diff --git a/add-openeuler-automatic-hardening.patch b/add-openeuler-automatic-hardening.patch index 53be67610ade26d9e153271755c976d6611d89b2..85781ebd4ed074638fe38a031c18fcff26dc479d 100644 --- a/add-openeuler-automatic-hardening.patch +++ b/add-openeuler-automatic-hardening.patch @@ -4,45 +4,37 @@ Date: Thu, 5 Dec 2024 12:37:16 +0800 Subject: [PATCH] add openeuler automatic hardening Signed-off-by: jinlun 
Signed-off-by: xuce + --- - controls/std_openeuler.yml | 10 +++++++--- - .../package_avahi_removed/rule.yml | 2 +- - .../service_avahi-daemon_disabled/rule.yml | 2 +- - .../file_permissions_at_allow/rule.yml | 2 +- - .../file_permissions_cron_allow/rule.yml | 2 +- - .../sshd_allow_only_protocol2/bash/shared.sh | 2 +- - .../sshd_disable_rhosts_rsa/bash/shared.sh | 2 +- - .../sshd_use_strong_macs/bash/shared.sh | 2 +- - .../sshd_use_strong_pubkey/bash/shared.sh | 2 ++ + controls/std_openeuler2203.yml | 10 +++++++--- .../bash/shared.sh | 2 +- .../bash/shared.sh | 2 +- .../bash/shared.sh | 2 +- + .../bash/shared.sh | 2 +- + .../file_permissions_at_allow/rule.yml | 2 +- + .../file_permissions_cron_allow/rule.yml | 2 +- + .../sshd_use_strong_pubkey/bash/shared.sh | 2 ++ .../bash/shared.sh | 11 +++++++++++ - .../require_singleuser_auth/rule.yml | 2 +- .../gid_passwd_group_same/bash/shared.sh | 10 ++++++++++ .../use_pam_wheel_for_su/bash/shared.sh | 2 +- - .../bash/shared.sh | 2 +- - .../bash/shared.sh | 2 +- - .../bash/shared.sh | 2 +- - .../bash/shared.sh | 2 +- .../configure_dump_journald_log/bash/shared.sh | 7 +++++++ .../configure_dump_journald_log/rule.yml | 4 ++-- .../rsyslog_cron_logging/bash/shared.sh | 4 ++-- .../bash/shared.sh | 2 +- - .../aide/aide_build_database/oval/shared.xml | 2 ++ + .../aide/aide_build_database/oval/shared.xml | 2 +- .../only_root_can_run_pkexec/bash/shared.sh | 5 +++++ .../su/su_always_set_path/bash/shared.sh | 6 ++++++ .../sce/openeuler2403.sh | 17 +++++++++++++++++ .../bash/shared.sh | 2 +- shared/macros/10-bash.jinja | 10 +++++----- - .../templates/accounts_password/bash.template | 4 ++-- + .../templates/accounts_password/bash.template | 2 +- .../templates/accounts_password/oval.template | 4 ++-- .../grub2_bootloader_argument/bash.template | 2 +- .../bash.template | 2 +- shared/templates/service_disabled/bash.template | 2 +- shared/templates/service_enabled/bash.template | 2 +- shared/templates/sysctl/bash.template | 2 +- - 37 files 
changed, 103 insertions(+), 39 deletions(-) + 28 files changed, 92 insertions(+), 30 deletions(-) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh @@ -51,21 +43,21 @@ Signed-off-by: xuce create mode 100644 linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh -diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml -index b187420..6985d6d 100644 ---- a/controls/std_openeuler.yml -+++ b/controls/std_openeuler.yml -@@ -53,7 +53,7 @@ controls: +diff --git a/controls/std_openeuler2203.yml b/controls/std_openeuler2203.yml +index df69b488..f5d74498 100644 +--- a/controls/std_openeuler2203.yml ++++ b/controls/std_openeuler2203.yml +@@ -57,7 +57,7 @@ controls: rules: - accounts_umask_etc_bashrc - accounts_umask_etc_bashrc.severity=high - - var_accounts_user_umask=077 + - var_accounts_user_umask=027 - - id: 1.1.6_no_global_writable_file + - id: 1.1.6 title: Ensure No Global Writable File -@@ -280,8 +280,8 @@ controls: - - base +@@ -284,8 +284,8 @@ controls: + - l1_server status: automated rules: - - service_avahi-daemon_disabled @@ -73,10 +65,10 @@ index b187420..6985d6d 100644 + - package_avahi_removed + - package_avahi_removed.severity=high - - id: 1.2.10_ldap_server_not_installed + - id: 1.2.10 title: Ensure LDAP Server Not Installed -@@ -711,6 +711,8 @@ controls: - - base +@@ -716,6 +716,8 @@ controls: + - l1_server status: automated rules: + - require_singleuser_auth 
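Review bot: The rebased control file `controls/std_openeuler2203.yml` now lists `require_singleuser_auth` in its rules (the inner `+ - require_singleuser_auth` line at the end of this hunk), yet the new diffstat above no longer contains `require_singleuser_auth/rule.yml`, so this version of the patch stops adding the openeuler products to that rule's `prodtype`. Unless the rebase target already lists `openeuler2203`/`openeuler2403` for that rule, the control references a rule that is not built for the product and the check silently disappears from the profile; worth confirming against upstream before merging. The patch is also retargeted at a 2203-specific control file while several of its new files are 2403-specific (for example `sce/openeuler2403.sh`), so the equivalent 2403 coverage should be verified as part of the same review.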
@@ -84,8 +76,8 @@ index b187420..6985d6d 100644 - require_emergency_target_auth - require_emergency_target_auth.severity=high -@@ -1627,6 +1629,8 @@ controls: - - base +@@ -1638,6 +1640,8 @@ controls: + - l1_server status: automated rules: + - package_audit_installed 
@@ -93,35 +85,51 @@ index b187420..6985d6d 100644 - service_auditd_enabled - service_auditd_enabled.severity=high -diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml -index ae6e5f3..ceaa7cf 100644 ---- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml -+++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true +diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh +index 342dc194..66757082 100644 +--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh ++++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_openeuler + + {{{ bash_instantiate_variables("var_audispd_disk_full_action") }}} + +diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh +index 32e2b70b..c066584a 100644 +--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh ++++ 
b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_openeuler --prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204,openeuler2203,openeuler2403 + {{{ bash_instantiate_variables("var_auditd_max_log_file") }}} - title: 'Uninstall avahi Server Package' +diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh +index c12f6315..ba23a334 100644 +--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh ++++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_openeuler -diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -index e799bae..2b0e53a 100644 ---- 
a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true + {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}} --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 +diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh +index c0225b9f..b96d4412 100644 +--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh ++++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_almalinux ++# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_openeuler - title: 'Disable Avahi Server Software' + {{{ bash_instantiate_variables("var_auditd_space_left") }}} diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml -index 30b6553..021fdab 100644 +index 8f514489..c2ae2269 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml 
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml -@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9 +@@ -2,7 +2,7 @@ documentation_complete: true title: 'Verify Permissions on /etc/at.allow file' @@ -131,89 +139,29 @@ index 30b6553..021fdab 100644 {{% set target_perms="-rw-r-----" %}} {{% else %}} diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml -index 1961b9a..dff56f0 100644 +index 0a1cf6b7..bf7b3be8 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml 
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml -@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,r +@@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Permissions on /etc/cron.allow file' -{{% if 'rhel' not in product %}} -+{{% if 'rhel' not in product and 'openeuler' not in product %}} ++{{% if 'rhel' not in product and 'openeuler' not in product %}} {{% set target_perms_octal="0640" %}} {{% set target_perms="-rw-r-----" %}} {{% else %}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh -index ba59876..cd31a2f 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler - - - {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^Protocol', '2', '%s %s') }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh -index 5a1ec5c..7a918c9 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler - - - {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^RhostsRSAAuthentication', 'no', '%s %s') }}} -diff --git 
a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh -index f77be04..07bd77c 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh -@@ -1,4 +1,4 @@ - # platform = multi_platform_all - --{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}} -+{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com") }}} - diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh new file mode 100644 -index 0000000..7574233 +index 00000000..75742330 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh 
@@ -0,0 +1,2 @@ +#platform=multi_platform_openeuler +{{{ bash_sshd_config_set(parameter="PubkeyAcceptedKeyTypes", value="ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512") }}} -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh -index c830c07..d8499be 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler - - {{% if product in [ "sle12", "sle15" ] %}} - {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}} -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh -index 449d912..3426bdc 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu -+# platform = 
multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler - - {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}} - -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh -index 3a32aad..2b0f4b4 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_openeuler - - {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}} - diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh new file mode 100644 -index 0000000..c11315b +index 00000000..c11315b8 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh @@ -0,0 +1,11 @@ 
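Review bot: The new remediation `sshd_use_strong_pubkey/bash/shared.sh` kept in this hunk starts with `#platform=multi_platform_openeuler`, which does not follow the `# platform = ...` header form used by every other script in this patch; if the remediation parser is strict about that form the script will be dropped from the build without an error, so write it as `# platform = multi_platform_openeuler`. The option name `PubkeyAcceptedKeyTypes` is the legacy spelling — OpenSSH 8.5 renamed it to `PubkeyAcceptedAlgorithms` and keeps the old name only as an alias — so on the OpenSSH versions shipped by current openEuler releases the new name is the one to prefer, presumably matching what the corresponding OVAL check looks for.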
@@ -228,21 +176,9 @@ index 0000000..c11315b +if [ $? -eq 0 ]; then + sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/password-auth +fi -diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml -index 6e47912..107ef85 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,openeuler2203,openeuler2403 - - title: 'Require Authentication for Single User Mode' - diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh new file mode 100644 -index 0000000..7f1cd3a +index 00000000..7f1cd3aa --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh @@ -0,0 +1,10 @@ @@ -257,58 +193,18 @@ index 0000000..7f1cd3a + fi +done diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh -index cf672ee..17ed6f2 100644 +index 5bd381d1..5cec2e13 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh 
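Review bot: In the `no_name_contained_in_password` remediation retained here, `sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/password-auth` uses `[\s]` inside a bracket expression, where POSIX (and GNU sed) treats it as the two literal characters backslash and `s` rather than whitespace; `usercheck = 0` written with spaces is therefore never removed and the remediation reports success while leaving the weak setting in place. Use the bracket class instead: `sed -i 's/usercheck[[:space:]]*=[[:space:]]*0//g' /etc/pam.d/password-auth`. The `if [ $? -eq 0 ]` guard tests a command that starts outside the hunk, so whether that command's exit status is the intended condition cannot be confirmed from here.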
@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_almalinux ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_almalinux,multi_platform_openeuler # uncomment the option if commented - sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh -index 36e7f8c..6f92e73 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler - - {{{ bash_instantiate_variables("var_audispd_disk_full_action") }}} - -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh -index 8a53bf8..561ff0f 100644 ---- 
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler - - {{{ bash_instantiate_variables("var_auditd_max_log_file") }}} - -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh -index 5007f96..1834f35 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler - - {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}} - -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh -index a53f062..45ff50d 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh -+++ 
b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu -+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler - - {{{ bash_instantiate_variables("var_auditd_space_left") }}} - + sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh new file mode 100644 -index 0000000..3f36da4 +index 00000000..3f36da44 --- /dev/null +++ b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh @@ -0,0 +1,7 @@ @@ -320,10 +216,10 @@ index 0000000..3f36da4 +systemctl daemon-reload +systemctl restart rsyslog diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml -index 6121f9c..4643b87 100644 +index 887d99fe..d00cfdc6 100644 --- a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml +++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml -@@ -13,7 +13,7 @@ description: |- +@@ -11,7 +11,7 @@ description: |- consistent with the system. Safety.

Check whether the relevant fields have been configured in the /etc/rsyslog.conf file:

@@ -332,7 +228,7 @@ index 6121f9c..4643b87 100644 rationale: |- If there is a volatile storage device for the log, failure to dump -@@ -22,4 +22,4 @@ rationale: |- +@@ -20,4 +20,4 @@ rationale: |- are not dumped in time, the logs may fill up the current partition, causing the risk of other processes or system failures. @@ -340,46 +236,50 @@ index 6121f9c..4643b87 100644 \ No newline at end of file +severity: high diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh -index 773f889..f6f3772 100644 +index 1e301f53..e3e2a9c8 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh 
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh -@@ -1,8 +1,8 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_openeuler +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_openeuler - if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then + {{% if 'ol' in families %}} + if ! grep -Pzo '(?m)^\s*(cron|\*)\.\*\s*(/var/log/(cron|messages)|action\(\s*.*(?i:\btype\b)="omfile"\s*.*(?i:\bfile\b)="/var/log/(cron|messages)"\s*\))\s*$' /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then +@@ -6,7 +6,7 @@ if ! grep -Pzo '(?m)^\s*(cron|\*)\.\*\s*(/var/log/(cron|messages)|action\(\s*.*( + if ! grep -Pzo '(?m)^\s*cron\.\*\s*(/var/log/cron|action\(\s*.*(?i:\btype\b)="omfile"\s*.*(?i:\bfile\b)="/var/log/cron"\s*\))\s*$' /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then + {{% endif %}} mkdir -p /etc/rsyslog.d - echo "cron.* /var/log/cron" >> /etc/rsyslog.d/cron.conf + echo "cron.* /var/log/cron" >> /etc/rsyslog.conf fi - systemctl restart rsyslog.service + if {{{ bash_not_bootc_build() }}} ; then diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh -index 91b3495..265cda1 100644 +index 4353ef51..b25da971 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh 
@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu -+# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler +-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux ++# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_openeuler df --local -P | awk '{if (NR!=1) print $6}' \ | xargs -I '$6' find '$6' -xdev -type d \ \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \ diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml -index 14cf458..ffa8444 100644 +index c87f7412..b9989413 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml -@@ -17,6 +17,8 @@ +@@ -17,7 +17,7 @@ /etc/aide.conf - {{% if 'sle' in product %}} + {{% if 'sle' in product or 'slmicro' in product %}} ^database=file:/([/a-z.]+)$ -+ {{% elif 'openeuler2403' in product %}} -+ ^database_in=file:@@{DBDIR}/([a-z.]+)$ +- {{% elif product in [ 'ol10', 'rhel10' ] %}} ++ {{% elif 'openeuler2403' in product or product in [ 'ol10', 'rhel10'] %}} + ^database_in=file:@@{DBDIR}/([a-z.]+)$ {{% else %}} ^database=file:@@{DBDIR}/([a-z.]+)$ - {{% endif %}} diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh new file mode 100644 -index 0000000..8a5a7a2 +index 00000000..8a5a7a24 
--- /dev/null +++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh @@ -0,0 +1,5 @@ @@ -390,7 +290,7 @@ index 0000000..8a5a7a2 +});" > /etc/polkit-1/rules.d/50-default.rules diff --git a/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh new file mode 100644 -index 0000000..a5e4058 +index 00000000..a5e40585 --- /dev/null +++ b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh @@ -0,0 +1,6 @@ @@ -402,7 +302,7 @@ index 0000000..a5e4058 +fi diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh new file mode 100644 -index 0000000..f272602 +index 00000000..f2726025 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh @@ -0,0 +1,17 @@ @@ -424,34 +324,34 @@ index 0000000..f272602 + +exit "$result" diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh -index 07e02fa..1a47c35 100644 +index 1b03ae05..9bbcfddf 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh 
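Review bot: The `only_root_can_run_pkexec` remediation kept in this hunk ends with `> /etc/polkit-1/rules.d/50-default.rules`, i.e. it overwrites the rules file that the polkit package itself installs on Fedora/RHEL-derived systems, so a package update or integrity check (`rpm --verify`) will flag or revert the hardening, and any vendor `addAdminRule` content not re-stated in the heredoc is lost. Writing the site policy to its own file, e.g. `> /etc/polkit-1/rules.d/<NN>-restrict-pkexec.rules` (placeholder name), keeps vendor and site rules apart and survives upgrades. The rule body itself starts outside the hunk, so only its closing line could be reviewed here.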
@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler - {{% if product in ["sle12", "sle15"] %}} +-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_almalinux ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_almalinux,multi_platform_openeuler + {{% if product in ["sle12", "sle15", "slmicro5"] %}} sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/* {{% else %}} diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja -index 292a14a..9a8eace 100644 +index 13e0a897..c8671edd 100644 --- a/shared/macros/10-bash.jinja 
+++ b/shared/macros/10-bash.jinja -@@ -1980,7 +1980,7 @@ Part of the grub2_bootloader_argument template. +@@ -1954,7 +1954,7 @@ Part of the grub2_bootloader_argument template. #}} {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}} --{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} -+{{% if 'ubuntu' in product or 'openeuler' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} +-{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15'] %}} ++{{% if 'ubuntu' in product or 'debian' in product or 'openeuler' in product or product in ['ol7', 'sle12', 'sle15'] %}} {{{ update_etc_default_grub_manually(arg_name, arg_name_value) }}} {{% endif -%}} {{{ grub_command("add", arg_name_value) }}} -@@ -1996,9 +1996,9 @@ Part of the grub2_bootloader_argument template. +@@ -1970,9 +1970,9 @@ Part of the grub2_bootloader_argument template. #}} {{%- macro update_etc_default_grub_manually_absent(arg_name) -%}} # Correct the form of default kernel command line in GRUB -if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' '/etc/default/grub' ; then -- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ arg_name }}}=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' +- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ arg_name }}}=\?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' -fi +while grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' '/etc/default/grub' ; do + sed -i 's/\(^GRUB_CMDLINE_LINUX=".*[[:space:]]\?\){{{ arg_name }}}=\?[^[:space:]]*[[:space:]]\?\(.*"\)/\1\2/' '/etc/default/grub' 
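Review bot: The new `while grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' ...; do sed -i ...; done` loop in `update_etc_default_grub_manually_absent` only terminates if every line the grep matches is also rewritten by the sed, and the two patterns are not equivalent: the grep accepts any text between `GRUB_CMDLINE_LINUX=` and the argument, while the sed requires the opening `"` immediately after `=`, so a line such as an unquoted or oddly quoted `GRUB_CMDLINE_LINUX` value matches the grep forever and the remediation hangs. Letting sed drive the repetition removes the divergence, because `t` loops only while a substitution actually succeeded: `sed -i -e ':a' -e 's/\(^GRUB_CMDLINE_LINUX=".*[[:space:]]\?\){{{ arg_name }}}=\?[^[:space:]]*[[:space:]]\?\(.*"\)/\1\2/' -e 'ta' '/etc/default/grub'`. The macro body (the `done` and `endmacro`) continues outside the hunk.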
@@ -459,25 +359,19 @@ index 292a14a..9a8eace 100644
{{%- endmacro %}}
-@@ -2011,7 +2011,7 @@ Part of the grub2_bootloader_argument_absent template.
+@@ -1985,7 +1985,7 @@ Part of the grub2_bootloader_argument_absent template.
#}}
{{% macro grub2_bootloader_argument_absent_remediation(arg_name) %}}
--{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
-+{{% if 'ubuntu' in product or 'openeuler' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
+-{{% if 'ubuntu' in product or product in ['ol7', 'sle12', 'sle15', 'slmicro5'] %}}
++{{% if 'ubuntu' in product or 'openeuler' in product or product in ['ol7', 'sle12', 'sle15', 'slmicro5'] %}}
{{{ update_etc_default_grub_manually_absent(arg_name) }}}
{{% endif -%}}
{{{ grub_command("remove", arg_name) }}}
diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template
-index 46e98c1..ac8a0d7 100644
+index 44e50228..d527378b 100644
--- a/shared/templates/accounts_password/bash.template
+++ b/shared/templates/accounts_password/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
- # reboot = false
- # strategy = restrict
- # complexity = low
@@ -12,7 +12,7 @@ if grep -sq {{{ VARIABLE }}} /etc/security/pwquality.conf.d/*.conf ; then
fi
{{% endif %}}
@@ -488,7 +382,7 @@ index 46e98c1..ac8a0d7 100644
'password',
'',
diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template
-index c83a666..5d5b1a7 100644
+index 7eacdf62..8a364943 100644
--- a/shared/templates/accounts_password/oval.template
+++ b/shared/templates/accounts_password/oval.template
@@ -11,14 +11,14 @@
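Review bot: The rebased patch drops the nested `-@@ -1,4 +1,4 @@` block that added `multi_platform_openeuler` to the `# platform` header of `shared/templates/accounts_password/bash.template`, while keeping the `@@ -12,7 +12,7 @@` hunk that edits the remediation body. Unless the new base already lists openEuler in that header, the Bash remediation generated from this template will not be built for openEuler products and the surviving body hunk is dead for this port. I'd verify the first line of that template at the new base and either restore the header change (`+# platform = ...,multi_platform_openeuler`) or state in the patch description why it is no longer needed. The `grub2_bootloader_argument_absent_remediation` part of this hunk is fine as far as it goes, but its enclosing macro is only partly visible and the hunk opens on the `{{%- endmacro %}}` of the preceding one.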
@@ -509,55 +403,55 @@ index c83a666..5d5b1a7 100644 comment="check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf" id="test_password_pam_pwquality_{{{ VARIABLE }}}_not_overwritten" version="1"> diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template -index 965f4d3..4cbedf3 100644 +index 07057cbb..fb582e57 100644 --- a/shared/templates/grub2_bootloader_argument/bash.template +++ b/shared/templates/grub2_bootloader_argument/bash.template @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler +-# platform = multi_platform_debian,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux ++# platform = multi_platform_debian,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_openeuler {{# See the OVAL template for more comments. Product-specific categorization should be synced across all template content types diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template -index 8d7d6e9..dd2ff30 100644 +index 06db2fbc..f861cb85 100644 --- a/shared/templates/grub2_bootloader_argument_absent/bash.template +++ b/shared/templates/grub2_bootloader_argument_absent/bash.template 
@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler {{# See the OVAL template for more comments. Product-specific categorization should be synced across all template content types diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template -index 27666b0..6d6f027 100644 +index 4c93f2b8..171e347b 100644 --- a/shared/templates/service_disabled/bash.template +++ b/shared/templates/service_disabled/bash.template @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_openeuler # reboot = false # strategy = disable # complexity = low 
diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template
-index 00fd1ee..16ca4aa 100644
+index 3249f02c..a68eabd1 100644
--- a/shared/templates/service_enabled/bash.template
+++ b/shared/templates/service_enabled/bash.template
@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux
++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_openeuler
# reboot = false
# strategy = enable
# complexity = low
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
-index 49e4d94..4370e45 100644
+index 7093aae9..d176ec79 100644
--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+-# platform = multi_platform_debian,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
++# platform = multi_platform_debian,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_openeuler
# reboot = true
# strategy = disable
# complexity = low
--
-2.33.0
+2.48.1
diff --git a/add-openeuler-control-rules.patch b/add-openeuler-control-rules.patch
index 57bbbde9a4dd782d3d36d0eddd388bd35c8d6da6..0b2503cdfce74e835643481b7d9768717c15c038 100644
--- a/add-openeuler-control-rules.patch
+++ b/add-openeuler-control-rules.patch
@@ -4,4363 +4,709 @@ Date: Mon, 19 Feb 2024 16:22:48 +0800 Subject: [PATCH] add openeuler control rules --- - controls/std_openeuler.yml | 1786 ++++++++++++++++- - .../service_avahi-daemon_disabled/rule.yml | 2 +- - .../file_groupowner_cron_d/rule.yml | 2 +- - .../file_groupowner_cron_daily/rule.yml | 2 +- - .../file_groupowner_cron_hourly/rule.yml | 2 +- - .../file_groupowner_cron_monthly/rule.yml | 2 +- - .../file_groupowner_cron_weekly/rule.yml | 2 +- - .../file_groupowner_crontab/rule.yml | 2 +- - .../cron_and_at/file_owner_cron_d/rule.yml | 2 +- - .../file_owner_cron_daily/rule.yml | 2 +- - .../file_owner_cron_hourly/rule.yml | 2 +- - .../file_owner_cron_monthly/rule.yml | 2 +- - .../file_owner_cron_weekly/rule.yml | 2 +- - .../cron_and_at/file_owner_crontab/rule.yml | 2 +- - .../file_permissions_cron_d/rule.yml | 2 +- - .../file_permissions_cron_daily/rule.yml | 2 +- - .../file_permissions_cron_hourly/rule.yml | 2 +- - .../file_permissions_cron_monthly/rule.yml | 2 +- - .../file_permissions_cron_weekly/rule.yml | 2 +- - .../file_permissions_crontab/rule.yml | 2 +- - .../file_at_deny_not_exist/rule.yml | 2 +- - .../file_cron_deny_not_exist/rule.yml | 2 +- - .../file_groupowner_at_allow/rule.yml | 2 +- - .../file_groupowner_cron_allow/rule.yml | 2 +- - .../file_owner_at_allow/rule.yml | 2 +- - .../file_owner_cron_allow/rule.yml | 2 +- - .../file_permissions_at_allow/rule.yml | 2 +- - .../file_permissions_cron_allow/rule.yml | 2 +- - .../service_crond_enabled/rule.yml | 2 +- - .../service_dhcpd_disabled/rule.yml | 2 +- - .../service_named_disabled/rule.yml | 2 +- - .../package_httpd_removed/rule.yml | 2 +- - .../package_openldap-clients_removed/rule.yml | 2 +- - .../package_openldap-servers_removed/rule.yml | 2 +- - .../service_rpcbind_disabled/rule.yml | 2 +- - .../service_nfs_disabled/rule.yml | 2 +- - .../rule.yml | 2 +- - .../ntp/ntpd_configure_restrictions/rule.yml | 2 +- - .../nis/package_ypbind_removed/rule.yml | 2 +- - 
.../nis/package_ypserv_removed/rule.yml | 2 +- - .../obsolete/service_rsyncd_disabled/rule.yml | 4 +- - .../printing/package_cups_removed/rule.yml | 2 +- - .../package_samba_removed/rule.yml | 2 +- - .../package_net-snmp_removed/rule.yml | 2 +- - .../sshd_use_strong_ciphers/rule.yml | 2 +- - .../ssh_server/sshd_use_strong_kex/rule.yml | 2 +- - .../ssh_server/sshd_use_strong_macs/rule.yml | 2 +- - .../guide/services/ssh/sshd_strong_kex.var | 1 + - .../rule.yml | 2 +- - .../xwindows_remove_packages/rule.yml | 2 +- - .../file_groupowner_etc_issue/rule.yml | 2 +- - .../file_groupowner_etc_issue_net/rule.yml | 2 +- - .../file_groupowner_etc_motd/rule.yml | 2 +- - .../file_owner_etc_issue/rule.yml | 2 +- - .../file_owner_etc_issue_net/rule.yml | 2 +- - .../file_owner_etc_motd/rule.yml | 2 +- - .../file_permissions_etc_issue/rule.yml | 2 +- - .../file_permissions_etc_issue_net/rule.yml | 2 +- - .../file_permissions_etc_motd/rule.yml | 2 +- - .../accounts-banners/warning_banners/rule.yml | 24 + - .../rule.yml | 2 +- - .../oval/openeuler.xml | 291 +++ - .../rule.yml | 2 +- - .../oval/openeuler.xml | 285 +++ - .../rule.yml | 2 +- - ...nts_passwords_pam_faillock_unlock_time.var | 1 + - .../accounts_password_pam_dcredit/rule.yml | 2 +- - .../accounts_password_pam_dictcheck/rule.yml | 2 +- - .../rule.yml | 2 +- - .../accounts_password_pam_lcredit/rule.yml | 2 +- - .../accounts_password_pam_minclass/rule.yml | 2 +- - .../accounts_password_pam_minlen/rule.yml | 2 +- - .../accounts_password_pam_ocredit/rule.yml | 2 +- - .../accounts_password_pam_retry/rule.yml | 2 +- - .../accounts_password_pam_ucredit/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../oval/shared.xml | 2 +- - .../require_emergency_target_auth/rule.yml | 4 +- - .../service_debug-shell_disabled/rule.yml | 2 +- - .../account_temp_expire_date/rule.yml | 2 +- - .../account_unique_id/rule.yml | 2 +- - .../group_unique_id/rule.yml | 2 +- - .../group_unique_name/rule.yml | 2 +- - 
.../accounts_maximum_age_login_defs/rule.yml | 1 - - .../accounts_minimum_age_login_defs/rule.yml | 1 - - .../no_forward_files/rule.yml | 2 +- - .../root_logins/use_pam_wheel_for_su/rule.yml | 2 +- - .../accounts-session/accounts_tmout/rule.yml | 2 +- - .../rule.yml | 2 +- - .../accounts_umask_etc_bashrc/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../audit_rules_login_events_lastlog/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../audit_rules_sudoers/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../auditd_audispd_disk_full_action/rule.yml | 2 +- - .../rule.yml | 2 +- - .../auditd_data_retention_space_left/rule.yml | 2 +- - .../auditing/grub2_audit_argument/rule.yml | 2 +- - .../rule.yml | 2 +- - .../non-uefi/grub2_password/rule.yml | 2 +- - .../uefi/grub2_uefi_password/rule.yml | 2 +- - .../rsyslog_cron_logging/rule.yml | 2 +- - .../rsyslog_logging_configured/rule.yml | 2 +- - .../rsyslog_remote_access_monitoring/rule.yml | 2 +- - .../logging/rsyslog_filecreatemode/rule.yml | 2 +- - .../service_firewalld_enabled/rule.yml | 2 +- - .../set_firewalld_appropriate_zone/rule.yml | 2 +- - .../rule.yml | 2 +- - .../set_ipv6_loopback_traffic/rule.yml | 4 + - .../set_loopback_traffic/rule.yml | 4 + - .../set_iptables_default_rule/rule.yml | 4 + - 
.../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 5 +- - .../rule.yml | 5 +- - .../rule.yml | 5 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../sysctl_net_ipv4_tcp_syncookies/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../sysctl_net_ipv4_ip_forward/rule.yml | 2 +- - .../rule.yml | 2 +- - .../service_nftables_enabled/rule.yml | 2 +- - .../set_nftables_loopback_traffic/rule.yml | 2 +- - .../set_nftables_new_connections/rule.yml | 2 +- - .../kernel_module_sctp_disabled/rule.yml | 2 +- - .../wireless_disable_interfaces/rule.yml | 6 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../file_permissions_ungroupowned/rule.yml | 2 +- - .../files/no_files_unowned_by_user/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../sysctl_kernel_randomize_va_space/rule.yml | 3 + - .../sysctl_kernel_dmesg_restrict/rule.yml | 2 +- - .../restrictions/sysctl_kernel_sysrq/rule.yml | 2 +- - .../sysctl_kernel_yama_ptrace_scope/rule.yml | 2 +- - .../selinux_confinement_of_daemons/rule.yml | 2 +- - .../selinux/selinux_policytype/rule.yml | 2 +- - .../crypto/configure_crypto_policy/rule.yml | 2 +- - .../aide/aide_build_database/rule.yml | 2 +- - .../aide/package_aide_installed/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../ensure_gpgcheck_never_disabled/rule.yml | 2 +- - products/openeuler2203/product.yml | 1 + - products/openeuler2403/product.yml | 1 + - shared/applicability/package.yml | 2 +- - 195 files changed, 2599 insertions(+), 187 deletions(-) + controls/std_openeuler2203.yml | 2 + + .../obsolete/service_rsyncd_disabled/rule.yml | 1 + + .../accounts-banners/warning_banners/rule.yml | 22 ++ + .../oval/openeuler.xml | 291 ++++++++++++++++++ + .../oval/openeuler.xml | 285 +++++++++++++++++ + 
.../oval/shared.xml | 2 +- + .../set_ipv6_loopback_traffic/rule.yml | 4 + + .../set_loopback_traffic/rule.yml | 4 + + .../set_iptables_default_rule/rule.yml | 4 + + .../wireless_disable_interfaces/rule.yml | 4 + + shared/applicability/package.yml | 2 +- + 11 files changed, 619 insertions(+), 2 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml -diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml -index 5599b04..eb66293 100644 ---- a/controls/std_openeuler.yml -+++ b/controls/std_openeuler.yml -@@ -7,28 +7,1808 @@ levels: - - id: base - - controls: -+ - id: 1.1.1_no_unowner_ungroup_files -+ title: Ensure All Files Have Owner And Group -+ levels: -+ - base -+ status: automated -+ rules: -+ - no_files_unowned_by_user -+ - no_files_unowned_by_user.severity=high -+ - file_permissions_ungroupowned -+ - file_permissions_ungroupowned.severity=high -+ -+ - id: 1.1.2_no_empty_symlink -+ title: Ensure No Empty Symlink -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.1.3_no_hidden_exec_files -+ title: Ensure No Hidden Executable Files -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.1.4_global_writable_dir_sticky_set -+ title: Ensure Sticky Set On Global Writable Folder -+ levels: -+ - base -+ status: automated -+ rules: -+ - dir_perms_world_writable_sticky_bits -+ - dir_perms_world_writable_sticky_bits.severity=high -+ -+ - id: 1.1.5_umask_set_correct -+ title: Ensure UMASK Correct -+ levels: -+ - base -+ status: automated -+ rules: -+ - accounts_umask_etc_bashrc -+ - accounts_umask_etc_bashrc.severity=high -+ - var_accounts_user_umask=077 -+ -+ - id: 1.1.6_no_global_writable_file -+ title: Ensure 
No Global Writable File -+ levels: -+ - base -+ status: automated -+ rules: -+ - file_permissions_unauthorized_world_writable -+ - file_permissions_unauthorized_world_writable.severity=high -+ -+ - id: 1.1.7_umount_unnecessary_file_system -+ title: Umount Unnecessary File System -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.1.8_mount_as_readonly -+ title: Ensure Mount As Readonly If No Need To Write -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.1.9_mount_as_nodev -+ title: Ensure Mount As Nodev -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.1.10_mount_as_noexec -+ title: Ensure Mount As Noexec -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.1.11_mount_as_noexec_nodev_for_removable -+ title: Ensure Mount As Noexec And Nodev For Removable Device -+ levels: -+ - base -+ status: automated -+ rules: -+ - mount_option_noexec_removable_partitions -+ - mount_option_noexec_removable_partitions.severity=high -+ - mount_option_nodev_removable_partitions -+ - mount_option_nodev_removable_partitions.severity=high -+ -+ - id: 1.1.12_mount_as_nosuid -+ title: Ensure Mount As Nosuid -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.1.13_remove_unnecessary_suid_sgid -+ title: Ensure Remove Unnecessary SUID And SGID -+ levels: -+ - base -+ status: automated -+ rules: -+ - file_permissions_unauthorized_suid -+ - file_permissions_unauthorized_suid.severity=high -+ - file_permissions_unauthorized_sgid -+ - file_permissions_unauthorized_sgid.severity=high -+ -+ - id: 1.1.14_file_permission_minimize -+ title: Ensure File Permission Minimize -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.1.15_ulimit_correctly -+ title: Ensure Ulinmit Correctly -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.1.16_symlinks_hardlinks_protected -+ title: Ensure Symlinks And Hardlinks Protected -+ levels: -+ - base -+ status: automated -+ rules: -+ - sysctl_fs_protected_symlinks -+ - sysctl_fs_protected_symlinks.severity=high -+ - sysctl_fs_protected_hardlinks -+ - 
sysctl_fs_protected_hardlinks.severity=high -+ -+ - id: 1.1.17_usb_disabled -+ title: Ensure USB Disabled -+ levels: -+ - base -+ status: automated -+ rules: -+ - kernel_module_usb-storage_disabled -+ - kernel_module_usb-storage_disabled.severity=low -+ -+ - id: 1.1.18_partitions_management -+ title: Ensure Different Data Store In Different Partitions -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.1.19_library_path_correct -+ title: Ensure LD_LIBRARY_PATH Correct -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.1.20_user_path_correct -+ title: Ensure User PATH Correct -+ levels: -+ - base -+ status: planned -+ - - id: 1.2.1_ftp_not_installed -- title: Ensure FTP is not installed -+ title: Ensure FTP Not Installed - levels: - - base - status: automated - rules: - - package_ftp_removed -+ - package_ftp_removed.severity=high - - - id: 1.2.2_tftp_server_not_installed -- title: Ensure TFTP Server is not installed -+ title: Ensure TFTP Server Not Installed - levels: - - base +diff --git a/controls/std_openeuler2203.yml b/controls/std_openeuler2203.yml +index 4717aa3d..65badc0e 100644 +--- a/controls/std_openeuler2203.yml ++++ b/controls/std_openeuler2203.yml +@@ -691,6 +691,8 @@ controls: + - l1_server status: automated rules: - - package_tftp_removed -+ - package_tftp_removed.severity=high - - package_tftp-server_removed -+ - package_tftp-server_removed.severity=high - - - id: 1.2.3_telnet_server_not_installed -- title: Ensure Telnet Server is not installed -+ title: Ensure Telnet Server Not Installed - levels: - - base - status: automated - rules: - - package_telnet_removed -+ - package_telnet_removed.severity=high - - package_telnet-server_removed -+ - package_telnet-server_removed.severity=high -+ -+ - id: 1.2.4_snmp_not_installed -+ title: Ensure SNMP Not Installed -+ levels: -+ - base -+ status: automated -+ rules: -+ - package_net-snmp_removed -+ - package_net-snmp_removed.severity=high -+ -+ - id: 1.2.5_python2_not_installed -+ title: Ensure Python2 
Not Installed -+ levels: -+ - base -+ status: planned -+ -+ - id: 1.2.6_gpg_check_configured -+ title: Ensure GPG Check Configured -+ levels: -+ - base -+ status: automated -+ rules: -+ - ensure_gpgcheck_globally_activated -+ - ensure_gpgcheck_globally_activated.severity=high -+ - ensure_gpgcheck_never_disabled -+ - ensure_gpgcheck_never_disabled.severity=high ++ - warning_banners ++ - warning_banners.severity=high + - file_groupowner_etc_issue + - file_groupowner_etc_issue.severity=high + - file_groupowner_etc_issue_net +diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +index 0c6da6e7..2c83bfa7 100644 +--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +@@ -40,5 +40,6 @@ template: + packagename@sle12: rsync + packagename@sle15: rsync + packagename@openeuler2203: rsync ++ packagename@openeuler2403: rsync + servicename@ubuntu2404: rsync + packagename@ubuntu2404: rsync +diff --git a/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml b/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml +new file mode 100644 +index 00000000..3ad208ab +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml +@@ -0,0 +1,22 @@ ++documentation_complete: true + -+ - id: 1.2.7_debug-shell_disabled -+ title: Ensure Debug-Shell Disabled -+ levels: -+ - base -+ status: automated -+ rules: -+ - service_debug-shell_disabled -+ - service_debug-shell_disabled.severity=high ++title: 'Check Warning Banners Correctly' + -+ - id: 1.2.8_rsync_not_installed -+ title: Ensure Rsync Not Installed -+ levels: -+ - base -+ status: automated -+ rules: -+ - service_rsyncd_disabled -+ - service_rsyncd_disabled.severity=high ++description: |- ++

It can not be scanned automatically, please check it manually.

++ Warning banners contain warning information added on the system login page and are marked by all users who log in to the system. ++
++ Proper security warning information may increase the risk of system attacks or violate local laws and regulations. ++
++ openEuler security warning banners must be formulated by security department personnel and comply with local laws and regulations. ++
++ In addition, don't expose the system version, application server type, functions through warning banners, to prevent attackers from obtaining system information and launching attacks. ++
++ Run the cat command to check the warning banners in the /etc/motd, /etc/issue, and /etc/issue.net files. Check whether the information is reasonable. + -+ - id: 1.2.9_avahi_not_installed -+ title: Ensure Avahi Not Installed -+ levels: -+ - base -+ status: automated -+ rules: -+ - service_avahi-daemon_disabled -+ - service_avahi-daemon_disabled.severity=high ++rationale: |- ++ None + -+ - id: 1.2.10_ldap_server_not_installed -+ title: Ensure LDAP Server Not Installed -+ levels: -+ - base -+ status: automated -+ rules: -+ - package_openldap-servers_removed -+ - package_openldap-servers_removed.severity=high ++severity: high + -+ - id: 1.2.11_cups_not_installed -+ title: Ensure CUPS Not Installed -+ levels: -+ - base -+ status: automated -+ rules: -+ - package_cups_removed -+ - package_cups_removed.severity=high ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml +new file mode 100644 +index 00000000..0abb80d8 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml +@@ -0,0 +1,291 @@ ++ ++ ++ {{{ oval_metadata("Lockout account after failed login attempts") }}} ++ ++ ++ ++ ++ ++ ++ + -+ - id: 1.2.12_nis_server_not_installed -+ title: Ensure NIS Server Not Installed -+ levels: -+ - base -+ status: automated -+ rules: -+ - package_ypserv_removed -+ - package_ypserv_removed.severity=high ++ ++ ++ ++ ++ ++ ++ ++ + -+ - id: 1.2.13_nis_client_not_installed -+ title: Ensure NIS Client Not Installed -+ levels: -+ - base -+ status: automated -+ rules: -+ - package_ypbind_removed -+ - package_ypbind_removed.severity=high ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + -+ - id: 1.2.14_ldap_client_not_installed -+ title: Ensure LDAP Client Not 
Installed -+ levels: -+ - base -+ status: automated -+ rules: -+ - package_openldap-clients_removed -+ - package_openldap-clients_removed.severity=high ++ ++ ++ ^[\s]*auth\N+pam_unix\.so ++ + -+ - id: 1.2.15_no_network_sniffing_software -+ title: Ensure Network Sniffing Software Removed -+ levels: -+ - base -+ status: planned ++ ++ ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail ++ + -+ - id: 1.2.16_no_debug_tools -+ title: Ensure Debug Tools Removed -+ levels: -+ - base -+ status: planned ++ ++ ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so ++ + -+ - id: 1.2.17_no_compiler_tools -+ title: Ensure Compiler Tools Removed -+ levels: -+ - base -+ status: planned ++ ++ ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) ++ + -+ - id: 1.2.18_xwindow_not_installed -+ title: Ensure X Window Not Installed -+ levels: -+ - base -+ status: automated -+ rules: -+ - xwindows_remove_packages -+ - xwindows_remove_packages.severity=low ++ ++ ^[\s]*deny[\s]*=[\s]*([0-9]+) ++ + -+ - id: 1.2.19_http_not_installed -+ title: Ensure Http Service Not Installed -+ levels: -+ - base -+ status: automated -+ rules: -+ - package_httpd_removed -+ - package_httpd_removed.severity=low ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ ++ 1 ++ + -+ - id: 1.2.20_samba_not_installed -+ title: Ensure 
Samba Service Not Installed -+ levels: -+ - base -+ status: automated -+ rules: -+ - package_samba_removed -+ - package_samba_removed.severity=low ++ ++ ++ + -+ - id: 1.2.21_dns_disabled -+ title: Ensure DNS Service Disabled -+ levels: -+ - base -+ status: automated -+ rules: -+ - service_named_disabled -+ - service_named_disabled.severity=low ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ + -+ - id: 1.2.22_nfs_disabled -+ title: Ensure NFS Service Disabled -+ levels: -+ - base -+ status: automated -+ rules: -+ - service_nfs_disabled -+ - service_nfs_disabled.severity=low ++ ++ ++ + -+ - id: 1.2.23_rpc_disabled -+ title: Ensure RPC Service Disabled -+ levels: -+ - base -+ status: automated -+ rules: -+ - service_rpcbind_disabled -+ - service_rpcbind_disabled.severity=low ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ + -+ - id: 1.2.24_DHCP_disabled -+ title: Ensure DHCP Service Disabled -+ levels: -+ - base -+ status: automated -+ rules: -+ - service_dhcpd_disabled -+ - service_dhcpd_disabled.severity=low ++ ++ ++ + ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ + -+ - id: 2.1.1_login_accounts_are_necessary -+ title: Ensure All Login Accounts Are Necessary -+ levels: -+ - base -+ status: planned ++ ++ ++ + -+ - id: 2.1.2_no_unused_accounts -+ title: Ensure No Unused Accounts -+ levels: -+ - base -+ status: planned ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ + -+ - id: 2.1.3_different_accounts_have_different_groupid -+ title: Ensure Different Accounts Have Different GroupID -+ levels: -+ - base -+ status: planned ++ ++ ++ + -+ - id: 2.1.4_no_uid_0_except_root -+ title: Ensure Only Root's UID Is 0 -+ levels: -+ - base -+ status: automated -+ rules: -+ - accounts_no_uid_except_zero -+ - accounts_no_uid_except_zero.severity=high ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ + -+ - id: 2.1.5_account_related_files_permission -+ title: Ensure Account Related Files Have Correct Permission -+ levels: -+ - base -+ status: automated -+ rules: -+ - file_owner_etc_passwd -+ - 
file_owner_etc_passwd.severity=high -+ - file_groupowner_etc_passwd -+ - file_groupowner_etc_passwd.severity=high -+ - file_owner_etc_shadow -+ - file_owner_etc_shadow.severity=high -+ - file_groupowner_etc_shadow -+ - file_groupowner_etc_shadow.severity=high -+ - file_owner_etc_group -+ - file_owner_etc_group.severity=high -+ - file_groupowner_etc_group -+ - file_groupowner_etc_group.severity=high -+ - file_owner_etc_gshadow -+ - file_owner_etc_gshadow.severity=high -+ - file_groupowner_etc_gshadow -+ - file_groupowner_etc_gshadow.severity=high -+ - file_owner_backup_etc_passwd -+ - file_owner_backup_etc_passwd.severity=high -+ - file_groupowner_backup_etc_passwd -+ - file_groupowner_backup_etc_passwd.severity=high -+ - file_owner_backup_etc_shadow -+ - file_owner_backup_etc_shadow.severity=high -+ - file_groupowner_backup_etc_shadow -+ - file_groupowner_backup_etc_shadow.severity=high -+ - file_owner_backup_etc_group -+ - file_owner_backup_etc_group.severity=high -+ - file_groupowner_backup_etc_group -+ - file_groupowner_backup_etc_group.severity=high -+ - file_owner_backup_etc_gshadow -+ - file_owner_backup_etc_gshadow.severity=high -+ - file_groupowner_backup_etc_gshadow -+ - file_groupowner_backup_etc_gshadow.severity=high -+ - file_permissions_etc_passwd -+ - file_permissions_etc_passwd.severity=high -+ - file_permissions_etc_shadow -+ - file_permissions_etc_shadow.severity=high -+ - file_permissions_etc_group -+ - file_permissions_etc_group.severity=high -+ - file_permissions_etc_gshadow -+ - file_permissions_etc_gshadow.severity=high -+ - file_permissions_backup_etc_passwd -+ - file_permissions_backup_etc_passwd.severity=high -+ - file_permissions_backup_etc_shadow -+ - file_permissions_backup_etc_shadow.severity=high -+ - file_permissions_backup_etc_group -+ - file_permissions_backup_etc_group.severity=high -+ - file_permissions_backup_etc_gshadow -+ - file_permissions_backup_etc_gshadow.severity=high ++ ++ ++ + -+ - id: 2.1.6_account_has_home_dir -+ 
title: Ensure All Accounts Have Own Home Folder -+ levels: -+ - base -+ status: automated -+ rules: -+ - accounts_user_interactive_home_directory_exists -+ - accounts_user_interactive_home_directory_exists.severity=high ++ ++ ++ + -+ - id: 2.1.7_all_groups_existed -+ title: Ensure All Groups Existed -+ levels: -+ - base -+ status: automated -+ rules: -+ - gid_passwd_group_same -+ - gid_passwd_group_same.severity=high ++ ++ ++ + -+ - id: 2.1.8_unique_uid -+ title: Ensure UID Unique -+ levels: -+ - base -+ status: automated -+ rules: -+ - account_unique_id -+ - account_unique_id.severity=high -+ -+ - id: 2.1.9_account_unique_name -+ title: Ensure Account Name Unique -+ levels: -+ - base -+ status: automated -+ rules: -+ - account_unique_name -+ - account_unique_name.severity=high -+ -+ - id: 2.1.10_group_unique_id -+ title: Ensure Group Unique ID -+ levels: -+ - base -+ status: automated -+ rules: -+ - group_unique_id -+ - group_unique_id.severity=high -+ -+ - id: 2.1.11_group_unique_name -+ title: Ensure Group Unique Name -+ levels: -+ - base -+ status: automated -+ rules: -+ - group_unique_name -+ - group_unique_name.severity=high -+ -+ - id: 2.1.12_account_expire -+ title: Ensure Account Expire Date Correct -+ levels: -+ - base -+ status: manual -+ rules: -+ - account_temp_expire_date -+ - account_temp_expire_date.severity=low -+ -+ - id: 2.1.13_no_forward_in_home -+ title: Ensure No .forward Files In Home Folder -+ levels: -+ - base -+ status: automated -+ rules: -+ - no_forward_files -+ - no_forward_files.severity=low -+ -+ - id: 2.1.14_no_netrc_in_home -+ title: Ensure No .netrc Files In Home Folder -+ levels: -+ - base -+ status: automated -+ rules: -+ - no_netrc_files -+ - no_netrc_files.severity=low -+ -+ - id: 2.2.1_password_complexity_correct -+ title: Ensure Set Correct Password Complexity -+ levels: -+ - base -+ status: automated -+ rules: -+ - accounts_password_pam_minlen -+ - accounts_password_pam_minlen.severity=high -+ - var_password_pam_minlen=8 -+ 
- accounts_password_pam_minclass
-+ - accounts_password_pam_minclass.severity=high
-+ - var_password_pam_minclass=3
-+ - accounts_password_pam_retry
-+ - accounts_password_pam_retry.severity=high
-+ - var_password_pam_retry=3
-+ - accounts_password_pam_dcredit
-+ - accounts_password_pam_dcredit.severity=high
-+ - var_password_pam_dcredit=0
-+ - accounts_password_pam_ucredit
-+ - accounts_password_pam_ucredit.severity=high
-+ - var_password_pam_ucredit=0
-+ - accounts_password_pam_lcredit
-+ - accounts_password_pam_lcredit.severity=high
-+ - var_password_pam_lcredit=0
-+ - accounts_password_pam_ocredit
-+ - accounts_password_pam_ocredit.severity=high
-+ - var_password_pam_ocredit=0
-+ - accounts_password_pam_enforce_root
-+ - accounts_password_pam_enforce_root.severity=high
-+
-+ - id: 2.2.2_history_password_not_used
-+ title: Ensure No History Password Used
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - accounts_password_pam_unix_remember
-+ - accounts_password_pam_unix_remember.severity=high
-+ - var_password_pam_unix_remember=5
-+
-+ - id: 2.2.3_verify_old_password
-+ title: Ensure Old Password Verified
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 2.2.4_no_username_in_password
-+ title: Ensure Password Not Contain User Name
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 2.2.5_strong_hash_algorithm_for_password
-+ title: Ensure Using Strong Hash Algorithm To Encipher Password
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - set_password_hashing_algorithm_systemauth
-+ - set_password_hashing_algorithm_systemauth.severity=high
-+ - set_password_hashing_algorithm_passwordauth
-+ - set_password_hashing_algorithm_passwordauth.severity=high
-+
-+ - id: 2.2.6_password_dictionary_correct
-+ title: Ensure Password Dictionary Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - accounts_password_pam_dictcheck
-+ - accounts_password_pam_dictcheck.severity=high
-+
-+ - id: 2.2.7_password_expire_correct
-+ title: Ensure Password Expire
Correct -+ levels: -+ - base -+ status: automated -+ rules: -+ - accounts_maximum_age_login_defs -+ - accounts_maximum_age_login_defs.severity=high -+ - var_accounts_maximum_age_login_defs=90 -+ - accounts_password_warn_age_login_defs -+ - accounts_password_warn_age_login_defs.severity=high -+ - var_accounts_password_warn_age_login_defs=7 -+ - accounts_minimum_age_login_defs -+ - accounts_minimum_age_login_defs.severity=high -+ - var_accounts_minimum_age_login_defs=0 -+ -+ - id: 2.2.8_forbid_empty_password -+ title: Ensure No Empty Password -+ levels: -+ - base -+ status: automated -+ rules: -+ - sshd_disable_empty_passwords -+ - sshd_disable_empty_passwords.severity=high -+ -+ - id: 2.2.9_grub_password_set -+ title: Ensure Grub Password Set -+ levels: -+ - base -+ status: automated -+ rules: -+ - grub2_password -+ - grub2_password.severity=high -+ - grub2_uefi_password -+ - grub2_uefi_password.severity=high -+ -+ - id: 2.2.10_single_user_password_set -+ title: Ensure Password Set In Single User Mode -+ levels: -+ - base -+ status: automated -+ rules: -+ - require_emergency_target_auth -+ - require_emergency_target_auth.severity=high ++ ++ 0 ++ + -+ - id: 2.2.11_chpwd_at_first_login -+ title: Ensure Password Changed At First Login -+ levels: -+ - base -+ status: planned ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ + -+ - id: 2.3.1_account_lock_after_accessing_fail -+ title: Ensure Account Locked After Accessing Fail -+ levels: -+ - base -+ status: automated -+ rules: -+ - accounts_passwords_pam_faillock_deny -+ - accounts_passwords_pam_faillock_deny.severity=high -+ - var_accounts_passwords_pam_faillock_deny=3 -+ - accounts_passwords_pam_faillock_unlock_time -+ - accounts_passwords_pam_faillock_unlock_time.severity=high -+ - var_accounts_passwords_pam_faillock_unlock_time=300 ++ ++ ++ ++ ++ + -+ - id: 2.3.2_session_timeout_set_correct -+ title: Ensure TIMOUT Set Correct -+ levels: -+ - base -+ status: automated -+ rules: -+ - accounts_tmout -+ - 
accounts_tmout.severity=high -+ - var_accounts_tmout=5_min ++ ++ ++ + -+ - id: 2.3.3_banners_correct -+ title: Ensure Warning Banners Correct -+ levels: -+ - base -+ status: automated -+ rules: -+ - warning_banners -+ - warning_banners.severity=high -+ - file_groupowner_etc_issue -+ - file_groupowner_etc_issue.severity=high -+ - file_groupowner_etc_issue_net -+ - file_groupowner_etc_issue_net.severity=high -+ - file_groupowner_etc_motd -+ - file_groupowner_etc_motd.severity=high -+ - file_owner_etc_issue -+ - file_owner_etc_issue.severity=high -+ - file_owner_etc_issue_net -+ - file_owner_etc_issue_net.severity=high -+ - file_owner_etc_motd -+ - file_owner_etc_motd.severity=high -+ - file_permissions_etc_issue -+ - file_permissions_etc_issue.severity=high -+ - file_permissions_etc_issue_net -+ - file_permissions_etc_issue_net.severity=high -+ - file_permissions_etc_motd -+ - file_permissions_etc_motd.severity=high ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ + -+ - id: 2.3.4_banners_path_correct -+ title: Ensure Warning Path Correct -+ levels: -+ - base -+ status: automated -+ rules: -+ - sshd_enable_warning_banner_net -+ - sshd_enable_warning_banner_net.severity=high ++ ++ ++ ++ ++ + -+ - id: 2.4.1_histsize_limited -+ title: Ensure HISTSIZE Limited -+ levels: -+ - base -+ status: planned ++ ++ ++ + -+ - id: 2.4.2_selinux_enforce -+ title: Ensure SELinux Enforce -+ levels: -+ - base -+ status: automated -+ rules: -+ - selinux_state -+ - selinux_state.severity=low ++ ++ ++ ^/etc/security/faillock.conf$ ++ ++ 1 ++ + -+ - id: 2.4.3_selinux_config -+ title: Ensure SELinux Configurate Correct -+ levels: -+ - base -+ status: automated -+ rules: -+ - selinux_policytype -+ - selinux_policytype.severity=low ++ ++ ++ ++ ++ + -+ - id: 2.4.4_su_usage_limited -+ title: Ensure SU Usage Limited -+ levels: -+ - base -+ status: automated -+ rules: -+ - use_pam_wheel_for_su -+ - use_pam_wheel_for_su.severity=high ++ ++ ++ ++ +diff --git 
a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml +new file mode 100644 +index 00000000..94c1ecaa +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml +@@ -0,0 +1,285 @@ ++ ++ ++ {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}} ++ ++ ++ ++ ++ ++ ++ + -+ - id: 2.4.5_use_sudo_to_run -+ title: Ensure Use Sudo To Run -+ levels: -+ - base -+ status: automated -+ rules: -+ - sudo_restrict_privilege_elevation_to_authorized -+ - sudo_restrict_privilege_elevation_to_authorized.severity=high ++ ++ ++ ++ ++ ++ ++ ++ + -+ - id: 2.4.6_no_low-privilege_user_writable_files_with_sudo -+ title: Ensure No Files In /etc/sudoers Can Be Write By Low-privilege User -+ levels: -+ - base -+ status: planned ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + -+ - id: 2.4.7_cannot_use_pkexec_escalate -+ title: Ensure Low-privilege User Cannot Escalate By Pkexec -+ levels: -+ - base -+ status: planned ++ ++ ++ ^[\s]*auth\N+pam_unix\.so ++ + -+ - id: 2.4.8_always_set_path_config -+ title: Ensure ALWAYS_SET_PATH Configurated -+ levels: -+ - base -+ status: planned ++ ++ ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail ++ + -+ - id: 2.4.9_root_can_not_login_local -+ title: Ensure Root Can Not 
Login Local -+ levels: -+ - base -+ status: planned ++ ++ ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so ++ + -+ - id: 2.4.10_not_use_unconfined_service_t -+ title: Ensure Not Run Files wiht unconfined_service_t Flag -+ levels: -+ - base -+ status: automated -+ rules: -+ - selinux_confinement_of_daemons -+ - selinux_confinement_of_daemons.severity=low ++ ++ ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) ++ + -+ - id: 2.4.11_all_daemons_run_with_mini_permission -+ title: Ensure All Daemons Run With Minimum Permission -+ levels: -+ - base -+ status: planned ++ ++ ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) ++ + -+ - id: 2.5.1_ima_enabled -+ title: Ensure IMA Enabled -+ levels: -+ - base -+ status: planned ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ ++ 1 ++ + -+ - id: 2.5.2_aide_enabled -+ title: Ensure AIDE Enabled -+ levels: -+ - base -+ status: automated -+ rules: -+ - package_aide_installed -+ - package_aide_installed.severity=low -+ - aide_build_database -+ - aide_build_database.severity=low ++ ++ ++ + -+ - id: 2.6.1_haveged_enabled -+ title: Ensure Haveged Enabled -+ levels: -+ - base -+ status: planned ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ + -+ - id: 2.6.2_global_crypto_setting -+ title: Global Crypto Setting Correct -+ levels: -+ - base -+ status: automated -+ rules: -+ - configure_crypto_policy -+ - configure_crypto_policy.severity=low ++ ++ ++ + ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ + -+ - id: 3.1.1_unusual_network_service_not_used -+ title: Ensure No Unusual Network Service -+ levels: -+ - base -+ status: automated -+ rules: -+ - kernel_module_sctp_disabled -+ - kernel_module_sctp_disabled.severity=low -+ - kernel_module_tipc_disabled -+ - 
kernel_module_tipc_disabled.severity=low ++ ++ ++ + -+ - id: 3.1.2_wireless_disabled -+ title: Ensure No WIFI -+ levels: -+ - base -+ status: automated -+ rules: -+ - wireless_disable_interfaces -+ - wireless_disable_interfaces.severity=low ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ + -+ - id: 3.2.1_firewalld_enabled -+ title: Ensure Firewalld Enabled -+ levels: -+ - base -+ status: automated -+ rules: -+ - service_firewalld_enabled -+ - service_firewalld_enabled.severity=low ++ ++ ++ + -+ - id: 3.2.2_firewalld_default_zone_correct -+ title: Ensure Firewalld Set Default Zone Correctly -+ levels: -+ - base -+ status: planned -+ -+ - id: 3.2.3_firewalld_interface_set_to_correct_zone -+ title: Ensure Firewalld Set Correct Interface Zone -+ levels: -+ - base -+ status: manual -+ rules: -+ - set_firewalld_appropriate_zone -+ - set_firewalld_appropriate_zone.severity=low -+ -+ - id: 3.2.4_firewalld_disable_unnecessary_service_and_port -+ title: Ensure Unnecessary Service And Port Disabled -+ levels: -+ - base -+ status: manual -+ rules: -+ - unnecessary_firewalld_services_ports_disabled -+ - unnecessary_firewalld_services_ports_disabled.severity=low -+ -+ - id: 3.2.5_iptables_enabled -+ title: Ensure Iptables Enabled -+ levels: -+ - base -+ status: automated -+ rules: -+ - service_iptables_enabled -+ - service_iptables_enabled.severity=low -+ - service_ip6tables_enabled -+ - service_ip6tables_enabled.severity=low -+ -+ - id: 3.2.6_iptables_default_refuse_rules -+ title: Ensure Iptables Default Refuse Rules Set -+ levels: -+ - base -+ status: manual -+ rules: -+ - set_iptables_default_rule -+ - set_iptables_default_rule.severity=low -+ -+ - id: 3.2.7_iptables_loopback_rules -+ title: Ensure Iptables Loopback Rules Set -+ levels: -+ - base -+ status: automated -+ rules: -+ - set_loopback_traffic -+ - set_loopback_traffic.severity=low -+ - set_ipv6_loopback_traffic -+ - set_ipv6_loopback_traffic.severity=low -+ -+ - id: 3.2.8_iptables_input_rules -+ title: Ensure Iptables 
Input Rules Set
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.2.9_iptables_output_rules
-+ title: Ensure Iptables Output Rules Set
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.2.10_iptables_input_output_connection_rules
-+ title: Ensure Iptables Input Output Connection Rules Set
-+ levels:
-+ - base
-+ status: manual
-+ rules:
-+ - set_iptables_outbound_n_established
-+ - set_iptables_outbound_n_established.severity=low
-+
-+ - id: 3.2.11_nftables_enabled
-+ title: Ensure Nftables Enabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - service_nftables_enabled
-+ - service_nftables_enabled.severity=low
-+
-+ - id: 3.2.12_nftables_default_refuse_rules
-+ title: Ensure Nftables Default Refuse Rules Set
-+ levels:
-+ - base
-+ status: manual
-+ rules:
-+ - nftables_ensure_default_deny_policy
-+ - nftables_ensure_default_deny_policy.severity=low
-+
-+ - id: 3.2.13_nftables_loopback_rules
-+ title: Ensure Nftables Loopback Rules Set
-+ levels:
-+ - base
-+ status: manual
-+ rules:
-+ - set_nftables_loopback_traffic
-+ - set_nftables_loopback_traffic.severity=low
-+
-+ - id: 3.2.14_nftables_input_rules
-+ title: Ensure Nftables Input Rules Set
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.2.15_nftables_output_rules
-+ title: Ensure Nftables Output Rules Set
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.2.16_nftables_input_output_connection_rules
-+ title: Ensure Nftables Input Output Connection Rules Set
-+ levels:
-+ - base
-+ status: manual
-+ rules:
-+ - set_nftables_new_connections
-+ - set_nftables_new_connections.severity=low
-+
-+ - id: 3.3.1_sshd_protocol_is_2
-+ title: Ensure SSHd Protocol Version Is 2
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_allow_only_protocol2
-+ - sshd_allow_only_protocol2.severity=high
-+
-+ - id: 3.3.2_sshd_authentication_setting_correct
-+ title: Ensure SSHd Authentication Setting Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_disable_rhosts
-+ - sshd_disable_rhosts.severity=high
-+ - disable_host_auth
-+ - disable_host_auth.severity=high
-+
-+ - id: 3.3.3_sshd_keyexchange_correct
-+ title: Ensure SSHd Key Exchange Algorithm Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_use_strong_kex
-+ - sshd_use_strong_kex.severity=high
-+ - sshd_strong_kex=std_openeuler
-+
-+ - id: 3.3.4_sshd_pubkey_correct
-+ title: Ensure SSHd Pubkey Algorithm Correct
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.3.5_sshd_pam_enabled
-+ title: Ensure SSHd PAM Enabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_enable_pam
-+ - sshd_enable_pam.severity=high
-+
-+ - id: 3.3.6_sshd_mac_correct
-+ title: Ensure SSHd MACs Algorithm Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_use_strong_macs
-+ - sshd_use_strong_macs.severity=high
-+
-+ - id: 3.3.7_sshd_ciphers_correct
-+ title: Ensure SSHd Ciphers Algorithm Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_use_strong_ciphers
-+ - sshd_use_strong_ciphers.severity=high
-+
-+ - id: 3.3.8_sshd_ciphers_not_overwritten
-+ title: Ensure SSHd Ciphers Algorithm Not Overwritten
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.3.9_sshd_forbid_root_login
-+ title: Ensure SSHd Forbid Root Login From Remote
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_disable_root_login
-+ - sshd_disable_root_login.severity=low
-+
-+ - id: 3.3.10_sshd_log_level_correct
-+ title: Ensure SSHd Log Level Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_set_loglevel_verbose
-+ - sshd_set_loglevel_verbose.severity=low
-+
-+ - id: 3.3.11_sshd_listen_addr
-+ title: Ensure SSHd Listen Address Set Correct
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.3.12_sshd_maxstartups_correct
-+ title: Ensure SSHd MaxStartups Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_set_maxstartups
-+ - sshd_set_maxstartups.severity=low
-+ - var_sshd_set_maxstartups=10:30:60
-+
-+ - id: 3.3.13_sshd_maxsessions_correct
-+ title: Ensure SSHd Maxsessions Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_set_max_sessions
-+ - sshd_set_max_sessions.severity=low
-+ - var_sshd_max_sessions=10
-+
-+ - id: 3.3.14_sshd_forbid_x11_forwarding
-+ title: Ensure SSHd X11 Forwarding Forbidden
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_disable_x11_forwarding
-+ - sshd_disable_x11_forwarding.severity=high
-+
-+ - id: 3.3.15_sshd_maxauthtries_correct
-+ title: Ensure SSHd MaxAuthTries Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_set_max_auth_tries
-+ - sshd_set_max_auth_tries.severity=low
-+ - sshd_max_auth_tries_value=3
-+
-+ - id: 3.3.16_sshd_forbid_permituserenvironment
-+ title: Ensure SSHd PermitUserEnvironment Forbidden
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_do_not_permit_user_env
-+ - sshd_do_not_permit_user_env.severity=high
-+
-+ - id: 3.3.17_sshd_logingracetime_correct
-+ title: Ensure SSHd LoginGraceTime Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_set_login_grace_time
-+ - sshd_set_login_grace_time.severity=low
-+ - var_sshd_set_login_grace_time=60
-+
-+ - id: 3.3.18_sshd_authorized_keys_forbidden
-+ title: Ensure SSHd Authorized Keys Not Set
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.3.19_sshd_known_hosts_forbidden
-+ title: Ensure SSHd Known Hosts Not Set
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_disable_user_known_hosts
-+ - sshd_disable_user_known_hosts.severity=high
-+
-+ - id: 3.3.20_sshd_no_obsolete_config
-+ title: Ensure SSHd Has No Obsolete Configurations
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.3.21_ssh_tcp_forward_disabled
-+ title: Ensure SSHd TCP Forward Disabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sshd_disable_tcp_forwarding
-+ - sshd_disable_tcp_forwarding.severity=high
-+
-+ - id: 3.4.1_crontab_not_run_low_privilege_user_writable_bash
-+ title: Ensure Cron Not Run Low Privilege User Writable Bash
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.4.2_cron_enabled
-+ title: Ensure Cron Deamon Running
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - service_crond_enabled
-+ - service_crond_enabled.severity=high
-+
-+ - id: 3.4.3_at_cron_set_correct
-+ title: Ensure AT And Cron Set Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - file_groupowner_cron_d
-+ - file_groupowner_cron_d.severity=high
-+ - file_groupowner_cron_daily
-+ - file_groupowner_cron_daily.severity=high
-+ - file_groupowner_cron_hourly
-+ - file_groupowner_cron_hourly.severity=high
-+ - file_groupowner_cron_monthly
-+ - file_groupowner_cron_monthly.severity=high
-+ - file_groupowner_cron_weekly
-+ - file_groupowner_cron_weekly.severity=high
-+ - file_groupowner_crontab
-+ - file_groupowner_crontab.severity=high
-+ - file_owner_cron_d
-+ - file_owner_cron_d.severity=high
-+ - file_owner_cron_daily
-+ - file_owner_cron_daily.severity=high
-+ - file_owner_cron_hourly
-+ - file_owner_cron_hourly.severity=high
-+ - file_owner_cron_monthly
-+ - file_owner_cron_monthly.severity=high
-+ - file_owner_cron_weekly
-+ - file_owner_cron_weekly.severity=high
-+ - file_owner_crontab
-+ - file_owner_crontab.severity=high
-+ - file_permissions_cron_d
-+ - file_permissions_cron_d.severity=high
-+ - file_permissions_cron_daily
-+ - file_permissions_cron_daily.severity=high
-+ - file_permissions_cron_hourly
-+ - file_permissions_cron_hourly.severity=high
-+ - file_permissions_cron_monthly
-+ - file_permissions_cron_monthly.severity=high
-+ - file_permissions_cron_weekly
-+ - file_permissions_cron_weekly.severity=high
-+ - file_permissions_crontab
-+ - file_permissions_crontab.severity=high
-+ - file_at_deny_not_exist
-+ - file_at_deny_not_exist.severity=high
-+ - file_cron_deny_not_exist
-+ - file_cron_deny_not_exist.severity=high
-+ - file_groupowner_at_allow
-+ - file_groupowner_at_allow.severity=high
-+ - file_groupowner_cron_allow
-+ - file_groupowner_cron_allow.severity=high
-+ - file_owner_at_allow
-+ - file_owner_at_allow.severity=high
-+ - file_owner_cron_allow
-+ - file_owner_cron_allow.severity=high
-+ - file_permissions_at_allow
-+ - file_permissions_at_allow.severity=high
-+ - file_permissions_cron_allow
-+ - file_permissions_cron_allow.severity=high
-+
-+ - id: 3.5.1_kaslr_enabled
-+ title: Ensure KASLR Enabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_kernel_randomize_va_space
-+ - sysctl_kernel_randomize_va_space.severity=high
-+
-+ - id: 3.5.2_dmesg_access_permission_correct
-+ title: Ensure Dmesg Access Permission Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_kernel_dmesg_restrict
-+ - sysctl_kernel_dmesg_restrict.severity=high
-+
-+ - id: 3.5.3_kptr_restrict_correct
-+ title: Ensure Kptr_restrict Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_kernel_kptr_restrict
-+ - sysctl_kernel_kptr_restrict.severity=high
-+ - sysctl_kernel_kptr_restrict_value=1
-+
-+ - id: 3.5.4_smap_enabled
-+ title: Ensure Kernel SMAP Enabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - grub2_nosmap_argument_absent
-+ - grub2_nosmap_argument_absent.severity=high
-+
-+ - id: 3.5.5_smep_enabled
-+ title: Ensure Kernel SMEP Enabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - grub2_nosmep_argument_absent
-+ - grub2_nosmep_argument_absent.severity=high
-+
-+ - id: 3.5.6_not_response_icmp_broadcast
-+ title: Ensure ICMP Broadcast Package Not Responsed
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high
-+
-+ - id: 3.5.7_not_receive_icmp_redirect
-+ title: Ensure ICMP Redirect Package Not Received
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_conf_all_accept_redirects
-+ - sysctl_net_ipv4_conf_all_accept_redirects.severity=high
-+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_all_secure_redirects
-+ - sysctl_net_ipv4_conf_all_secure_redirects.severity=high
-+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_default_secure_redirects
-+ - sysctl_net_ipv4_conf_default_secure_redirects.severity=high
-+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
-+ - sysctl_net_ipv6_conf_all_accept_redirects
-+ - sysctl_net_ipv6_conf_all_accept_redirects.severity=high
-+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
-+
-+ - id: 3.5.8_forbid_forward_icmp_redirect_package
-+ title: Ensure No ICMP Redirect Package Forwarded
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_conf_all_send_redirects
-+ - sysctl_net_ipv4_conf_all_send_redirects.severity=high
-+ - sysctl_net_ipv4_conf_default_send_redirects
-+ - sysctl_net_ipv4_conf_default_send_redirects.severity=high
-+
-+ - id: 3.5.9_ignore_all_icmp_request
-+ title: Ensure Ignore All ICMP Request
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.5.10_ignore_bogus_error_icmp_package
-+ title: Ensure Ignore Bogus Error ICMP Package
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses.severity=high
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-+
-+ - id: 3.5.11_rp_filter_enabled
-+ title: Ensure Reverse Proxy Filter Enabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_conf_all_rp_filter
-+ - sysctl_net_ipv4_conf_all_rp_filter.severity=high
-+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-+ - sysctl_net_ipv4_conf_default_rp_filter
-+ - sysctl_net_ipv4_conf_default_rp_filter.severity=high
-+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-+
-+ - id: 3.5.12_forbid_ip_forwarding
-+ title: Ensure IP Forwarding Disabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_ip_forward
-+ - sysctl_net_ipv4_ip_forward.severity=high
-+ - sysctl_net_ipv6_conf_all_forwarding
-+ - sysctl_net_ipv6_conf_all_forwarding.severity=high
-+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-+
-+ - id: 3.5.13_source_route_disabled
-+ title: Ensure Source Route Disabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_conf_all_accept_source_route
-+ - sysctl_net_ipv4_conf_all_accept_source_route.severity=high
-+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-+ - sysctl_net_ipv4_conf_default_accept_source_route
-+ - sysctl_net_ipv4_conf_default_accept_source_route.severity=high
-+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-+ - sysctl_net_ipv6_conf_all_accept_source_route
-+ - sysctl_net_ipv6_conf_all_accept_source_route.severity=high
-+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-+ - sysctl_net_ipv6_conf_default_accept_source_route
-+ - sysctl_net_ipv6_conf_default_accept_source_route.severity=high
-+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
-+
-+ - id: 3.5.14_tcp-syn_cookie_enabled
-+ title: Ensure TCP-SYN Cookie Enabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_tcp_syncookies
-+ - sysctl_net_ipv4_tcp_syncookies.severity=high
-+
-+ - id: 3.5.15_log_martians
-+ title: Ensure Source Route And Redirectly Logged
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_conf_all_log_martians
-+ - sysctl_net_ipv4_conf_all_log_martians.severity=high
-+ - sysctl_net_ipv4_conf_default_log_martians
-+ - sysctl_net_ipv4_conf_default_log_martians.severity=high
-+
-+ - id: 3.5.16_tcp_timestamps_disabled
-+ title: Ensure tcp_timestamps Disabled
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.5.17_tcp_time_wait_config
-+ title: Ensure TCP Time Wait Correct
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.5.18_syn_recv_set_correct
-+ title: Ensure SYN Recv Set Correct
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.5.19_arp_proxy_disabled
-+ title: Ensure No ARP Proxy
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.5.20_core_dump_set_correct
-+ title: Ensure Core Dump Set Correct
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 3.5.21_sysrq_disabled
-+ title: Ensure SysRq Key Disabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_kernel_sysrq
-+ - sysctl_kernel_sysrq.severity=high
-+
-+ - id: 3.5.22_ptrace_scope_correct
-+ title: Ensure ptrace_scope Set Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - sysctl_kernel_yama_ptrace_scope
-+ - sysctl_kernel_yama_ptrace_scope.severity=low
-+
-+ - id: 3.5.23_seccomp_enabled
-+ title: Ensure Seccomp Enabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - kernel_config_seccomp
-+ - kernel_config_seccomp.severity=low
-+
-+ - id: 3.6.1_ntpd_configuration_correct
-+ title: Ensure Ntpd Configuration Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - service_ntpd_enabled
-+ - service_ntpd_enabled.severity=low
-+ - ntpd_configure_restrictions
-+ - ntpd_configure_restrictions.severity=low
-+ - ntpd_specify_remote_server
-+ - ntpd_specify_remote_server.severity=low
-+
-+ - id: 3.6.2_chrony_configuration_correct
-+ title: Ensure Chrony Configuration Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - service_chronyd_enabled
-+ - service_chronyd_enabled.severity=low
-+ - chronyd_specify_remote_server
-+ - chronyd_specify_remote_server.severity=low
-+
-+
-+ - id: 4.1.1_auditd_enabled
-+ title: Ensure Auditd Enabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - service_auditd_enabled
-+ - service_auditd_enabled.severity=high
-+
-+ - id: 4.1.2_auditd_rotate_enabled
-+ title: Ensure Auditd Rotate Enabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - auditd_data_retention_max_log_file_action
-+ - auditd_data_retention_max_log_file_action.severity=high
-+ - var_auditd_max_log_file_action=rotate
-+ - auditd_data_retention_num_logs
-+ - auditd_data_retention_num_logs.severity=high
-+ - var_auditd_num_logs=5
-+
-+ - id: 4.1.3_lastlog_config
-+ title: Ensure Lastlog Recorded
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - audit_rules_login_events_lastlog
-+ - audit_rules_login_events_lastlog.severity=low
-+
-+ - id: 4.1.4_audit_account_change
-+ title: Ensure Account Info Changing Audited
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - audit_rules_usergroup_modification_group
-+ - audit_rules_usergroup_modification_group.severity=low
-+ - audit_rules_usergroup_modification_gshadow
-+ - audit_rules_usergroup_modification_gshadow.severity=low
-+ - audit_rules_usergroup_modification_opasswd
-+ - audit_rules_usergroup_modification_opasswd.severity=low
-+ - audit_rules_usergroup_modification_passwd
-+ - audit_rules_usergroup_modification_passwd.severity=low
-+ - audit_rules_usergroup_modification_shadow
-+ - audit_rules_usergroup_modification_shadow.severity=low
-+
-+ - id: 4.1.5_audit_escalation
-+ title: Ensure Escalation Audited
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 4.1.6_audit_module
-+ title: Ensure Module Changes Audited
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - audit_rules_privileged_commands_modprobe
-+ - audit_rules_privileged_commands_modprobe.severity=low
-+ - audit_rules_privileged_commands_insmod
-+ - audit_rules_privileged_commands_insmod.severity=low
-+ - audit_rules_privileged_commands_rmmod
-+ - audit_rules_privileged_commands_rmmod.severity=low
-+ - audit_rules_kernel_module_loading
-+ - audit_rules_kernel_module_loading.severity=low
-+
-+ - id: 4.1.7_audit_sudo
-+ title: Ensure Sudo Operation Audited
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - audit_rules_privileged_commands_sudo
-+ - audit_rules_privileged_commands_sudo.severity=low
-+
-+ - id: 4.1.8_enable_audit_during_boot
-+ title: Ensure Auditd Enabled During Boot
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - grub2_audit_argument
-+ - grub2_audit_argument.severity=low
-+
-+ - id: 4.1.9_audit_backlog_limit_correct
-+ title: Ensure Audit Backlog Limit Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - grub2_audit_backlog_limit_argument
-+ - grub2_audit_backlog_limit_argument.severity=low
-+
-+ - id: 4.1.10_audit_not_use_auditctl
-+ title: Ensure Auditctl Not Used
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - audit_rules_immutable
-+ - audit_rules_immutable.severity=low
-+
-+ - id: 4.1.11_audit_logsize_correct
-+ title: Ensure Audit Log Size Set Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - auditd_data_retention_max_log_file
-+ - auditd_data_retention_max_log_file.severity=high
-+ - auditd_data_retention_max_log_file_action
-+ - auditd_data_retention_max_log_file_action.severity=high
-+
-+ - id: 4.1.12_audit_disk_space_config
-+ title: Ensure Audit Disk Space Set Correct
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - auditd_data_retention_space_left
-+ - auditd_data_retention_space_left.severity=low
-+ - auditd_data_retention_space_left_action
-+ - auditd_data_retention_space_left_action.severity=low
-+ - var_auditd_space_left_action=syslog
-+ - auditd_data_retention_admin_space_left_percentage
-+ - auditd_data_retention_admin_space_left_percentage.severity=low
-+ - var_auditd_admin_space_left_percentage=50pc
-+ - auditd_data_retention_admin_space_left_action
-+ - auditd_data_retention_admin_space_left_action.severity=low
-+ - var_auditd_admin_space_left_action=suspend
-+ - auditd_audispd_disk_full_action
-+ - auditd_audispd_disk_full_action.severity=low
-+ - auditd_data_disk_full_action
-+ - auditd_data_disk_full_action.severity=low
-+ - var_auditd_disk_full_action=suspend
-+ - auditd_data_disk_error_action
-+ - auditd_data_disk_error_action.severity=low
-+ - var_auditd_disk_error_action=suspend
-+
-+ - id: 4.1.13_audit_sudoers
-+ title: Ensure Sudoers Audited
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - audit_rules_sudoers
-+ - audit_rules_sudoers.severity=low
-+
-+ - id: 4.1.14_audit_session
-+ title: Ensure Session Audited
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - audit_rules_session_events
-+ - audit_rules_session_events.severity=low
-+
-+ - id: 4.1.15_audit_time_changing
-+ title: Ensure Time Changing Audited
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - audit_rules_time_adjtimex
-+ - audit_rules_time_adjtimex.severity=low
-+ - audit_rules_time_settimeofday
-+ - audit_rules_time_settimeofday.severity=low
-+ - audit_rules_time_clock_settime
-+ - audit_rules_time_clock_settime.severity=low
-+
-+ - id: 4.1.16_audit_selinux
-+ title: Ensure SELinux Audited
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - audit_rules_mac_modification
-+ - audit_rules_mac_modification.severity=low
-+ - audit_rules_mac_modification_usr_share
-+ - audit_rules_mac_modification_usr_share.severity=low
-+
-+ - id: 4.1.17_audit_network
-+ title: Ensure Network Audited
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - audit_rules_networkconfig_modification
-+ - audit_rules_networkconfig_modification.severity=low
-+
-+ - id: 4.1.18_audit_successful_file_access
-+ title: Ensure Successful File Access Audited
-+ levels:
-+ - base
-+ status: manual
-+ rules:
-+ - audit_rules_successful_file_modification_chmod
-+ - audit_rules_successful_file_modification_chmod.severity=low
-+ - audit_rules_successful_file_modification_fchmod
-+ - audit_rules_successful_file_modification_fchmod.severity=low
-+ - audit_rules_successful_file_modification_fchmodat
-+ - audit_rules_successful_file_modification_fchmodat.severity=low
-+ - audit_rules_successful_file_modification_chown
-+ - audit_rules_successful_file_modification_chown.severity=low
-+ - audit_rules_successful_file_modification_fchown
-+ - audit_rules_successful_file_modification_fchown.severity=low
-+ - audit_rules_successful_file_modification_fchownat
-+ - audit_rules_successful_file_modification_fchownat.severity=low
-+ - audit_rules_successful_file_modification_setxattr
-+ - audit_rules_successful_file_modification_setxattr.severity=low
-+ - audit_rules_successful_file_modification_lsetxattr
-+ - audit_rules_successful_file_modification_lsetxattr.severity=low
-+ - audit_rules_successful_file_modification_fsetxattr
-+ - audit_rules_successful_file_modification_fsetxattr.severity=low
-+ - audit_rules_successful_file_modification_removexattr
-+ - audit_rules_successful_file_modification_removexattr.severity=low
-+ - audit_rules_successful_file_modification_lremovexattr
-+ - audit_rules_successful_file_modification_lremovexattr.severity=low
-+ - audit_rules_successful_file_modification_fremovexattr
-+ - audit_rules_successful_file_modification_fremovexattr.severity=low
-+
-+ - id: 4.1.19_audit_unsuccessful_file_access
-+ title: Ensure Unsuccessful File Access Audited
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - audit_rules_unsuccessful_file_modification
-+ - audit_rules_unsuccessful_file_modification.severity=low
-+
-+ - id: 4.1.20_audit_file_delete
-+ title: Ensure File Delete Audited
-+ levels:
-+ - base
-+ status: manual
-+ rules:
-+ - audit_rules_successful_file_modification_rename
-+ - audit_rules_successful_file_modification_rename.severity=low
-+ - audit_rules_successful_file_modification_renameat
-+ - audit_rules_successful_file_modification_renameat.severity=low
-+ - audit_rules_successful_file_modification_unlink
-+ - audit_rules_successful_file_modification_unlink.severity=low
-+ - audit_rules_successful_file_modification_unlinkat
-+ - audit_rules_successful_file_modification_unlinkat.severity=low
-+
-+ - id: 4.1.21_audit_mount
-+ title: Ensure Mount Audited
-+ levels:
-+ - base
-+ status: planned
-+
-+ - id: 4.2.1_rsyslog_enabled
-+ title: Ensure Rsyslog Enabled
-+ levels:
-+ - base
-+ status: automated
-+ rules:
-+ - service_rsyslog_enabled
-+ - service_rsyslog_enabled.severity=high
-+
-+ - id:
4.2.2_rsyslog_auth -+ title: Ensure Authentication Logged -+ levels: -+ - base -+ status: automated -+ rules: -+ - rsyslog_remote_access_monitoring -+ - rsyslog_remote_access_monitoring.severity=high -+ -+ - id: 4.2.3_rsyslog_cron -+ title: Ensure Cron Logged -+ levels: -+ - base -+ status: automated -+ rules: -+ - rsyslog_cron_logging -+ - rsyslog_cron_logging.severity=high -+ -+ - id: 4.2.4_rsyslog_file_permission -+ title: Ensure Rsyslog's Files Permission Correct -+ levels: -+ - base -+ status: automated -+ rules: -+ - rsyslog_filecreatemode -+ - rsyslog_filecreatemode.severity=low -+ -+ - id: 4.2.5_rsyslog_for_services -+ title: Ensure Important Services Logged -+ levels: -+ - base -+ status: automated -+ rules: -+ - rsyslog_logging_configured -+ - rsyslog_logging_configured.severity=low -+ -+ - id: 4.2.6_rsyslog_journald_transfer -+ title: Ensure Journald Transfer Set Correct -+ levels: -+ - base -+ status: planned -+ -+ - id: 4.2.7_rsyslog_rotate -+ title: Ensure Rotate Setting In Rsyslog -+ levels: -+ - base -+ status: planned -+ -+ - id: 4.2.8_rsyslog_remote_server_config -+ title: Ensure Remote Log Server Correct -+ levels: -+ - base -+ status: planned -+ -+ - id: 4.2.9_rsyslog_only_specified_server_receive_logs -+ title: Ensure Only Specified Server Can Receive Logs -+ levels: -+ - base -+ status: automated -+ rules: -+ - rsyslog_accept_remote_messages_tcp -+ - rsyslog_accept_remote_messages_tcp.severity=low -+ - rsyslog_accept_remote_messages_udp -+ - rsyslog_accept_remote_messages_udp.severity=low -diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -index 2b0e53a..e799bae 100644 ---- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: 
true - --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Disable Avahi Server Software' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -index 4ce4b1e..e63cf34 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Group Who Owns cron.d' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml -index 032b15e..226d9c8 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Group Who Owns cron.daily' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml -index 2d4f1f9..9065a84 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml -@@ -1,6 +1,6 @@ - 
documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Group Who Owns cron.hourly' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml -index d47730c..35a16a3 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Group Who Owns cron.monthly' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml -index c63c3de..7eadb97 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Group Who Owns cron.weekly' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml -index 3f43b81..6e39d76 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml -+++ 
b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Group Who Owns Crontab' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml -index 49b2e3a..1cc18db 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Owner on cron.d' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml -index 74210b6..0a448d8 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Owner on cron.daily' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml -index 9e4ab04..f9130b7 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml -+++ 
b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Owner on cron.hourly' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml -index 78dadcc..05ace52 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Owner on cron.monthly' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml -index 69001b6..51f3d9b 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Owner on cron.weekly' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml -index 2636571..e5e1357 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml -+++ 
b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Owner on crontab' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml -index 8d5e6dd..4dcd062 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Permissions on cron.d' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml -index 175ba80..f2a3301 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Permissions on cron.daily' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml -index 7578b5d..48b5bcc 100644 ---- 
a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Permissions on cron.hourly' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml -index 4694a91..3da1b9e 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Permissions on cron.monthly' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml -index 5409311..b382c42 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Permissions on cron.weekly' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml 
b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml -index 009a233..777a0f1 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Permissions on crontab' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml -index 81e089f..18a9520 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 - - title: 'Ensure that /etc/at.deny does not exist' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml -index a164bf3..9eed643 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 - - 
title: 'Ensure that /etc/cron.deny does not exist' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml -index c060951..c0821cd 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Group Who Owns /etc/at.allow file' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml -index a62e314..1fb33f6 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Group Who Owns /etc/cron.allow file' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml -index dafb8d4..20b64ab 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml -+++ 
b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify User Who Owns /etc/at.allow file' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml -index 4e59001..0eae2e6 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify User Who Owns /etc/cron.allow file' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml -index aaa429e..30b6553 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Permissions on /etc/at.allow file' - -diff --git 
a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml -index c2710c4..1961b9a 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Permissions on /etc/cron.allow file' - -diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml -index ec390e3..3a3c6d1 100644 ---- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml -+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Enable cron Service' - -diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml -index 356f236..b8324bf 100644 ---- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml -+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15 - - 
title: 'Disable DHCP Service' - -diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml -index ce858b1..1387845 100644 ---- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml -+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15 - - title: 'Disable named Service' - -diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml -index 044177b..07543b0 100644 ---- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml -+++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Uninstall httpd Package' - -diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -index 2ec31a2..6644f7d 100644 ---- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -@@ -8,7 +8,7 @@ - - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 -+prodtype: 
alinux2,alinux3,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 - - title: 'Ensure LDAP client is not installed' - -diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml -index bf75fff..828d36d 100644 ---- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml -+++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml -@@ -11,7 +11,7 @@ - - documentation_complete: true - --prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 -+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 - - title: 'Uninstall openldap-servers Package' - -diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -index 9071b7e..fd41721 100644 ---- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15 - - title: 'Disable rpcbind Service' - -diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -index 91f73ab..8cdd594 100644 ---- 
a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15 - - title: 'Disable Network File System (nfs)' - -diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml -index c74221c..6a2919f 100644 ---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4 -+prodtype: alinux2,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhv4 - - title: 'Specify a Remote NTP Server' - -diff --git a/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml b/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml -index de51899..e4a62cb 100644 ---- a/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml -+++ b/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,fedora,rhel7,sle12,ubuntu2004,ubuntu2204 -+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,ubuntu2004,ubuntu2204 - - title: 'Configure server restrictions for ntpd' - -diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -index c5f90c4..5f79ef7 100644 ---- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -+++ 
b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Remove NIS Client' - -diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -index b057fc5..359340e 100644 ---- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Uninstall ypserv Package' - -diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -index de1f832..1653ad3 100644 ---- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Ensure rsyncd service is disabled' - -@@ -47,3 +47,5 @@ template: - packagename@ol7: rsync - packagename@sle12: rsync - packagename@sle15: rsync -+ packagename@openeuler2203: rsync -+ packagename@openeuler2403: rsync -diff --git a/linux_os/guide/services/printing/package_cups_removed/rule.yml b/linux_os/guide/services/printing/package_cups_removed/rule.yml -index df44086..e6e13cf 100644 ---- a/linux_os/guide/services/printing/package_cups_removed/rule.yml -+++ 
b/linux_os/guide/services/printing/package_cups_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Uninstall CUPS Package' - -diff --git a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml -index 1b633c6..2b8ef03 100644 ---- a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml -+++ b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Uninstall Samba Package' - -diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml -index 3763480..aaf1c94 100644 ---- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml -+++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: debian10,debian11,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: debian10,debian11,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Uninstall net-snmp Package' - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml -index 91e0556..3e32b5e 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml -+++ 
b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,rhel7,sle12,sle15,ubuntu2204 -+prodtype: ol7,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2204 - - title: 'Use Only Strong Ciphers' - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml -index 0a0b3a9..a928355 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Use Only Strong Key Exchange algorithms' - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml -index b6fea18..c9e4f13 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,rhel7,sle12,sle15,ubuntu2204 -+prodtype: ol7,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2204 - - title: 'Use Only Strong MACs' - -diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var -index 9becb4b..c0519e2 100644 ---- a/linux_os/guide/services/ssh/sshd_strong_kex.var -+++ b/linux_os/guide/services/ssh/sshd_strong_kex.var -@@ -17,3 +17,4 @@ options: - cis_sle12: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 - cis_sle15: 
curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 - cis_ubuntu2004: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 -+ std_openeuler: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -index 170f89f..5af9d26 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Remove the X Windows Package Group' - -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml -index 607ed94..eb84592 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15 - - title: 'Disable graphical user 
interface' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -index 5e6d02f..ce9a463 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Group Ownership of System Login Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml -index 76b10f4..be54b97 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Group Ownership of System Login Banner for Remote Connections' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -index 2e796ee..90ef7e1 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: 
alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify Group Ownership of Message of the Day Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml -index 70b4f39..0f8b6e1 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify ownership of System Login Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml -index cff8e39..8efa940 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify ownership of System Login Banner for Remote Connections' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -index 16011b1..954946b 100644 ---- 
a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify ownership of Message of the Day Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -index 9968c5c..a7b4364 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify permissions on System Login Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml -index cb8d9db..02b69cb 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify permissions on System Login 
Banner for Remote Connections' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -index 339274b..0038c14 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Verify permissions on Message of the Day Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml b/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml -new file mode 100644 -index 0000000..548b47b ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml -@@ -0,0 +1,24 @@ -+documentation_complete: true -+ -+prodtype: openeuler2203,openeuler2403 -+ -+title: 'Check Warning Banners Correctly' -+ -+description: |- -+

It can not be scanned automatically, please check it manually.

-+ Warning banners contain warning information added on the system login page and are marked by all users who log in to the system. -+
-+ Proper security warning information may increase the risk of system attacks or violate local laws and regulations. -+
-+ openEuler security warning banners must be formulated by security department personnel and comply with local laws and regulations. -+
-+ In addition, don't expose the system version, application server type, functions through warning banners, to prevent attackers from obtaining system information and launching attacks. -+
-+ Run the cat command to check the warning banners in the /etc/motd, /etc/issue, and /etc/issue.net files. Check whether the information is reasonable. -+ -+rationale: |- -+ None -+ -+severity: high -+ -+platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml -index f3e6931..2118833 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Limit Password Reuse' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml -new file mode 100644 -index 0000000..0abb80d ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml -@@ -0,0 +1,291 @@ -+ -+ -+ {{{ oval_metadata("Lockout account after failed login attempts") }}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^[\s]*auth\N+pam_unix\.so -+ -+ -+ -+ 
^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail -+ -+ -+ -+ ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so -+ -+ -+ -+ ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) -+ -+ -+ -+ ^[\s]*deny[\s]*=[\s]*([0-9]+) -+ -+ -+ -+ -+ ^/etc/pam.d/system-auth$ -+ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/password-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/system-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/system-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/password-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/password-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ 0 -+ -+ -+ -+ -+ ^/etc/pam.d/system-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/password-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/security/faillock.conf$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml -index 3f7bbd8..d1d77f0 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml 
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2204 - - title: 'Lock Accounts After Failed Password Attempts' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml -new file mode 100644 -index 0000000..94c1eca ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml -@@ -0,0 +1,285 @@ -+ -+ -+ {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^[\s]*auth\N+pam_unix\.so -+ -+ -+ -+ ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail -+ -+ -+ -+ ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so -+ -+ -+ -+ 
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) -+ -+ -+ -+ ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) -+ -+ -+ -+ -+ ^/etc/pam.d/system-auth$ -+ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/password-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/system-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/system-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/password-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/password-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/system-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/pam.d/password-auth$ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/security/faillock.conf$ -+ -+ 1 -+ ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ + + -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml -index 7157b51..6022dcd 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2204 - - title: 'Set Lockout Time for Failed Password Attempts' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var -index 46c73e4..206b03e 100644 ---- 
a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var -@@ -17,5 +17,6 @@ options: - 604800: 604800 - 86400: 86400 - 900: 900 -+ 300: 300 - default: 0 - never: 0 -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml -index e67cd88..5843fd2 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 -+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 - - title: 'Ensure PAM Enforces Password Requirements - Minimum Digit Characters' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml -index d41ca6c..6ec6fba 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol8,ol9,rhel8,rhel9,ubuntu2004 -+prodtype: 
fedora,ol8,ol9,openeuler2203,openeuler2403,rhel8,rhel9,ubuntu2004 - - title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml -index 198475c..15f4617 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol9,rhel8,rhel9 -+prodtype: fedora,ol9,openeuler2203,openeuler2403,rhel8,rhel9 - - title: 'Ensure PAM Enforces Password Requirements - Enforce for root User' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml -index 5799a7b..4de04a1 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 -+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 - - title: 'Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters' - -diff --git 
a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml -index 45a8dfa..d0c33ab 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 - - title: 'Ensure PAM Enforces Password Requirements - Minimum Different Categories' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml -index f05b6e0..6a9b551 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 - - title: 'Ensure PAM Enforces Password Requirements - Minimum Length' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml 
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml -index 632aa24..89fd371 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 -+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 - - title: 'Ensure PAM Enforces Password Requirements - Minimum Special Characters' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -index df2272b..c3052a0 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204 - - title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml -index 6c631ea..5b4041c 
100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
-+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
-
- title: 'Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters'
-
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
-index bf87c9c..786e396 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: "Set PAM''s Password Hashing Algorithm - password-auth"
-
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-index 5375365..803ad40 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-
- title: "Set PAM''s Password Hashing Algorithm"
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
-index fadfa30..7cc8b57 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
-@@ -36,7 +36,7 @@
-
-
- /usr/lib/systemd/system/emergency.service
-- {{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}}
-+ {{%- if product in ["fedora", "ol8", "ol9", "openeuler2203", "openeuler2403", "rhel8", "rhel9", "sle12", "sle15"] -%}}
- ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency
- {{%- else -%}}
- ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\"
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-index e3b3c18..53bea43 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-
- title: 'Require Authentication for Emergency Systemd Target'
-
-@@ -86,7 +86,7 @@ fixtext: |-
- Configure {{{ full_name }}} to require authentication for system emergency mode.
-
- Add or edit the following line in "/usr/lib/systemd/system/emergency.service":
-- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}}
-+ {{% if product in ["fedora", "ol8", "ol9", "openeuler2203", "openeuler2403", "rhel8", "rhel9", "sle12", "sle15"] -%}}
- ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
- {{%- else -%}}
- ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
-diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
-index f232eb7..7f9c4dc 100644
---- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
-+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Disable debug-shell SystemD Service'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
-index d4b7117..0493d9e 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
-
- title: 'Assign Expiration Date to Temporary Accounts'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
-index 3cda626..aca9ef5 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Ensure All Accounts on the System Have Unique User IDs'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
-index aa5a69c..0cb8d6e 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Ensure All Groups on the System Have Unique Group ID'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
-index 55b2c5e..e1da489 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Ensure All Groups on the System Have Unique Group Names'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-index 3591fba..41489ff 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-@@ -84,4 +84,3 @@ srg_requirement: |-
- {{{ full_name }}} user account passwords for new users or password changes must have a 60 day maximum password lifetime restriction in /etc/login.defs.
-
- platform: package[shadow-utils]
--
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-index 3cbb4d9..7eaac40 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-@@ -84,4 +84,3 @@ srg_requirement: |-
- {{{ full_name }}} passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.
-
- platform: package[shadow-utils]
--
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
-index c101f11..fc64d11 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
-+prodtype: alinux2,alinux3,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
-
- title: 'Verify No .forward Files Exist'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
-index d0ed1f4..3f33979 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-
- title: 'Enforce usage of pam_wheel for su authentication'
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-index a660109..1b6a66f 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Set Interactive Session Timeout'
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-index e58fb7d..a4f4432 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'All Interactive Users Home Directories Must Exist'
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-index 1795fac..1148bf9 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Ensure the Default Bash Umask is Set Correctly'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
-index d3b0186..1dbd420 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Record Successful Permission Changes to Files - chmod'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
-index 241d1d6..7996a8f 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Ownership Changes to Files - chown'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
-index ce7070e..c62a171 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Permission Changes to Files - fchmod'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
-index 4b6cee0..c839def 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Permission Changes to Files - fchmodat'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
-index 6bc0b95..f4eb579 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Ownership Changes to Files - fchown'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
-index e882a57..545979e 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Ownership Changes to Files - fchownat'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
-index ee4ff3a..090ecb1 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Permission Changes to Files - fremovexattr'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
-index d40bfde..be1e1fa 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Permission Changes to Files - fsetxattr'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
-index 90873b1..d313b57 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Ownership Changes to Files - lchown'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
-index acbfbc0..b424556 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Permission Changes to Files - lremovexattr'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
-index b669f75..c72f4ad 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Permission Changes to Files - lsetxattr'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
-index 7d7e3eb..14ed330 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Permission Changes to Files - removexattr'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
-index 82d103e..5f29767 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Delete Attempts to Files - rename'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
-index 1736c97..44bf9e0 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Delete Attempts to Files - renameat'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
-index 75809f4..b167733 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Permission Changes to Files - setxattr'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
-index 91e8f67..cb411e5 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Delete Attempts to Files - unlink'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
-index a11b195..86bab31 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
-
- title: 'Record Successful Delete Attempts to Files - unlinkat'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
-index fe9f1d9..cc33a91 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-
- title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
-index 1b476f4..b873f49 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Record Unsuccessful Access Attempts to Files - creat'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
-index 398110d..50b9592 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Record Unsuccessful Access Attempts to Files - ftruncate'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
-index 8893d52..083feb4 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Record Unsuccessful Access Attempts to Files - open'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
-index cb615dc..cb62dd9 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
-index 1126705..aad0d0f 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Record Unsuccessful Access Attempts to Files - openat'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
-index 2884c9d..8f68d62 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Record Unsuccessful Access Attempts to Files - truncate'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
-index 90a7173..368747c 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-
- title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
-index f8ab574..47b8db1 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
-index d63a995..7c0230d 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
-index a1d7d2c..dc25542 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
-index 34e160a..006e96e 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Record Attempts to Alter Logon and Logout Events - lastlog'
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
-index 1086361..0b0e0bc 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
-
- title: 'Ensure auditd Collects 
Information on the Use of Privileged Commands - insmod' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml -index 19e74ab..b4d6fb5 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Ensure auditd Collects Information on the Use of Privileged Commands - modprobe' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml -index bb5b567..8849eb0 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Ensure auditd Collects Information on the Use of Privileged Commands - rmmod' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -index 3d76a1a..e8da204 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -@@ -4,7 +4,7 @@ - - documentation_complete: true - --prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sudo' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml -index 628dc4f..6a1e04e 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol8,ol9,rhel8,rhel9 -+prodtype: fedora,ol8,ol9,openeuler2203,openeuler2403,rhel8,rhel9 - - title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml -index 46128d8..b2d42c5 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: 
alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Record Events that Modify User/Group Information - /etc/group' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml -index 5cfe91d..f502455 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Record Events that Modify User/Group Information - /etc/gshadow' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml -index d58af4c..c35d421 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Record Events that 
Modify User/Group Information - /etc/security/opasswd' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml -index d67693e..cf91038 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Record Events that Modify User/Group Information - /etc/passwd' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml -index 68a975a..b5e3762 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Record Events that Modify User/Group Information - /etc/shadow' - -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml 
-index 8ccde19..10032fa 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Configure audispd''s Plugin disk_full_action When Disk Is Full' - -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml -index 01c5df5..91c9cb9 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol8,ol9,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204 - - title: 'Configure auditd admin_space_left on Low Disk Space' - -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml -index d9b97fb..a8fe5c7 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: 
ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Configure auditd space_left on Low Disk Space' - -diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml -index e81a90b..1b9abe0 100644 ---- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml -+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon' - -diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml -index 65132d8..6e3aeb6 100644 ---- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml -+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Extend Audit Backlog Limit for the Audit Daemon' - -diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml -index 9acb58b..21f343b 100644 ---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 
-+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Set Boot Loader Password in grub2' - -diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml -index 18d5b92..d749483 100644 ---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Set the UEFI Boot Loader Password' - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml -index 8a7b722..6755b6a 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4 -+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4 - - title: 'Ensure cron Is Logging To Rsyslog' - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml -index 76f0e4b..47aeef5 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml -+++ 
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15 - - title: 'Ensure logging is configured' - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml -index bea5ed4..1588359 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol8,ol9,rhel8,rhel9,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol8,ol9,openeuler2203,openeuler2403,rhel8,rhel9,ubuntu2004,ubuntu2204 - - title: 'Ensure remote access methods are monitored in Rsyslog' - -diff --git a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml -index f37af58..b79c97c 100644 ---- a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml -+++ b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204 -+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204 - - title: 'Ensure rsyslog Default File Permissions Configured' - -diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml -index cd22594..18b3db5 100644 ---- 
a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml -+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Verify firewalld Enabled' - -diff --git a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml -index ae73778..6a5355a 100644 ---- a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml -+++ b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,sle15 -+prodtype: rhel7,rhel8,openeuler2203,openeuler2403,sle15 - - title: 'Ensure network interfaces are assigned to appropriate zone' - -diff --git a/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml b/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml -index 05f7144..1f93b40 100644 ---- a/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: sle15 -+prodtype: openeuler2203,openeuler2403,sle15 - - title: 'Ensure Unnecessary Services and Ports Are Not Accepted' - ++ id="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth" ++ comment="One and only one occurrence is expected in auth section of password-auth"> ++ ++ ++ ++ ++ 
^/etc/pam.d/password-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/system-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/pam.d/password-auth$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/security/faillock.conf$ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml +index f0e8d952..8de00f87 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml +@@ -35,7 +35,7 @@ + + + /usr/lib/systemd/system/emergency.service +- {{%- if product in ["fedora", "ol8", "ol9", "kylinserver10", "openeuler2203", "sle12", "sle15", "slmicro5"] or 'rhel' in product -%}} ++ {{%- if product in ["fedora", "ol8", "ol9", "kylinserver10", "openeuler2203", "openeuler2403", "sle12", "sle15", "slmicro5"] or 'rhel' in product -%}} + ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency + {{%- else -%}} + ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml -index 73e27ed..9b9db6f 100644 +index 0a28ea58..840f15f4 100644 --- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml +++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml -@@ -16,7 +16,11 @@ rationale: |- +@@ -17,7 +17,11 @@ rationale: |- severity: medium +{{% if product in ['openeuler2203','openeuler2403'] %}} +platform: machine +{{% else %}} - platform: not package[nftables] and not package[ufw] + platform: not package[nftables] and not package[ufw] and package[iptables] +{{% endif %}} identifiers: cce@sle12: CCE-92215-3 
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
-index 6ab31a4..ef09802 100644
+index 34db3ae1..9627cf4a 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
-@@ -16,7 +16,11 @@ rationale: |-
+@@ -17,7 +17,11 @@ rationale: |-
severity: medium
+{{% if product in ['openeuler2203','openeuler2403'] %}}
+platform: machine
+{{% else %}}
- platform: not package[nftables] and not package[ufw]
+ platform: not package[nftables] and not package[ufw] and package[iptables]
+{{% endif %}}
identifiers:
cce@sle12: CCE-92214-6
diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
-index c7ea1c0..100a1ec 100644
+index f194da36..2ef3ec76 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
@@ -18,7 +18,11 @@ rationale: |-
@@ -4374,619 +720,33 @@ index c7ea1c0..100a1ec 100644
+{{% endif %}}
identifiers:
- cce@rhel7: CCE-86719-2
-diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml
-index 88b1b36..34663ba 100644
---- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml
-+++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: sle12,sle15
-+prodtype: openeuler2203,openeuler2403,sle12,sle15
- 
- title: 'Ensure Outbound and Established Connections are Configured'
- 
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
-index 9a69794..f05d2c9 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
-index c1f0dc4..10100f3 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
- 
-@@ -69,3 +69,6 @@ template:
- vars:
- sysctlvar: net.ipv6.conf.all.accept_source_route
- datatype: int
-+{{% if "openeuler" in product %}}
-+ missing_parameter_pass: 'true'
-+{{% endif %}}
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
-index c02cdc4..d155c12 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Kernel Parameter for IPv6 Forwarding'
- 
-@@ -63,3 +63,6 @@ template:
- vars:
- sysctlvar: net.ipv6.conf.all.forwarding
- datatype: int
-+{{% if "openeuler" in product %}}
-+ missing_parameter_pass: 'true'
-+{{% endif %}}
-diff --git 
a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
-index e985040..2a54324 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default'
- 
-@@ -68,3 +68,6 @@ template:
- vars:
- sysctlvar: net.ipv6.conf.default.accept_source_route
- datatype: int
-+{{% if "openeuler" in product %}}
-+ missing_parameter_pass: 'true'
-+{{% endif %}}
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
-index 8756e21..efd7d4a 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: 
alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
-index 2ccc278..af51919 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
-index dfcd0b6..0de28f3 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: 
alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
-index e3b2b18..95bf511 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
-index 849ae47..a0aa7cf 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: 
alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
-index 9a54bbc..d7dcd8a 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
-index 9ff43ba..7e7e254 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: 
alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
-index b688a15..ac4ed33 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
-index 90ef90f..c41f654 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
-index 5b12a1b..bccfe90 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
-index a5fb5f4..1b1b6a0 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
-@@ -1,6 +1,6 @@
- 
documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
-index 31e76dd..274288f 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
-index e6b948b..ab99ff1 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: 
alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
-index fc30851..f73277a 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
- 
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
-index a485053..1c6493e 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: 
alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces'
- 
-diff --git a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
-index 7d989f7..f9f161a 100644
---- a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
-+++ b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: sle15,ubuntu2004,ubuntu2204
-+prodtype: openeuler2203,openeuler2403,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Ensure nftables Default Deny Firewall Policy'
- 
-diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
-index 5be921e..56204f9 100644
---- a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
-+++ b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: rhel7,rhel8,sle15,ubuntu2004,ubuntu2204
-+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Verify nftables Service is Enabled'
- 
-diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
-index 043c11b..6f9d562 100644
---- a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
-+++ b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: sle15,ubuntu2004,ubuntu2204
-+prodtype: 
openeuler2203,openeuler2403,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Set nftables Configuration for Loopback Traffic'
- 
-diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
-index ae1a369..5adafb8 100644
---- a/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
-+++ b/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: sle15
-+prodtype: openeuler2203,openeuler2403,sle15
- 
- title: 'Ensure all outbound and established connections are configured for nftables'
- 
-diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
-index 20eeb3e..f03402b 100644
---- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
-+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable SCTP Support'
- 
+ cce@rhel8: CCE-85968-6
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
-index 02cb56f..17157d4 100644
+index 256ab855..8ab9ad47 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Deactivate Wireless Network Interfaces'
- 
-@@ -117,4 +117,8 @@ fixtext: |-
+@@ -138,4 +138,8 @@ fixtext: |-
srg_requirement: '{{{ full_name }}} wireless network adapters must be disabled.'
+{{% if product in ['openeuler2203','openeuler2403'] %}}
+platform: machine
+{{% else %}}
- platform: wifi-iface
-+{{% endif %}}
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
-index 5683f30..a85c072 100644
---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
-+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
-@@ -2,7 +2,7 @@ documentation_complete: true
- 
- title: 'Ensure All SGID Executables Are Authorized'
- 
--prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
-+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,uos20
- 
- description: |-
- The SGID (set group id) bit should be set only on files that were
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
-index 249f971..58dc69a 100644
---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
-+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
-@@ -2,7 +2,7 @@ documentation_complete: true
- 
- title: 'Ensure All SUID 
Executables Are Authorized'
- 
--prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
-+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,uos20
- 
- description: |-
- The SUID (set user id) bit should be set only on files that were
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
-index 11060d0..936873d 100644
---- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
-+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Ensure All Files Are Owned by a Group'
- 
-diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
-index 13650fc..f9af42a 100644
---- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
-+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Ensure All Files Are Owned by a User'
- 
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
-index 8cbcf66..ed7412f 100644
---- 
a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
-+prodtype: alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
- 
- title: 'Disable Modprobe Loading of USB Storage Driver'
- 
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
-index d06852d..327c297 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
-+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
- 
- title: 'Add nodev Option to Removable Media Partitions'
- 
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
-index 75934b9..d47a355 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
-+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
- 
- title: 'Add noexec Option to 
Removable Media Partitions'
- 
-diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
-index ed025e4..024eceb 100644
---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
-@@ -60,6 +60,9 @@ template:
- sysctlvar: kernel.randomize_va_space
- sysctlval: '2'
- datatype: int
-+{{% if "openeuler" in product %}}
-+ missing_parameter_pass: 'true'
+ platform: wifi-iface and not container
+{{% endif %}}
- 
- fixtext: |-
- Configure {{{ full_name }}} to implement virtual address space randomization.
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
-index b73d219..e122550 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Restrict Access to Kernel Message Buffer'
- 
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
-index bf2e143..4df4480 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: 
fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
-+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
- 
- title: 'Disallow magic SysRq key'
- 
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
-index e03106c..7e5b67a 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
-+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
- 
- title: 'Restrict usage of ptrace to descendant processes'
- 
-diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
-index 00cc2ff..8b5667b 100644
---- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
-+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
- 
- title: 'Ensure No Daemons are Unconfined by SELinux'
- 
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-index a49219e..d9abd2d 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-+prodtype: 
alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Configure SELinux Policy' - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml -index e3b95bc..cb37065 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 - - title: 'Configure System Cryptography Policy' - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml -index 43e5f16..9f1d220 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Build and Test AIDE Database' - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml -index a361171..ea14229 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml -+++ 
b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Install AIDE' - -diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml -index b90f566..5fc764b 100644 ---- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - title: 'The operating system must restrict privilege elevation to authorized personnel' - --prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15 - - description: |- - The sudo command allows a user to execute programs with elevated -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -index 18c6f48..26b59e9 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 - - title: 'Ensure gpgcheck Enabled In Main {{{ 
pkg_manager }}} Configuration' - -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml -index 6428781..8e059b0 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Ensure gpgcheck Enabled for All {{{ pkg_manager }}} Package Repositories' - -diff --git a/products/openeuler2203/product.yml b/products/openeuler2203/product.yml -index 89e9f8b..5beaac5 100644 ---- a/products/openeuler2203/product.yml -+++ b/products/openeuler2203/product.yml -@@ -8,6 +8,7 @@ benchmark_root: "../../linux_os/guide" - profiles_root: "./profiles" - - pkg_manager: "dnf" -+pkg_manager_config_file: "/etc/yum.conf" - - init_system: "systemd" - -diff --git a/products/openeuler2403/product.yml b/products/openeuler2403/product.yml -index c27aaa8..36f3833 100644 ---- a/products/openeuler2403/product.yml -+++ b/products/openeuler2403/product.yml -@@ -8,6 +8,7 @@ benchmark_root: "../../linux_os/guide" - profiles_root: "./profiles" - - pkg_manager: "dnf" -+pkg_manager_config_file: "/etc/yum.conf" - - init_system: "systemd" - diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml -index 07f3df9..6c8ad28 100644 +index d2e7b75f..33f33490 100644 --- a/shared/applicability/package.yml 
+++ b/shared/applicability/package.yml -@@ -49,7 +49,7 @@ args: - pkgname: postfix +@@ -89,7 +89,7 @@ args: + pkgname: rsh-server shadow-utils: {{% if pkg_system == "rpm" %}} -- {{% if product in ["sle12", "sle15"] %}} -+ {{% if product in ["openeuler2203", "openeuler2403", "sle12", "sle15"] %}} +- {{% if product in ["kylinserver10", "openeuler2203", "sle12", "sle15", "slmicro5"] %}} ++ {{% if product in ["kylinserver10", "openeuler2203", "openeuler2403", "sle12", "sle15", "slmicro5"] %}} pkgname: shadow {{% else %}} pkgname: shadow-utils -- -2.21.0.windows.1 +2.48.1 diff --git a/add-openeuler-support.patch b/add-openeuler-support.patch index 678a010b28eb4dc730da056418d6c777558ee0c1..3c397e2b852d4659c2bd4a6e72e9de27db82025a 100644 --- a/add-openeuler-support.patch +++ b/add-openeuler-support.patch 
@@ -4,76 +4,13 @@ Date: Mon, 19 Feb 2024 18:59:26 +0800 Subject: [PATCH] add openeuler support --- - CMakeLists.txt | 10 ++++++ - controls/std_openeuler.yml | 34 +++++++++++++++++++ - .../services/ftp/package_ftp_removed/rule.yml | 2 +- - .../package_telnet-server_removed/rule.yml | 2 +- - .../telnet/package_telnet_removed/rule.yml | 2 +- - .../tftp/package_tftp-server_removed/rule.yml | 2 +- - .../tftp/package_tftp_removed/rule.yml | 2 +- - products/openeuler2203/CMakeLists.txt | 6 ++++ - products/openeuler2203/product.yml | 29 ++++++++++++++++ - .../openeuler2203/profiles/standard.profile | 14 ++++++++ - .../openeuler2203/transforms/constants.xslt | 9 +++++ - products/openeuler2403/CMakeLists.txt | 6 ++++ - products/openeuler2403/product.yml | 19 +++++++++++ - .../openeuler2403/profiles/standard.profile | 14 ++++++++ - .../openeuler2403/transforms/constants.xslt | 9 +++++ - .../oval/installed_OS_is_openeuler2203.xml | 26 ++++++++++++++ - .../oval/installed_OS_is_openeuler2403.xml | 26 ++++++++++++++ - .../oval/sysctl_kernel_ipv6_disable.xml | 1 + - ssg/constants.py | 6 ++++ - 19 files changed, 214 insertions(+), 5 deletions(-) + controls/std_openeuler.yml | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) create mode 100644 controls/std_openeuler.yml - create mode 100644 products/openeuler2203/CMakeLists.txt - create mode 100644 products/openeuler2203/product.yml - create mode 100644 products/openeuler2203/profiles/standard.profile - create mode 100644 products/openeuler2203/transforms/constants.xslt - create mode 100644 products/openeuler2403/CMakeLists.txt - create mode 100644 products/openeuler2403/product.yml - create mode 100644 products/openeuler2403/profiles/standard.profile - create mode 100644 products/openeuler2403/transforms/constants.xslt - create mode 100644 shared/checks/oval/installed_OS_is_openeuler2203.xml - create mode 100644 shared/checks/oval/installed_OS_is_openeuler2403.xml -diff --git a/CMakeLists.txt 
b/CMakeLists.txt -index 7d1cffd..d911d05 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -83,6 +83,8 @@ option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${ - option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) - option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) - option(SSG_PRODUCT_OL9 "If enabled, the Oracle Linux 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) -+option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT}) -+option(SSG_PRODUCT_OPENEULER2403 "If enabled, the openEuler 24.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT}) - option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) - option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) - option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) -@@ -277,6 +279,8 @@ message(STATUS "RHCOS4: ${SSG_PRODUCT_RHCOS4}") - message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}") - message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}") - message(STATUS "Oracle Linux 9: ${SSG_PRODUCT_OL9}") -+message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}") -+message(STATUS "openEuler 24.03 LTS: ${SSG_PRODUCT_OPENEULER2403}") - message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}") - message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}") - message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}") -@@ -374,6 +378,12 @@ endif() - if (SSG_PRODUCT_OL9) - add_subdirectory("products/ol9" "ol9") - endif() -+if (SSG_PRODUCT_OPENEULER2203) -+ add_subdirectory("products/openeuler2203" "openeuler2203") -+endif() -+if (SSG_PRODUCT_OPENEULER2403) -+ add_subdirectory("products/openeuler2403" "openeuler2403") -+endif() - if (SSG_PRODUCT_OPENSUSE) - add_subdirectory("products/opensuse" "opensuse") - endif() 
diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml new file mode 100644 -index 0000000..5599b04 +index 00000000..5599b049 --- /dev/null +++ b/controls/std_openeuler.yml @@ -0,0 +1,34 @@ 
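Review bot: After this trim the patch still creates `controls/std_openeuler.yml` (the `new file mode 100644` header kept as context at the end of this hunk), while the later patch in this series lists `controls/std_openeuler2203.yml` in its diffstat, and the product/profile hunks that selected `std_openeuler:all:base` are being removed from this patch. If the tree this series is now rebased on already ships the openEuler control file under the 2203 name, this patch would add a second control file that no profile selects, and the package-removal rules it carries would never reach the built openEuler profile. Please confirm which control file the openEuler profiles reference after the rebase and either retarget the remaining hunk to that file or drop the patch. A line in the patch description such as `Only controls/std_openeuler.yml is kept; product definitions and CMake/constants wiring are now upstream` would make the intent of the trim explicit for the next rebase.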
@@ -111,341 +48,6 @@ index 0000000..5599b04 + rules: + - package_telnet_removed + - package_telnet-server_removed -diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml -index 1129ce7..ea1c772 100644 ---- a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml -+++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel9 -+prodtype: openeuler2203,openeuler2403,rhel9 - - title: 'Remove ftp Package' - -diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml -index 6b59559..26848b4 100644 ---- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Uninstall telnet-server Package' - -diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml -index 2571d50..8c77862 100644 ---- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - - title: 'Remove telnet Clients' - -diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml 
b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml -index 93fd712..60c05ed 100644 ---- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Uninstall tftp-server Package' - -diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml -index 35e0a2f..6c078d3 100644 ---- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15 - - title: 'Remove tftp Daemon' - -diff --git a/products/openeuler2203/CMakeLists.txt b/products/openeuler2203/CMakeLists.txt -new file mode 100644 -index 0000000..258e195 ---- /dev/null -+++ b/products/openeuler2203/CMakeLists.txt -@@ -0,0 +1,6 @@ -+# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way. 
-+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") -+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") -+endif() -+ -+ssg_build_product("openeuler2203") -diff --git a/products/openeuler2203/product.yml b/products/openeuler2203/product.yml -new file mode 100644 -index 0000000..89e9f8b ---- /dev/null -+++ b/products/openeuler2203/product.yml -@@ -0,0 +1,29 @@ -+product: openeuler2203 -+full_name: openEuler 2203 -+type: platform -+ -+benchmark_id: OPENEULER2203 -+benchmark_root: "../../linux_os/guide" -+ -+profiles_root: "./profiles" -+ -+pkg_manager: "dnf" -+ -+init_system: "systemd" -+ -+cpes_root: "../../shared/applicability" -+cpes: -+ - openeuler2203lts: -+ name: "cpe:/o:openEuler:openEuler:22.03LTS:ga:server" -+ title: "openEuler 22.03 LTS" -+ check_id: installed_OS_is_openeuler2203 -+ -+ - openeuler2203lts-sp1: -+ name: "cpe:/o:openEuler:openEuler:22.03LTS_SP1:ga:server" -+ title: "openEuler 22.03 LTS SP1" -+ check_id: installed_OS_is_openeuler2203 -+ -+ - openeuler2203lts-sp2: -+ name: "cpe:/o:openEuler:openEuler:22.03LTS_SP2:ga:server" -+ title: "openEuler 22.03 LTS SP2" -+ check_id: installed_OS_is_openeuler2203 -diff --git a/products/openeuler2203/profiles/standard.profile b/products/openeuler2203/profiles/standard.profile -new file mode 100644 -index 0000000..8a7ae9c ---- /dev/null -+++ b/products/openeuler2203/profiles/standard.profile -@@ -0,0 +1,14 @@ -+documentation_complete: true -+ -+metadata: -+ version: 1.0 -+ -+title: 'Standard System Security Profile for openEuler 22.03 LTS' -+ -+description: |- -+ This profile contains rules to ensure standard security baseline -+ of an openEuler system. Regardless of your system's workload -+ all of these checks should pass. 
-+ -+selections: -+ - std_openeuler:all:base -diff --git a/products/openeuler2203/transforms/constants.xslt b/products/openeuler2203/transforms/constants.xslt -new file mode 100644 -index 0000000..666c119 ---- /dev/null -+++ b/products/openeuler2203/transforms/constants.xslt -@@ -0,0 +1,9 @@ -+ -+ -+ -+ -+openEuler2203 -+openEuler2203 -+openeuler2203 -+ -+ -diff --git a/products/openeuler2403/CMakeLists.txt b/products/openeuler2403/CMakeLists.txt -new file mode 100644 -index 0000000..4f7da6b ---- /dev/null -+++ b/products/openeuler2403/CMakeLists.txt -@@ -0,0 +1,6 @@ -+# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way. -+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") -+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") -+endif() -+ -+ssg_build_product("openeuler2403") -diff --git a/products/openeuler2403/product.yml b/products/openeuler2403/product.yml -new file mode 100644 -index 0000000..c27aaa8 ---- /dev/null -+++ b/products/openeuler2403/product.yml -@@ -0,0 +1,19 @@ -+product: openeuler2403 -+full_name: openEuler2403 -+type: platform -+ -+benchmark_id: OPENEULER2403 -+benchmark_root: "../../linux_os/guide" -+ -+profiles_root: "./profiles" -+ -+pkg_manager: "dnf" -+ -+init_system: "systemd" -+ -+cpes_root: "../../shared/applicability" -+cpes: -+ - openeuler2403: -+ name: "cpe:/o:openEuler:openEuler:24.03LTS:ga:server" -+ title: "openEuler 24.03 LTS" -+ check_id: installed_OS_is_openeuler2403 -diff --git a/products/openeuler2403/profiles/standard.profile b/products/openeuler2403/profiles/standard.profile -new file mode 100644 -index 0000000..e4e9450 ---- /dev/null -+++ b/products/openeuler2403/profiles/standard.profile -@@ -0,0 +1,14 @@ -+documentation_complete: true -+ -+metadata: -+ version: 1.0 -+ -+title: 'Standard System Security Profile for openEuler' -+ -+description: |- -+ This profile contains rules to 
ensure standard security baseline -+ of all openEuler systems. Regardless of your system's workload -+ all of these checks should pass. -+ -+selections: -+ - std_openeuler:all:base -diff --git a/products/openeuler2403/transforms/constants.xslt b/products/openeuler2403/transforms/constants.xslt -new file mode 100644 -index 0000000..60286a9 ---- /dev/null -+++ b/products/openeuler2403/transforms/constants.xslt -@@ -0,0 +1,9 @@ -+ -+ -+ -+ -+openEuler2403 -+openEuler2403 -+openeuler2403 -+ -+ -diff --git a/shared/checks/oval/installed_OS_is_openeuler2203.xml b/shared/checks/oval/installed_OS_is_openeuler2203.xml -new file mode 100644 -index 0000000..6a1ce97 ---- /dev/null -+++ b/shared/checks/oval/installed_OS_is_openeuler2203.xml -@@ -0,0 +1,26 @@ -+ -+ -+ -+ openEuler 22.03 LTS -+ -+ multi_platform_all -+ -+ The operating system installed on the system is openEuler 22.03 LTS. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^22\.03.*$ -+ -+ -+ openEuler-release -+ -+ -+ -diff --git a/shared/checks/oval/installed_OS_is_openeuler2403.xml b/shared/checks/oval/installed_OS_is_openeuler2403.xml -new file mode 100644 -index 0000000..31c6084 ---- /dev/null -+++ b/shared/checks/oval/installed_OS_is_openeuler2403.xml -@@ -0,0 +1,26 @@ -+ -+ -+ -+ openEuler -+ -+ multi_platform_all -+ -+ The operating system installed on the system is openEuler 24.03 LTS -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^24\.03.*$ -+ -+ -+ openEuler-release -+ -+ -+ -diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -index affb977..593ecda 100644 ---- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -@@ -8,6 +8,7 @@ - multi_platform_debian - multi_platform_example - multi_platform_fedora -+ multi_platform_openeuler - multi_platform_opensuse - multi_platform_ol - multi_platform_rhcos -diff --git a/ssg/constants.py b/ssg/constants.py -index f66ba00..ff5bb02 100644 ---- a/ssg/constants.py -+++ 
b/ssg/constants.py -@@ -50,6 +50,7 @@ product_directories = [ - 'ocp4', - 'rhcos4', - 'ol7', 'ol8', 'ol9', -+ 'openeuler2203', 'openeuler2403', - 'opensuse', - 'rhel7', 'rhel8', 'rhel9', - 'rhv4', -@@ -207,6 +208,8 @@ FULL_NAME_TO_PRODUCT_MAPPING = { - "Oracle Linux 7": "ol7", - "Oracle Linux 8": "ol8", - "Oracle Linux 9": "ol9", -+ "openEuler 2203": "openeuler2203", -+ "openEuler 2403": "openeuler2403", - "openSUSE": "opensuse", - "Red Hat Enterprise Linux 7": "rhel7", - "Red Hat Enterprise Linux 8": "rhel8", -@@ -266,6 +269,7 @@ REFERENCES = dict( - - - MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu", -+ "openeuler", - "opensuse", "sle", "ol", "ocp", "rhcos", - "example", "eks", "alinux", "uos", "anolis"] - -@@ -276,6 +280,7 @@ MULTI_PLATFORM_MAPPING = { - "multi_platform_example": ["example"], - "multi_platform_eks": ["eks"], - "multi_platform_fedora": ["fedora"], -+ "multi_platform_openeuler": ["openeuler2203", "openeuler2403"], - "multi_platform_opensuse": ["opensuse"], - "multi_platform_ol": ["ol7", "ol8", "ol9"], - "multi_platform_ocp": ["ocp4"], -@@ -447,6 +452,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = { - 'uos': 'UnionTech OS Server', - 'eap': 'JBoss Enterprise Application Platform', - 'fuse': 'JBoss Fuse', -+ 'openeuler': 'openEuler', - 'opensuse': 'openSUSE', - 'sle': 'SUSE Linux Enterprise', - 'example': 'Example', -- -2.21.0.windows.1 +2.48.1 diff --git a/optimize-rules-for-openEuler.patch b/optimize-rules-for-openEuler.patch index 5734d605acf6a5af4038444eb66b844284f71eca..4b59bfbebef5ffefb4c9dc0a2f168b762c306cf3 100644 --- a/optimize-rules-for-openEuler.patch +++ b/optimize-rules-for-openEuler.patch 
@@ -4,76 +4,88 @@ Date: Fri, 23 Feb 2024 20:03:16 +0800 Subject: [PATCH] imporve check command --- - controls/std_openeuler.yml | 265 ++++++++++++++---- - .../base/service_haveged_enabled/rule.yml | 29 ++ - .../rule.yml | 30 ++ + components/audit.yml | 1 + + components/cronie.yml | 1 + + components/filesystem.yml | 11 + + components/firewalld.yml | 1 + + components/iptables.yml | 3 + + components/kernel.yml | 6 + + components/nftables.yml | 2 + + components/openeuler.yml | 25 ++ + components/openssh.yml | 3 + + components/pam.yml | 7 + + components/rsyslog.yml | 4 + + components/sudo.yml | 1 + + controls/std_openeuler2203.yml | 259 ++++++++++++++---- + .../base/service_haveged_enabled/rule.yml | 27 ++ + .../rule.yml | 28 ++ .../oval/shared.xml | 25 ++ - .../sshd_configure_correct_interface/rule.yml | 26 ++ + .../sshd_configure_correct_interface/rule.yml | 24 ++ .../oval/shared.xml | 54 ++++ - .../rule.yml | 25 ++ + .../rule.yml | 23 ++ .../sshd_use_strong_pubkey/oval/shared.xml | 1 + - .../sshd_use_strong_pubkey/rule.yml | 13 + + .../sshd_use_strong_pubkey/rule.yml | 11 + .../oval/shared.xml | 32 +++ .../no_name_contained_in_password/rule.yml | 12 + .../verify_owner_password/oval/shared.xml | 60 ++++ .../verify_owner_password/rule.yml | 12 + .../account_unique_group_id/oval/shared.xml | 51 ++++ - .../account_unique_group_id/rule.yml | 11 + - .../accounts_are_necessary/rule.yml | 20 ++ - .../first_logging_change_password/rule.yml | 24 ++ - .../login_accounts_are_necessary/rule.yml | 31 ++ - .../rule.yml | 39 +++ + .../account_unique_group_id/rule.yml | 9 + + .../accounts_are_necessary/rule.yml | 18 ++ + .../first_logging_change_password/rule.yml | 22 ++ + .../login_accounts_are_necessary/rule.yml | 29 ++ + .../rule.yml | 37 +++ .../sce/shared.sh | 15 + .../oval/shared.xml | 25 ++ - .../configure_dump_journald_log/rule.yml | 25 ++ - .../configure_rsyslog_log_rotate/rule.yml | 48 ++++ - .../diasable_root_accessing_system/rule.yml | 51 ++++ + 
.../configure_dump_journald_log/rule.yml | 23 ++ + .../configure_rsyslog_log_rotate/rule.yml | 46 ++++ + .../diasable_root_accessing_system/rule.yml | 49 ++++ .../rsyslog_remote_loghost_openeuler/rule.yml | 19 ++ - .../rule.yml | 27 ++ - .../rule.yml | 27 ++ - .../rule.yml | 28 ++ - .../rule.yml | 21 ++ - .../rule.yml | 21 ++ + .../rule.yml | 25 ++ + .../rule.yml | 25 ++ + .../rule.yml | 26 ++ + .../rule.yml | 19 ++ + .../rule.yml | 19 ++ + .../rule.yml | 19 ++ + .../sysctl_net_ipv4_tcp_fin_timeout/rule.yml | 20 ++ .../rule.yml | 21 ++ - .../sysctl_net_ipv4_tcp_fin_timeout/rule.yml | 22 ++ + .../sysctl_net_ipv4_tcp_timestamps/rule.yml | 19 ++ + .../rule.yml | 22 ++ .../rule.yml | 23 ++ - .../sysctl_net_ipv4_tcp_timestamps/rule.yml | 21 ++ - .../rule.yml | 24 ++ - .../rule.yml | 25 ++ - .../define_ld_lib_path_correctly/rule.yml | 41 +++ - .../files/define_path_strictly/rule.yml | 44 +++ - .../files/file_empty_link_prohibit/rule.yml | 25 ++ + .../define_ld_lib_path_correctly/rule.yml | 39 +++ + .../files/define_path_strictly/rule.yml | 42 +++ + .../files/file_empty_link_prohibit/rule.yml | 23 ++ .../file_empty_link_prohibit/sce/shared.sh | 11 + - .../file_hidden_executable_prohibit/rule.yml | 16 ++ + .../file_hidden_executable_prohibit/rule.yml | 14 + .../sce/shared.sh | 11 + - .../files/file_opened_count_limited/rule.yml | 34 +++ - .../files/file_permission_minimum/rule.yml | 139 +++++++++ - .../removed_unnecessary_file_mount/rule.yml | 38 +++ - .../mount_nodev_mode_partitions/rule.yml | 47 ++++ - .../mount_noexec_mode_partitions/rule.yml | 23 ++ - .../rule.yml | 21 ++ - .../mounted_nosuid_mode_partitions/rule.yml | 31 ++ - .../rule.yml | 33 +++ - .../coredumps/coredump_limited/rule.yml | 27 ++ + .../files/file_opened_count_limited/rule.yml | 32 +++ + .../files/file_permission_minimum/rule.yml | 137 +++++++++ + .../removed_unnecessary_file_mount/rule.yml | 36 +++ + .../mount_nodev_mode_partitions/rule.yml | 45 +++ + .../mount_noexec_mode_partitions/rule.yml | 21 ++ 
+ .../rule.yml | 19 ++ + .../mounted_nosuid_mode_partitions/rule.yml | 29 ++ + .../rule.yml | 31 +++ + .../coredumps/coredump_limited/rule.yml | 25 ++ .../coredumps/coredump_limited/sce/shared.sh | 17 ++ - .../coredumps/coredump_prohibit/rule.yml | 27 ++ + .../coredumps/coredump_prohibit/rule.yml | 25 ++ .../coredumps/coredump_prohibit/sce/shared.sh | 11 + - .../rule.yml | 19 ++ + .../rule.yml | 17 ++ .../sce/shared.sh | 19 ++ - .../system/software/debugging_tools/rule.yml | 35 +++ - .../rule.yml | 39 +++ - .../configure_ssh_crypto_policy/rule.yml | 2 +- - .../ima_verification/rule.yml | 55 ++++ - .../software/network_sniffing_tools/rule.yml | 24 ++ + .../system/software/debugging_tools/rule.yml | 33 +++ + .../rule.yml | 37 +++ + .../ima_verification/rule.yml | 53 ++++ + .../software/network_sniffing_tools/rule.yml | 22 ++ .../guide/system/software/polkit/group.yml | 6 + .../only_root_can_run_pkexec/oval/shared.xml | 23 ++ - .../polkit/only_root_can_run_pkexec/rule.yml | 17 ++ + .../polkit/only_root_can_run_pkexec/rule.yml | 15 + linux_os/guide/system/software/su/group.yml | 6 + .../su/su_always_set_path/oval/shared.xml | 23 ++ - .../software/su/su_always_set_path/rule.yml | 20 ++ - .../rule.yml | 33 +++ - .../package_python2_removed/rule.yml | 18 ++ - 69 files changed, 2080 insertions(+), 58 deletions(-) + .../software/su/su_always_set_path/rule.yml | 18 ++ + .../rule.yml | 31 +++ + .../package_python2_removed/rule.yml | 16 ++ + 80 files changed, 2050 insertions(+), 51 deletions(-) + create mode 100644 components/openeuler.yml create mode 100644 linux_os/guide/services/base/service_haveged_enabled/rule.yml create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml 
@@ -142,512 +154,683 @@ Subject: [PATCH] imporve check command create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml create mode 100644 linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml -diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml -index eb66293..b187420 100644 ---- a/controls/std_openeuler.yml -+++ b/controls/std_openeuler.yml -@@ -22,13 +22,19 @@ controls: +diff --git a/components/audit.yml b/components/audit.yml +index f3b96558..e749769c 100644 +--- a/components/audit.yml ++++ b/components/audit.yml +@@ -325,6 +325,7 @@ rules: + - package_audit-libs_installed + - package_audit_installed + - service_auditd_enabled ++- audit_privilege_escalation_command + templates: + - audit_file_contents + - audit_rules_dac_modification +diff --git a/components/cronie.yml b/components/cronie.yml +index 37264a89..a11918c2 100644 +--- a/components/cronie.yml ++++ b/components/cronie.yml +@@ -43,3 +43,4 @@ rules: + - service_atd_disabled + - service_cron_enabled + - service_crond_enabled ++- no_lowprivilege_users_writeable_cmds_in_crontab_file +diff --git a/components/filesystem.yml b/components/filesystem.yml +index b2c0d230..8fcd9997 100644 +--- a/components/filesystem.yml ++++ b/components/filesystem.yml +@@ -152,6 +152,17 @@ rules: + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_regular + - sysctl_fs_protected_symlinks ++- define_ld_lib_path_correctly ++- define_path_strictly ++- file_empty_link_prohibit ++- file_hidden_executable_prohibit ++- file_opened_count_limited ++- file_permission_minimum ++- mount_nodev_mode_partitions ++- mount_noexec_mode_partitions ++- mount_only_no_modified_partitionsread ++- mounted_nosuid_mode_partitions ++- partitions_manage_hard_drive_data + templates: + - mount + - mount_option +diff --git a/components/firewalld.yml b/components/firewalld.yml +index 4ef2a3d7..d6b0aa13 100644 +--- a/components/firewalld.yml ++++ 
b/components/firewalld.yml +@@ -20,3 +20,4 @@ rules: + - set_firewalld_appropriate_zone + - set_firewalld_default_zone + - unnecessary_firewalld_services_ports_disabled ++- set_firewalld_default_zone_openeuler +diff --git a/components/iptables.yml b/components/iptables.yml +index e603e3f4..38ca7dc9 100644 +--- a/components/iptables.yml ++++ b/components/iptables.yml +@@ -5,6 +5,7 @@ packages: + - iptables-nft + - iptables-persistent + - iptables-services ++- network-iptables + rules: + - directory_groupowner_etc_iptables + - directory_owner_etc_iptables +@@ -19,3 +20,5 @@ rules: + - service_ip6tables_enabled + - service_iptables_enabled + - ensure_iptables_are_flushed ++- iptables_input_policy_configured_corrently ++- iptables_output_policy_configured_corrently +diff --git a/components/kernel.yml b/components/kernel.yml +index 47a71ce1..93746587 100644 +--- a/components/kernel.yml ++++ b/components/kernel.yml +@@ -202,6 +202,12 @@ rules: + - sysctl_user_max_user_namespaces + - sysctl_user_max_user_namespaces_no_remediation + - sysctl_vm_mmap_min_addr ++- sysctl_net_ipv4_conf_all_proxy_arp ++- sysctl_net_ipv4_conf_default_proxy_arp ++- sysctl_net_ipv4_icmp_echo_ignore_all ++- sysctl_net_ipv4_tcp_fin_timeout ++- sysctl_net_ipv4_tcp_max_syn_backlog ++- sysctl_net_ipv4_tcp_timestamps + templates: + - kernel_build_config + - kernel_module_disabled +diff --git a/components/nftables.yml b/components/nftables.yml +index ada39845..7cc6b18c 100644 +--- a/components/nftables.yml ++++ b/components/nftables.yml +@@ -18,3 +18,5 @@ rules: + - set_nftables_new_connections + - set_nftables_table + - firewall_single_service_active ++- nftables_input_policy_configured_corrently ++- nftables_output_policy_configured_corrently +diff --git a/components/openeuler.yml b/components/openeuler.yml +new file mode 100644 +index 00000000..49af8cdf +--- /dev/null ++++ b/components/openeuler.yml +@@ -0,0 +1,25 @@ ++groups: ++- base ++- restrictions ++- mounting ++- system-tools ++- integrity ++- 
su ++name: openeuler ++packages: ++- haveged ++- systemd ++- util-linux ++rules: ++- service_haveged_enabled ++- coredump_limited ++- coredump_prohibit ++- historical_command_records_limited ++- removed_unnecessary_file_mount ++- debugging_tools ++- development_and_compliation_tools ++- su_always_set_path ++- package_python2_removed ++- network_sniffing_tools ++- only_root_can_run_pkexec ++- ima_verification +diff --git a/components/openssh.yml b/components/openssh.yml +index 0dac3e2e..4dda8541 100644 +--- a/components/openssh.yml ++++ b/components/openssh.yml +@@ -88,5 +88,8 @@ rules: + - sshd_x11_use_localhost + - sshd_include_crypto_policy + - harden_sshd_crypto_policy ++- sshd_configure_correct_interface ++- sshd_prohibit_preset_authorized_keys ++- sshd_use_strong_pubkey + templates: + - sshd_lineinfile +diff --git a/components/pam.yml b/components/pam.yml +index 06047160..a4a1b4aa 100644 +--- a/components/pam.yml ++++ b/components/pam.yml +@@ -242,5 +242,12 @@ rules: + - use_pam_wheel_group_for_su + - verify_use_mappers + - vlock_installed ++- no_name_contained_in_password ++- verify_owner_password ++- account_unique_group_id ++- accounts_are_necessary ++- first_logging_change_password ++- login_accounts_are_necessary ++- warning_banners + templates: + - pam_options +diff --git a/components/rsyslog.yml b/components/rsyslog.yml +index 2659542e..e8f532a3 100644 +--- a/components/rsyslog.yml ++++ b/components/rsyslog.yml +@@ -46,3 +46,7 @@ rules: + - systemd_journal_upload_url + - systemd_journal_upload_server_tls + - timer_logrotate_enabled ++- configure_dump_journald_log ++- configure_rsyslog_log_rotate ++- diasable_root_accessing_system ++- rsyslog_remote_loghost_openeuler +diff --git a/components/sudo.yml b/components/sudo.yml +index 752c426e..d1d592b0 100644 +--- a/components/sudo.yml ++++ b/components/sudo.yml +@@ -33,5 +33,6 @@ rules: + - sudoers_no_root_target + - sudoers_validate_passwd + - file_permissions_sudo ++- 
sudoers_disable_low_privileged_configure + templates: + - sudo_defaults_option +diff --git a/controls/std_openeuler2203.yml b/controls/std_openeuler2203.yml +index 65badc0e..df69b488 100644 +--- a/controls/std_openeuler2203.yml ++++ b/controls/std_openeuler2203.yml +@@ -26,13 +26,19 @@ controls: title: Ensure No Empty Symlink levels: - - base + - l1_server - status: planned + status: automated + rules: + - file_empty_link_prohibit + - file_empty_link_prohibit.severity=high - - id: 1.1.3_no_hidden_exec_files + - id: 1.1.3 title: Ensure No Hidden Executable Files levels: - - base + - l1_server - status: planned + status: automated + rules: + - file_hidden_executable_prohibit + - file_hidden_executable_prohibit.severity=high - - id: 1.1.4_global_writable_dir_sticky_set + - id: 1.1.4 title: Ensure Sticky Set On Global Writable Folder -@@ -62,25 +68,37 @@ controls: +@@ -66,25 +72,37 @@ controls: title: Umount Unnecessary File System levels: - - base + - l1_server - status: planned + status: manual + rules: + - removed_unnecessary_file_mount + - removed_unnecessary_file_mount.severity=high - - id: 1.1.8_mount_as_readonly + - id: 1.1.8 title: Ensure Mount As Readonly If No Need To Write levels: - - base + - l1_server - status: planned + status: manual + rules: + - mount_only_no_modified_partitionsread + - mount_only_no_modified_partitionsread.severity=high - - id: 1.1.9_mount_as_nodev + - id: 1.1.9 title: Ensure Mount As Nodev levels: - - base + - l1_server - status: planned + status: manual + rules: + - mount_nodev_mode_partitions + - mount_nodev_mode_partitions.severity=high - - id: 1.1.10_mount_as_noexec + - id: 1.1.10 title: Ensure Mount As Noexec levels: - - base + - l1_server - status: planned + status: manual + rules: + - mount_noexec_mode_partitions + - mount_noexec_mode_partitions.severity=high - - id: 1.1.11_mount_as_noexec_nodev_for_removable + - id: 1.1.11 title: Ensure Mount As Noexec And Nodev For Removable Device -@@ -97,7 +115,10 @@ controls: +@@ -101,7 
+119,10 @@ controls: title: Ensure Mount As Nosuid levels: - - base + - l1_server - status: planned + status: manual + rules: + - mounted_nosuid_mode_partitions + - mounted_nosuid_mode_partitions.severity=high - - id: 1.1.13_remove_unnecessary_suid_sgid + - id: 1.1.13 title: Ensure Remove Unnecessary SUID And SGID -@@ -114,13 +135,19 @@ controls: +@@ -118,13 +139,19 @@ controls: title: Ensure File Permission Minimize levels: - - base + - l1_server - status: planned + status: manual + rules: + - file_permission_minimum + - file_permission_minimum.severity=high - - id: 1.1.15_ulimit_correctly + - id: 1.1.15 title: Ensure Ulinmit Correctly levels: - - base + - l1_server - status: planned + status: manual + rules: + - file_opened_count_limited + - file_opened_count_limited.severity=high - - id: 1.1.16_symlinks_hardlinks_protected + - id: 1.1.16 title: Ensure Symlinks And Hardlinks Protected -@@ -146,19 +173,28 @@ controls: +@@ -150,19 +177,28 @@ controls: title: Ensure Different Data Store In Different Partitions levels: - - base + - l2_server - status: planned + status: manual + rules: + - partitions_manage_hard_drive_data + - partitions_manage_hard_drive_data.severity=high - - id: 1.1.19_library_path_correct + - id: 1.1.19 title: Ensure LD_LIBRARY_PATH Correct levels: - - base + - l1_server - status: planned + status: manual + rules: + - define_ld_lib_path_correctly + - define_ld_lib_path_correctly.severity=high - - id: 1.1.20_user_path_correct + - id: 1.1.20 title: Ensure User PATH Correct levels: - - base + - l1_server - status: planned + status: manual + rules: + - define_path_strictly + - define_path_strictly.severity=low - - id: 1.2.1_ftp_not_installed + - id: 1.2.1 title: Ensure FTP Not Installed -@@ -204,7 +240,10 @@ controls: +@@ -208,7 +244,10 @@ controls: title: Ensure Python2 Not Installed levels: - - base + - l1_server - status: planned + status: automated + rules: + - package_python2_removed + - package_python2_removed.severity=high - - id: 
1.2.6_gpg_check_configured + - id: 1.2.6 title: Ensure GPG Check Configured -@@ -293,19 +332,28 @@ controls: +@@ -297,19 +336,28 @@ controls: title: Ensure Network Sniffing Software Removed levels: - - base + - l1_server - status: planned + status: manual + rules: + - network_sniffing_tools + - network_sniffing_tools.severity=high - - id: 1.2.16_no_debug_tools + - id: 1.2.16 title: Ensure Debug Tools Removed levels: - - base + - l1_server - status: planned + status: manual + rules: + - debugging_tools + - debugging_tools.severity=high - - id: 1.2.17_no_compiler_tools + - id: 1.2.17 title: Ensure Compiler Tools Removed levels: - - base + - l1_server - status: planned + status: manual + rules: + - development_and_compliation_tools + - development_and_compliation_tools.severity=high - - id: 1.2.18_xwindow_not_installed + - id: 1.2.18 title: Ensure X Window Not Installed -@@ -375,19 +423,28 @@ controls: +@@ -379,19 +427,28 @@ controls: title: Ensure All Login Accounts Are Necessary levels: - - base + - l1_server - status: planned + status: manual + rules: + - login_accounts_are_necessary + - login_accounts_are_necessary.severity=high - - id: 2.1.2_no_unused_accounts + - id: 2.1.2 title: Ensure No Unused Accounts levels: - - base + - l1_server - status: planned + status: manual + rules: + - accounts_are_necessary + - accounts_are_necessary.severity=high - - id: 2.1.3_different_accounts_have_different_groupid + - id: 2.1.3 title: Ensure Different Accounts Have Different GroupID levels: - - base + - l1_server - status: planned + status: automated + rules: + - account_unique_group_id + - account_unique_group_id.severity=high - - id: 2.1.4_no_uid_0_except_root + - id: 2.1.4 title: Ensure Only Root's UID Is 0 -@@ -578,13 +635,19 @@ controls: +@@ -582,13 +639,19 @@ controls: title: Ensure Old Password Verified levels: - - base + - l1_server - status: planned + status: automated + rules: + - verify_owner_password + - verify_owner_password.severity=high - - id: 
2.2.4_no_username_in_password + - id: 2.2.4 title: Ensure Password Not Contain User Name levels: - - base + - l1_server - status: planned + status: automated + rules: + - no_name_contained_in_password + - no_name_contained_in_password.severity=high - - id: 2.2.5_strong_hash_algorithm_for_password + - id: 2.2.5 title: Ensure Using Strong Hash Algorithm To Encipher Password -@@ -655,7 +718,10 @@ controls: +@@ -660,7 +723,10 @@ controls: title: Ensure Password Changed At First Login levels: - - base + - l1_server - status: planned + status: manual + rules: + - first_logging_change_password + - first_logging_change_password.severity=high - - id: 2.3.1_account_lock_after_accessing_fail + - id: 2.3.1 title: Ensure Account Locked After Accessing Fail -@@ -720,7 +786,10 @@ controls: +@@ -725,7 +791,10 @@ controls: title: Ensure HISTSIZE Limited levels: - - base + - l2_server - status: planned + status: automated + rules: + - historical_command_records_limited + - historical_command_records_limited.severity=low - - id: 2.4.2_selinux_enforce + - id: 2.4.2 title: Ensure SELinux Enforce -@@ -762,25 +831,37 @@ controls: +@@ -767,25 +836,37 @@ controls: title: Ensure No Files In /etc/sudoers Can Be Write By Low-privilege User levels: - - base + - l1_server - status: planned + status: manual + rules: + - sudoers_disable_low_privileged_configure + - sudoers_disable_low_privileged_configure.severity=high - - id: 2.4.7_cannot_use_pkexec_escalate + - id: 2.4.7 title: Ensure Low-privilege User Cannot Escalate By Pkexec levels: - - base + - l1_server - status: planned + status: automated + rules: + - only_root_can_run_pkexec + - only_root_can_run_pkexec.severity=high - - id: 2.4.8_always_set_path_config + - id: 2.4.8 title: Ensure ALWAYS_SET_PATH Configurated levels: - - base + - l1_server - status: planned + status: automated + rules: + - su_always_set_path + - su_always_set_path.severity=high - - id: 2.4.9_root_can_not_login_local + - id: 2.4.9 title: Ensure Root Can Not Login Local 
levels: - - base + - l2_server - status: planned + status: manual + rules: + - diasable_root_accessing_system + - diasable_root_accessing_system.severity=low - - id: 2.4.10_not_use_unconfined_service_t + - id: 2.4.10 title: Ensure Not Run Files wiht unconfined_service_t Flag -@@ -791,17 +872,14 @@ controls: - - selinux_confinement_of_daemons - - selinux_confinement_of_daemons.severity=low - -- - id: 2.4.11_all_daemons_run_with_mini_permission -- title: Ensure All Daemons Run With Minimum Permission -- levels: -- - base -- status: planned -- - - id: 2.5.1_ima_enabled +@@ -800,7 +881,10 @@ controls: title: Ensure IMA Enabled levels: - - base + - l2_server - status: planned + status: manual + rules: + - ima_verification + - ima_verification.severity=low - - id: 2.5.2_aide_enabled + - id: 2.5.2 title: Ensure AIDE Enabled -@@ -818,7 +896,10 @@ controls: +@@ -817,7 +901,10 @@ controls: title: Ensure Haveged Enabled levels: - - base + - l2_server - status: planned + status: automated + rules: + - service_haveged_enabled + - service_haveged_enabled.severity=low - - id: 2.6.2_global_crypto_setting + - id: 2.6.2 title: Global Crypto Setting Correct -@@ -863,7 +944,10 @@ controls: +@@ -862,7 +949,10 @@ controls: title: Ensure Firewalld Set Default Zone Correctly levels: - - base + - l2_server - status: planned + status: manual -+ ruels: ++ rules: + - set_firewalld_default_zone_openeuler + - set_firewalld_default_zone_openeuler.severity=low - - id: 3.2.3_firewalld_interface_set_to_correct_zone + - id: 3.2.3 title: Ensure Firewalld Set Correct Interface Zone -@@ -918,13 +1002,19 @@ controls: +@@ -917,13 +1007,19 @@ controls: title: Ensure Iptables Input Rules Set levels: - - base + - l2_server - status: planned + status: manual + rules: + - iptables_input_policy_configured_corrently + - iptables_input_policy_configured_corrently.severity=low - - id: 3.2.9_iptables_output_rules + - id: 3.2.9 title: Ensure Iptables Output Rules Set levels: - - base + - l2_server - status: planned 
+ status: manual + rules: + - iptables_output_policy_configured_corrently + - iptables_output_policy_configured_corrently.severity=low - - id: 3.2.10_iptables_input_output_connection_rules + - id: 3.2.10 title: Ensure Iptables Input Output Connection Rules Set -@@ -966,13 +1056,19 @@ controls: +@@ -965,13 +1061,19 @@ controls: title: Ensure Nftables Input Rules Set levels: - - base + - l2_server - status: planned + status: manual + rules: + - nftables_input_policy_configured_corrently + - nftables_input_policy_configured_corrently.severity=low - - id: 3.2.15_nftables_output_rules + - id: 3.2.15 title: Ensure Nftables Output Rules Set levels: - - base + - l2_server - status: planned + status: manual + rules: + - nftables_output_policy_configured_corrently + - nftables_output_policy_configured_corrently.severity=low - - id: 3.2.16_nftables_input_output_connection_rules + - id: 3.2.16 title: Ensure Nftables Input Output Connection Rules Set -@@ -1017,7 +1113,10 @@ controls: +@@ -1016,7 +1118,10 @@ controls: title: Ensure SSHd Pubkey Algorithm Correct levels: - - base + - l1_server - status: planned + status: automated + rules: + - sshd_use_strong_pubkey + - sshd_use_strong_pubkey.severity=high - - id: 3.3.5_sshd_pam_enabled + - id: 3.3.5 title: Ensure SSHd PAM Enabled -@@ -1050,7 +1149,10 @@ controls: +@@ -1049,7 +1154,10 @@ controls: title: Ensure SSHd Ciphers Algorithm Not Overwritten levels: - - base + - l1_server - status: planned + status: automated + rules: + - configure_ssh_crypto_policy + - configure_ssh_crypto_policy.severity=high - - id: 3.3.9_sshd_forbid_root_login + - id: 3.3.9 title: Ensure SSHd Forbid Root Login From Remote -@@ -1074,7 +1176,10 @@ controls: +@@ -1073,7 +1181,10 @@ controls: title: Ensure SSHd Listen Address Set Correct levels: - - base + - l2_server - status: planned + status: automated + rules: + - sshd_configure_correct_interface + - sshd_configure_correct_interface.severity=low - - id: 3.3.12_sshd_maxstartups_correct + - id: 3.3.12 
title: Ensure SSHd MaxStartups Correct -@@ -1138,7 +1243,10 @@ controls: +@@ -1137,7 +1248,10 @@ controls: title: Ensure SSHd Authorized Keys Not Set levels: - - base + - l1_server - status: planned + status: automated + rules: + - sshd_prohibit_preset_authorized_keys + - sshd_prohibit_preset_authorized_keys.severity=high - - id: 3.3.19_sshd_known_hosts_forbidden + - id: 3.3.19 title: Ensure SSHd Known Hosts Not Set -@@ -1153,7 +1261,10 @@ controls: +@@ -1152,7 +1266,10 @@ controls: title: Ensure SSHd Has No Obsolete Configurations levels: - - base + - l1_server - status: planned + status: automated + rules: + - sshd_disable_rhosts_rsa + - sshd_disable_rhosts_rsa.severity=high - - id: 3.3.21_ssh_tcp_forward_disabled + - id: 3.3.21 title: Ensure SSHd TCP Forward Disabled -@@ -1168,7 +1279,10 @@ controls: +@@ -1173,7 +1290,10 @@ controls: title: Ensure Cron Not Run Low Privilege User Writable Bash levels: - - base + - l1_server - status: planned + status: manual + rules: + - no_lowprivilege_users_writeable_cmds_in_crontab_file + - no_lowprivilege_users_writeable_cmds_in_crontab_file.severity=high - - id: 3.4.2_cron_enabled + - id: 3.4.2 title: Ensure Cron Deamon Running -@@ -1327,7 +1441,10 @@ controls: +@@ -1332,7 +1452,10 @@ controls: title: Ensure Ignore All ICMP Request levels: - - base + - l2_server - status: planned + status: automated + rules: + - sysctl_net_ipv4_icmp_echo_ignore_all + - sysctl_net_ipv4_icmp_echo_ignore_all.severity=high - - id: 3.5.10_ignore_bogus_error_icmp_package + - id: 3.5.10 title: Ensure Ignore Bogus Error ICMP Package -@@ -1407,31 +1524,50 @@ controls: +@@ -1412,31 +1535,50 @@ controls: title: Ensure tcp_timestamps Disabled levels: - - base + - l1_server - status: planned + status: automated + rules: + - sysctl_net_ipv4_tcp_timestamps + - sysctl_net_ipv4_tcp_timestamps.severity=low - - id: 3.5.17_tcp_time_wait_config + - id: 3.5.17 title: Ensure TCP Time Wait Correct levels: - - base + - l1_server - status: planned + status: automated 
+ rules: + - sysctl_net_ipv4_tcp_fin_timeout + - sysctl_net_ipv4_tcp_fin_timeout.severity=high - - id: 3.5.18_syn_recv_set_correct + - id: 3.5.18 title: Ensure SYN Recv Set Correct levels: - - base + - l1_server - status: planned + status: automated + rules: + - sysctl_net_ipv4_tcp_max_syn_backlog + - sysctl_net_ipv4_tcp_max_syn_backlog.severity=low - - id: 3.5.19_arp_proxy_disabled + - id: 3.5.19 title: Ensure No ARP Proxy levels: - - base + - l1_server - status: planned + status: automated + rules: @@ -656,10 +839,10 @@ index eb66293..b187420 100644 + - sysctl_net_ipv4_conf_all_proxy_arp + - sysctl_net_ipv4_conf_all_proxy_arp.severity=high - - id: 3.5.20_core_dump_set_correct + - id: 3.5.20 title: Ensure Core Dump Set Correct levels: - - base + - l1_server - status: planned + status: automated + rules: 
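Review bot: The rule ids this hunk registers in components/iptables.yml, components/nftables.yml, components/rsyslog.yml and components/openeuler.yml, and then references from controls/std_openeuler2203.yml, carry spelling errors — `iptables_input_policy_configured_corrently`, `nftables_output_policy_configured_corrently`, `diasable_root_accessing_system`, `development_and_compliation_tools` — and once they are wired into a control file they become the public identifiers that profiles, reports and the rule directories all share, so a later rename touches every one of those at once. If a rename is still possible it belongs in this commit (e.g. `iptables_input_policy_configured_correctly`); if the ids are frozen, a one-line comment in components/openeuler.yml such as `# rule ids below are kept as-is for compatibility with existing profiles; do not "fix" the spelling on one side only` would stop the next contributor from renaming a single occurrence. Separately, 1.1.20 attaches `define_path_strictly.severity=low` while the adjacent 1.1.19 uses `define_ld_lib_path_correctly.severity=high`; a writable or relative entry in a privileged user's PATH is the same class of exposure as an unsafe LD_LIBRARY_PATH, so the difference looks worth either aligning or justifying in the control text. The std_openeuler2203.yml changes of this hunk continue in the following hunks.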
@@ -668,74 +851,72 @@ index eb66293..b187420 100644 + - coredump_prohibit + - coredump_prohibit.severity=high - - id: 3.5.21_sysrq_disabled + - id: 3.5.21 title: Ensure SysRq Key Disabled -@@ -1537,7 +1673,10 @@ controls: +@@ -1542,7 +1684,10 @@ controls: title: Ensure Escalation Audited levels: - - base + - l2_server - status: planned + status: automated + rules: + - audit_privilege_escalation_command + - audit_privilege_escalation_command.severity=low - - id: 4.1.6_audit_module + - id: 4.1.6 title: Ensure Module Changes Audited -@@ -1737,7 +1876,10 @@ controls: +@@ -1742,7 +1887,10 @@ controls: title: Ensure Mount Audited levels: - - base + - l2_server - status: planned + status: automated + rules: + - audit_rules_media_export + - audit_rules_media_export.severity=low - - id: 4.2.1_rsyslog_enabled + - id: 4.2.1 title: Ensure Rsyslog Enabled -@@ -1788,19 +1930,28 @@ controls: +@@ -1793,19 +1941,28 @@ controls: title: Ensure Journald Transfer Set Correct levels: - - base + - l1_server - status: planned + status: automated + rules: + - configure_dump_journald_log + - configure_dump_journald_log.severity=high - - id: 4.2.7_rsyslog_rotate + - id: 4.2.7 title: Ensure Rotate Setting In Rsyslog levels: - - base + - l1_server - status: planned + status: manual + rules: + - configure_rsyslog_log_rotate + - configure_rsyslog_log_rotate.severity=high - - id: 4.2.8_rsyslog_remote_server_config + - id: 4.2.8 title: Ensure Remote Log Server Correct levels: - - base + - l2_server - status: planned + status: manual + rules: + - rsyslog_remote_loghost_openeuler + - rsyslog_remote_loghost_openeuler.severity=low - - id: 4.2.9_rsyslog_only_specified_server_receive_logs + - id: 4.2.9 title: Ensure Only Specified Server Can Receive Logs diff --git a/linux_os/guide/services/base/service_haveged_enabled/rule.yml b/linux_os/guide/services/base/service_haveged_enabled/rule.yml new file mode 100644 -index 0000000..d05b072 +index 00000000..95bfd4b1 --- /dev/null 
+++ b/linux_os/guide/services/base/service_haveged_enabled/rule.yml -@@ -0,0 +1,29 @@ +@@ -0,0 +1,27 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Enable haveged service' + +description: |- @@ -764,14 +945,12 @@ index 0000000..d05b072 \ No newline at end of file diff --git a/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml b/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml new file mode 100644 -index 0000000..6f85e31 +index 00000000..d15d2f14 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml -@@ -0,0 +1,30 @@ +@@ -0,0 +1,28 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Ensure All Commands/Bashes In Crontab File Are Not Writeable By Low-privilege Users' + +description: |- @@ -800,7 +979,7 @@ index 0000000..6f85e31 + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml new file mode 100644 -index 0000000..47510c8 +index 00000000..47510c81 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml @@ -0,0 +1,25 @@ @@ -832,14 +1011,12 @@ index 0000000..47510c8 \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml new file mode 100644 -index 0000000..8f1cfb7 +index 00000000..e12febd6 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml -@@ -0,0 +1,26 @@ +@@ -0,0 +1,24 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'SSH service interface should be configured correctly' + +description: |- 
@@ -865,7 +1042,7 @@ index 0000000..8f1cfb7 \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml new file mode 100644 -index 0000000..2939bf9 +index 00000000..2939bf94 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml @@ -0,0 +1,54 @@ @@ -925,14 +1102,12 @@ index 0000000..2939bf9 + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml new file mode 100644 -index 0000000..d2fa631 +index 00000000..93a92467 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml -@@ -0,0 +1,25 @@ +@@ -0,0 +1,23 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Prohibit SSH service pre setting authorized_Keys' + +description: |- @@ -957,21 +1132,19 @@ index 0000000..d2fa631 \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml new file mode 100644 -index 0000000..3c13a96 +index 00000000..3c13a963 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml @@ -0,0 +1 @@ +{{{ oval_sshd_config(parameter="PubkeyAcceptedKeyTypes", value="((ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512),?)+") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml new file mode 100644 -index 0000000..78c7e55 +index 00000000..5399e257 --- /dev/null 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml -@@ -0,0 +1,13 @@ +@@ -0,0 +1,11 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Use Only Strong Algorithms For Public Key' + +description: |- @@ -983,7 +1156,7 @@ index 0000000..78c7e55 +severity: high diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml new file mode 100644 -index 0000000..af4a11e +index 00000000..af4a11e9 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml @@ -0,0 +1,32 @@ @@ -1021,7 +1194,7 @@ index 0000000..af4a11e + diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml new file mode 100644 -index 0000000..fa84a3b +index 00000000..fa84a3bd --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml @@ -0,0 +1,12 @@ @@ -1039,7 +1212,7 @@ index 0000000..fa84a3b +severity: high diff --git a/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml new file mode 100644 -index 0000000..bfd0b01 +index 00000000..bfd0b01e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml @@ -0,0 +1,60 @@ @@ -1105,7 +1278,7 @@ index 0000000..bfd0b01 + diff --git a/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml new file mode 100644 -index 0000000..b03948a +index 00000000..b03948ae --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml @@ -0,0 +1,12 @@ 
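Review bot: The OVAL check for sshd_use_strong_pubkey (the `oval/shared.xml` context line in this hunk) accepts only the exact ordered list `ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512`, because the pattern's inner group is a fixed sequence and the outer `( … ,?)+` merely lets that whole sequence repeat; an equally strong configuration that lists a subset or a different order (for example `rsa-sha2-512,ssh-ed25519`) is reported as failing, and whether a value that appends weaker types after the sequence is rejected depends on how `oval_sshd_config` anchors the value, which is not visible here. A per-token alternation states the intended contract — every listed type comes from the allowed set — and escapes the literal dot: `{{{ oval_sshd_config(parameter="PubkeyAcceptedKeyTypes", value="((ssh-ed25519|ssh-ed25519-cert-v01@openssh\.com|rsa-sha2-256|rsa-sha2-512),?)+") }}}`. The directive is also matched only under its legacy spelling; OpenSSH 8.5 renamed it `PubkeyAcceptedAlgorithms` and keeps `PubkeyAcceptedKeyTypes` as an alias, so the rule description (its body is cut off by the next hunk) should say which spelling hosts are expected to carry, and any remediation that writes the directive should use the same one so check and fix agree.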
@@ -1123,7 +1296,7 @@ index 0000000..b03948a +severity: high diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml new file mode 100644 -index 0000000..8d31f9a +index 00000000..8d31f9a4 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml @@ -0,0 +1,51 @@ @@ -1180,14 +1353,12 @@ index 0000000..8d31f9a + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml new file mode 100644 -index 0000000..c86e51a +index 00000000..80fee794 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml -@@ -0,0 +1,11 @@ +@@ -0,0 +1,9 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Ensure All Accounts on the System Have Unique Master Group IDs' + +description: 'Change user master group IDs, or delete accounts.' @@ -1197,14 +1368,12 @@ index 0000000..c86e51a +severity: medium diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml new file mode 100644 -index 0000000..0216da2 +index 00000000..23b5714b --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml -@@ -0,0 +1,20 @@ +@@ -0,0 +1,18 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'All Accounts Are Necessary' + +description: |- @@ -1223,14 +1392,12 @@ index 0000000..0216da2 + 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/first_logging_change_password/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/first_logging_change_password/rule.yml new file mode 100644 -index 0000000..cf86e46 +index 00000000..be38652d --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/first_logging_change_password/rule.yml -@@ -0,0 +1,24 @@ +@@ -0,0 +1,22 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Ensure that the account is forced to change the password when logging in for the first time' + +description: |- @@ -1254,14 +1421,12 @@ index 0000000..cf86e46 \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml new file mode 100644 -index 0000000..31e29c7 +index 00000000..64411ad5 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml -@@ -0,0 +1,31 @@ +@@ -0,0 +1,29 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'All Login Accounts Are Necessary' + +description: |- @@ -1291,14 +1456,12 @@ index 0000000..31e29c7 + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml new file mode 100644 -index 0000000..7cb6620 +index 00000000..46e780e3 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml -@@ -0,0 +1,39 @@ +@@ -0,0 +1,37 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Privilege escalation command audit rules should be configured' + +description: |- @@ -1337,7 +1500,7 @@ index 0000000..7cb6620 \ No newline at end of file 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh new file mode 100644 -index 0000000..8cbd201 +index 00000000..8cbd2019 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh @@ -0,0 +1,15 @@ @@ -1358,7 +1521,7 @@ index 0000000..8cbd201 +exit "$XCCDF_RESULT_PASS" diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml new file mode 100644 -index 0000000..1e95b34 +index 00000000..1e95b349 --- /dev/null +++ b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml @@ -0,0 +1,25 @@ @@ -1390,14 +1553,12 @@ index 0000000..1e95b34 \ No newline at end of file diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml new file mode 100644 -index 0000000..6121f9c +index 00000000..887d99fe --- /dev/null +++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml -@@ -0,0 +1,25 @@ +@@ -0,0 +1,23 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Make sure rsyslog dump journald log is configured' + +description: |- @@ -1422,14 +1583,12 @@ index 0000000..6121f9c \ No newline at end of file diff --git a/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml new file mode 100644 -index 0000000..318493d +index 00000000..12dedd77 --- /dev/null +++ b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml -@@ -0,0 +1,48 @@ +@@ -0,0 +1,46 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Ensure that Rsyslog log rotate is configured' + +description: |- 
@@ -1476,14 +1635,12 @@ index 0000000..318493d +severity: high diff --git a/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml new file mode 100644 -index 0000000..400c2e3 +index 00000000..ba3253d7 --- /dev/null +++ b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml -@@ -0,0 +1,51 @@ +@@ -0,0 +1,49 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Prevent root users from accessing the system locally' + +description: |- @@ -1534,7 +1691,7 @@ index 0000000..400c2e3 \ No newline at end of file diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost_openeuler/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost_openeuler/rule.yml new file mode 100644 -index 0000000..5557c92 +index 00000000..5557c92a --- /dev/null +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost_openeuler/rule.yml @@ -0,0 +1,19 @@ @@ -1560,14 +1717,12 @@ index 0000000..5557c92 \ No newline at end of file diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone_openeuler/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone_openeuler/rule.yml new file mode 100644 -index 0000000..df9cd73 +index 00000000..5de8ca88 --- /dev/null +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone_openeuler/rule.yml -@@ -0,0 +1,27 @@ +@@ -0,0 +1,25 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Set Default firewalld Zone for Incoming Packets' + +description: |- @@ -1594,14 +1749,12 @@ index 0000000..df9cd73 \ No newline at end of file 
diff --git a/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..70f713e +index 00000000..c0740804 --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml -@@ -0,0 +1,27 @@ +@@ -0,0 +1,25 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Ensure that the iptables input policy configuration is correct' + +description: |- @@ -1628,14 +1781,12 @@ index 0000000..70f713e \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..56ad54c +index 00000000..0408c9d2 --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml -@@ -0,0 +1,28 @@ +@@ -0,0 +1,26 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Ensure that the iptables output policy configuration is correct' + +description: |- @@ -1663,14 +1814,12 @@ index 0000000..56ad54c \ No newline at end of file diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml new file mode 100644 -index 0000000..7ae68d8 +index 00000000..6952e415 --- /dev/null 
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml -@@ -0,0 +1,21 @@ +@@ -0,0 +1,19 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Disable Kernel Parameter for ARP Proxy' + +description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.proxy_arp", value="0") }}}' @@ -1690,14 +1839,12 @@ index 0000000..7ae68d8 + datatype: int diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml new file mode 100644 -index 0000000..6b77815 +index 00000000..3a8ea72b --- /dev/null +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml -@@ -0,0 +1,21 @@ +@@ -0,0 +1,19 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Disable Kernel Parameter for ARP Proxy by Default' + +description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.default.proxy_arp", value="0") }}}' @@ -1717,14 +1864,12 @@ index 0000000..6b77815 + datatype: int diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml new file mode 100644 -index 0000000..6d80ef3 +index 00000000..d1484481 --- /dev/null 
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml -@@ -0,0 +1,21 @@ +@@ -0,0 +1,19 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Set Kernel Parameter for Ignoring All ICMP' + +description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.icmp_echo_ignore_all", value="1") }}}' @@ -1744,14 +1889,12 @@ index 0000000..6d80ef3 + datatype: int diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml new file mode 100644 -index 0000000..2c1681d +index 00000000..cfc0340e --- /dev/null +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml -@@ -0,0 +1,22 @@ +@@ -0,0 +1,20 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Set Kernel Parameter for TCP TIME_WAIT' + +description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_fin_timeout", value="60") }}}' @@ -1772,14 +1915,12 @@ index 0000000..2c1681d + datatype: int diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml new file mode 100644 -index 0000000..89391a7 +index 00000000..71359626 --- /dev/null +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml -@@ -0,0 +1,23 @@ +@@ -0,0 +1,21 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Set Kernel Parameter for TCP SYN_RECV' + +description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_max_syn_backlog", value="256") }}}' 
@@ -1801,14 +1942,12 @@ index 0000000..89391a7 + datatype: int diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml new file mode 100644 -index 0000000..ec7d3af +index 00000000..dc0c1ae3 --- /dev/null +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml -@@ -0,0 +1,21 @@ +@@ -0,0 +1,19 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Disable Kernel Parameter for TCP Timestamps' + +description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_timestamps", value="0") }}}' @@ -1828,14 +1967,12 @@ index 0000000..ec7d3af + datatype: int diff --git a/linux_os/guide/system/network/network-nftables/nftables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_input_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..f5091bf +index 00000000..2a780ba9 --- /dev/null +++ b/linux_os/guide/system/network/network-nftables/nftables_input_policy_configured_corrently/rule.yml -@@ -0,0 +1,24 @@ +@@ -0,0 +1,22 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Configure nftables input strategy' + +description: |- @@ -1859,14 +1996,12 @@ index 0000000..f5091bf \ No newline at end of file diff --git a/linux_os/guide/system/network/network-nftables/nftables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_output_policy_configured_corrently/rule.yml new file mode 100644 -index 0000000..ad82a61 +index 00000000..0b797c6a --- /dev/null 
+++ b/linux_os/guide/system/network/network-nftables/nftables_output_policy_configured_corrently/rule.yml -@@ -0,0 +1,25 @@ +@@ -0,0 +1,23 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Configure nftables output strategy' + +description: |- @@ -1891,14 +2026,12 @@ index 0000000..ad82a61 \ No newline at end of file diff --git a/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml new file mode 100644 -index 0000000..c0ab21e +index 00000000..7dbf80b9 --- /dev/null +++ b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml -@@ -0,0 +1,41 @@ +@@ -0,0 +1,39 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly' + +description: |- @@ -1939,14 +2072,12 @@ index 0000000..c0ab21e \ No newline at end of file diff --git a/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml new file mode 100644 -index 0000000..d9735e8 +index 00000000..5d5a7231 --- /dev/null +++ b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml -@@ -0,0 +1,44 @@ +@@ -0,0 +1,42 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Ensure the user PATH variable is strictly defined' + +description: |- @@ -1990,14 +2121,12 @@ index 0000000..d9735e8 \ No newline at end of file diff --git a/linux_os/guide/system/permissions/files/file_empty_link_prohibit/rule.yml b/linux_os/guide/system/permissions/files/file_empty_link_prohibit/rule.yml new file mode 100644 -index 0000000..fd6551d +index 00000000..b3fd0748 --- /dev/null 
+++ b/linux_os/guide/system/permissions/files/file_empty_link_prohibit/rule.yml -@@ -0,0 +1,25 @@ +@@ -0,0 +1,23 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Empty link files are prohibited' + +description: |- @@ -2021,7 +2150,7 @@ index 0000000..fd6551d +severity: high diff --git a/linux_os/guide/system/permissions/files/file_empty_link_prohibit/sce/shared.sh b/linux_os/guide/system/permissions/files/file_empty_link_prohibit/sce/shared.sh new file mode 100644 -index 0000000..12165ee +index 00000000..12165eec --- /dev/null +++ b/linux_os/guide/system/permissions/files/file_empty_link_prohibit/sce/shared.sh @@ -0,0 +1,11 @@ @@ -2038,14 +2167,12 @@ index 0000000..12165ee +exit "$XCCDF_RESULT_FAIL" diff --git a/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/rule.yml b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/rule.yml new file mode 100644 -index 0000000..6200a9c +index 00000000..09c54f49 --- /dev/null +++ b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/rule.yml -@@ -0,0 +1,16 @@ +@@ -0,0 +1,14 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Disallow hidden executable files' + +description: |- @@ -2060,7 +2187,7 @@ index 0000000..6200a9c + diff --git a/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/sce/shared.sh b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/sce/shared.sh new file mode 100644 -index 0000000..6d78520 +index 00000000..6d785202 --- /dev/null +++ b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/sce/shared.sh @@ -0,0 +1,11 @@ @@ -2077,14 +2204,12 @@ index 0000000..6d78520 +exit "$XCCDF_RESULT_FAIL" 
diff --git a/linux_os/guide/system/permissions/files/file_opened_count_limited/rule.yml b/linux_os/guide/system/permissions/files/file_opened_count_limited/rule.yml new file mode 100644 -index 0000000..1875b4f +index 00000000..3236043f --- /dev/null +++ b/linux_os/guide/system/permissions/files/file_opened_count_limited/rule.yml -@@ -0,0 +1,34 @@ +@@ -0,0 +1,32 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Opened Files Count Limited' + +description: |- @@ -2117,14 +2242,12 @@ index 0000000..1875b4f + diff --git a/linux_os/guide/system/permissions/files/file_permission_minimum/rule.yml b/linux_os/guide/system/permissions/files/file_permission_minimum/rule.yml new file mode 100644 -index 0000000..910e607 +index 00000000..2f824e9f --- /dev/null +++ b/linux_os/guide/system/permissions/files/file_permission_minimum/rule.yml -@@ -0,0 +1,139 @@ +@@ -0,0 +1,137 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Ensure All Files Have Minimum Permission' + +description: |- @@ -2262,14 +2385,12 @@ index 0000000..910e607 + diff --git a/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount/rule.yml b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount/rule.yml new file mode 100644 -index 0000000..a58f76c +index 00000000..dd32884f --- /dev/null +++ b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount/rule.yml -@@ -0,0 +1,38 @@ +@@ -0,0 +1,36 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Ensure that unneeded file system mount is removed' + +description: |- @@ -2307,14 +2428,12 @@ index 0000000..a58f76c \ No newline at end of file diff --git a/linux_os/guide/system/permissions/partitions/mount_nodev_mode_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_nodev_mode_partitions/rule.yml new file mode 100644 -index 0000000..58292b1 +index 00000000..4ba3dfa2 --- /dev/null 
+++ b/linux_os/guide/system/permissions/partitions/mount_nodev_mode_partitions/rule.yml -@@ -0,0 +1,47 @@ +@@ -0,0 +1,45 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Mounting in nodev mode does not require mounting the device' + +description: |- @@ -2361,14 +2480,12 @@ index 0000000..58292b1 \ No newline at end of file diff --git a/linux_os/guide/system/permissions/partitions/mount_noexec_mode_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_noexec_mode_partitions/rule.yml new file mode 100644 -index 0000000..3c890df +index 00000000..7be2a33c --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/mount_noexec_mode_partitions/rule.yml -@@ -0,0 +1,23 @@ +@@ -0,0 +1,21 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Mount a partition without executable files in noexec mode' + +description: |- @@ -2391,14 +2508,12 @@ index 0000000..3c890df \ No newline at end of file diff --git a/linux_os/guide/system/permissions/partitions/mount_only_no_modified_partitionsread/rule.yml b/linux_os/guide/system/permissions/partitions/mount_only_no_modified_partitionsread/rule.yml new file mode 100644 -index 0000000..ee56ae3 +index 00000000..343b7607 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/mount_only_no_modified_partitionsread/rule.yml -@@ -0,0 +1,21 @@ +@@ -0,0 +1,19 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Partitions that do not need to be modified are mounted read-only.' + +description: |- @@ -2419,14 +2534,12 @@ index 0000000..ee56ae3 \ No newline at end of file diff --git a/linux_os/guide/system/permissions/partitions/mounted_nosuid_mode_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mounted_nosuid_mode_partitions/rule.yml new file mode 100644 -index 0000000..fe80bca +index 00000000..f1353a98 --- /dev/null 
+++ b/linux_os/guide/system/permissions/partitions/mounted_nosuid_mode_partitions/rule.yml -@@ -0,0 +1,31 @@ +@@ -0,0 +1,29 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Make sure partitions that do not require SUID/SGID are mounted in nosuid mode' + +description: |- @@ -2457,14 +2570,12 @@ index 0000000..fe80bca \ No newline at end of file diff --git a/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml new file mode 100644 -index 0000000..eaf1b4f +index 00000000..277fa569 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml -@@ -0,0 +1,33 @@ +@@ -0,0 +1,31 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Hard drive data should be managed in partitions' + +description: |- @@ -2497,14 +2608,12 @@ index 0000000..eaf1b4f \ No newline at end of file diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/rule.yml new file mode 100644 -index 0000000..d8928f5 +index 00000000..59042aa1 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/rule.yml -@@ -0,0 +1,27 @@ +@@ -0,0 +1,25 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Limit the use of coredump' + +description: |- @@ -2530,7 +2639,7 @@ index 0000000..d8928f5 + diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/sce/shared.sh b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/sce/shared.sh new file mode 100644 -index 0000000..059efff +index 00000000..059efff6 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_limited/sce/shared.sh @@ -0,0 +1,17 @@ 
@@ -2553,14 +2662,12 @@ index 0000000..059efff +exit "$XCCDF_RESULT_PASS" diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/rule.yml new file mode 100644 -index 0000000..4fca98e +index 00000000..1c7de3a9 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/rule.yml -@@ -0,0 +1,27 @@ +@@ -0,0 +1,25 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Use of coredumps is prohibited' + +description: |- @@ -2586,7 +2693,7 @@ index 0000000..4fca98e + diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/sce/shared.sh b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/sce/shared.sh new file mode 100644 -index 0000000..2671563 +index 00000000..2671563c --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_prohibit/sce/shared.sh @@ -0,0 +1,11 @@ @@ -2603,14 +2710,12 @@ index 0000000..2671563 +exit "$XCCDF_RESULT_FAIL" diff --git a/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/rule.yml b/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/rule.yml new file mode 100644 -index 0000000..2a03f2f +index 00000000..d929ae26 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/rule.yml -@@ -0,0 +1,19 @@ +@@ -0,0 +1,17 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Limit the number of historical command records' + +description: |- @@ -2629,7 +2734,7 @@ index 0000000..2a03f2f \ No newline at end of file 
diff --git a/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/sce/shared.sh b/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/sce/shared.sh new file mode 100644 -index 0000000..c24729a +index 00000000..c24729ac --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/historical_command_records_limited/sce/shared.sh @@ -0,0 +1,19 @@ @@ -2655,14 +2760,12 @@ index 0000000..c24729a \ No newline at end of file diff --git a/linux_os/guide/system/software/debugging_tools/rule.yml b/linux_os/guide/system/software/debugging_tools/rule.yml new file mode 100644 -index 0000000..077064a +index 00000000..1a1629e1 --- /dev/null +++ b/linux_os/guide/system/software/debugging_tools/rule.yml -@@ -0,0 +1,35 @@ +@@ -0,0 +1,33 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'uninstall debugging tools' + +description: |- @@ -2697,14 +2800,12 @@ index 0000000..077064a \ No newline at end of file diff --git a/linux_os/guide/system/software/development_and_compliation_tools/rule.yml b/linux_os/guide/system/software/development_and_compliation_tools/rule.yml new file mode 100644 -index 0000000..8e9adb1 +index 00000000..2a5d5670 --- /dev/null +++ b/linux_os/guide/system/software/development_and_compliation_tools/rule.yml -@@ -0,0 +1,39 @@ +@@ -0,0 +1,37 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Uninstall development and compilation tools' + +description: |- 
@@ -2741,28 +2842,14 @@ index 0000000..8e9adb1 + +severity: high \ No newline at end of file -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -index 8fe6ac0..1b82841 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle12,sle15,uos20,openeuler2203,openeuler2403 - - title: 'Configure SSH to use System Crypto Policy' - diff --git a/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml new file mode 100644 -index 0000000..5e03b6d +index 00000000..cb0d3ce8 --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml -@@ -0,0 +1,55 @@ +@@ -0,0 +1,53 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'IMA metrics should be enabled' + +description: |- @@ -2817,14 +2904,12 @@ index 0000000..5e03b6d \ No newline at end of file diff --git a/linux_os/guide/system/software/network_sniffing_tools/rule.yml b/linux_os/guide/system/software/network_sniffing_tools/rule.yml new file mode 100644 -index 0000000..c4deefd +index 00000000..d2faa28a --- /dev/null +++ b/linux_os/guide/system/software/network_sniffing_tools/rule.yml -@@ -0,0 +1,24 @@ +@@ -0,0 +1,22 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Uninstall network sniffing Package' + +description: |- @@ -2848,7 +2933,7 @@ index 0000000..c4deefd \ No newline at end of file 
diff --git a/linux_os/guide/system/software/polkit/group.yml b/linux_os/guide/system/software/polkit/group.yml new file mode 100644 -index 0000000..37662e9 +index 00000000..37662e9d --- /dev/null +++ b/linux_os/guide/system/software/polkit/group.yml @@ -0,0 +1,6 @@ @@ -2860,7 +2945,7 @@ index 0000000..37662e9 + Polkit, which provides privilege escalation capabilities. diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml new file mode 100644 -index 0000000..ae03bd4 +index 00000000..ae03bd4e --- /dev/null +++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml @@ -0,0 +1,23 @@ @@ -2889,14 +2974,12 @@ index 0000000..ae03bd4 + diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml new file mode 100644 -index 0000000..a4c1ebb +index 00000000..1c59b5e1 --- /dev/null +++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml -@@ -0,0 +1,17 @@ +@@ -0,0 +1,15 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Ensure Only Root Can Run The Command of Pkexec' + +description: |- @@ -2912,7 +2995,7 @@ index 0000000..a4c1ebb +severity: high diff --git a/linux_os/guide/system/software/su/group.yml b/linux_os/guide/system/software/su/group.yml new file mode 100644 -index 0000000..aa6e29d +index 00000000..aa6e29dc --- /dev/null +++ b/linux_os/guide/system/software/su/group.yml @@ -0,0 +1,6 @@ @@ -2924,7 +3007,7 @@ index 0000000..aa6e29d + Su, which provides the ability to switch to root or other users. diff --git a/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml new file mode 100644 -index 0000000..942df37 +index 00000000..942df370 --- /dev/null 
+++ b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml @@ -0,0 +1,23 @@ @@ -2953,14 +3036,12 @@ index 0000000..942df37 + diff --git a/linux_os/guide/system/software/su/su_always_set_path/rule.yml b/linux_os/guide/system/software/su/su_always_set_path/rule.yml new file mode 100644 -index 0000000..9249bfe +index 00000000..f643b105 --- /dev/null +++ b/linux_os/guide/system/software/su/su_always_set_path/rule.yml -@@ -0,0 +1,20 @@ +@@ -0,0 +1,18 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Ensure Always Set Path is Set to YES' + +description: |- @@ -2979,14 +3060,12 @@ index 0000000..9249bfe +severity: high diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml new file mode 100644 -index 0000000..f73c428 +index 00000000..4a834755 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml -@@ -0,0 +1,33 @@ +@@ -0,0 +1,31 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Make sure sudoers cannot configure scripts writable by low-privileged users' + +description: |- @@ -3019,14 +3098,12 @@ index 0000000..f73c428 \ No newline at end of file diff --git a/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml new file mode 100644 -index 0000000..a3826b8 +index 00000000..572cfb84 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml -@@ -0,0 +1,18 @@ +@@ -0,0 +1,16 @@ +documentation_complete: true + -+prodtype: openeuler2203,openeuler2403 -+ +title: 'Uninstall All Python2 Packages' + +description: |- @@ -3042,5 +3119,5 @@ index 0000000..a3826b8 + vars: + pkgname: python2 -- -2.42.0.windows.2 +2.48.1 
diff --git a/remove-oval_sshd_config.patch b/remove-oval_sshd_config.patch
new file mode 100644
index 0000000000000000000000000000000000000000..40de5262656358054bf7c739a875314e762cd764
--- /dev/null
+++ b/remove-oval_sshd_config.patch
@@ -0,0 +1,37 @@
+From 67b836e09d850d4173d750a75154f86a10df12e7 Mon Sep 17 00:00:00 2001
+From: wk333 <13474090681@163.com>
+Date: Mon, 28 Apr 2025 20:02:49 +0800
+Subject: remove oval_sshd_config
+
+---
+ .../ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml | 1 -
+ .../ssh/ssh_server/sshd_use_strong_pubkey/rule.yml | 8 ++++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+ delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml
+deleted file mode 100644
+index 3c13a963..00000000
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml
++++ /dev/null
+@@ -1 +0,0 @@
+-{{{ oval_sshd_config(parameter="PubkeyAcceptedKeyTypes", value="((ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512),?)+") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml
+index 5399e257..7fa6a3c5 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml
+@@ -9,3 +9,11 @@ rationale: |-
+ Week algorithms will introduce risks.
+
+ severity: high
++
++template:
++ name: sshd_lineinfile
++ vars:
++ parameter: PubkeyAcceptedKeyTypes
++ value: '((ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512),?)+'
++ datatype: string
++ is_default_value: 'true'
+--
+2.48.1
+
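Review bot: The `value` given to the `sshd_lineinfile` template in sshd_use_strong_pubkey/rule.yml is a match pattern (`((ssh-ed25519,…),?)+`) carried over from the deleted `oval_sshd_config` check, and if the template also renders the bash or Ansible remediation for this rule, that literal pattern is what would be written as the `PubkeyAcceptedKeyTypes` value, which sshd does not accept; either confirm a hand-written remediation overrides the template here, or give the template a concrete comma-separated list and keep the pattern only where the check consumes it. `is_default_value: 'true'` also deserves a second look: if it makes an absent directive pass, hosts that never set `PubkeyAcceptedKeyTypes` stay on OpenSSH's built-in default set instead of the restricted list this rule exists to enforce, presumably a looser outcome than the replaced OVAL (worth checking what that macro's default was). A short comment above the new block would spare the next reader the same question, e.g. `# value is a match pattern for the check, not a literal sshd_config value`. The hunk is complete within view.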
diff --git a/remove-rule-audit_privilege_escalation_command.patch b/remove-rule-audit_privilege_escalation_command.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5dd54ea5cd2117b3cff697a688f917950605fea3
--- /dev/null
+++ b/remove-rule-audit_privilege_escalation_command.patch
@@ -0,0 +1,110 @@ +From c9fc4952375d68d1fbaf1145829111e458c6adc7 Mon Sep 17 00:00:00 2001 +From: wk333 <13474090681@163.com> +Date: Tue, 6 May 2025 17:20:47 +0800 +Subject: [PATCH 1/1] remove rule audit_privilege_escalation_command + +--- + components/audit.yml | 1 - + controls/std_openeuler2203.yml | 5 +-- + .../rule.yml | 37 ------------------- + .../sce/shared.sh | 15 -------- + 4 files changed, 1 insertion(+), 57 deletions(-) + delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml + delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh + +diff --git a/components/audit.yml b/components/audit.yml +index e749769c..f3b96558 100644 +--- a/components/audit.yml ++++ b/components/audit.yml +@@ -325,7 +325,6 @@ rules: + - package_audit-libs_installed + - package_audit_installed + - service_auditd_enabled +-- audit_privilege_escalation_command + templates: + - audit_file_contents + - audit_rules_dac_modification +diff --git a/controls/std_openeuler2203.yml b/controls/std_openeuler2203.yml +index 970a6e00..bae6ebc6 100644 +--- a/controls/std_openeuler2203.yml ++++ b/controls/std_openeuler2203.yml +@@ -1688,10 +1688,7 @@ controls: + title: Ensure Escalation Audited + levels: + - l2_server +- status: automated +- rules: +- - audit_privilege_escalation_command +- - audit_privilege_escalation_command.severity=low ++ status: planned + + - id: 4.1.6 + title: Ensure Module Changes Audited +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml +deleted file mode 100644 +index 46e780e3..00000000 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml ++++ /dev/null +@@ -1,37 +0,0 @@ +-documentation_complete: true +- +-title: 'Privilege escalation 
command audit rules should be configured' +- +-description: |- +- Ordinary users can obtain super administrator privileges by calling privilege +- escalation commands (with SUID/SGID set). +- +-

It is recommended to audit and monitor privilege escalation commands to facilitate +- traceability afterwards.

+-

openEuler does not configure audit rules for privilege escalation commands by +- default. It is recommended that users configure corresponding rules based on actual +- business scenarios.

+-

It can not be scanned automatically, please check it manually.

+-
    +-
  • You can use below cli command to check the audit rules for privilege escalation commands: +-
    #!/bin/bash
    +-    
    +-    array=`find / -xdev -type f \( -perm -4000 -o -perm -2000 \) | awk '{print $1}'`
    +-    
    +-    for element in ${array[@]}
    +-    do
    +-        ret=`auditctl -l | grep "$element "`
    +-        if [ $? -ne 0 ]; then
    +-            echo "$element not set"
    +-        else
    +-            echo $ret
    +-        fi
    +-    done
    +-
  • +-
+- +-rationale: |- +- The use of privilege escalation +- commands carries high risks and is often used by attackers to attack the system. +- +-severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh +deleted file mode 100644 +index 8cbd2019..00000000 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh ++++ /dev/null +@@ -1,15 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_openeuler +-# check-import = stdout +- +-array=`find / -xdev -type f \( -perm -4000 -o -perm -2000 \) | awk '{print $1}'` +- +-for element in ${array[@]} +-do +- ret=`auditctl -l | grep "$element "` +- if [ $? -ne 0 ]; then +- else +- exit "$XCCDF_RESULT_FAIL" +- fi +-done +-exit "$XCCDF_RESULT_PASS" +-- +2.48.1 + diff --git a/scap-is-modified-to-be-consistent-with-the-specif.patch b/scap-is-modified-to-be-consistent-with-the-specif.patch index b8d02e4e02cf885a8b80f6d167f5a148e408a4f5..cc1af79eea50943352ee99c786301ef86b9f9982 100644 --- a/scap-is-modified-to-be-consistent-with-the-specif.patch +++ b/scap-is-modified-to-be-consistent-with-the-specif.patch 
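Review bot: The patch body gives no reason for dropping `audit_privilege_escalation_command` and moving "Ensure Escalation Audited" in `controls/std_openeuler2203.yml` from `automated` to `planned`, which removes the profile's check for auditing of SUID/SGID binaries without a recorded justification. The deleted SCE script (`sce/shared.sh`) was not functional in any case — `if [ $? -ne 0 ]; then` is immediately followed by `else` with no command in between, which bash rejects as a syntax error — and the rule's own description says it cannot be scanned automatically, so that is the rationale worth capturing. Suggest adding to the patch description: `The SCE check never ran (empty then-branch is a syntax error) and the rule text already calls for manual verification; the control is set to planned until a working audit-rule check exists.` The `[PATCH 1/1]` subject prefix and the empty body are also out of step with the other patches in this series, which carry at least a one-line explanation.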
@@ -4,17 +4,17 @@ Date: Tue, 10 Dec 2024 19:25:41 +0800 Subject: [PATCH] the ssg is modified to be consistent with the specifications --- - controls/std_openeuler.yml | 1 + + controls/std_openeuler2203.yml | 1 + .../bash/shared.sh | 6 ++++++ .../oval/shared.xml | 4 ++++ .../var_auditd_space_left.var | 1 + 4 files changed, 12 insertions(+) -diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml -index 6985d6d..3068afb 100644 ---- a/controls/std_openeuler.yml -+++ b/controls/std_openeuler.yml -@@ -1752,6 +1752,7 @@ controls: +diff --git a/controls/std_openeuler2203.yml b/controls/std_openeuler2203.yml +index f5d74498..970a6e00 100644 +--- a/controls/std_openeuler2203.yml ++++ b/controls/std_openeuler2203.yml +@@ -1763,6 +1763,7 @@ controls: rules: - auditd_data_retention_space_left - auditd_data_retention_space_left.severity=low 
@@ -22,10 +22,10 @@ index 6985d6d..3068afb 100644 - auditd_data_retention_space_left_action - auditd_data_retention_space_left_action.severity=low - var_auditd_space_left_action=syslog -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh -index 4233f10..293dc77 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh +diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh +index 4233f10e..293dc771 100644 +--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh ++++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh @@ -2,6 +2,12 @@ {{{ bash_instantiate_variables("var_auditd_admin_space_left_percentage") }}} 
@@ -39,10 +39,10 @@ index 4233f10..293dc77 100644 sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage%/g" /etc/audit/auditd.conf || \ echo "admin_space_left = $var_auditd_admin_space_left_percentage%" >> /etc/audit/auditd.conf +{{% endif %}} -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml -index 16d7433..b2acd8f 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml +diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml +index 16d74331..b2acd8f4 100644 +--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml ++++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml @@ -17,7 +17,11 @@ /etc/audit/auditd.conf @@ -55,10 +55,10 @@ index 16d7433..b2acd8f 100644 1
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var -index 4a3acba..3d86ed4 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var +diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left.var +index 4a3acbae..3d86ed49 100644 +--- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left.var ++++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left.var @@ -10,6 +10,7 @@ interactive: false options: @@ -68,5 +68,5 @@ index 4a3acba..3d86ed4 100644 250MB: 250 500MB: 500 -- -2.33.0 +2.48.1 diff --git a/scap-security-guide-0.1.68-port-to-newer-cmake.patch b/scap-security-guide-0.1.68-port-to-newer-cmake.patch deleted file mode 100644 index f3ff312e1397b5cb7d2f77de11db19747b350b54..0000000000000000000000000000000000000000 --- a/scap-security-guide-0.1.68-port-to-newer-cmake.patch +++ /dev/null 
@@ -1,780 +0,0 @@ ---- scap-security-guide-0.1.68/CMakeLists.txt.orig 2025-03-07 13:32:46.470078614 +0800 -+++ scap-security-guide-0.1.68/CMakeLists.txt 2025-03-07 13:46:57.640067759 +0800 -@@ -1,4 +1,4 @@ --cmake_minimum_required(VERSION 2.8.12) -+cmake_minimum_required(VERSION 3.12) - - # Inspired and referenced from https://blog.kitware.com/cmake-and-the-default-build-type - if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES) -@@ -128,7 +128,7 @@ - - - set(Python_ADDITIONAL_VERSIONS 3 2) --find_package(PythonInterp REQUIRED) -+find_package(Python REQUIRED) - - find_python_module(yaml REQUIRED) - find_python_module(jinja2 REQUIRED) -@@ -217,7 +217,7 @@ - message(STATUS " ") - - message(STATUS "Tools:") --message(STATUS "python: ${PYTHON_EXECUTABLE} (version: ${PYTHON_VERSION_STRING})") -+message(STATUS "python: ${Python_EXECUTABLE} (version: ${Python_VERSION})") - message(STATUS "python yaml module: ${PY_YAML}") - message(STATUS "python jinja2 module: ${PY_JINJA2}") - message(STATUS "oscap: ${OPENSCAP_OSCAP_EXECUTABLE} (version: ${OSCAP_VERSION})") ---- scap-security-guide-0.1.68/tests/CMakeLists.txt.orig 2025-03-07 13:45:00.575405586 +0800 -+++ scap-security-guide-0.1.68/tests/CMakeLists.txt 2025-03-07 13:46:03.949305417 +0800 -@@ -5,7 +5,7 @@ - macro(ssg_python_unit_tests PYTHON_COMPONENT_ID RELATIVE_PYTHONPATH) - add_test( - NAME "python-unit-${PYTHON_COMPONENT_ID}" -- COMMAND "${PYTHON_EXECUTABLE}" -m pytest ${PYTEST_COVERAGE_OPTIONS} "${CMAKE_SOURCE_DIR}/tests/unit/${PYTHON_COMPONENT_ID}" -+ COMMAND "${Python_EXECUTABLE}" -m pytest ${PYTEST_COVERAGE_OPTIONS} "${CMAKE_SOURCE_DIR}/tests/unit/${PYTHON_COMPONENT_ID}" - ) - set_tests_properties ("python-unit-${PYTHON_COMPONENT_ID}" PROPERTIES ENVIRONMENT - "PYTHONPATH=${CMAKE_SOURCE_DIR}/${RELATIVE_PYTHONPATH}:$ENV{PYTHONPATH}" -@@ -22,74 +22,74 @@ - - add_test( - NAME "max-path-len" -- COMMAND "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/ensure_paths_are_short.py" -+ COMMAND "${Python_EXECUTABLE}" 
"${CMAKE_CURRENT_SOURCE_DIR}/ensure_paths_are_short.py" - ) - set_tests_properties("max-path-len" PROPERTIES LABELS quick) - - add_test( - NAME "test-rule-dir-json" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/rule_dir_json.py" "--root" "${CMAKE_SOURCE_DIR}" "--output" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/rule_dir_json.py" "--root" "${CMAKE_SOURCE_DIR}" "--output" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" - ) - set_tests_properties("test-rule-dir-json" PROPERTIES LABELS quick) - set_tests_properties("test-rule-dir-json" PROPERTIES FIXTURES_SETUP "rule-dir-json") - - add_test( - NAME "validate-parse-affected" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_parse_affected.py" "${CMAKE_SOURCE_DIR}" "${CMAKE_BINARY_DIR}/build_config.yml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_parse_affected.py" "${CMAKE_SOURCE_DIR}" "${CMAKE_BINARY_DIR}/build_config.yml" - ) - - add_test( - NAME "validate-parse-platform" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_parse_platform.py" "${CMAKE_SOURCE_DIR}" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_parse_platform.py" "${CMAKE_SOURCE_DIR}" - ) - set_tests_properties("validate-parse-platform" PROPERTIES LABELS quick) - - add_test( - NAME "stable-profile-ids" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/stable_profile_ids.py" "${CMAKE_BINARY_DIR}" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/stable_profile_ids.py" "${CMAKE_BINARY_DIR}" - ) - set_tests_properties("stable-profile-ids" PROPERTIES LABELS quick) - - add_test( - NAME "shorthand-to-oval" -- COMMAND 
env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/shorthand_to_oval.py" "${CMAKE_CURRENT_SOURCE_DIR}/data/utils/shorthand_oval.xml" "${CMAKE_CURRENT_BINARY_DIR}/oval.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/shorthand_to_oval.py" "${CMAKE_CURRENT_SOURCE_DIR}/data/utils/shorthand_oval.xml" "${CMAKE_CURRENT_BINARY_DIR}/oval.xml" - ) - set_tests_properties("shorthand-to-oval" PROPERTIES LABELS quick) - - add_test( - NAME "stable-profiles" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_profile_stability.py" "${CMAKE_BINARY_DIR}" "${CMAKE_CURRENT_SOURCE_DIR}/data/profile_stability" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_profile_stability.py" "${CMAKE_BINARY_DIR}" "${CMAKE_CURRENT_SOURCE_DIR}/data/profile_stability" - ) - set_tests_properties("stable-profiles" PROPERTIES LABELS quick) - - add_test( - NAME "stable-products" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_product_stability.py" "${CMAKE_BINARY_DIR}" "${CMAKE_CURRENT_SOURCE_DIR}/data/product_stability" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_product_stability.py" "${CMAKE_BINARY_DIR}" "${CMAKE_CURRENT_SOURCE_DIR}/data/product_stability" - ) - set_tests_properties("stable-products" PROPERTIES LABELS quick) - - add_test( - NAME "machine-only-rules" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_machine_only_rules.py" --source_dir "${CMAKE_SOURCE_DIR}" --build_dir "${CMAKE_BINARY_DIR}" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_machine_only_rules.py" --source_dir "${CMAKE_SOURCE_DIR}" --build_dir "${CMAKE_BINARY_DIR}" - ) - set_tests_properties("machine-only-rules" PROPERTIES 
LABELS quick) - - if (SSG_BATS_TESTS_ENABLED AND BATS_EXECUTABLE) - add_test( - NAME "bash-unit-tests" -- COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/unit/bash/execute_tests.sh" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_CURRENT_SOURCE_DIR}/unit/bash" "${CMAKE_BINARY_DIR}/tests" -+ COMMAND "${CMAKE_CURRENT_SOURCE_DIR}/unit/bash/execute_tests.sh" "${Python_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_CURRENT_SOURCE_DIR}/unit/bash" "${CMAKE_BINARY_DIR}/tests" - ) - set_tests_properties("bash-unit-tests" PROPERTIES LABELS quick) - endif() - add_test( - NAME "macros-oval" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_macros_oval.py" "--verbose" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_macros_oval.py" "--verbose" - ) - set_tests_properties("macros-oval" PROPERTIES LABELS quick) - - add_test( - NAME "fix_rules-empty_identifiers" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "empty_identifiers" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "empty_identifiers" - ) - set_tests_properties("fix_rules-empty_identifiers" PROPERTIES LABELS quick) - set_tests_properties("fix_rules-empty_identifiers" PROPERTIES DEPENDS "test-rule-dir-json") -@@ -97,7 +97,7 @@ - - add_test( - NAME "fix_rules-invalid_identifiers" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "invalid_identifiers" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" 
"${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "invalid_identifiers" - ) - set_tests_properties("fix_rules-invalid_identifiers" PROPERTIES LABELS quick) - set_tests_properties("fix_rules-invalid_identifiers" PROPERTIES DEPENDS "test-rule-dir-json") -@@ -105,7 +105,7 @@ - - add_test( - NAME "fix_rules-int_identifiers" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "int_identifiers" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "int_identifiers" - ) - set_tests_properties("fix_rules-int_identifiers" PROPERTIES LABELS quick) - set_tests_properties("fix_rules-int_identifiers" PROPERTIES DEPENDS "test-rule-dir-json") -@@ -113,7 +113,7 @@ - - add_test( - NAME "fix_rules-empty_references" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "empty_references" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "empty_references" - ) - set_tests_properties("fix_rules-empty_references" PROPERTIES LABELS quick) - set_tests_properties("fix_rules-empty_references" PROPERTIES DEPENDS "test-rule-dir-json") -@@ -121,7 +121,7 @@ - - add_test( - NAME "fix_rules-int_references" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" 
"int_references" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "int_references" - ) - set_tests_properties("fix_rules-int_references" PROPERTIES LABELS quick) - set_tests_properties("fix_rules-int_references" PROPERTIES DEPENDS "test-rule-dir-json") -@@ -129,7 +129,7 @@ - - add_test( - NAME "fix_rules-duplicate_subkeys" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "duplicate_subkeys" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "duplicate_subkeys" - ) - set_tests_properties("fix_rules-duplicate_subkeys" PROPERTIES LABELS quick) - set_tests_properties("fix_rules-duplicate_subkeys" PROPERTIES DEPENDS "test-rule-dir-json") -@@ -137,7 +137,7 @@ - - add_test( - NAME "fix_rules-sort_subkeys" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "sort_subkeys" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "sort_subkeys" - ) - set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick) - set_tests_properties("fix_rules-sort_subkeys" PROPERTIES DEPENDS "test-rule-dir-json") -@@ -145,7 +145,7 @@ - - add_test( - NAME "fix_rules-sort_prodtypes" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" 
"--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "sort_prodtypes" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/fix_rules.py" "--dry-run" "--root" "${CMAKE_SOURCE_DIR}" "--json" "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" "sort_prodtypes" - ) - set_tests_properties("fix_rules-sort_prodtypes" PROPERTIES LABELS quick) - set_tests_properties("fix_rules-sort_prodtypes" PROPERTIES DEPENDS "test-rule-dir-json") -@@ -155,12 +155,12 @@ - if (PY_PYTEST) - add_test( - NAME "test-function-check_playbook_file_removed_and_added" -- COMMAND "${PYTHON_EXECUTABLE}" -m pytest ${PYTEST_COVERAGE_OPTIONS} "${CMAKE_CURRENT_SOURCE_DIR}/test_check_playbook_file_removed_and_added.py" -+ COMMAND "${Python_EXECUTABLE}" -m pytest ${PYTEST_COVERAGE_OPTIONS} "${CMAKE_CURRENT_SOURCE_DIR}/test_check_playbook_file_removed_and_added.py" - ) - endif() - add_test( - NAME "ansible-file-removed-and-added" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_ansible_file_removed_and_added.py" --ansible_dir "${CMAKE_BINARY_DIR}/ansible" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_ansible_file_removed_and_added.py" --ansible_dir "${CMAKE_BINARY_DIR}/ansible" - ) - set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick) - endif() -@@ -169,7 +169,7 @@ - if (PY_MYPY) - add_test( - NAME "test-mypy-${SCRIPT}" -- COMMAND env "${PYTHON_EXECUTABLE}" -m mypy "${CMAKE_SOURCE_DIR}/${SCRIPT}" -+ COMMAND env "${Python_EXECUTABLE}" -m mypy "${CMAKE_SOURCE_DIR}/${SCRIPT}" - ) - set_tests_properties("test-mypy-${SCRIPT}" PROPERTIES LABELS quick) - set_tests_properties("test-mypy-${SCRIPT}" PROPERTIES LABELS mypy) -@@ -179,10 +179,10 @@ - mypy_test("utils/import_srg_spreadsheet.py") - mypy_test("utils/check_eof.py") - --if (PYTHON_VERSION_MAJOR GREATER 2 AND PY_OPENPYXL AND PY_PANDAS AND SSG_PRODUCT_RHEL9) -+if (Python_VERSION_MAJOR GREATER 2 AND 
PY_OPENPYXL AND PY_PANDAS AND SSG_PRODUCT_RHEL9) - add_test( - NAME "srg-export-rhel9-xlsx" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_srg_export.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --control "${CMAKE_SOURCE_DIR}/controls/srg_gpos.yml" --product rhel9 --out-format "xlsx" --output "${CMAKE_BINARY_DIR}/cac_stig_output.xlsx" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_srg_export.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --control "${CMAKE_SOURCE_DIR}/controls/srg_gpos.yml" --product rhel9 --out-format "xlsx" --output "${CMAKE_BINARY_DIR}/cac_stig_output.xlsx" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" - ) - set_tests_properties("srg-export-rhel9-xlsx" PROPERTIES LABELS quick) - set_tests_properties("srg-export-rhel9-xlsx" PROPERTIES FIXTURES_SETUP "rhel9-cac-xlsx") -@@ -192,7 +192,7 @@ - - add_test( - NAME "srg-export-rhel9-md" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_srg_export.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --control "${CMAKE_SOURCE_DIR}/controls/srg_gpos.yml" --product rhel9 --out-format "md" --output "${CMAKE_BINARY_DIR}/cac_stig_output.md" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_srg_export.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --control "${CMAKE_SOURCE_DIR}/controls/srg_gpos.yml" --product rhel9 --out-format "md" --output "${CMAKE_BINARY_DIR}/cac_stig_output.md" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" - ) - set_tests_properties("srg-export-rhel9-md" PROPERTIES LABELS quick) - 
set_tests_properties("srg-export-rhel9-md" PROPERTIES FIXTURES_REQUIRED "rule-dir-json") -@@ -201,7 +201,7 @@ - - add_test( - NAME "srg-export-rhel9-csv" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_srg_export.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --control "${CMAKE_SOURCE_DIR}/controls/srg_gpos.yml" --product rhel9 --out-format csv --output "${CMAKE_BINARY_DIR}/cac_stig_output.csv" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_srg_export.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --control "${CMAKE_SOURCE_DIR}/controls/srg_gpos.yml" --product rhel9 --out-format csv --output "${CMAKE_BINARY_DIR}/cac_stig_output.csv" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" - ) - set_tests_properties("srg-export-rhel9-csv" PROPERTIES LABELS quick) - set_tests_properties("srg-export-rhel9-csv" PROPERTIES FIXTURES_REQUIRED "rule-dir-json") -@@ -209,7 +209,7 @@ - - add_test( - NAME "srg-export-rhel9-html" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_srg_export.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --control "${CMAKE_SOURCE_DIR}/controls/srg_gpos.yml" --product rhel9 --out-format html --output "${CMAKE_BINARY_DIR}/cac_stig_output.html" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_srg_export.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --control "${CMAKE_SOURCE_DIR}/controls/srg_gpos.yml" --product rhel9 --out-format html --output "${CMAKE_BINARY_DIR}/cac_stig_output.html" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" - ) - 
set_tests_properties("srg-export-rhel9-html" PROPERTIES LABELS quick) - set_tests_properties("srg-export-rhel9-html" PROPERTIES FIXTURES_REQUIRED "rule-dir-json") -@@ -218,7 +218,7 @@ - - add_test( - NAME "srg-diff-rhel9" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/srg_diff.py" --base "${CMAKE_SOURCE_DIR}/tests/data/utils/rhel9_stig_diff_base.xlsx" --target "${CMAKE_BINARY_DIR}/cac_stig_output.xlsx" --product rhel9 -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/srg_diff.py" --base "${CMAKE_SOURCE_DIR}/tests/data/utils/rhel9_stig_diff_base.xlsx" --target "${CMAKE_BINARY_DIR}/cac_stig_output.xlsx" --product rhel9 - ) - set_tests_properties("srg-diff-rhel9" PROPERTIES LABELS quick) - set_tests_properties("srg-diff-rhel9" PROPERTIES FIXTURES_REQUIRED "rhel9-cac-xlsx") -@@ -227,27 +227,27 @@ - - file(GLOB RHEL8_DISA_STIG_REF "${SSG_SHARED_REFS}/disa-stig-rhel8-v[0-9]*r[0-9]*-xccdf-manual.xml") - --if (PYTHON_VERSION_MAJOR GREATER 2) -+if (Python_VERSION_MAJOR GREATER 2) - add_test( - NAME "test-compare_ds" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/compare_ds.py" "${CMAKE_SOURCE_DIR}/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml" "${RHEL8_DISA_STIG_REF}" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/compare_ds.py" "${CMAKE_SOURCE_DIR}/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml" "${RHEL8_DISA_STIG_REF}" - ) - set_tests_properties("test-compare_ds" PROPERTIES LABELS quick) - endif() - --if (PYTHON_VERSION_MAJOR GREATER 2 AND GIT_EXECUTABLE AND EXISTS "${CMAKE_SOURCE_DIR}/.git") -+if (Python_VERSION_MAJOR GREATER 2 AND GIT_EXECUTABLE AND EXISTS "${CMAKE_SOURCE_DIR}/.git") - add_test( - NAME "test-generate_contributors" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/generate_contributors.py" "--dry-run" -+ 
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/generate_contributors.py" "--dry-run" - ) - set_tests_properties("test-generate_contributors" PROPERTIES LABELS quick) - endif() - - --if (PYTHON_VERSION_MAJOR GREATER 2 AND SSG_PRODUCT_RHEL8) -+if (Python_VERSION_MAJOR GREATER 2 AND SSG_PRODUCT_RHEL8) - add_test( - NAME "test-create_scap_delta_tailoring" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --dry-run --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_BINARY_DIR}/rule_dirs.json" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --reference "stigid" --output "${CMAKE_BINARY_DIR}/rhel8_stig_tailoring.xml" --product rhel8 --manual "${RHEL8_DISA_STIG_REF}" -B "${CMAKE_BINARY_DIR}" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --dry-run --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_BINARY_DIR}/rule_dirs.json" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --reference "stigid" --output "${CMAKE_BINARY_DIR}/rhel8_stig_tailoring.xml" --product rhel8 --manual "${RHEL8_DISA_STIG_REF}" -B "${CMAKE_BINARY_DIR}" - ) - set_tests_properties("test-create_scap_delta_tailoring" PROPERTIES FIXTURES_REQUIRED "rule-dir-json") - set_tests_properties("test-create_scap_delta_tailoring" PROPERTIES DEPENDS "test-rule-dir-json") -@@ -255,29 +255,29 @@ - - add_test( - NAME "test-create_scap_delta_tailoring_resolved" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --dry-run --root "${CMAKE_SOURCE_DIR}" --resolved-rules-dir --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --reference "stigid" --output "${CMAKE_BINARY_DIR}/rhel8_stig_tailoring.xml" --product rhel8 --manual "${RHEL8_DISA_STIG_REF}" -B "${CMAKE_BINARY_DIR}" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" 
"${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --dry-run --root "${CMAKE_SOURCE_DIR}" --resolved-rules-dir --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --reference "stigid" --output "${CMAKE_BINARY_DIR}/rhel8_stig_tailoring.xml" --product rhel8 --manual "${RHEL8_DISA_STIG_REF}" -B "${CMAKE_BINARY_DIR}" - ) - set_tests_properties("test-create_scap_delta_tailoring_resolved" PROPERTIES FIXTURES_REQUIRED "rule-dir-json") - set_tests_properties("test-create_scap_delta_tailoring_resolved" PROPERTIES DEPENDS "test-rule-dir-json") - endif() - - --if (PYTHON_VERSION_MAJOR GREATER 2 AND PYTHON_VERSION_MINOR GREATER 6) -+if (Python_VERSION_MAJOR GREATER 2 AND Python_VERSION_MINOR GREATER 6) - add_test( - NAME "test-controleval-directory" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/controleval.py" "--controls-dir" "${CMAKE_SOURCE_DIR}/tests/unit/ssg-module/data/controls_dir" "stats" "--level" "high" "--product" "rhel9" "--id" "qrst-levels" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/controleval.py" "--controls-dir" "${CMAKE_SOURCE_DIR}/tests/unit/ssg-module/data/controls_dir" "stats" "--level" "high" "--product" "rhel9" "--id" "qrst-levels" - ) - set_tests_properties("test-controleval-directory" PROPERTIES LABELS quick) - - add_test( - NAME "test-controleval-onefile" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/controleval.py" "--controls-dir" "${CMAKE_SOURCE_DIR}/tests/unit/ssg-module/data/controls_dir" "stats" "--level" "low" "--product" "rhel8" "--id" "abcd-levels" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/controleval.py" "--controls-dir" "${CMAKE_SOURCE_DIR}/tests/unit/ssg-module/data/controls_dir" "stats" "--level" "low" "--product" "rhel8" "--id" "abcd-levels" - ) - set_tests_properties("test-controleval-onefile" 
PROPERTIES LABELS quick)
-
- add_test(
- NAME "test-controleval-json"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/controleval.py" "--controls-dir" "${CMAKE_SOURCE_DIR}/tests/unit/ssg-module/data/controls_dir" "stats" "--level" "medium" "--product" "rhel8" "--id" "qrst-levels" "--output-format" "json"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/controleval.py" "--controls-dir" "${CMAKE_SOURCE_DIR}/tests/unit/ssg-module/data/controls_dir" "stats" "--level" "medium" "--product" "rhel8" "--id" "qrst-levels" "--output-format" "json"
- )
- set_tests_properties("test-controleval-json" PROPERTIES LABELS quick)
- endif()
-@@ -285,14 +285,14 @@
- macro(ssg_refcheck_test PRODUCT PROFILE KEY)
- add_test(
- NAME "refchecker-${PRODUCT}-${PROFILE}"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/refchecker.py" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" "${PRODUCT}" "${PROFILE}" "${KEY}"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/refchecker.py" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" "${PRODUCT}" "${PROFILE}" "${KEY}"
- )
- set_tests_properties("refchecker-${PRODUCT}-${PROFILE}" PROPERTIES FIXTURES_REQUIRED "rule-dir-json")
- set_tests_properties("refchecker-${PRODUCT}-${PROFILE}" PROPERTIES DEPENDS "test-rule-dir-json")
- set_tests_properties("refchecker-${PRODUCT}-${PROFILE}" PROPERTIES LABELS quick)
- endmacro()
-
-
--if (PYTHON_VERSION_MAJOR GREATER 2 AND SSG_PRODUCT_RHEL8)
-+if (Python_VERSION_MAJOR GREATER 2 AND SSG_PRODUCT_RHEL8)
- ssg_refcheck_test("rhel8" "cis_workstation_l1" "cis")
- ssg_refcheck_test("rhel8" "cis_workstation_l2" "cis")
- ssg_refcheck_test("rhel8" "cis_server_l1" "cis")
-@@ -300,26 +300,26 @@
- endif()
-
-
--if
(PYTHON_VERSION_MAJOR GREATER 2 AND SSG_PRODUCT_RHEL7)
-+if (Python_VERSION_MAJOR GREATER 2 AND SSG_PRODUCT_RHEL7)
- ssg_refcheck_test("rhel7" "cis_workstation_l1" "cis")
- ssg_refcheck_test("rhel7" "cis_workstation_l2" "cis")
- ssg_refcheck_test("rhel7" "cis_server_l1" "cis")
- ssg_refcheck_test("rhel7" "cis" "cis")
- endif()
-
--if (PYTHON_VERSION_MAJOR GREATER 2)
-+if (Python_VERSION_MAJOR GREATER 2)
- add_test(
- NAME "test-compare-disa-xml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/compare_disa_xml.py" "${CMAKE_SOURCE_DIR}/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml" "${RHEL8_DISA_STIG_REF}"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/compare_disa_xml.py" "${CMAKE_SOURCE_DIR}/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml" "${RHEL8_DISA_STIG_REF}"
- )
- set_tests_properties("test-compare-disa-xml" PROPERTIES LABELS quick)
- endif()
-
- macro(ssg_controlrefcheck_test PRODUCT CONTROL KEY)
-- if (PYTHON_VERSION_MAJOR GREATER 2)
-+ if (Python_VERSION_MAJOR GREATER 2)
- add_test(
- NAME "controlrefchecker-${PRODUCT}-${CONTROL}"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/controlrefcheck.py" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" "${PRODUCT}" "${CONTROL}" "${KEY}"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/controlrefcheck.py" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" "${PRODUCT}" "${CONTROL}" "${KEY}"
- )
- set_tests_properties("controlrefchecker-${PRODUCT}-${CONTROL}" PROPERTIES FIXTURES_REQUIRED "rule-dir-json")
- set_tests_properties("controlrefchecker-${PRODUCT}-${CONTROL}" PROPERTIES DEPENDS "test-rule-dir-json")
-@@ -338,10 +338,10 @@
- endif()
-
-
--if (PYTHON_VERSION_MAJOR GREATER 2)
-+if
(Python_VERSION_MAJOR GREATER 2)
- add_test(
- NAME "test-check-eof"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/check_eof.py" "${CMAKE_SOURCE_DIR}/ssg" "${CMAKE_SOURCE_DIR}/linux_os" "${CMAKE_SOURCE_DIR}/utils" "${CMAKE_SOURCE_DIR}/tests" "${CMAKE_SOURCE_DIR}/products" "${CMAKE_SOURCE_DIR}/shared" "${CMAKE_SOURCE_DIR}/docs" "${CMAKE_SOURCE_DIR}/apple_os" "${CMAKE_SOURCE_DIR}/applications" "${CMAKE_SOURCE_DIR}/build-scripts" "${CMAKE_SOURCE_DIR}/cmake" "${CMAKE_SOURCE_DIR}/Dockerfiles" "${CMAKE_SOURCE_DIR}/tests" "${CMAKE_SOURCE_DIR}/controls"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/check_eof.py" "${CMAKE_SOURCE_DIR}/ssg" "${CMAKE_SOURCE_DIR}/linux_os" "${CMAKE_SOURCE_DIR}/utils" "${CMAKE_SOURCE_DIR}/tests" "${CMAKE_SOURCE_DIR}/products" "${CMAKE_SOURCE_DIR}/shared" "${CMAKE_SOURCE_DIR}/docs" "${CMAKE_SOURCE_DIR}/apple_os" "${CMAKE_SOURCE_DIR}/applications" "${CMAKE_SOURCE_DIR}/build-scripts" "${CMAKE_SOURCE_DIR}/cmake" "${CMAKE_SOURCE_DIR}/Dockerfiles" "${CMAKE_SOURCE_DIR}/tests" "${CMAKE_SOURCE_DIR}/controls"
- )
- endif()
-
---- scap-security-guide-0.1.68/cmake/FindPythonModule.cmake.orig 2025-03-07 13:55:15.882142187 +0800
-+++ scap-security-guide-0.1.68/cmake/FindPythonModule.cmake 2025-03-07 13:55:30.395348258 +0800
-@@ -8,7 +8,7 @@
- set(PY_${module}_FIND_REQUIRED TRUE)
- endif()
- if($ENV{SSG_USE_PIP_PACKAGES})
-- execute_process(COMMAND "${PYTHON_EXECUTABLE}" "-c"
-+ execute_process(COMMAND "${Python_EXECUTABLE}" "-c"
- "import platform; print(''.join('python'+platform.python_version()[:-2]))"
- RESULT_VARIABLE _python_version_status
- OUTPUT_VARIABLE _python_version
-@@ -20,7 +20,7 @@
- endif()
- # A module's location is usually a directory, but for binary modules
- # it's a .so file.
-- execute_process(COMMAND "${PYTHON_EXECUTABLE}" "-c"
-+ execute_process(COMMAND "${Python_EXECUTABLE}" "-c"
- "import re, ${module}; print(re.compile('/__init__.py.*').sub('',${module}.__file__))"
- RESULT_VARIABLE _${module}_status
- OUTPUT_VARIABLE _${module}_location
---- scap-security-guide-0.1.68/cmake/SSGCommon.cmake.orig 2025-03-07 13:55:48.905611080 +0800
-+++ scap-security-guide-0.1.68/cmake/SSGCommon.cmake 2025-03-07 13:56:08.803893612 +0800
-@@ -79,7 +79,7 @@
- macro(ssg_build_man_page)
- add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/scap-security-guide.8"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/generate_man_page.py" --template "${CMAKE_SOURCE_DIR}/docs/man_page_template.jinja" --input_dir "${CMAKE_BINARY_DIR}" --output "${CMAKE_BINARY_DIR}/scap-security-guide.8"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/generate_man_page.py" --template "${CMAKE_SOURCE_DIR}/docs/man_page_template.jinja" --input_dir "${CMAKE_BINARY_DIR}" --output "${CMAKE_BINARY_DIR}/scap-security-guide.8"
- COMMENT "[man-page] generating man page"
- )
- add_custom_target(
-@@ -96,7 +96,7 @@
-
- add_custom_command(
- OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/product.yml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/compile_product.py" --product-yaml "${CMAKE_SOURCE_DIR}/products/${PRODUCT}/product.yml" --compiled-product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/compile_product.py" --product-yaml "${CMAKE_SOURCE_DIR}/products/${PRODUCT}/product.yml" --compiled-product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml"
- COMMENT "[${PRODUCT}-content] compiling product yaml"
- )
-
-@@ -104,7 +104,7 @@
- add_custom_command(
- OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/profiles"
- COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_CURRENT_BINARY_DIR}/profiles"
--
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/compile_all.py" --resolved-base "${CMAKE_CURRENT_BINARY_DIR}" --controls-dir "${CMAKE_SOURCE_DIR}/controls" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --sce-metadata "${CMAKE_CURRENT_BINARY_DIR}/checks/sce/metadata.json"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/compile_all.py" --resolved-base "${CMAKE_CURRENT_BINARY_DIR}" --controls-dir "${CMAKE_SOURCE_DIR}/controls" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --sce-metadata "${CMAKE_CURRENT_BINARY_DIR}/checks/sce/metadata.json"
- DEPENDS generate-internal-${PRODUCT}-sce-metadata.json
- DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/product.yml"
- COMMENT "[${PRODUCT}-content] compiling everything"
-@@ -113,7 +113,7 @@
- add_custom_command(
- OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/profiles"
- COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_CURRENT_BINARY_DIR}/profiles"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/compile_all.py" --resolved-base "${CMAKE_CURRENT_BINARY_DIR}" --controls-dir "${CMAKE_SOURCE_DIR}/controls" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --sce-metadata "${CMAKE_CURRENT_BINARY_DIR}/checks/sce/metadata.json" --stig-references "${STIG_REFERENCE_FILE}"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/compile_all.py" --resolved-base "${CMAKE_CURRENT_BINARY_DIR}" --controls-dir "${CMAKE_SOURCE_DIR}/controls" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --sce-metadata "${CMAKE_CURRENT_BINARY_DIR}/checks/sce/metadata.json" --stig-references "${STIG_REFERENCE_FILE}"
- DEPENDS
generate-internal-${PRODUCT}-sce-metadata.json
- DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/product.yml"
- COMMENT "[${PRODUCT}-content] compiling everything"
-@@ -130,7 +130,7 @@
- OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
- OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-oval.xml"
- OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_xccdf.py" --resolved-base "${CMAKE_CURRENT_BINARY_DIR}" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --xccdf "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" --oval "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-oval.xml" --ocil "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_xccdf.py" --resolved-base "${CMAKE_CURRENT_BINARY_DIR}" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --xccdf "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" --oval "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-oval.xml" --ocil "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml"
- COMMAND sync
- DEPENDS ${PRODUCT}-compile-all
- DEPENDS generate-internal-${PRODUCT}-all-fixes
-@@ -153,7 +153,7 @@
- set(BUILD_REMEDIATIONS_DIR "${CMAKE_CURRENT_BINARY_DIR}/fixes_from_templates")
- add_custom_command(
- OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/templated-content-${PRODUCT}"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_templated_content.py" --resolved-rules-dir "${CMAKE_CURRENT_BINARY_DIR}/rules" --templates-dir "${SSG_SHARED}/templates" --platforms-dir "${CMAKE_CURRENT_BINARY_DIR}/platforms" --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items" --checks-dir "${BUILD_CHECKS_DIR}" --remediations-dir "${BUILD_REMEDIATIONS_DIR}" --build-config-yaml
"${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_templated_content.py" --resolved-rules-dir "${CMAKE_CURRENT_BINARY_DIR}/rules" --templates-dir "${SSG_SHARED}/templates" --platforms-dir "${CMAKE_CURRENT_BINARY_DIR}/platforms" --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items" --checks-dir "${BUILD_CHECKS_DIR}" --remediations-dir "${BUILD_REMEDIATIONS_DIR}" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml"
- COMMAND ${CMAKE_COMMAND} -E touch "${CMAKE_CURRENT_BINARY_DIR}/templated-content-${PRODUCT}"
- # Actually we mean that it depends on resolved rules.
- DEPENDS ${PRODUCT}-compile-all
-@@ -172,7 +172,7 @@
- endforeach()
- add_custom_command(
- OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/collect-remediations-${PRODUCT}"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/collect_remediations.py" --resolved-rules-dir "${CMAKE_CURRENT_BINARY_DIR}/rules" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" ${REMEDIATION_TYPE_OPTIONS} --output-dir "${CMAKE_CURRENT_BINARY_DIR}/fixes" --fixes-from-templates-dir "${BUILD_REMEDIATIONS_DIR}" --platforms-dir "${CMAKE_CURRENT_BINARY_DIR}/platforms" --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/collect_remediations.py" --resolved-rules-dir "${CMAKE_CURRENT_BINARY_DIR}/rules" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" ${REMEDIATION_TYPE_OPTIONS} --output-dir "${CMAKE_CURRENT_BINARY_DIR}/fixes" --fixes-from-templates-dir "${BUILD_REMEDIATIONS_DIR}" --platforms-dir "${CMAKE_CURRENT_BINARY_DIR}/platforms" --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items"
- COMMAND ${CMAKE_COMMAND} -E touch "${CMAKE_CURRENT_BINARY_DIR}/collect-remediations-${PRODUCT}"
- # Acutally we mean that it depends on resolved rules.
- DEPENDS ${PRODUCT}-compile-all
-@@ -199,7 +199,7 @@
- set(ANSIBLE_PLAYBOOKS_DIR "${CMAKE_CURRENT_BINARY_DIR}/playbooks")
- add_custom_command(
- OUTPUT "${ANSIBLE_PLAYBOOKS_DIR}"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_rule_playbooks.py" --input-dir "${CMAKE_CURRENT_BINARY_DIR}/fixes/ansible" --ssg-root "${CMAKE_SOURCE_DIR}" --product "${PRODUCT}" --resolved-rules-dir "${CMAKE_CURRENT_BINARY_DIR}/rules" --resolved-profiles-dir "${CMAKE_CURRENT_BINARY_DIR}/profiles" --output-dir "${ANSIBLE_PLAYBOOKS_DIR}" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_rule_playbooks.py" --input-dir "${CMAKE_CURRENT_BINARY_DIR}/fixes/ansible" --ssg-root "${CMAKE_SOURCE_DIR}" --product "${PRODUCT}" --resolved-rules-dir "${CMAKE_CURRENT_BINARY_DIR}/rules" --resolved-profiles-dir "${CMAKE_CURRENT_BINARY_DIR}/profiles" --output-dir "${ANSIBLE_PLAYBOOKS_DIR}" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml"
- DEPENDS generate-internal-${PRODUCT}-all-fixes
- COMMENT "[${PRODUCT}-content] Generating Ansible Playbooks"
- )
-@@ -209,13 +209,13 @@
- )
- add_test(
- NAME "${PRODUCT}-ansible-playbooks-generated-for-all-rules"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/tests/ansible_playbooks_generated_for_all_rules.py" --build-dir "${CMAKE_BINARY_DIR}" --product "${PRODUCT}"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/tests/ansible_playbooks_generated_for_all_rules.py" --build-dir "${CMAKE_BINARY_DIR}" --product "${PRODUCT}"
- )
- set_tests_properties("${PRODUCT}-ansible-playbooks-generated-for-all-rules" PROPERTIES LABELS quick)
- if("${PRODUCT}" MATCHES "rhel")
- add_test(
- NAME
"${PRODUCT}-ansible-assert-playbooks-schema"
-- COMMAND sh -c "${PYTHON_EXECUTABLE} $@" _ "${CMAKE_SOURCE_DIR}/tests/assert_ansible_schema.py" ${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/all/*
-+ COMMAND sh -c "${Python_EXECUTABLE} $@" _ "${CMAKE_SOURCE_DIR}/tests/assert_ansible_schema.py" ${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/all/*
- )
- endif()
- endmacro()
-@@ -272,7 +272,7 @@
- set(OVAL_COMBINE_PATHS "${SSG_SHARED}/checks/oval" "${BUILD_CHECKS_DIR}/oval")
- add_custom_command(
- OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/combine_ovals.py" --include-benchmark --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --output "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml" --build-ovals-dir "${CMAKE_CURRENT_BINARY_DIR}/checks/oval" ${OVAL_COMBINE_PATHS}
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/combine_ovals.py" --include-benchmark --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --output "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml" --build-ovals-dir "${CMAKE_CURRENT_BINARY_DIR}/checks/oval" ${OVAL_COMBINE_PATHS}
- COMMAND "${XMLLINT_EXECUTABLE}" --format --output "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml" "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml"
- DEPENDS generate-internal-templated-content-${PRODUCT}
- COMMENT "[${PRODUCT}-content] generating oval-unlinked.xml"
-@@ -286,7 +286,7 @@
- macro(ssg_build_cpe_oval_unlinked PRODUCT)
- add_custom_command(
- OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/cpe-oval-unlinked.xml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/combine_ovals.py" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --output
"${CMAKE_CURRENT_BINARY_DIR}/cpe-oval-unlinked.xml" --build-ovals-dir "${CMAKE_CURRENT_BINARY_DIR}/checks/oval" "${CMAKE_CURRENT_BINARY_DIR}/checks_from_templates/cpe-oval" "${SSG_SHARED}/checks/oval" "${SSG_SHARED}/applicability/oval"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/combine_ovals.py" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --output "${CMAKE_CURRENT_BINARY_DIR}/cpe-oval-unlinked.xml" --build-ovals-dir "${CMAKE_CURRENT_BINARY_DIR}/checks/oval" "${CMAKE_CURRENT_BINARY_DIR}/checks_from_templates/cpe-oval" "${SSG_SHARED}/checks/oval" "${SSG_SHARED}/applicability/oval"
- COMMAND "${XMLLINT_EXECUTABLE}" --format --output "${CMAKE_CURRENT_BINARY_DIR}/cpe-oval-unlinked.xml" "${CMAKE_CURRENT_BINARY_DIR}/cpe-oval-unlinked.xml"
- DEPENDS generate-internal-templated-content-${PRODUCT}
- COMMENT "[${PRODUCT}-content] generating cpe-oval-unlinked.xml"
-@@ -319,7 +319,7 @@
- # the XCCDF, so we'd have a dependency circle.
- add_custom_command(
- OUTPUT "${BUILD_CHECKS_DIR}/sce/metadata.json"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_sce.py" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --templates-dir "${SSG_SHARED}/templates" --output "${BUILD_CHECKS_DIR}/sce" ${SCE_COMBINE_PATHS}
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_sce.py" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --templates-dir "${SSG_SHARED}/templates" --output "${BUILD_CHECKS_DIR}/sce" ${SCE_COMBINE_PATHS}
- COMMENT "[${PRODUCT}-content] generating sce/metadata.json"
- DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/product.yml"
- )
-@@ -352,7 +352,7 @@
- add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/cpe_generate.py" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items" ssg "${CMAKE_BINARY_DIR}" "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" "${CMAKE_CURRENT_BINARY_DIR}/cpe-oval-unlinked.xml"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/cpe_generate.py" --product-yaml "${CMAKE_CURRENT_BINARY_DIR}/product.yml" --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items" ssg "${CMAKE_BINARY_DIR}" "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" "${CMAKE_CURRENT_BINARY_DIR}/cpe-oval-unlinked.xml"
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
"${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
- DEPENDS generate-${PRODUCT}-xccdf-oval-ocil
-@@ -445,7 +445,7 @@
- add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/compose_ds.py" --xccdf "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" --oval "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-oval.xml" --ocil "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml" --cpe-dict "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" --cpe-oval "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" --output-12 "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" --output-13 "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" ${COMPOSE_EXTRA_ARGS}
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/compose_ds.py" --xccdf "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" --oval "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-oval.xml" --ocil "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml" --cpe-dict "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" --cpe-oval "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" --output-12 "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" --output-13 "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" ${COMPOSE_EXTRA_ARGS}
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- DEPENDS generate-ssg-${PRODUCT}-xccdf.xml
-@@ -462,7 +462,7 @@
- else()
- add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/compose_ds.py" --xccdf "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" --oval "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-oval.xml" --ocil
"${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml" --cpe-dict "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" --cpe-oval "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" --output-13 "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" ${COMPOSE_EXTRA_ARGS}
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/compose_ds.py" --xccdf "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" --oval "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-oval.xml" --ocil "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml" --cpe-dict "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" --cpe-oval "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" --output-13 "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" ${COMPOSE_EXTRA_ARGS}
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- DEPENDS generate-ssg-${PRODUCT}-xccdf.xml
- DEPENDS generate-ssg-${PRODUCT}-oval.xml
-@@ -486,12 +486,12 @@
- if("${PRODUCT}" MATCHES "sle(12|15)")
- add_test(
- NAME "missing-cces-${PRODUCT}"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/tests/missing_cces.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "-p anssi,hipaa,pci,stig"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/tests/missing_cces.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "-p anssi,hipaa,pci,stig"
- )
- else()
- add_test(
- NAME "missing-cces-${PRODUCT}"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/tests/missing_cces.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/tests/missing_cces.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- )
- endif()
- set_tests_properties("missing-cces-${PRODUCT}" PROPERTIES LABELS quick)
-@@ -531,7 +531,7 @@
- )
- add_test(
- NAME "verify-references-ssg-${PRODUCT}-ds.xml"
-- COMMAND env
"PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/verify_references.py" --rules-with-invalid-checks --base-dir "${CMAKE_BINARY_DIR}" --ovaldefs-unused "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/verify_references.py" --rules-with-invalid-checks --base-dir "${CMAKE_BINARY_DIR}" --ovaldefs-unused "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- )
- set_tests_properties("verify-references-ssg-${PRODUCT}-ds.xml" PROPERTIES LABELS quick)
- if("${PRODUCT}" MATCHES "rhel")
-@@ -542,7 +542,7 @@
- endif()
- add_test(
- NAME "missing-references-ssg-${PRODUCT}-ds.xml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${CMAKE_SOURCE_DIR}/tests/missing_refs.sh" "${PYTHON_EXECUTABLE}" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" ${REFERENCES_CHECK_PROFILE_LIST}
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${CMAKE_SOURCE_DIR}/tests/missing_refs.sh" "${Python_EXECUTABLE}" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" ${REFERENCES_CHECK_PROFILE_LIST}
- )
- set_tests_properties("missing-references-ssg-${PRODUCT}-ds.xml" PROPERTIES LABELS quick)
-
-@@ -550,7 +550,7 @@
- if(("${PRODUCT}" MATCHES "ubuntu2" OR "${PRODUCT}" MATCHES "rhel8") AND SSG_SCE_ENABLED)
- add_test(
- NAME "ds-sce-${PRODUCT}"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/tests/test_ds_sce.py" "${CMAKE_BINARY_DIR}" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/tests/test_ds_sce.py" "${CMAKE_BINARY_DIR}" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- )
- endif()
- endmacro()
-@@ -561,7 +561,7 @@
- add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/guides/ssg-${PRODUCT}-guide-index.html"
- COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/guides"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_all_guides.py" --input
"${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/guides" build
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_all_guides.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/guides" build
- DEPENDS generate-ssg-${PRODUCT}-ds.xml
- COMMENT "[${PRODUCT}-guides] generating HTML guides for all profiles in ssg-${PRODUCT}-ds.xml"
- )
-@@ -581,7 +581,7 @@
- add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/bash/all-profile-bash-scripts-${PRODUCT}"
- COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/bash"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_profile_remediations.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/bash" --template "urn:xccdf:fix:script:sh" --extension "sh" build
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_profile_remediations.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/bash" --template "urn:xccdf:fix:script:sh" --extension "sh" build
- COMMAND ${CMAKE_COMMAND} -E touch "${CMAKE_BINARY_DIR}/bash/all-profile-bash-scripts-${PRODUCT}"
- DEPENDS generate-ssg-${PRODUCT}-ds.xml
- COMMENT "[${PRODUCT}-bash-scripts] generating Bash remediation scripts for all profiles in ssg-${PRODUCT}-ds.xml"
-@@ -598,7 +598,7 @@
- add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/ansible/all-profile-playbooks-${PRODUCT}"
- COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/ansible"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_profile_remediations.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ansible" --template "urn:xccdf:fix:script:ansible" --extension "yml" build
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}"
"${SSG_BUILD_SCRIPTS}/build_profile_remediations.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ansible" --template "urn:xccdf:fix:script:ansible" --extension "yml" build
- COMMAND ${CMAKE_COMMAND} -E touch "${CMAKE_BINARY_DIR}/ansible/all-profile-playbooks-${PRODUCT}"
- DEPENDS generate-ssg-${PRODUCT}-ds.xml
- COMMENT "[${PRODUCT}-playbooks] generating Ansible Playbooks for all profiles in ssg-${PRODUCT}-ds.xml"
-@@ -615,13 +615,13 @@
- macro(ssg_make_stats_for_product PRODUCT)
- add_custom_target(${PRODUCT}-stats
- COMMAND ${CMAKE_COMMAND} -E echo "Benchmark statistics for '${PRODUCT}':"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/profile_tool.py" stats --benchmark "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --profile all
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/profile_tool.py" stats --benchmark "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --profile all
- DEPENDS generate-ssg-${PRODUCT}-ds.xml
- COMMENT "[${PRODUCT}-stats] generating benchmark statistics"
- )
- add_custom_target(${PRODUCT}-profile-stats
- COMMAND ${CMAKE_COMMAND} -E echo "Per profile statistics for '${PRODUCT}':"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/profile_tool.py" stats --benchmark "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/profile_tool.py" stats --benchmark "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- DEPENDS generate-ssg-${PRODUCT}-ds.xml
- COMMENT "[${PRODUCT}-profile-stats] generating per profile statistics"
- )
-@@ -630,12 +630,12 @@
- # As above
- macro(ssg_make_html_stats_for_product PRODUCT)
- add_custom_target(${PRODUCT}-html-stats
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/profile_tool.py" stats --format html --benchmark "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
--profile all --output "${CMAKE_BINARY_DIR}/${PRODUCT}/product-statistics/"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/profile_tool.py" stats --format html --benchmark "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --profile all --output "${CMAKE_BINARY_DIR}/${PRODUCT}/product-statistics/"
- DEPENDS generate-ssg-${PRODUCT}-ds.xml
- COMMENT "[${PRODUCT}-html-stats] generating benchmark html statistics"
- )
- add_custom_target(${PRODUCT}-html-profile-stats
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/profile_tool.py" stats --format html --benchmark "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/profile-statistics/"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/profile_tool.py" stats --format html --benchmark "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/profile-statistics/"
- DEPENDS generate-ssg-${PRODUCT}-ds.xml
- COMMENT "[${PRODUCT}-html-profile-stats] generating per profile html statistics"
- )
-@@ -645,7 +645,7 @@
- foreach(CONTROL_FILE IN LISTS CONTROL_FILES)
- add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/rendered-policies/${CONTROL_FILE}.html"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_UTILS_SCRIPTS}/render-policy.py" --build-dir "${CMAKE_BINARY_DIR}" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/rendered-policies/${CONTROL_FILE}.html" ${PRODUCT} "${CMAKE_SOURCE_DIR}/controls/${CONTROL_FILE}.yml"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_UTILS_SCRIPTS}/render-policy.py" --build-dir "${CMAKE_BINARY_DIR}" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/rendered-policies/${CONTROL_FILE}.html" ${PRODUCT} "${CMAKE_SOURCE_DIR}/controls/${CONTROL_FILE}.yml"
- DEPENDS generate-ssg-${PRODUCT}-ds.xml
- COMMENT "[${PRODUCT}-render-policy-${CONTROL_FILE}] generating rendered policy for
${CONTROL_FILE}" - ) -@@ -660,7 +660,7 @@ - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/tables/tables-${PRODUCT}-all.html" - COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_tables.py" --build-dir "${CMAKE_BINARY_DIR}" --output-type html --output "${CMAKE_BINARY_DIR}/tables/tables-${PRODUCT}-all.html" "${PRODUCT}" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_tables.py" --build-dir "${CMAKE_BINARY_DIR}" --output-type html --output "${CMAKE_BINARY_DIR}/tables/tables-${PRODUCT}-all.html" "${PRODUCT}" - # Actually we mean that it depends on resolved rules - see also ssg_build_templated_content - DEPENDS ${PRODUCT}-compile-all - ) -@@ -674,7 +674,7 @@ - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml" - COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --root "${CMAKE_SOURCE_DIR}" --product "${PRODUCT}" --manual "${DISA_SCAP_REF}" --profile "${PROFILE}" --reference "stigid" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml" --quiet --build-root ${CMAKE_BINARY_DIR} --resolved-rules-dir -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --root "${CMAKE_SOURCE_DIR}" --product "${PRODUCT}" --manual "${DISA_SCAP_REF}" --profile "${PROFILE}" --reference "stigid" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml" --quiet --build-root ${CMAKE_BINARY_DIR} --resolved-rules-dir - DEPENDS "${PRODUCT}-content" - COMMENT "[${PRODUCT}-generate-ssg-delta] generating disa tailoring file" - ) -@@ -909,7 +909,7 @@ - - 
add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-xccdf.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-xccdf.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-xccdf.xml" "${CMAKE_CURRENT_BINARY_DIR}/product.yml" ${DERIVATIVE} --id-name ssg --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-xccdf.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-xccdf.xml" "${CMAKE_CURRENT_BINARY_DIR}/product.yml" ${DERIVATIVE} --id-name ssg --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items" - DEPENDS generate-ssg-${ORIGINAL}-xccdf.xml - DEPENDS ${PRODUCT}-compile-all - COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-xccdf.xml" -@@ -921,7 +921,7 @@ - - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_BINARY_DIR}/product.yml" ${DERIVATIVE} --id-name ssg --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_BINARY_DIR}/product.yml" ${DERIVATIVE} --id-name ssg --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items" - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" - DEPENDS generate-ssg-${ORIGINAL}-ds.xml - DEPENDS 
${PRODUCT}-compile-all -@@ -935,7 +935,7 @@ - if (SSG_BUILD_SCAP_12_DS) - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_BINARY_DIR}/product.yml" ${DERIVATIVE} --id-name ssg --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_BINARY_DIR}/product.yml" ${DERIVATIVE} --id-name ssg --cpe-items-dir "${CMAKE_CURRENT_BINARY_DIR}/cpe_items" - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" - DEPENDS generate-ssg-${ORIGINAL}-ds.xml - DEPENDS ${PRODUCT}-compile-all -@@ -1066,7 +1066,7 @@ - add_custom_command( - OUTPUT ${OUTPUTS_LIST} - COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_multiple_reference_tables.py" --build-dir "${CMAKE_BINARY_DIR}" "${PRODUCT}" "${CMAKE_BINARY_DIR}/tables/${OUTPUT_TEMPLATE}.html" ${REFERENCES} -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_multiple_reference_tables.py" --build-dir "${CMAKE_BINARY_DIR}" "${PRODUCT}" "${CMAKE_BINARY_DIR}/tables/${OUTPUT_TEMPLATE}.html" ${REFERENCES} - DEPENDS ${PRODUCT}-compile-all - COMMENT "[${PRODUCT}-tables] generating HTML refs table for ${REFS_STR} references" - ) -@@ -1089,7 +1089,7 @@ - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/tables/${BASENAME}.html" - COMMAND 
"${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_profile_table.py" --build-dir "${CMAKE_BINARY_DIR}" --output "${CMAKE_BINARY_DIR}/tables/${BASENAME}.html" "${PRODUCT}" "${REFERENCE}" "${PROFILE}" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_profile_table.py" --build-dir "${CMAKE_BINARY_DIR}" --output "${CMAKE_BINARY_DIR}/tables/${BASENAME}.html" "${PRODUCT}" "${REFERENCE}" "${PROFILE}" - DEPENDS ${PRODUCT}-compile-all - COMMENT "[${PRODUCT}-tables] generating HTML refs table for ${PROFILE} profile" - ) -@@ -1136,7 +1136,7 @@ - OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" - OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html" - COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_srg_table.py" --build-dir "${CMAKE_BINARY_DIR}" "${PRODUCT}" "${SSG_SHARED_REFS}/disa-os-srg-v2r3.xml" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_srg_table.py" --build-dir "${CMAKE_BINARY_DIR}" "${PRODUCT}" "${SSG_SHARED_REFS}/disa-os-srg-v2r3.xml" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html" - DEPENDS ${PRODUCT}-compile-all - COMMENT "[${PRODUCT}-tables] generating HTML SRG map tables" - ) -@@ -1163,14 +1163,14 @@ - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig-manual.html" - COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_stig_table.py" "${DISA_STIG_REF}" 
"${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig-manual.html" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_stig_table.py" "${DISA_STIG_REF}" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig-manual.html" - DEPENDS "${DISA_STIG_REF}" - COMMENT "[${PRODUCT}-tables] generating HTML MANUAL STIG table" - ) - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml" - COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create-stig-overlay.py" --quiet --disa-xccdf="${DISA_STIG_REF}" --ssg-xccdf="${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" -o "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create-stig-overlay.py" --quiet --disa-xccdf="${DISA_STIG_REF}" --ssg-xccdf="${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" -o "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml" - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" - DEPENDS "${DISA_STIG_REF}" - COMMENT "[${PRODUCT}-tables] generating STIG XML overlay" -@@ -1188,7 +1188,7 @@ - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig.html" - COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_stig_table.py" "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig.html" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_stig_table.py" "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig.html" - DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml" - COMMENT "[${PRODUCT}-tables] generating HTML STIG table" 
- ) -@@ -1212,7 +1212,7 @@ - macro(rule_dir_json) - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/rule_dirs.json" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/rule_dir_json.py" "--root" "${CMAKE_SOURCE_DIR}" "--output" "${CMAKE_BINARY_DIR}/rule_dirs.json" --quiet -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/rule_dir_json.py" "--root" "${CMAKE_SOURCE_DIR}" "--output" "${CMAKE_BINARY_DIR}/rule_dirs.json" --quiet - COMMENT "[rule-dir-json] creating build/rule_dirs.json" - ) - add_custom_target( -@@ -1229,7 +1229,7 @@ - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - DEPENDS "${CMAKE_BINARY_DIR}/rule_dirs.json" - COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/${PRODUCT}" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_srg_export.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_BINARY_DIR}/rule_dirs.json" --control "${CMAKE_SOURCE_DIR}/controls/${CONTROL}.yml" --product "${PRODUCT}" --out-format xlsx --output "${CMAKE_BINARY_DIR}/${PRODUCT}/${PRODUCT}_${CONTROL}_srg_export.xlsx" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_srg_export.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_BINARY_DIR}/rule_dirs.json" --control "${CMAKE_SOURCE_DIR}/controls/${CONTROL}.yml" --product "${PRODUCT}" --out-format xlsx --output "${CMAKE_BINARY_DIR}/${PRODUCT}/${PRODUCT}_${CONTROL}_srg_export.xlsx" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" - COMMENT "[${PRODUCT}-tables] generating XLSX SRG Export" - ) - add_custom_target( 
diff --git a/scap-security-guide-0.1.68.tar.bz2 b/scap-security-guide-0.1.77.tar.bz2
similarity index 44%
rename from scap-security-guide-0.1.68.tar.bz2
rename to scap-security-guide-0.1.77.tar.bz2
index c769fc2437209cfb8f21299a23a238093d770ffb..a1c6f81dca0e921652f296244b9d1852e6a517d0 100644
Binary files a/scap-security-guide-0.1.68.tar.bz2 and b/scap-security-guide-0.1.77.tar.bz2 differ
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 0ce81f0968c7421c028d96d63548ccab40f14ce5..043eaab87e40c2263b1f1bc5a7b2d131a402bfff 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -2,19 +2,20 @@
 %global _vpath_builddir build
 Name: scap-security-guide
-Version: 0.1.68
-Release: 8
+Version: 0.1.77
+Release: 1
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
-Patch0001: add-openeuler-support.patch
-Patch0002: add-openeuler-control-rules.patch
-Patch0003: optimize-rules-for-openEuler.patch
-Patch0004: add-openeuler-automatic-hardening.patch
-Patch0005: scap-is-modified-to-be-consistent-with-the-specif.patch
-Patch0006: scap-security-guide-0.1.68-port-to-newer-cmake.patch
+Patch0001: add-openeuler-support.patch
+Patch0002: add-openeuler-control-rules.patch
+Patch0003: optimize-rules-for-openEuler.patch
+Patch0004: add-openeuler-automatic-hardening.patch
+Patch0005: scap-is-modified-to-be-consistent-with-the-specif.patch
+Patch0006: remove-rule-audit_privilege_escalation_command.patch
+Patch0007: remove-oval_sshd_config.patch
 BuildArch: noarch
 BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.12, python3-jinja2, python3-PyYAML
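Review bot: The Patch list drops `Patch0006: scap-security-guide-0.1.68-port-to-newer-cmake.patch` and adds `Patch0006: remove-rule-audit_privilege_escalation_command.patch` and `Patch0007: remove-oval_sshd_config.patch`, but nothing in the spec records why, and the new 0.1.77 changelog entry only says the version was updated. Dropping the cmake port is presumably fine if the 0.1.77 tarball already builds with the `cmake >= 3.12` requirement kept here, but that should be stated rather than left for the reader to infer from the previous `0.1.68-8` entry. Judging by their names, the two new patches appear to remove an audit rule and an OVAL check from the shipped content, which would change what a scan of this package reports, so downstream consumers need that called out. A changelog line such as `- Drop port-to-newer-cmake patch (no longer needed), add patches removing audit_privilege_escalation_command rule and oval_sshd_config` under the 0.1.77-1 entry would cover it.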
@@ -69,6 +70,9 @@ rm -f %{buildroot}%{_docdir}/%{name}/LICENSE
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Mon Apr 28 2025 wangkai <13474090681@163.com> - 0.1.77-1
+- Update to 0.1.77
+
 * Fri Mar 07 2025 Funda Wang - 0.1.68-8
 - fix build with cmake 4.0