diff --git a/Support-for-2509-configuration-check.patch b/Support-for-2509-configuration-check.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f25d7216a4a7db14f072035f29a1dd6a4053612c
--- /dev/null
+++ b/Support-for-2509-configuration-check.patch
@@ -0,0 +1,2196 @@
+From 517ce3c78134a5189f6f4251f34c3424f7c6c4d1 Mon Sep 17 00:00:00 2001
+From: jinlun
+Date: Wed, 3 Sep 2025 11:42:46 +0800
+Subject: [PATCH] Support for 2509 configuration check
+
+---
+ CMakeLists.txt | 5 +
+ build_product | 1 +
+ controls/std_openeuler2509.yml | 1978 +++++++++++++++++
+ products/openeuler2509/CMakeLists.txt | 6 +
+ products/openeuler2509/product.yml | 30 +
+ .../openeuler2509/profiles/standard.profile | 14 +
+ .../openeuler2509/transforms/constants.xslt | 9 +
+ .../oval/installed_OS_is_openeuler2509.xml | 26 +
+ ssg/constants.py | 4 +-
+ 9 files changed, 2072 insertions(+), 1 deletion(-)
+ create mode 100644 controls/std_openeuler2509.yml
+ create mode 100644 products/openeuler2509/CMakeLists.txt
+ create mode 100644 products/openeuler2509/product.yml
+ create mode 100644 products/openeuler2509/profiles/standard.profile
+ create mode 100644 products/openeuler2509/transforms/constants.xslt
+ create mode 100644 shared/checks/oval/installed_OS_is_openeuler2509.xml
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index a3101424..a002c393 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -108,6 +108,7 @@ option(SSG_PRODUCT_OL9 "If enabled, the Oracle Linux 9 SCAP content will be buil
+ option(SSG_PRODUCT_OL10 "If enabled, the Oracle Linux 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_OPENEMBEDDED "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
++option(SSG_PRODUCT_OPENEULER2509 "If enabled, the openEuler 25.09 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" 
${SSG_PRODUCT_DEFAULT})
+@@ -347,6 +348,7 @@ message(STATUS "Oracle Linux 9: ${SSG_PRODUCT_OL9}")
+ message(STATUS "Oracle Linux 10: ${SSG_PRODUCT_OL10}")
+ message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OPENEMBEDDED}")
+ message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}")
++message(STATUS "openEuler 25.09 LTS: ${SSG_PRODUCT_OPENEULER2509}")
+ message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
+ message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
+ message(STATUS "RHEL 9: ${SSG_PRODUCT_RHEL9}")
+@@ -452,6 +454,9 @@ endif()
+ if(SSG_PRODUCT_OPENEULER2203)
+ add_subdirectory("products/openeuler2203" "openeuler2203")
+ endif()
++if(SSG_PRODUCT_OPENEULER2509)
++ add_subdirectory("products/openeuler2509" "openeuler2509")
++endif()
+ if(SSG_PRODUCT_OPENSUSE)
+ add_subdirectory("products/opensuse" "opensuse")
+ endif()
+diff --git a/build_product b/build_product
+index 90b25237..ef353b85 100755
+--- a/build_product
++++ b/build_product
+@@ -382,6 +382,7 @@ all_cmake_products=(
+ OL10
+ OPENEMBEDDED
+ OPENEULER2203
++ OPENEULER2509
+ OPENSUSE
+ RHCOS4
+ RHEL8
+diff --git a/controls/std_openeuler2509.yml b/controls/std_openeuler2509.yml
+new file mode 100644
+index 00000000..f2c5e083
+--- /dev/null
++++ b/controls/std_openeuler2509.yml
+@@ -0,0 +1,1978 @@
++---
++policy: 'Standard Benchmark for openEuler'
++title: 'Standard Benchmark for openEuler'
++id: std_openeuler2509
++version: '1.0'
++source: https://gitee.com/openeuler/security-committee/blob/master/secure-configuration-benchmark/release/
++levels:
++ - id: l1_server
++ - id: l2_server
++ inherits_from:
++ - l1_server
++
++controls:
++ - id: 1.1.1
++ title: Ensure All Files Have Owner And Group
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - no_files_unowned_by_user
++ - no_files_unowned_by_user.severity=high
++ - file_permissions_ungroupowned
++ - file_permissions_ungroupowned.severity=high
++
++ - id: 1.1.2
++ title: Ensure No Empty Symlink
++ levels:
++ - l1_server
++ status: automated
++ 
rules:
++ - file_empty_link_prohibit
++ - file_empty_link_prohibit.severity=high
++
++ - id: 1.1.3
++ title: Ensure No Hidden Executable Files
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - file_hidden_executable_prohibit
++ - file_hidden_executable_prohibit.severity=high
++
++ - id: 1.1.4
++ title: Ensure Sticky Set On Global Writable Folder
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - dir_perms_world_writable_sticky_bits
++ - dir_perms_world_writable_sticky_bits.severity=high
++
++ - id: 1.1.5
++ title: Ensure UMASK Correct
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - accounts_umask_etc_bashrc
++ - accounts_umask_etc_bashrc.severity=high
++ - var_accounts_user_umask=027
++
++ - id: 1.1.6
++ title: Ensure No Global Writable File
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - file_permissions_unauthorized_world_writable
++ - file_permissions_unauthorized_world_writable.severity=high
++
++ - id: 1.1.7
++ title: Umount Unnecessary File System
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - removed_unnecessary_file_mount
++ - removed_unnecessary_file_mount.severity=high
++
++ - id: 1.1.8
++ title: Ensure Mount As Readonly If No Need To Write
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - mount_only_no_modified_partitionsread
++ - mount_only_no_modified_partitionsread.severity=high
++
++ - id: 1.1.9
++ title: Ensure Mount As Nodev
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - mount_nodev_mode_partitions
++ - mount_nodev_mode_partitions.severity=high
++
++ - id: 1.1.10
++ title: Ensure Mount As Noexec
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - mount_noexec_mode_partitions
++ - mount_noexec_mode_partitions.severity=high
++
++ - id: 1.1.11
++ title: Ensure Mount As Noexec And Nodev For Removable Device
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - mount_option_noexec_removable_partitions
++ - 
mount_option_noexec_removable_partitions.severity=high
++ - mount_option_nodev_removable_partitions
++ - mount_option_nodev_removable_partitions.severity=high
++
++ - id: 1.1.12
++ title: Ensure Mount As Nosuid
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - mounted_nosuid_mode_partitions
++ - mounted_nosuid_mode_partitions.severity=high
++
++ - id: 1.1.13
++ title: Ensure Remove Unnecessary SUID And SGID
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - file_permissions_unauthorized_suid
++ - file_permissions_unauthorized_suid.severity=high
++ - file_permissions_unauthorized_sgid
++ - file_permissions_unauthorized_sgid.severity=high
++
++ - id: 1.1.14
++ title: Ensure File Permission Minimize
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - file_permission_minimum
++ - file_permission_minimum.severity=high
++
++ - id: 1.1.15
++ title: Ensure Ulinmit Correctly
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - file_opened_count_limited
++ - file_opened_count_limited.severity=high
++
++ - id: 1.1.16
++ title: Ensure Symlinks And Hardlinks Protected
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - sysctl_fs_protected_symlinks
++ - sysctl_fs_protected_symlinks.severity=high
++ - sysctl_fs_protected_hardlinks
++ - sysctl_fs_protected_hardlinks.severity=high
++
++ - id: 1.1.17
++ title: Ensure USB Disabled
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - kernel_module_usb-storage_disabled
++ - kernel_module_usb-storage_disabled.severity=low
++
++ - id: 1.1.18
++ title: Ensure Different Data Store In Different Partitions
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - partitions_manage_hard_drive_data
++ - partitions_manage_hard_drive_data.severity=high
++
++ - id: 1.1.19
++ title: Ensure LD_LIBRARY_PATH Correct
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - define_ld_lib_path_correctly
++ - define_ld_lib_path_correctly.severity=high
++
++ - id: 1.1.20
++ title: Ensure User PATH 
Correct
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - define_path_strictly
++ - define_path_strictly.severity=low
++
++ - id: 1.2.1
++ title: Ensure FTP Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - package_ftp_removed
++ - package_ftp_removed.severity=high
++
++ - id: 1.2.2
++ title: Ensure TFTP Server Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - package_tftp_removed
++ - package_tftp_removed.severity=high
++ - package_tftp-server_removed
++ - package_tftp-server_removed.severity=high
++
++ - id: 1.2.3
++ title: Ensure Telnet Server Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - package_telnet_removed
++ - package_telnet_removed.severity=high
++ - package_telnet-server_removed
++ - package_telnet-server_removed.severity=high
++
++ - id: 1.2.4
++ title: Ensure SNMP Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - package_net-snmp_removed
++ - package_net-snmp_removed.severity=high
++
++ - id: 1.2.5
++ title: Ensure Python2 Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - package_python2_removed
++ - package_python2_removed.severity=high
++
++ - id: 1.2.6
++ title: Ensure GPG Check Configured
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - ensure_gpgcheck_globally_activated
++ - ensure_gpgcheck_globally_activated.severity=high
++ - ensure_gpgcheck_never_disabled
++ - ensure_gpgcheck_never_disabled.severity=high
++
++ - id: 1.2.7
++ title: Ensure Debug-Shell Disabled
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - service_debug-shell_disabled
++ - service_debug-shell_disabled.severity=high
++
++ - id: 1.2.8
++ title: Ensure Rsync Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - service_rsyncd_disabled
++ - service_rsyncd_disabled.severity=high
++
++ - id: 1.2.9
++ title: Ensure Avahi Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - 
package_avahi_removed
++ - package_avahi_removed.severity=high
++
++ - id: 1.2.10
++ title: Ensure LDAP Server Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - package_openldap-servers_removed
++ - package_openldap-servers_removed.severity=high
++
++ - id: 1.2.11
++ title: Ensure CUPS Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - package_cups_removed
++ - package_cups_removed.severity=high
++
++ - id: 1.2.12
++ title: Ensure NIS Server Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - package_ypserv_removed
++ - package_ypserv_removed.severity=high
++
++ - id: 1.2.13
++ title: Ensure NIS Client Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - package_ypbind_removed
++ - package_ypbind_removed.severity=high
++
++ - id: 1.2.14
++ title: Ensure LDAP Client Not Installed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - package_openldap-clients_removed
++ - package_openldap-clients_removed.severity=high
++
++ - id: 1.2.15
++ title: Ensure Network Sniffing Software Removed
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - network_sniffing_tools
++ - network_sniffing_tools.severity=high
++
++ - id: 1.2.16
++ title: Ensure Debug Tools Removed
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - debugging_tools
++ - debugging_tools.severity=high
++
++ - id: 1.2.17
++ title: Ensure Compiler Tools Removed
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - development_and_compliation_tools
++ - development_and_compliation_tools.severity=high
++
++ - id: 1.2.18
++ title: Ensure X Window Not Installed
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - xwindows_remove_packages
++ - xwindows_remove_packages.severity=low
++
++ - id: 1.2.19
++ title: Ensure Http Service Not Installed
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - package_httpd_removed
++ - package_httpd_removed.severity=low
++
++ - id: 1.2.20
++ 
title: Ensure Samba Service Not Installed
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - package_samba_removed
++ - package_samba_removed.severity=low
++
++ - id: 1.2.21
++ title: Ensure DNS Service Disabled
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - service_named_disabled
++ - service_named_disabled.severity=low
++
++ - id: 1.2.22
++ title: Ensure NFS Service Disabled
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - service_nfs_disabled
++ - service_nfs_disabled.severity=low
++
++ - id: 1.2.23
++ title: Ensure RPC Service Disabled
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - service_rpcbind_disabled
++ - service_rpcbind_disabled.severity=low
++
++ - id: 1.2.24
++ title: Ensure DHCP Service Disabled
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - service_dhcpd_disabled
++ - service_dhcpd_disabled.severity=low
++
++
++ - id: 2.1.1
++ title: Ensure All Login Accounts Are Necessary
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - login_accounts_are_necessary
++ - login_accounts_are_necessary.severity=high
++
++ - id: 2.1.2
++ title: Ensure No Unused Accounts
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - accounts_are_necessary
++ - accounts_are_necessary.severity=high
++
++ - id: 2.1.3
++ title: Ensure Different Accounts Have Different GroupID
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - account_unique_group_id
++ - account_unique_group_id.severity=high
++
++ - id: 2.1.4
++ title: Ensure Only Root's UID Is 0
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - accounts_no_uid_except_zero
++ - accounts_no_uid_except_zero.severity=high
++
++ - id: 2.1.5
++ title: Ensure Account Related Files Have Correct Permission
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - file_owner_etc_passwd
++ - file_owner_etc_passwd.severity=high
++ - file_groupowner_etc_passwd
++ - file_groupowner_etc_passwd.severity=high
++ - file_owner_etc_shadow
++ - 
file_owner_etc_shadow.severity=high
++ - file_groupowner_etc_shadow
++ - file_groupowner_etc_shadow.severity=high
++ - file_owner_etc_group
++ - file_owner_etc_group.severity=high
++ - file_groupowner_etc_group
++ - file_groupowner_etc_group.severity=high
++ - file_owner_etc_gshadow
++ - file_owner_etc_gshadow.severity=high
++ - file_groupowner_etc_gshadow
++ - file_groupowner_etc_gshadow.severity=high
++ - file_owner_backup_etc_passwd
++ - file_owner_backup_etc_passwd.severity=high
++ - file_groupowner_backup_etc_passwd
++ - file_groupowner_backup_etc_passwd.severity=high
++ - file_owner_backup_etc_shadow
++ - file_owner_backup_etc_shadow.severity=high
++ - file_groupowner_backup_etc_shadow
++ - file_groupowner_backup_etc_shadow.severity=high
++ - file_owner_backup_etc_group
++ - file_owner_backup_etc_group.severity=high
++ - file_groupowner_backup_etc_group
++ - file_groupowner_backup_etc_group.severity=high
++ - file_owner_backup_etc_gshadow
++ - file_owner_backup_etc_gshadow.severity=high
++ - file_groupowner_backup_etc_gshadow
++ - file_groupowner_backup_etc_gshadow.severity=high
++ - file_permissions_etc_passwd
++ - file_permissions_etc_passwd.severity=high
++ - file_permissions_etc_shadow
++ - file_permissions_etc_shadow.severity=high
++ - file_permissions_etc_group
++ - file_permissions_etc_group.severity=high
++ - file_permissions_etc_gshadow
++ - file_permissions_etc_gshadow.severity=high
++ - file_permissions_backup_etc_passwd
++ - file_permissions_backup_etc_passwd.severity=high
++ - file_permissions_backup_etc_shadow
++ - file_permissions_backup_etc_shadow.severity=high
++ - file_permissions_backup_etc_group
++ - file_permissions_backup_etc_group.severity=high
++ - file_permissions_backup_etc_gshadow
++ - file_permissions_backup_etc_gshadow.severity=high
++
++ - id: 2.1.6
++ title: Ensure All Accounts Have Own Home Folder
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - accounts_user_interactive_home_directory_exists
++ - 
accounts_user_interactive_home_directory_exists.severity=high
++
++ - id: 2.1.7
++ title: Ensure All Groups Existed
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - gid_passwd_group_same
++ - gid_passwd_group_same.severity=high
++
++ - id: 2.1.8
++ title: Ensure UID Unique
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - account_unique_id
++ - account_unique_id.severity=high
++
++ - id: 2.1.9
++ title: Ensure Account Name Unique
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - account_unique_name
++ - account_unique_name.severity=high
++
++ - id: 2.1.10
++ title: Ensure Group Unique ID
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - group_unique_id
++ - group_unique_id.severity=high
++
++ - id: 2.1.11
++ title: Ensure Group Unique Name
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - group_unique_name
++ - group_unique_name.severity=high
++
++ - id: 2.1.12
++ title: Ensure Account Expire Date Correct
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - account_temp_expire_date
++ - account_temp_expire_date.severity=low
++
++ - id: 2.1.13
++ title: Ensure No .forward Files In Home Folder
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - no_forward_files
++ - no_forward_files.severity=low
++
++ - id: 2.1.14
++ title: Ensure No .netrc Files In Home Folder
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - no_netrc_files
++ - no_netrc_files.severity=low
++
++ - id: 2.2.1
++ title: Ensure Set Correct Password Complexity
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - accounts_password_pam_minlen
++ - accounts_password_pam_minlen.severity=high
++ - var_password_pam_minlen=8
++ - accounts_password_pam_minclass
++ - accounts_password_pam_minclass.severity=high
++ - var_password_pam_minclass=3
++ - accounts_password_pam_retry
++ - accounts_password_pam_retry.severity=high
++ - var_password_pam_retry=3
++ - accounts_password_pam_dcredit
++ - 
accounts_password_pam_dcredit.severity=high
++ - var_password_pam_dcredit=0
++ - accounts_password_pam_ucredit
++ - accounts_password_pam_ucredit.severity=high
++ - var_password_pam_ucredit=0
++ - accounts_password_pam_lcredit
++ - accounts_password_pam_lcredit.severity=high
++ - var_password_pam_lcredit=0
++ - accounts_password_pam_ocredit
++ - accounts_password_pam_ocredit.severity=high
++ - var_password_pam_ocredit=0
++ - accounts_password_pam_enforce_root
++ - accounts_password_pam_enforce_root.severity=high
++
++ - id: 2.2.2
++ title: Ensure No History Password Used
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - accounts_password_pam_unix_remember
++ - accounts_password_pam_unix_remember.severity=high
++ - var_password_pam_unix_remember=5
++
++ - id: 2.2.3
++ title: Ensure Old Password Verified
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - verify_owner_password
++ - verify_owner_password.severity=high
++
++ - id: 2.2.4
++ title: Ensure Password Not Contain User Name
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - no_name_contained_in_password
++ - no_name_contained_in_password.severity=high
++
++ - id: 2.2.5
++ title: Ensure Using Strong Hash Algorithm To Encipher Password
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - set_password_hashing_algorithm_systemauth
++ - set_password_hashing_algorithm_systemauth.severity=high
++ - set_password_hashing_algorithm_passwordauth
++ - set_password_hashing_algorithm_passwordauth.severity=high
++ - var_password_hashing_algorithm_pam=sha512
++
++ - id: 2.2.6
++ title: Ensure Password Dictionary Correct
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - accounts_password_pam_dictcheck
++ - accounts_password_pam_dictcheck.severity=high
++
++ - id: 2.2.7
++ title: Ensure Password Expire Correct
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - accounts_maximum_age_login_defs
++ - accounts_maximum_age_login_defs.severity=high
++ - 
var_accounts_maximum_age_login_defs=90
++ - accounts_password_warn_age_login_defs
++ - accounts_password_warn_age_login_defs.severity=high
++ - var_accounts_password_warn_age_login_defs=7
++ - accounts_minimum_age_login_defs
++ - accounts_minimum_age_login_defs.severity=high
++ - var_accounts_minimum_age_login_defs=0
++
++ - id: 2.2.8
++ title: Ensure No Empty Password
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - sshd_disable_empty_passwords
++ - sshd_disable_empty_passwords.severity=high
++
++ - id: 2.2.9
++ title: Ensure Grub Password Set
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - grub2_password
++ - grub2_password.severity=high
++ - grub2_uefi_password
++ - grub2_uefi_password.severity=high
++
++ - id: 2.2.10
++ title: Ensure Password Set In Single User Mode
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - require_singleuser_auth
++ - require_singleuser_auth.severity=high
++ - require_emergency_target_auth
++ - require_emergency_target_auth.severity=high
++
++ - id: 2.2.11
++ title: Ensure Password Changed At First Login
++ levels:
++ - l1_server
++ status: manual
++ rules:
++ - first_logging_change_password
++ - first_logging_change_password.severity=high
++
++ - id: 2.3.1
++ title: Ensure Account Locked After Accessing Fail
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - accounts_passwords_pam_faillock_deny
++ - accounts_passwords_pam_faillock_deny.severity=high
++ - var_accounts_passwords_pam_faillock_deny=3
++ - accounts_passwords_pam_faillock_unlock_time
++ - accounts_passwords_pam_faillock_unlock_time.severity=high
++ - var_accounts_passwords_pam_faillock_unlock_time=300
++
++ - id: 2.3.2
++ title: Ensure TIMOUT Set Correct
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - accounts_tmout
++ - accounts_tmout.severity=high
++ - var_accounts_tmout=5_min
++
++ - id: 2.3.3
++ title: Ensure Warning Banners Correct
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - 
warning_banners
++ - warning_banners.severity=high
++ - file_groupowner_etc_issue
++ - file_groupowner_etc_issue.severity=high
++ - file_groupowner_etc_issue_net
++ - file_groupowner_etc_issue_net.severity=high
++ - file_groupowner_etc_motd
++ - file_groupowner_etc_motd.severity=high
++ - file_owner_etc_issue
++ - file_owner_etc_issue.severity=high
++ - file_owner_etc_issue_net
++ - file_owner_etc_issue_net.severity=high
++ - file_owner_etc_motd
++ - file_owner_etc_motd.severity=high
++ - file_permissions_etc_issue
++ - file_permissions_etc_issue.severity=high
++ - file_permissions_etc_issue_net
++ - file_permissions_etc_issue_net.severity=high
++ - file_permissions_etc_motd
++ - file_permissions_etc_motd.severity=high
++
++ - id: 2.3.4
++ title: Ensure Warning Path Correct
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - sshd_enable_warning_banner_net
++ - sshd_enable_warning_banner_net.severity=high
++
++ - id: 2.4.1
++ title: Ensure HISTSIZE Limited
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - historical_command_records_limited
++ - historical_command_records_limited.severity=low
++
++ - id: 2.4.2
++ title: Ensure SELinux Enforce
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - selinux_state
++ - selinux_state.severity=low
++
++ - id: 2.4.3
++ title: Ensure SELinux Configurate Correct
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - selinux_policytype
++ - selinux_policytype.severity=low
++
++ - id: 2.4.4
++ title: Ensure SU Usage Limited
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - use_pam_wheel_for_su
++ - use_pam_wheel_for_su.severity=high
++
++ - id: 2.4.5
++ title: Ensure Use Sudo To Run
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - sudo_restrict_privilege_elevation_to_authorized
++ - sudo_restrict_privilege_elevation_to_authorized.severity=high
++
++ - id: 2.4.6
++ title: Ensure No Files In /etc/sudoers Can Be Write By Low-privilege User
++ levels:
++ - l1_server
++ 
status: manual
++ rules:
++ - sudoers_disable_low_privileged_configure
++ - sudoers_disable_low_privileged_configure.severity=high
++
++ - id: 2.4.7
++ title: Ensure Low-privilege User Cannot Escalate By Pkexec
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - only_root_can_run_pkexec
++ - only_root_can_run_pkexec.severity=high
++
++ - id: 2.4.8
++ title: Ensure ALWAYS_SET_PATH Configurated
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - su_always_set_path
++ - su_always_set_path.severity=high
++
++ - id: 2.4.9
++ title: Ensure Root Can Not Login Local
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - diasable_root_accessing_system
++ - diasable_root_accessing_system.severity=low
++
++ - id: 2.4.10
++ title: Ensure Not Run Files wiht unconfined_service_t Flag
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - selinux_confinement_of_daemons
++ - selinux_confinement_of_daemons.severity=low
++
++ - id: 2.5.1
++ title: Ensure IMA Enabled
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - ima_verification
++ - ima_verification.severity=low
++
++ - id: 2.5.2
++ title: Ensure AIDE Enabled
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - package_aide_installed
++ - package_aide_installed.severity=low
++ - aide_build_database
++ - aide_build_database.severity=low
++
++ - id: 2.6.1
++ title: Ensure Haveged Enabled
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - service_haveged_enabled
++ - service_haveged_enabled.severity=low
++
++ - id: 2.6.2
++ title: Global Crypto Setting Correct
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - configure_crypto_policy
++ - configure_crypto_policy.severity=low
++
++
++ - id: 3.1.1
++ title: Ensure No Unusual Network Service
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - kernel_module_sctp_disabled
++ - kernel_module_sctp_disabled.severity=low
++ - kernel_module_tipc_disabled
++ - kernel_module_tipc_disabled.severity=low
++
++ - id: 
3.1.2
++ title: Ensure No WIFI
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - wireless_disable_interfaces
++ - wireless_disable_interfaces.severity=low
++
++ - id: 3.2.1
++ title: Ensure Firewalld Enabled
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - service_firewalld_enabled
++ - service_firewalld_enabled.severity=low
++
++ - id: 3.2.2
++ title: Ensure Firewalld Set Default Zone Correctly
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - set_firewalld_default_zone_openeuler
++ - set_firewalld_default_zone_openeuler.severity=low
++
++ - id: 3.2.3
++ title: Ensure Firewalld Set Correct Interface Zone
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - set_firewalld_appropriate_zone
++ - set_firewalld_appropriate_zone.severity=low
++
++ - id: 3.2.4
++ title: Ensure Unnecessary Service And Port Disabled
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - unnecessary_firewalld_services_ports_disabled
++ - unnecessary_firewalld_services_ports_disabled.severity=low
++
++ - id: 3.2.5
++ title: Ensure Iptables Enabled
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - service_iptables_enabled
++ - service_iptables_enabled.severity=low
++ - service_ip6tables_enabled
++ - service_ip6tables_enabled.severity=low
++
++ - id: 3.2.6
++ title: Ensure Iptables Default Refuse Rules Set
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - set_iptables_default_rule
++ - set_iptables_default_rule.severity=low
++
++ - id: 3.2.7
++ title: Ensure Iptables Loopback Rules Set
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - set_loopback_traffic
++ - set_loopback_traffic.severity=low
++ - set_ipv6_loopback_traffic
++ - set_ipv6_loopback_traffic.severity=low
++
++ - id: 3.2.8
++ title: Ensure Iptables Input Rules Set
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - iptables_input_policy_configured_corrently
++ - iptables_input_policy_configured_corrently.severity=low
++
++ - id: 3.2.9
++ title: 
Ensure Iptables Output Rules Set
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - iptables_output_policy_configured_corrently
++ - iptables_output_policy_configured_corrently.severity=low
++
++ - id: 3.2.10
++ title: Ensure Iptables Input Output Connection Rules Set
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - set_iptables_outbound_n_established
++ - set_iptables_outbound_n_established.severity=low
++
++ - id: 3.2.11
++ title: Ensure Nftables Enabled
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - service_nftables_enabled
++ - service_nftables_enabled.severity=low
++
++ - id: 3.2.12
++ title: Ensure Nftables Default Refuse Rules Set
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - nftables_ensure_default_deny_policy
++ - nftables_ensure_default_deny_policy.severity=low
++
++ - id: 3.2.13
++ title: Ensure Nftables Loopback Rules Set
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - set_nftables_loopback_traffic
++ - set_nftables_loopback_traffic.severity=low
++
++ - id: 3.2.14
++ title: Ensure Nftables Input Rules Set
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - nftables_input_policy_configured_corrently
++ - nftables_input_policy_configured_corrently.severity=low
++
++ - id: 3.2.15
++ title: Ensure Nftables Output Rules Set
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - nftables_output_policy_configured_corrently
++ - nftables_output_policy_configured_corrently.severity=low
++
++ - id: 3.2.16
++ title: Ensure Nftables Input Output Connection Rules Set
++ levels:
++ - l2_server
++ status: manual
++ rules:
++ - set_nftables_new_connections
++ - set_nftables_new_connections.severity=low
++
++ - id: 3.3.1
++ title: Ensure SSHd Protocol Version Is 2
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - sshd_allow_only_protocol2
++ - sshd_allow_only_protocol2.severity=high
++
++ - id: 3.3.2
++ title: Ensure SSHd Authentication Setting Correct
++ levels:
++ - l1_server
++ status: 
automated
++ rules:
++ - sshd_disable_rhosts
++ - sshd_disable_rhosts.severity=high
++ - disable_host_auth
++ - disable_host_auth.severity=high
++
++ - id: 3.3.3
++ title: Ensure SSHd Key Exchange Algorithm Correct
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - sshd_use_strong_kex
++ - sshd_use_strong_kex.severity=high
++ - sshd_strong_kex=std_openeuler
++
++ - id: 3.3.4
++ title: Ensure SSHd Pubkey Algorithm Correct
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - sshd_use_strong_pubkey
++ - sshd_use_strong_pubkey.severity=high
++
++ - id: 3.3.5
++ title: Ensure SSHd PAM Enabled
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - sshd_enable_pam
++ - sshd_enable_pam.severity=high
++
++ - id: 3.3.6
++ title: Ensure SSHd MACs Algorithm Correct
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - sshd_use_strong_macs
++ - sshd_use_strong_macs.severity=high
++
++ - id: 3.3.7
++ title: Ensure SSHd Ciphers Algorithm Correct
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - sshd_use_strong_ciphers
++ - sshd_use_strong_ciphers.severity=high
++
++ - id: 3.3.8
++ title: Ensure SSHd Ciphers Algorithm Not Overwritten
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - configure_ssh_crypto_policy
++ - configure_ssh_crypto_policy.severity=high
++
++ - id: 3.3.9
++ title: Ensure SSHd Forbid Root Login From Remote
++ levels:
++ - l1_server
++ status: automated
++ rules:
++ - sshd_disable_root_login
++ - sshd_disable_root_login.severity=low
++
++ - id: 3.3.10
++ title: Ensure SSHd Log Level Correct
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - sshd_set_loglevel_verbose
++ - sshd_set_loglevel_verbose.severity=low
++
++ - id: 3.3.11
++ title: Ensure SSHd Listen Address Set Correct
++ levels:
++ - l2_server
++ status: automated
++ rules:
++ - sshd_configure_correct_interface
++ - sshd_configure_correct_interface.severity=low
++
++ - id: 3.3.12
++ title: Ensure SSHd MaxStartups Correct
++ levels:
++ - 
l2_server ++ status: automated ++ rules: ++ - sshd_set_maxstartups ++ - sshd_set_maxstartups.severity=low ++ - var_sshd_set_maxstartups=10:30:60 ++ ++ - id: 3.3.13 ++ title: Ensure SSHd Maxsessions Correct ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - sshd_set_max_sessions ++ - sshd_set_max_sessions.severity=low ++ - var_sshd_max_sessions=10 ++ ++ - id: 3.3.14 ++ title: Ensure SSHd X11 Forwarding Forbidden ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sshd_disable_x11_forwarding ++ - sshd_disable_x11_forwarding.severity=high ++ ++ - id: 3.3.15 ++ title: Ensure SSHd MaxAuthTries Correct ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - sshd_set_max_auth_tries ++ - sshd_set_max_auth_tries.severity=low ++ - sshd_max_auth_tries_value=3 ++ ++ - id: 3.3.16 ++ title: Ensure SSHd PermitUserEnvironment Forbidden ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sshd_do_not_permit_user_env ++ - sshd_do_not_permit_user_env.severity=high ++ ++ - id: 3.3.17 ++ title: Ensure SSHd LoginGraceTime Correct ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - sshd_set_login_grace_time ++ - sshd_set_login_grace_time.severity=low ++ - var_sshd_set_login_grace_time=60 ++ ++ - id: 3.3.18 ++ title: Ensure SSHd Authorized Keys Not Set ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sshd_prohibit_preset_authorized_keys ++ - sshd_prohibit_preset_authorized_keys.severity=high ++ ++ - id: 3.3.19 ++ title: Ensure SSHd Known Hosts Not Set ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sshd_disable_user_known_hosts ++ - sshd_disable_user_known_hosts.severity=high ++ ++ - id: 3.3.20 ++ title: Ensure SSHd Has No Obsolete Configurations ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sshd_disable_rhosts_rsa ++ - sshd_disable_rhosts_rsa.severity=high ++ ++ - id: 3.3.21 ++ title: Ensure SSHd TCP Forward Disabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - 
sshd_disable_tcp_forwarding ++ - sshd_disable_tcp_forwarding.severity=high ++ ++ - id: 3.3.22 ++ title: Ensure SSHd Has Correct White and Black Access List ++ levels: ++ - l2_server ++ status: planned ++ ++ - id: 3.4.1 ++ title: Ensure Cron Not Run Low Privilege User Writable Bash ++ levels: ++ - l1_server ++ status: manual ++ rules: ++ - no_lowprivilege_users_writeable_cmds_in_crontab_file ++ - no_lowprivilege_users_writeable_cmds_in_crontab_file.severity=high ++ ++ - id: 3.4.2 ++ title: Ensure Cron Deamon Running ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - service_crond_enabled ++ - service_crond_enabled.severity=high ++ ++ - id: 3.4.3 ++ title: Ensure AT And Cron Set Correct ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - file_groupowner_cron_d ++ - file_groupowner_cron_d.severity=high ++ - file_groupowner_cron_daily ++ - file_groupowner_cron_daily.severity=high ++ - file_groupowner_cron_hourly ++ - file_groupowner_cron_hourly.severity=high ++ - file_groupowner_cron_monthly ++ - file_groupowner_cron_monthly.severity=high ++ - file_groupowner_cron_weekly ++ - file_groupowner_cron_weekly.severity=high ++ - file_groupowner_crontab ++ - file_groupowner_crontab.severity=high ++ - file_owner_cron_d ++ - file_owner_cron_d.severity=high ++ - file_owner_cron_daily ++ - file_owner_cron_daily.severity=high ++ - file_owner_cron_hourly ++ - file_owner_cron_hourly.severity=high ++ - file_owner_cron_monthly ++ - file_owner_cron_monthly.severity=high ++ - file_owner_cron_weekly ++ - file_owner_cron_weekly.severity=high ++ - file_owner_crontab ++ - file_owner_crontab.severity=high ++ - file_permissions_cron_d ++ - file_permissions_cron_d.severity=high ++ - file_permissions_cron_daily ++ - file_permissions_cron_daily.severity=high ++ - file_permissions_cron_hourly ++ - file_permissions_cron_hourly.severity=high ++ - file_permissions_cron_monthly ++ - file_permissions_cron_monthly.severity=high ++ - file_permissions_cron_weekly ++ - 
file_permissions_cron_weekly.severity=high ++ - file_permissions_crontab ++ - file_permissions_crontab.severity=high ++ - file_at_deny_not_exist ++ - file_at_deny_not_exist.severity=high ++ - file_cron_deny_not_exist ++ - file_cron_deny_not_exist.severity=high ++ - file_groupowner_at_allow ++ - file_groupowner_at_allow.severity=high ++ - file_groupowner_cron_allow ++ - file_groupowner_cron_allow.severity=high ++ - file_owner_at_allow ++ - file_owner_at_allow.severity=high ++ - file_owner_cron_allow ++ - file_owner_cron_allow.severity=high ++ - file_permissions_at_allow ++ - file_permissions_at_allow.severity=high ++ - file_permissions_cron_allow ++ - file_permissions_cron_allow.severity=high ++ ++ - id: 3.5.1 ++ title: Ensure KASLR Enabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_kernel_randomize_va_space ++ - sysctl_kernel_randomize_va_space.severity=high ++ ++ - id: 3.5.2 ++ title: Ensure Dmesg Access Permission Correct ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_kernel_dmesg_restrict ++ - sysctl_kernel_dmesg_restrict.severity=high ++ ++ - id: 3.5.3 ++ title: Ensure Kptr_restrict Correct ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_kernel_kptr_restrict ++ - sysctl_kernel_kptr_restrict.severity=high ++ - sysctl_kernel_kptr_restrict_value=1 ++ ++ - id: 3.5.4 ++ title: Ensure Kernel SMAP Enabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - grub2_nosmap_argument_absent ++ - grub2_nosmap_argument_absent.severity=high ++ ++ - id: 3.5.5 ++ title: Ensure Kernel SMEP Enabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - grub2_nosmep_argument_absent ++ - grub2_nosmep_argument_absent.severity=high ++ ++ - id: 3.5.6 ++ title: Ensure ICMP Broadcast Package Not Responsed ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high ++ ++ - id: 3.5.7 ++ title: 
Ensure ICMP Redirect Package Not Received ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_conf_all_accept_redirects ++ - sysctl_net_ipv4_conf_all_accept_redirects.severity=high ++ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled ++ - sysctl_net_ipv4_conf_all_secure_redirects ++ - sysctl_net_ipv4_conf_all_secure_redirects.severity=high ++ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled ++ - sysctl_net_ipv4_conf_default_secure_redirects ++ - sysctl_net_ipv4_conf_default_secure_redirects.severity=high ++ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled ++ - sysctl_net_ipv6_conf_all_accept_redirects ++ - sysctl_net_ipv6_conf_all_accept_redirects.severity=high ++ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled ++ ++ - id: 3.5.8 ++ title: Ensure No ICMP Redirect Package Forwarded ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_conf_all_send_redirects ++ - sysctl_net_ipv4_conf_all_send_redirects.severity=high ++ - sysctl_net_ipv4_conf_default_send_redirects ++ - sysctl_net_ipv4_conf_default_send_redirects.severity=high ++ ++ - id: 3.5.9 ++ title: Ensure Ignore All ICMP Request ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_icmp_echo_ignore_all ++ - sysctl_net_ipv4_icmp_echo_ignore_all.severity=high ++ ++ - id: 3.5.10 ++ title: Ensure Ignore Bogus Error ICMP Package ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses.severity=high ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled ++ ++ - id: 3.5.11 ++ title: Ensure Reverse Proxy Filter Enabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_conf_all_rp_filter ++ - sysctl_net_ipv4_conf_all_rp_filter.severity=high ++ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled ++ - sysctl_net_ipv4_conf_default_rp_filter ++ - 
sysctl_net_ipv4_conf_default_rp_filter.severity=high ++ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled ++ ++ - id: 3.5.12 ++ title: Ensure IP Forwarding Disabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_ip_forward ++ - sysctl_net_ipv4_ip_forward.severity=high ++ - sysctl_net_ipv6_conf_all_forwarding ++ - sysctl_net_ipv6_conf_all_forwarding.severity=high ++ - sysctl_net_ipv6_conf_all_forwarding_value=disabled ++ ++ - id: 3.5.13 ++ title: Ensure Source Route Disabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv4_conf_all_accept_source_route.severity=high ++ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled ++ - sysctl_net_ipv4_conf_default_accept_source_route ++ - sysctl_net_ipv4_conf_default_accept_source_route.severity=high ++ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled ++ - sysctl_net_ipv6_conf_all_accept_source_route ++ - sysctl_net_ipv6_conf_all_accept_source_route.severity=high ++ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled ++ - sysctl_net_ipv6_conf_default_accept_source_route ++ - sysctl_net_ipv6_conf_default_accept_source_route.severity=high ++ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled ++ ++ - id: 3.5.14 ++ title: Ensure TCP-SYN Cookie Enabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_tcp_syncookies ++ - sysctl_net_ipv4_tcp_syncookies.severity=high ++ ++ - id: 3.5.15 ++ title: Ensure Source Route And Redirectly Logged ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_conf_all_log_martians ++ - sysctl_net_ipv4_conf_all_log_martians.severity=high ++ - sysctl_net_ipv4_conf_default_log_martians ++ - sysctl_net_ipv4_conf_default_log_martians.severity=high ++ ++ - id: 3.5.16 ++ title: Ensure tcp_timestamps Disabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - 
sysctl_net_ipv4_tcp_timestamps ++ - sysctl_net_ipv4_tcp_timestamps.severity=low ++ ++ - id: 3.5.17 ++ title: Ensure TCP Time Wait Correct ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_tcp_fin_timeout ++ - sysctl_net_ipv4_tcp_fin_timeout.severity=high ++ ++ - id: 3.5.18 ++ title: Ensure SYN Recv Set Correct ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_tcp_max_syn_backlog ++ - sysctl_net_ipv4_tcp_max_syn_backlog.severity=low ++ ++ - id: 3.5.19 ++ title: Ensure No ARP Proxy ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_net_ipv4_conf_default_proxy_arp ++ - sysctl_net_ipv4_conf_default_proxy_arp.severity=high ++ - sysctl_net_ipv4_conf_all_proxy_arp ++ - sysctl_net_ipv4_conf_all_proxy_arp.severity=high ++ ++ - id: 3.5.20 ++ title: Ensure Core Dump Set Correct ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - coredump_limited ++ - coredump_limited.severity=high ++ - coredump_prohibit ++ - coredump_prohibit.severity=high ++ ++ - id: 3.5.21 ++ title: Ensure SysRq Key Disabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - sysctl_kernel_sysrq ++ - sysctl_kernel_sysrq.severity=high ++ ++ - id: 3.5.22 ++ title: Ensure ptrace_scope Set Correct ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - sysctl_kernel_yama_ptrace_scope ++ - sysctl_kernel_yama_ptrace_scope.severity=low ++ ++ - id: 3.5.23 ++ title: Ensure Seccomp Enabled ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - kernel_config_seccomp ++ - kernel_config_seccomp.severity=low ++ ++ - id: 3.6.1 ++ title: Ensure Ntpd Configuration Correct ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - service_ntpd_enabled ++ - service_ntpd_enabled.severity=low ++ - ntpd_configure_restrictions ++ - ntpd_configure_restrictions.severity=low ++ - ntpd_specify_remote_server ++ - ntpd_specify_remote_server.severity=low ++ ++ - id: 3.6.2 ++ title: Ensure Chrony Configuration Correct ++ levels: 
++ - l2_server ++ status: automated ++ rules: ++ - service_chronyd_enabled ++ - service_chronyd_enabled.severity=low ++ - chronyd_specify_remote_server ++ - chronyd_specify_remote_server.severity=low ++ ++ ++ - id: 4.1.1 ++ title: Ensure Auditd Enabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - package_audit_installed ++ - package_audit_installed.severity=high ++ - service_auditd_enabled ++ - service_auditd_enabled.severity=high ++ ++ - id: 4.1.2 ++ title: Ensure Auditd Rotate Enabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - auditd_data_retention_max_log_file_action ++ - auditd_data_retention_max_log_file_action.severity=high ++ - var_auditd_max_log_file_action=rotate ++ - auditd_data_retention_num_logs ++ - auditd_data_retention_num_logs.severity=high ++ - var_auditd_num_logs=5 ++ ++ - id: 4.1.3 ++ title: Ensure Lastlog Recorded ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_login_events_lastlog ++ - audit_rules_login_events_lastlog.severity=low ++ ++ - id: 4.1.4 ++ title: Ensure Account Info Changing Audited ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_usergroup_modification_group ++ - audit_rules_usergroup_modification_group.severity=low ++ - audit_rules_usergroup_modification_gshadow ++ - audit_rules_usergroup_modification_gshadow.severity=low ++ - audit_rules_usergroup_modification_opasswd ++ - audit_rules_usergroup_modification_opasswd.severity=low ++ - audit_rules_usergroup_modification_passwd ++ - audit_rules_usergroup_modification_passwd.severity=low ++ - audit_rules_usergroup_modification_shadow ++ - audit_rules_usergroup_modification_shadow.severity=low ++ ++ - id: 4.1.5 ++ title: Ensure Escalation Audited ++ levels: ++ - l2_server ++ status: planned ++ ++ - id: 4.1.6 ++ title: Ensure Module Changes Audited ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_privileged_commands_modprobe ++ - 
audit_rules_privileged_commands_modprobe.severity=low ++ - audit_rules_privileged_commands_insmod ++ - audit_rules_privileged_commands_insmod.severity=low ++ - audit_rules_privileged_commands_rmmod ++ - audit_rules_privileged_commands_rmmod.severity=low ++ - audit_rules_kernel_module_loading ++ - audit_rules_kernel_module_loading.severity=low ++ ++ - id: 4.1.7 ++ title: Ensure Sudo Operation Audited ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_privileged_commands_sudo ++ - audit_rules_privileged_commands_sudo.severity=low ++ ++ - id: 4.1.8 ++ title: Ensure Auditd Enabled During Boot ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - grub2_audit_argument ++ - grub2_audit_argument.severity=low ++ ++ - id: 4.1.9 ++ title: Ensure Audit Backlog Limit Correct ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - grub2_audit_backlog_limit_argument ++ - grub2_audit_backlog_limit_argument.severity=low ++ ++ - id: 4.1.10 ++ title: Ensure Auditctl Not Used ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_immutable ++ - audit_rules_immutable.severity=low ++ ++ - id: 4.1.11 ++ title: Ensure Audit Log Size Set Correct ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - auditd_data_retention_max_log_file ++ - auditd_data_retention_max_log_file.severity=high ++ - auditd_data_retention_max_log_file_action ++ - auditd_data_retention_max_log_file_action.severity=high ++ ++ - id: 4.1.12 ++ title: Ensure Audit Disk Space Set Correct ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - auditd_data_retention_space_left ++ - auditd_data_retention_space_left.severity=low ++ - var_auditd_space_left=75MB ++ - auditd_data_retention_space_left_action ++ - auditd_data_retention_space_left_action.severity=low ++ - var_auditd_space_left_action=syslog ++ - auditd_data_retention_admin_space_left_percentage ++ - auditd_data_retention_admin_space_left_percentage.severity=low ++ - 
var_auditd_admin_space_left_percentage=50pc ++ - auditd_data_retention_admin_space_left_action ++ - auditd_data_retention_admin_space_left_action.severity=low ++ - var_auditd_admin_space_left_action=suspend ++ - auditd_audispd_disk_full_action ++ - auditd_audispd_disk_full_action.severity=low ++ - auditd_data_disk_full_action ++ - auditd_data_disk_full_action.severity=low ++ - var_auditd_disk_full_action=suspend ++ - auditd_data_disk_error_action ++ - auditd_data_disk_error_action.severity=low ++ - var_auditd_disk_error_action=suspend ++ ++ - id: 4.1.13 ++ title: Ensure Sudoers Audited ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_sudoers ++ - audit_rules_sudoers.severity=low ++ ++ - id: 4.1.14 ++ title: Ensure Session Audited ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_session_events ++ - audit_rules_session_events.severity=low ++ ++ - id: 4.1.15 ++ title: Ensure Time Changing Audited ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_time_adjtimex ++ - audit_rules_time_adjtimex.severity=low ++ - audit_rules_time_settimeofday ++ - audit_rules_time_settimeofday.severity=low ++ - audit_rules_time_clock_settime ++ - audit_rules_time_clock_settime.severity=low ++ ++ - id: 4.1.16 ++ title: Ensure SELinux Audited ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_mac_modification ++ - audit_rules_mac_modification.severity=low ++ - audit_rules_mac_modification_usr_share ++ - audit_rules_mac_modification_usr_share.severity=low ++ ++ - id: 4.1.17 ++ title: Ensure Network Audited ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_networkconfig_modification ++ - audit_rules_networkconfig_modification.severity=low ++ ++ - id: 4.1.18 ++ title: Ensure Successful File Access Audited ++ levels: ++ - l2_server ++ status: manual ++ rules: ++ - audit_rules_successful_file_modification_chmod ++ - audit_rules_successful_file_modification_chmod.severity=low ++ 
- audit_rules_successful_file_modification_fchmod ++ - audit_rules_successful_file_modification_fchmod.severity=low ++ - audit_rules_successful_file_modification_fchmodat ++ - audit_rules_successful_file_modification_fchmodat.severity=low ++ - audit_rules_successful_file_modification_chown ++ - audit_rules_successful_file_modification_chown.severity=low ++ - audit_rules_successful_file_modification_fchown ++ - audit_rules_successful_file_modification_fchown.severity=low ++ - audit_rules_successful_file_modification_fchownat ++ - audit_rules_successful_file_modification_fchownat.severity=low ++ - audit_rules_successful_file_modification_setxattr ++ - audit_rules_successful_file_modification_setxattr.severity=low ++ - audit_rules_successful_file_modification_lsetxattr ++ - audit_rules_successful_file_modification_lsetxattr.severity=low ++ - audit_rules_successful_file_modification_fsetxattr ++ - audit_rules_successful_file_modification_fsetxattr.severity=low ++ - audit_rules_successful_file_modification_removexattr ++ - audit_rules_successful_file_modification_removexattr.severity=low ++ - audit_rules_successful_file_modification_lremovexattr ++ - audit_rules_successful_file_modification_lremovexattr.severity=low ++ - audit_rules_successful_file_modification_fremovexattr ++ - audit_rules_successful_file_modification_fremovexattr.severity=low ++ ++ - id: 4.1.19 ++ title: Ensure Unsuccessful File Access Audited ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_unsuccessful_file_modification ++ - audit_rules_unsuccessful_file_modification.severity=low ++ ++ - id: 4.1.20 ++ title: Ensure File Delete Audited ++ levels: ++ - l2_server ++ status: manual ++ rules: ++ - audit_rules_successful_file_modification_rename ++ - audit_rules_successful_file_modification_rename.severity=low ++ - audit_rules_successful_file_modification_renameat ++ - audit_rules_successful_file_modification_renameat.severity=low ++ - 
audit_rules_successful_file_modification_unlink ++ - audit_rules_successful_file_modification_unlink.severity=low ++ - audit_rules_successful_file_modification_unlinkat ++ - audit_rules_successful_file_modification_unlinkat.severity=low ++ ++ - id: 4.1.21 ++ title: Ensure Mount Audited ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - audit_rules_media_export ++ - audit_rules_media_export.severity=low ++ ++ - id: 4.2.1 ++ title: Ensure Rsyslog Enabled ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - service_rsyslog_enabled ++ - service_rsyslog_enabled.severity=high ++ ++ - id: 4.2.2 ++ title: Ensure Authentication Logged ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - rsyslog_remote_access_monitoring ++ - rsyslog_remote_access_monitoring.severity=high ++ ++ - id: 4.2.3 ++ title: Ensure Cron Logged ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - rsyslog_cron_logging ++ - rsyslog_cron_logging.severity=high ++ ++ - id: 4.2.4 ++ title: Ensure Rsyslog's Files Permission Correct ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - rsyslog_filecreatemode ++ - rsyslog_filecreatemode.severity=low ++ ++ - id: 4.2.5 ++ title: Ensure Important Services Logged ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - rsyslog_logging_configured ++ - rsyslog_logging_configured.severity=low ++ ++ - id: 4.2.6 ++ title: Ensure Journald Transfer Set Correct ++ levels: ++ - l1_server ++ status: automated ++ rules: ++ - configure_dump_journald_log ++ - configure_dump_journald_log.severity=high ++ ++ - id: 4.2.7 ++ title: Ensure Rotate Setting In Rsyslog ++ levels: ++ - l1_server ++ status: manual ++ rules: ++ - configure_rsyslog_log_rotate ++ - configure_rsyslog_log_rotate.severity=high ++ ++ - id: 4.2.8 ++ title: Ensure Remote Log Server Correct ++ levels: ++ - l2_server ++ status: manual ++ rules: ++ - rsyslog_remote_loghost_openeuler ++ - rsyslog_remote_loghost_openeuler.severity=low ++ ++ - id: 4.2.9 ++ title: Ensure 
Only Specified Server Can Receive Logs ++ levels: ++ - l2_server ++ status: automated ++ rules: ++ - rsyslog_accept_remote_messages_tcp ++ - rsyslog_accept_remote_messages_tcp.severity=low ++ - rsyslog_accept_remote_messages_udp ++ - rsyslog_accept_remote_messages_udp.severity=low +diff --git a/products/openeuler2509/CMakeLists.txt b/products/openeuler2509/CMakeLists.txt +new file mode 100644 +index 00000000..968bcb0c +--- /dev/null ++++ b/products/openeuler2509/CMakeLists.txt +@@ -0,0 +1,6 @@ ++# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way. ++if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") ++ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") ++endif() ++ ++ssg_build_product("openeuler2509") +diff --git a/products/openeuler2509/product.yml b/products/openeuler2509/product.yml +new file mode 100644 +index 00000000..cb2f5fdc +--- /dev/null ++++ b/products/openeuler2509/product.yml +@@ -0,0 +1,30 @@ ++product: openeuler2509 ++full_name: openEuler 2509 ++type: platform ++ ++benchmark_id: OPENEULER2509 ++benchmark_root: "../../linux_os/guide" ++ ++profiles_root: "./profiles" ++ ++pkg_manager: "dnf" ++pkg_manager_config_file: "/etc/yum.conf" ++ ++init_system: "systemd" ++ ++cpes_root: "../../shared/applicability" ++cpes: ++ - openeuler2509lts: ++ name: "cpe:/o:openEuler:openEuler:25.09LTS:ga:server" ++ title: "openEuler 25.09 LTS" ++ check_id: installed_OS_is_openeuler2509 ++ ++ - openeuler2509lts-sp1: ++ name: "cpe:/o:openEuler:openEuler:25.09LTS_SP1:ga:server" ++ title: "openEuler 25.09 LTS SP1" ++ check_id: installed_OS_is_openeuler2509 ++ ++ - openeuler2509lts-sp2: ++ name: "cpe:/o:openEuler:openEuler:25.09LTS_SP2:ga:server" ++ title: "openEuler 25.09 LTS SP2" ++ check_id: installed_OS_is_openeuler2509 +diff --git a/products/openeuler2509/profiles/standard.profile b/products/openeuler2509/profiles/standard.profile 
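Review bot: All three CPE entries under `cpes:` (`openeuler2509lts`, `openeuler2509lts-sp1`, `openeuler2509lts-sp2`) resolve to the same `check_id: installed_OS_is_openeuler2509`, and the OVAL added in the `shared/checks/oval/installed_OS_is_openeuler2509.xml` hunk appears to test the `openEuler-release` package against `^25\.09.*$` (the XML element names are not rendered here), so the SP1 and SP2 CPEs are satisfied by any 25.09 install, including GA, and a benchmark that claims SP-specific applicability will be evaluated on the wrong service pack. Either the SP entries need their own check with a pattern anchored on the SP suffix, or the shared-check intent should be stated next to `cpes:`, e.g. `# all 25.09 CPEs share one applicability check: any 25.09 release string is treated as applicable`. Separately, the CPE strings `25.09LTS`/`25.09LTS_SP1`/`25.09LTS_SP2` and the titles call 25.09 an LTS release; openEuler's LTS lines to date have been 22.03 and 24.03, so please confirm 25.09 is LTS before these identifiers ship, since a CPE that matches no real product string cannot be reconciled by scanners.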
+new file mode 100644
+index 00000000..f0c4767d
+--- /dev/null
++++ b/products/openeuler2509/profiles/standard.profile
+@@ -0,0 +1,14 @@
++documentation_complete: true
++
++metadata:
++ version: 1.0
++
++title: 'Standard System Security Profile for openEuler 25.09 LTS'
++
++description: |-
++ This profile contains rules to ensure standard security baseline
++ of an openEuler system. Regardless of your system's workload
++ all of these checks should pass.
++
++selections:
++ - std_openeuler2509:all:l2_server
+diff --git a/products/openeuler2509/transforms/constants.xslt b/products/openeuler2509/transforms/constants.xslt
+new file mode 100644
+index 00000000..c8d854bc
+--- /dev/null
++++ b/products/openeuler2509/transforms/constants.xslt
+@@ -0,0 +1,9 @@
++
++
++
++
++openEuler2509
++openEuler2509
++openeuler2509
++
++
+diff --git a/shared/checks/oval/installed_OS_is_openeuler2509.xml b/shared/checks/oval/installed_OS_is_openeuler2509.xml
+new file mode 100644
+index 00000000..67b8b255
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_openeuler2509.xml
+@@ -0,0 +1,26 @@
++
++
++
++ openEuler 25.09 LTS
++
++ multi_platform_all
++
++ The operating system installed on the system is openEuler 25.09 LTS.
++
++
++
++
++
++
++
++
++
++
++
++
++ ^25\.09.*$
++
++
++ openEuler-release
++
++
++
+diff --git a/ssg/constants.py b/ssg/constants.py
+index a0265a9d..28b9c445 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -55,6 +55,7 @@ product_directories = [
+ 'rhcos4',
+ 'ol7', 'ol8', 'ol9', 'ol10',
+ 'openeuler2203',
++ 'openeuler2509',
+ 'opensuse',
+ 'openembedded',
+ 'rhel8', 'rhel9', 'rhel10',
+@@ -230,6 +231,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
+ "Oracle Linux 9": "ol9",
+ "Oracle Linux 10": "ol10",
+ "openEuler 2203": "openeuler2203",
++ "openEuler 2509": "openeuler2509",
+ "openSUSE": "opensuse",
+ "Red Hat Enterprise Linux 8": "rhel8",
+ "Red Hat Enterprise Linux 9": "rhel9",
+@@ -309,7 +311,7 @@ MULTI_PLATFORM_MAPPING = {
+ "multi_platform_eks": ["eks"],
+ "multi_platform_fedora": ["fedora"],
+ "multi_platform_kylinserver": ["kylinserver10"],
+- "multi_platform_openeuler": ["openeuler2203"],
++ "multi_platform_openeuler": ["openeuler2203", "openeuler2509"],
+ "multi_platform_opensuse": ["opensuse"],
+ "multi_platform_ol": ["ol7", "ol8", "ol9", "ol10"],
+ "multi_platform_ocp": ["ocp4"],
+--
+2.33.0
+
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 043eaab87e40c2263b1f1bc5a7b2d131a402bfff..1f12227530f9215b825ebd16c42182eba6fee8f2 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -3,7 +3,7 @@ Name: scap-security-guide Version: 0.1.77 -Release: 1 +Release: 2 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/
@@ -16,6 +16,7 @@ Patch0004: add-openeuler-automatic-hardening.patch Patch0005: scap-is-modified-to-be-consistent-with-the-specif.patch Patch0006: remove-rule-audit_privilege_escalation_command.patch Patch0007: remove-oval_sshd_config.patch +Patch0008: Support-for-2509-configuration-check.patch BuildArch: noarch BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.12, python3-jinja2, python3-PyYAML
@@ -70,6 +71,9 @@ rm -f %{buildroot}%{_docdir}/%{name}/LICENSE %doc %{_docdir}/%{name}/tables/*.html %changelog +* Wed Sep 03 2025 jinlun - 0.1.77-2 +- Support for 2509 configuration check + * Mon Apr 28 2025 wangkai <13474090681@163.com> - 0.1.77-1 - Update to 0.1.77