a/controls/std_openeuler.yml
++++ b/controls/std_openeuler.yml
+@@ -1752,6 +1752,7 @@ controls:
+ rules:
+ - auditd_data_retention_space_left
+ - auditd_data_retention_space_left.severity=low
++ - var_auditd_space_left=75MB
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_space_left_action.severity=low
+ - var_auditd_space_left_action=syslog
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
+index 4233f10..293dc77 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
+@@ -2,6 +2,12 @@
+
+ {{{ bash_instantiate_variables("var_auditd_admin_space_left_percentage") }}}
+
++{{% if "openeuler" in product %}}
++grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
++ sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage/g" /etc/audit/auditd.conf || \
++ echo "admin_space_left = $var_auditd_admin_space_left_percentage" >> /etc/audit/auditd.conf
++{{% else %}}
+ grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
+ sed -i
"s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage%/g" /etc/audit/auditd.conf || \
+ echo "admin_space_left = $var_auditd_admin_space_left_percentage%" >> /etc/audit/auditd.conf
++{{% endif %}}
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
+index 16d7433..b2acd8f 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
+@@ -17,7 +17,11 @@
+ /etc/audit/auditd.conf
+
+
++{{% if "openeuler" in product %}}
++ ^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$
++{{% else %}}
+ ^[\s]*admin_space_left[\s]+=[\s]+(\d+)%[\s]*$
++{{% endif %}}
+ 1
+
+
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
+index 4a3acba..3d86ed4 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
+@@ -10,6 +10,7 @@ interactive: false
+
+ options:
+ 1000MB: 1000
++ 75MB: 75
+ 100MB: 100
+ 250MB: 250
+ 500MB: 500
+-- 
+2.33.0
+
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index c7c4406..8b97deb 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
 Version: 0.1.68
-Release: 4
+Release: 5
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
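Review bot: In the new openEuler branch of `auditd_data_retention_admin_space_left_percentage/bash/shared.sh` the `%` suffix is dropped, so `$var_auditd_admin_space_left_percentage` is written as a bare number, which auditd.conf treats as megabytes rather than a percentage of the log partition, while the rule and variable names still say "percentage" and nothing in the patch records the unit change. I would add a comment above the branch, e.g. `# openEuler baseline specifies admin_space_left in MB, not percent; the *_percentage variable is reused here as a raw MB value`, put the same note beside the openEuler OVAL regex, or better introduce a separate MB-typed variable so one value does not carry two meanings across products. The openEuler OVAL pattern also keeps `[\s]+=[\s]+` (whitespace required on both sides of `=`), whereas the bash remediation only greps for `[[:space:]]*=`; that mismatch is inherited from the existing branch, but a hand-edited `admin_space_left=75` would satisfy the remediation's grep and still fail the check. In `var_auditd_space_left.var` the new `75MB: 75` option sits between `1000MB` and `100MB`, breaking the ascending order of the list; placing it first keeps the options readable.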
@@ -9,6 +9,8 @@ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{versio
 Patch0001: add-openeuler-support.patch
 Patch0002: add-openeuler-control-rules.patch
 Patch0003: optimize-rules-for-openEuler.patch
+Patch0004: add-openeuler-automatic-hardening.patch
+Patch0005: scap-is-modified-to-be-consistent-with-the-specif.patch
 BuildArch: noarch
 BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@@ -64,6 +66,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Wed Dec 18 2024 zcfsite - 0.1.68-5
+- add automatic hardening and fix consistent with the baseline
+
 * Sat Feb 24 2024 wangqingsan - 0.1.68-4
 - optimiz rules for openEuler
-- Gitee