diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000000000000000000000000000000000..9b7c16d48bd159875d83e4763fc63b46ce1bd58f
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.bz2 filter=lfs diff=lfs merge=lfs -text
diff --git a/.lfsconfig b/.lfsconfig
new file mode 100644
index 0000000000000000000000000000000000000000..7afddda3afad84a64bdfbe7b90aa4c8b6b6ca2d9
--- /dev/null
+++ b/.lfsconfig
@@ -0,0 +1,2 @@
+[lfs]
+ url = https://artlfs.openeuler.openatom.cn/src-openEuler/scap-security-guide
diff --git a/add-openeuler-automatic-hardening.patch b/add-openeuler-automatic-hardening.patch
index 85781ebd4ed074638fe38a031c18fcff26dc479d..f16ea82d53f45cdafc8bdc50bfe7e8282c990261 100644
--- a/add-openeuler-automatic-hardening.patch
+++ b/add-openeuler-automatic-hardening.patch
@@ -44,49 +44,49 @@ Signed-off-by: xuce
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
 diff --git a/controls/std_openeuler2203.yml b/controls/std_openeuler2203.yml
-index df69b488..f5d74498 100644
+index fe376cee..ee6986d3 100644
 --- a/controls/std_openeuler2203.yml
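Review bot: The new `.lfsconfig` makes `https://artlfs.openeuler.openatom.cn/src-openEuler/scap-security-guide` the repository-level LFS endpoint for every clone, and nothing on this page confirms that host is the organization's sanctioned LFS store; that is worth verifying before merge, because git-lfs honors a repo-shipped `.lfsconfig` and it decides where the source archive is fetched from. Integrity of the archive itself still rests on the sha256 OID recorded in the LFS pointer committed to git, so the pinned content does not change with this move. Note that the `.gitattributes` pattern routes only `*.bz2` through LFS; any other archive type the spec may reference would stay in plain git (not determinable from this page). A short comment in `.lfsconfig` such as `# LFS store for the upstream source archive (*.bz2, see .gitattributes)` would record the intent for the next packager.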
+++ b/controls/std_openeuler2203.yml -@@ -57,7 +57,7 @@ controls: - rules: - - accounts_umask_etc_bashrc - - accounts_umask_etc_bashrc.severity=high -- - var_accounts_user_umask=077 -+ - var_accounts_user_umask=027 +@@ -58,7 +58,7 @@ controls: + rules: + - accounts_umask_etc_bashrc + - accounts_umask_etc_bashrc.severity=high +- - var_accounts_user_umask=077 ++ - var_accounts_user_umask=027 - - id: 1.1.6 - title: Ensure No Global Writable File -@@ -284,8 +284,8 @@ controls: - - l1_server - status: automated - rules: -- - service_avahi-daemon_disabled -- - service_avahi-daemon_disabled.severity=high -+ - package_avahi_removed -+ - package_avahi_removed.severity=high + - id: 1.1.6 + title: Ensure No Global Writable File +@@ -285,8 +285,8 @@ controls: + - l1_server + status: automated + rules: +- - service_avahi-daemon_disabled +- - service_avahi-daemon_disabled.severity=high ++ - package_avahi_removed ++ - package_avahi_removed.severity=high - - id: 1.2.10 - title: Ensure LDAP Server Not Installed + - id: 1.2.10 + title: Ensure LDAP Server Not Installed @@ -716,6 +716,8 @@ controls: - - l1_server - status: automated - rules: -+ - require_singleuser_auth -+ - require_singleuser_auth.severity=high - - require_emergency_target_auth - - require_emergency_target_auth.severity=high + - l1_server + status: automated + rules: ++ - require_singleuser_auth ++ - require_singleuser_auth.severity=high + - require_emergency_target_auth + - require_emergency_target_auth.severity=high -@@ -1638,6 +1640,8 @@ controls: - - l1_server - status: automated - rules: -+ - package_audit_installed -+ - package_audit_installed.severity=high - - service_auditd_enabled - - service_auditd_enabled.severity=high +@@ -1636,6 +1638,8 @@ controls: + - l1_server + status: automated + rules: ++ - package_audit_installed ++ - package_audit_installed.severity=high + - service_auditd_enabled + - service_auditd_enabled.severity=high 
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh -index 342dc194..66757082 100644 +index 0c468866..7981756a 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh @@ -1,4 +1,4 @@ @@ -96,7 +96,7 @@ index 342dc194..66757082 100644 {{{ bash_instantiate_variables("var_audispd_disk_full_action") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh -index 32e2b70b..c066584a 100644 +index 542bebfb..6e7cc0ba 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh @@ -1,4 +1,4 @@ @@ -106,12 +106,12 @@ index 32e2b70b..c066584a 100644 {{{ bash_instantiate_variables("var_auditd_max_log_file") }}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh -index c12f6315..ba23a334 100644 +index 5feb1c07..adce76cb 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh 
@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_openeuler +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_debian ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_debian,multi_platform_openeuler {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}} @@ -126,7 +126,7 @@ index c0225b9f..b96d4412 100644 {{{ bash_instantiate_variables("var_auditd_space_left") }}} diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml -index 8f514489..c2ae2269 100644 +index 048a7b15..ce9014da 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true @@ -139,7 +139,7 @@ index 8f514489..c2ae2269 100644 {{% set target_perms="-rw-r-----" %}} {{% else %}} diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml -index 0a1cf6b7..bf7b3be8 100644 +index 32918155..36ff9792 100644 
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true @@ -265,15 +265,15 @@ index 4353ef51..b25da971 100644 | xargs -I '$6' find '$6' -xdev -type d \ \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \ diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml -index c87f7412..b9989413 100644 +index f84d3a93..6b050984 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml -@@ -17,7 +17,7 @@ - /etc/aide.conf - {{% if 'sle' in product or 'slmicro' in product %}} +@@ -19,7 +19,7 @@ ^database=file:/([/a-z.]+)$ + {{% elif product == 'slmicro6' %}} + ^database_in=file:/([/a-z.]+)$ - {{% elif product in [ 'ol10', 'rhel10' ] %}} -+ {{% elif 'openeuler2403' in product or product in [ 'ol10', 'rhel10'] %}} ++ {{% elif 'openeuler2403' in product or product in [ 'ol10', 'rhel10' ] %}} ^database_in=file:@@{DBDIR}/([a-z.]+)$ {{% else %}} ^database=file:@@{DBDIR}/([a-z.]+)$ @@ -334,19 +334,19 @@ index 1b03ae05..9bbcfddf 100644 sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/* {{% else %}} diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja -index 13e0a897..c8671edd 100644 +index 5649cc61..b3b2abd2 100644 --- a/shared/macros/10-bash.jinja 
+++ b/shared/macros/10-bash.jinja -@@ -1954,7 +1954,7 @@ Part of the grub2_bootloader_argument template. +@@ -1964,7 +1964,7 @@ Part of the grub2_bootloader_argument template. #}} {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}} --{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15'] %}} -+{{% if 'ubuntu' in product or 'debian' in product or 'openeuler' in product or product in ['ol7', 'sle12', 'sle15'] %}} +-{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15', 'slmicro5'] %}} ++{{% if 'ubuntu' in product or 'debian' in product or 'openeuler' in product or product in ['ol7', 'sle12', 'sle15', 'slmicro5'] %}} {{{ update_etc_default_grub_manually(arg_name, arg_name_value) }}} {{% endif -%}} {{{ grub_command("add", arg_name_value) }}} -@@ -1970,9 +1970,9 @@ Part of the grub2_bootloader_argument template. +@@ -1980,9 +1980,9 @@ Part of the grub2_bootloader_argument template. #}} {{%- macro update_etc_default_grub_manually_absent(arg_name) -%}} # Correct the form of default kernel command line in GRUB @@ -359,7 +359,7 @@ index 13e0a897..c8671edd 100644 {{%- endmacro %}} -@@ -1985,7 +1985,7 @@ Part of the grub2_bootloader_argument_absent template. +@@ -1995,7 +1995,7 @@ Part of the grub2_bootloader_argument_absent template. #}} {{% macro grub2_bootloader_argument_absent_remediation(arg_name) %}} @@ -369,7 +369,7 @@ index 13e0a897..c8671edd 100644 {{% endif -%}} {{{ grub_command("remove", arg_name) }}} diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template -index 44e50228..d527378b 100644 +index 1644ddce..534de901 100644 --- a/shared/templates/accounts_password/bash.template +++ b/shared/templates/accounts_password/bash.template @@ -12,7 +12,7 @@ if grep -sq {{{ VARIABLE }}} /etc/security/pwquality.conf.d/*.conf ; then @@ -382,7 +382,7 @@ index 44e50228..d527378b 100644 'password', '', 
diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template -index 7eacdf62..8a364943 100644 +index c20c4525..1ab1dbcf 100644 --- a/shared/templates/accounts_password/oval.template +++ b/shared/templates/accounts_password/oval.template @@ -11,14 +11,14 @@ @@ -403,7 +403,7 @@ index 7eacdf62..8a364943 100644 comment="check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf" id="test_password_pam_pwquality_{{{ VARIABLE }}}_not_overwritten" version="1"> diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template -index 07057cbb..fb582e57 100644 +index f43f3484..fd7df953 100644 --- a/shared/templates/grub2_bootloader_argument/bash.template +++ b/shared/templates/grub2_bootloader_argument/bash.template @@ -1,4 +1,4 @@ @@ -433,17 +433,17 @@ index 4c93f2b8..171e347b 100644 # strategy = disable # complexity = low diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template -index 3249f02c..a68eabd1 100644 +index 4e207a79..aa0517a5 100644 --- a/shared/templates/service_enabled/bash.template +++ b/shared/templates/service_enabled/bash.template 
@@ -1,4 +1,4 @@ --# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux -+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_openeuler +-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_debian ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_debian,multi_platform_openeuler # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template -index 7093aae9..d176ec79 100644 +index 0f0e48ed..d1a860f1 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template @@ -1,4 +1,4 @@ @@ -453,5 +453,5 @@ index 7093aae9..d176ec79 100644 # strategy = disable # complexity = low -- -2.48.1 +2.51.0 diff --git a/add-openeuler-control-rules.patch b/add-openeuler-control-rules.patch index 0b2503cdfce74e835643481b7d9768717c15c038..ff91e9f1cce6a479df9626ab967a9c765bdaedd1 100644 --- a/add-openeuler-control-rules.patch +++ b/add-openeuler-control-rules.patch @@ -21,25 +21,25 @@ Subject: [PATCH] add openeuler control rules create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml diff --git a/controls/std_openeuler2203.yml b/controls/std_openeuler2203.yml -index 4717aa3d..65badc0e 100644 +index 9247d228..041deaae 100644 --- a/controls/std_openeuler2203.yml +++ b/controls/std_openeuler2203.yml 
@@ -691,6 +691,8 @@ controls: - - l1_server - status: automated - rules: -+ - warning_banners -+ - warning_banners.severity=high - - file_groupowner_etc_issue - - file_groupowner_etc_issue.severity=high - - file_groupowner_etc_issue_net + - l1_server + status: automated + rules: ++ - warning_banners ++ - warning_banners.severity=high + - file_groupowner_etc_issue + - file_groupowner_etc_issue.severity=high + - file_groupowner_etc_issue_net diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -index 0c6da6e7..2c83bfa7 100644 +index 62fbca92..1ce3176b 100644 --- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -@@ -40,5 +40,6 @@ template: - packagename@sle12: rsync +@@ -42,5 +42,6 @@ template: packagename@sle15: rsync + packagename@slmicro5: rsync packagename@openeuler2203: rsync + packagename@openeuler2403: rsync servicename@ubuntu2404: rsync @@ -661,7 +661,7 @@ index 00000000..94c1ecaa + + diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml -index f0e8d952..8de00f87 100644 +index e7f57f78..21c6f000 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml @@ -35,7 +35,7 @@ @@ -674,7 +674,7 @@ index f0e8d952..8de00f87 100644 {{%- else -%}} ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" 
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml -index 0a28ea58..840f15f4 100644 +index 8492ec03..1eefbccf 100644 --- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml +++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml @@ -17,7 +17,11 @@ rationale: |- @@ -690,7 +690,7 @@ index 0a28ea58..840f15f4 100644 identifiers: cce@sle12: CCE-92215-3 diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml -index 34db3ae1..9627cf4a 100644 +index 60da5d94..30aadc7c 100644 --- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml +++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml @@ -17,7 +17,11 @@ rationale: |- @@ -706,10 +706,10 @@ index 34db3ae1..9627cf4a 100644 identifiers: cce@sle12: CCE-92214-6 diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml -index f194da36..2ef3ec76 100644 +index 93fdec05..eed8e936 100644 --- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml +++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml -@@ -18,7 +18,11 @@ rationale: |- +@@ -22,7 +22,11 @@ rationale: |- severity: medium @@ -722,10 +722,10 @@ index f194da36..2ef3ec76 100644 identifiers: cce@rhel8: CCE-85968-6 
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -index 256ab855..8ab9ad47 100644 +index e3649603..94b0e249 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -@@ -138,4 +138,8 @@ fixtext: |- +@@ -132,4 +132,8 @@ fixtext: |- srg_requirement: '{{{ full_name }}} wireless network adapters must be disabled.' @@ -735,18 +735,18 @@ index 256ab855..8ab9ad47 100644 platform: wifi-iface and not container +{{% endif %}} diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml -index d2e7b75f..33f33490 100644 +index 8f52bdbb..c24e7aca 100644 --- a/shared/applicability/package.yml +++ b/shared/applicability/package.yml -@@ -89,7 +89,7 @@ args: +@@ -103,7 +103,7 @@ args: pkgname: rsh-server shadow-utils: {{% if pkg_system == "rpm" %}} -- {{% if product in ["kylinserver10", "openeuler2203", "sle12", "sle15", "slmicro5"] %}} -+ {{% if product in ["kylinserver10", "openeuler2203", "openeuler2403", "sle12", "sle15", "slmicro5"] %}} +- {{% if product in ["kylinserver10", "openeuler2203", "sle12", "sle15", "slmicro5", "slmicro6"] %}} ++ {{% if product in ["kylinserver10", "openeuler2203", "openeuler2403", "sle12", "sle15", "slmicro5", "slmicro6"] %}} pkgname: shadow {{% else %}} pkgname: shadow-utils -- -2.48.1 +2.51.0 diff --git a/optimize-rules-for-openEuler.patch b/optimize-rules-for-openEuler.patch index 4b59bfbebef5ffefb4c9dc0a2f168b762c306cf3..d9872ac772f76117449a4dcc471fa10498de4e72 100644 --- a/optimize-rules-for-openEuler.patch +++ b/optimize-rules-for-openEuler.patch 
@@ -155,17 +155,17 @@ Subject: [PATCH] imporve check command create mode 100644 linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml diff --git a/components/audit.yml b/components/audit.yml -index f3b96558..e749769c 100644 +index eef815fd..16cc2831 100644 --- a/components/audit.yml +++ b/components/audit.yml -@@ -325,6 +325,7 @@ rules: - - package_audit-libs_installed - - package_audit_installed - - service_auditd_enabled +@@ -18,6 +18,7 @@ packages: + - audit-audispd-plugins + - audit-libs + rules: +- audit_privilege_escalation_command - templates: - - audit_file_contents - - audit_rules_dac_modification + - audit_access_failed + - audit_access_failed_aarch64 + - audit_access_failed_ppc64le diff --git a/components/cronie.yml b/components/cronie.yml index 37264a89..a11918c2 100644 --- a/components/cronie.yml @@ -176,10 +176,10 @@ index 37264a89..a11918c2 100644 - service_crond_enabled +- no_lowprivilege_users_writeable_cmds_in_crontab_file diff --git a/components/filesystem.yml b/components/filesystem.yml -index b2c0d230..8fcd9997 100644 +index 86e82fe3..bf1b2cb0 100644 --- a/components/filesystem.yml +++ b/components/filesystem.yml -@@ -152,6 +152,17 @@ rules: +@@ -192,6 +192,17 @@ rules: - sysctl_fs_protected_hardlinks - sysctl_fs_protected_regular - sysctl_fs_protected_symlinks @@ -225,10 +225,10 @@ index e603e3f4..38ca7dc9 100644 +- iptables_input_policy_configured_corrently +- iptables_output_policy_configured_corrently diff --git a/components/kernel.yml b/components/kernel.yml -index 47a71ce1..93746587 100644 +index 3384a926..87b706cc 100644 --- a/components/kernel.yml +++ b/components/kernel.yml -@@ -202,6 +202,12 @@ rules: +@@ -203,6 +203,12 @@ rules: - sysctl_user_max_user_namespaces - sysctl_user_max_user_namespaces_no_remediation - sysctl_vm_mmap_min_addr @@ -283,10 +283,10 @@ index 00000000..49af8cdf +- only_root_can_run_pkexec +- ima_verification 
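Review bot: In the rebased `components/audit.yml` hunk, `audit_privilege_escalation_command` is now inserted as the first entry under `rules:`, ahead of `audit_access_failed`, which places it out of alphabetical order with the neighbouring `audit_…` entries; the previous placement was at the end of the list, so the rebase changed where the line lands, not just the offset. Upstream's component files appear to be kept sorted (the check enforcing that is not visible here), so the line should move to its sorted slot among the `audit_p…` entries, e.g. `- audit_privilege_escalation_command` placed after the last entry that sorts before it rather than at the top. The jump of the carried hunk header from `@@ -325,6` to `@@ -18,6` suggests the upstream file was reorganized, which is presumably why the context no longer matched. The remaining hunks in this patch file on this line (cronie, filesystem, kernel) are pure offset and blob-hash updates and raise nothing.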
diff --git a/components/openssh.yml b/components/openssh.yml -index 0dac3e2e..4dda8541 100644 +index e89f5bbb..cd93730a 100644 --- a/components/openssh.yml +++ b/components/openssh.yml -@@ -88,5 +88,8 @@ rules: +@@ -91,5 +91,8 @@ rules: - sshd_x11_use_localhost - sshd_include_crypto_policy - harden_sshd_crypto_policy @@ -296,10 +296,10 @@ index 0dac3e2e..4dda8541 100644 templates: - sshd_lineinfile diff --git a/components/pam.yml b/components/pam.yml -index 06047160..a4a1b4aa 100644 +index fda57054..7a7e7f91 100644 --- a/components/pam.yml +++ b/components/pam.yml -@@ -242,5 +242,12 @@ rules: +@@ -179,5 +179,12 @@ rules: - use_pam_wheel_group_for_su - verify_use_mappers - vlock_installed @@ -313,10 +313,10 @@ index 06047160..a4a1b4aa 100644 templates: - pam_options diff --git a/components/rsyslog.yml b/components/rsyslog.yml -index 2659542e..e8f532a3 100644 +index 4de4c30b..fd14d689 100644 --- a/components/rsyslog.yml +++ b/components/rsyslog.yml -@@ -46,3 +46,7 @@ rules: +@@ -48,3 +48,7 @@ rules: - systemd_journal_upload_url - systemd_journal_upload_server_tls - timer_logrotate_enabled @@ -336,579 +336,579 @@ index 752c426e..d1d592b0 100644 templates: - sudo_defaults_option diff --git a/controls/std_openeuler2203.yml b/controls/std_openeuler2203.yml -index 65badc0e..df69b488 100644 +index 041deaae..fe376cee 100644 --- a/controls/std_openeuler2203.yml 
+++ b/controls/std_openeuler2203.yml -@@ -26,13 +26,19 @@ controls: - title: Ensure No Empty Symlink - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - file_empty_link_prohibit -+ - file_empty_link_prohibit.severity=high +@@ -27,13 +27,19 @@ controls: + title: Ensure No Empty Symlink + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - file_empty_link_prohibit ++ - file_empty_link_prohibit.severity=high - - id: 1.1.3 - title: Ensure No Hidden Executable Files - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - file_hidden_executable_prohibit -+ - file_hidden_executable_prohibit.severity=high + - id: 1.1.3 + title: Ensure No Hidden Executable Files + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - file_hidden_executable_prohibit ++ - file_hidden_executable_prohibit.severity=high - - id: 1.1.4 - title: Ensure Sticky Set On Global Writable Folder -@@ -66,25 +72,37 @@ controls: - title: Umount Unnecessary File System - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - removed_unnecessary_file_mount -+ - removed_unnecessary_file_mount.severity=high + - id: 1.1.4 + title: Ensure Sticky Set On Global Writable Folder +@@ -67,25 +73,37 @@ controls: + title: Umount Unnecessary File System + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - removed_unnecessary_file_mount ++ - removed_unnecessary_file_mount.severity=high - - id: 1.1.8 - title: Ensure Mount As Readonly If No Need To Write - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - mount_only_no_modified_partitionsread -+ - mount_only_no_modified_partitionsread.severity=high + - id: 1.1.8 + title: Ensure Mount As Readonly If No Need To Write + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - mount_only_no_modified_partitionsread ++ - mount_only_no_modified_partitionsread.severity=high - - id: 1.1.9 - title: Ensure 
Mount As Nodev - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - mount_nodev_mode_partitions -+ - mount_nodev_mode_partitions.severity=high + - id: 1.1.9 + title: Ensure Mount As Nodev + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - mount_nodev_mode_partitions ++ - mount_nodev_mode_partitions.severity=high - - id: 1.1.10 - title: Ensure Mount As Noexec - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - mount_noexec_mode_partitions -+ - mount_noexec_mode_partitions.severity=high + - id: 1.1.10 + title: Ensure Mount As Noexec + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - mount_noexec_mode_partitions ++ - mount_noexec_mode_partitions.severity=high - - id: 1.1.11 - title: Ensure Mount As Noexec And Nodev For Removable Device -@@ -101,7 +119,10 @@ controls: - title: Ensure Mount As Nosuid - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - mounted_nosuid_mode_partitions -+ - mounted_nosuid_mode_partitions.severity=high + - id: 1.1.11 + title: Ensure Mount As Noexec And Nodev For Removable Device +@@ -102,7 +120,10 @@ controls: + title: Ensure Mount As Nosuid + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - mounted_nosuid_mode_partitions ++ - mounted_nosuid_mode_partitions.severity=high - - id: 1.1.13 - title: Ensure Remove Unnecessary SUID And SGID -@@ -118,13 +139,19 @@ controls: - title: Ensure File Permission Minimize - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - file_permission_minimum -+ - file_permission_minimum.severity=high + - id: 1.1.13 + title: Ensure Remove Unnecessary SUID And SGID +@@ -119,13 +140,19 @@ controls: + title: Ensure File Permission Minimize + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - file_permission_minimum ++ - file_permission_minimum.severity=high - - id: 1.1.15 - title: Ensure Ulinmit Correctly - levels: - - l1_server -- 
status: planned -+ status: manual -+ rules: -+ - file_opened_count_limited -+ - file_opened_count_limited.severity=high + - id: 1.1.15 + title: Ensure Ulinmit Correctly + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - file_opened_count_limited ++ - file_opened_count_limited.severity=high - - id: 1.1.16 - title: Ensure Symlinks And Hardlinks Protected -@@ -150,19 +177,28 @@ controls: - title: Ensure Different Data Store In Different Partitions - levels: - - l2_server -- status: planned -+ status: manual -+ rules: -+ - partitions_manage_hard_drive_data -+ - partitions_manage_hard_drive_data.severity=high + - id: 1.1.16 + title: Ensure Symlinks And Hardlinks Protected +@@ -151,19 +178,28 @@ controls: + title: Ensure Different Data Store In Different Partitions + levels: + - l2_server +- status: planned ++ status: manual ++ rules: ++ - partitions_manage_hard_drive_data ++ - partitions_manage_hard_drive_data.severity=high - - id: 1.1.19 - title: Ensure LD_LIBRARY_PATH Correct - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - define_ld_lib_path_correctly -+ - define_ld_lib_path_correctly.severity=high + - id: 1.1.19 + title: Ensure LD_LIBRARY_PATH Correct + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - define_ld_lib_path_correctly ++ - define_ld_lib_path_correctly.severity=high - - id: 1.1.20 - title: Ensure User PATH Correct - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - define_path_strictly -+ - define_path_strictly.severity=low + - id: 1.1.20 + title: Ensure User PATH Correct + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - define_path_strictly ++ - define_path_strictly.severity=low - - id: 1.2.1 - title: Ensure FTP Not Installed -@@ -208,7 +244,10 @@ controls: - title: Ensure Python2 Not Installed - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - package_python2_removed -+ - 
package_python2_removed.severity=high + - id: 1.2.1 + title: Ensure FTP Not Installed +@@ -209,7 +245,10 @@ controls: + title: Ensure Python2 Not Installed + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - package_python2_removed ++ - package_python2_removed.severity=high - - id: 1.2.6 - title: Ensure GPG Check Configured -@@ -297,19 +336,28 @@ controls: - title: Ensure Network Sniffing Software Removed - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - network_sniffing_tools -+ - network_sniffing_tools.severity=high + - id: 1.2.6 + title: Ensure GPG Check Configured +@@ -298,19 +337,28 @@ controls: + title: Ensure Network Sniffing Software Removed + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - network_sniffing_tools ++ - network_sniffing_tools.severity=high - - id: 1.2.16 - title: Ensure Debug Tools Removed - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - debugging_tools -+ - debugging_tools.severity=high + - id: 1.2.16 + title: Ensure Debug Tools Removed + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - debugging_tools ++ - debugging_tools.severity=high - - id: 1.2.17 - title: Ensure Compiler Tools Removed - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - development_and_compliation_tools -+ - development_and_compliation_tools.severity=high + - id: 1.2.17 + title: Ensure Compiler Tools Removed + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - development_and_compliation_tools ++ - development_and_compliation_tools.severity=high - - id: 1.2.18 - title: Ensure X Window Not Installed + - id: 1.2.18 + title: Ensure X Window Not Installed 
@@ -379,19 +427,28 @@ controls: - title: Ensure All Login Accounts Are Necessary - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - login_accounts_are_necessary -+ - login_accounts_are_necessary.severity=high + title: Ensure All Login Accounts Are Necessary + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - login_accounts_are_necessary ++ - login_accounts_are_necessary.severity=high - - id: 2.1.2 - title: Ensure No Unused Accounts - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - accounts_are_necessary -+ - accounts_are_necessary.severity=high + - id: 2.1.2 + title: Ensure No Unused Accounts + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - accounts_are_necessary ++ - accounts_are_necessary.severity=high - - id: 2.1.3 - title: Ensure Different Accounts Have Different GroupID - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - account_unique_group_id -+ - account_unique_group_id.severity=high + - id: 2.1.3 + title: Ensure Different Accounts Have Different GroupID + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - account_unique_group_id ++ - account_unique_group_id.severity=high - - id: 2.1.4 - title: Ensure Only Root's UID Is 0 + - id: 2.1.4 + title: Ensure Only Root's UID Is 0 
@@ -582,13 +639,19 @@ controls: - title: Ensure Old Password Verified - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - verify_owner_password -+ - verify_owner_password.severity=high + title: Ensure Old Password Verified + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - verify_owner_password ++ - verify_owner_password.severity=high - - id: 2.2.4 - title: Ensure Password Not Contain User Name - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - no_name_contained_in_password -+ - no_name_contained_in_password.severity=high + - id: 2.2.4 + title: Ensure Password Not Contain User Name + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - no_name_contained_in_password ++ - no_name_contained_in_password.severity=high - - id: 2.2.5 - title: Ensure Using Strong Hash Algorithm To Encipher Password + - id: 2.2.5 + title: Ensure Using Strong Hash Algorithm To Encipher Password @@ -660,7 +723,10 @@ controls: - title: Ensure Password Changed At First Login - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - first_logging_change_password -+ - first_logging_change_password.severity=high + title: Ensure Password Changed At First Login + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - first_logging_change_password ++ - first_logging_change_password.severity=high - - id: 2.3.1 - title: Ensure Account Locked After Accessing Fail + - id: 2.3.1 + title: Ensure Account Locked After Accessing Fail 
@@ -725,7 +791,10 @@ controls: - title: Ensure HISTSIZE Limited - levels: - - l2_server -- status: planned -+ status: automated -+ rules: -+ - historical_command_records_limited -+ - historical_command_records_limited.severity=low + title: Ensure HISTSIZE Limited + levels: + - l2_server +- status: planned ++ status: automated ++ rules: ++ - historical_command_records_limited ++ - historical_command_records_limited.severity=low - - id: 2.4.2 - title: Ensure SELinux Enforce + - id: 2.4.2 + title: Ensure SELinux Enforce 
@@ -767,25 +836,37 @@ controls: - title: Ensure No Files In /etc/sudoers Can Be Write By Low-privilege User - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - sudoers_disable_low_privileged_configure -+ - sudoers_disable_low_privileged_configure.severity=high + title: Ensure No Files In /etc/sudoers Can Be Write By Low-privilege User + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - sudoers_disable_low_privileged_configure ++ - sudoers_disable_low_privileged_configure.severity=high - - id: 2.4.7 - title: Ensure Low-privilege User Cannot Escalate By Pkexec - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - only_root_can_run_pkexec -+ - only_root_can_run_pkexec.severity=high + - id: 2.4.7 + title: Ensure Low-privilege User Cannot Escalate By Pkexec + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - only_root_can_run_pkexec ++ - only_root_can_run_pkexec.severity=high - - id: 2.4.8 - title: Ensure ALWAYS_SET_PATH Configurated - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - su_always_set_path -+ - su_always_set_path.severity=high + - id: 2.4.8 + title: Ensure ALWAYS_SET_PATH Configurated + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - su_always_set_path ++ - su_always_set_path.severity=high - - id: 2.4.9 - title: Ensure Root Can Not Login Local - levels: - - l2_server -- status: planned -+ status: manual -+ rules: -+ - diasable_root_accessing_system -+ - diasable_root_accessing_system.severity=low + - id: 2.4.9 + title: Ensure Root Can Not Login Local + levels: + - l2_server +- status: planned ++ status: manual ++ rules: ++ - diasable_root_accessing_system ++ - diasable_root_accessing_system.severity=low - - id: 2.4.10 - title: Ensure Not Run Files wiht unconfined_service_t Flag + - id: 2.4.10 + title: Ensure Not Run Files wiht unconfined_service_t Flag 
@@ -800,7 +881,10 @@ controls: - title: Ensure IMA Enabled - levels: - - l2_server -- status: planned -+ status: manual -+ rules: -+ - ima_verification -+ - ima_verification.severity=low + title: Ensure IMA Enabled + levels: + - l2_server +- status: planned ++ status: manual ++ rules: ++ - ima_verification ++ - ima_verification.severity=low - - id: 2.5.2 - title: Ensure AIDE Enabled + - id: 2.5.2 + title: Ensure AIDE Enabled 
@@ -817,7 +901,10 @@ controls: - title: Ensure Haveged Enabled - levels: - - l2_server -- status: planned -+ status: automated -+ rules: -+ - service_haveged_enabled -+ - service_haveged_enabled.severity=low + title: Ensure Haveged Enabled + levels: + - l2_server +- status: planned ++ status: automated ++ rules: ++ - service_haveged_enabled ++ - service_haveged_enabled.severity=low - - id: 2.6.2 - title: Global Crypto Setting Correct -@@ -862,7 +949,10 @@ controls: - title: Ensure Firewalld Set Default Zone Correctly - levels: - - l2_server -- status: planned -+ status: manual -+ rules: -+ - set_firewalld_default_zone_openeuler -+ - set_firewalld_default_zone_openeuler.severity=low + - id: 2.6.2 + title: Global Crypto Setting Correct +@@ -861,7 +948,10 @@ controls: + title: Ensure Firewalld Set Default Zone Correctly + levels: + - l2_server +- status: planned ++ status: manual ++ rules: ++ - set_firewalld_default_zone_openeuler ++ - set_firewalld_default_zone_openeuler.severity=low - - id: 3.2.3 - title: Ensure Firewalld Set Correct Interface Zone -@@ -917,13 +1007,19 @@ controls: - title: Ensure Iptables Input Rules Set - levels: - - l2_server -- status: planned -+ status: manual -+ rules: -+ - iptables_input_policy_configured_corrently -+ - iptables_input_policy_configured_corrently.severity=low + - id: 3.2.3 + title: Ensure Firewalld Set Correct Interface Zone +@@ -916,13 +1006,19 @@ controls: + title: Ensure Iptables Input Rules Set + levels: + - l2_server +- status: planned ++ status: manual ++ rules: ++ - iptables_input_policy_configured_corrently ++ - iptables_input_policy_configured_corrently.severity=low - - id: 3.2.9 - title: Ensure Iptables Output Rules Set - levels: - - l2_server -- status: planned -+ status: manual -+ rules: -+ - iptables_output_policy_configured_corrently -+ - iptables_output_policy_configured_corrently.severity=low + - id: 3.2.9 + title: Ensure Iptables Output Rules Set + levels: + - l2_server +- status: planned ++ status: manual ++ 
rules: ++ - iptables_output_policy_configured_corrently ++ - iptables_output_policy_configured_corrently.severity=low - - id: 3.2.10 - title: Ensure Iptables Input Output Connection Rules Set -@@ -965,13 +1061,19 @@ controls: - title: Ensure Nftables Input Rules Set - levels: - - l2_server -- status: planned -+ status: manual -+ rules: -+ - nftables_input_policy_configured_corrently -+ - nftables_input_policy_configured_corrently.severity=low + - id: 3.2.10 + title: Ensure Iptables Input Output Connection Rules Set +@@ -964,13 +1060,19 @@ controls: + title: Ensure Nftables Input Rules Set + levels: + - l2_server +- status: planned ++ status: manual ++ rules: ++ - nftables_input_policy_configured_corrently ++ - nftables_input_policy_configured_corrently.severity=low - - id: 3.2.15 - title: Ensure Nftables Output Rules Set - levels: - - l2_server -- status: planned -+ status: manual -+ rules: -+ - nftables_output_policy_configured_corrently -+ - nftables_output_policy_configured_corrently.severity=low + - id: 3.2.15 + title: Ensure Nftables Output Rules Set + levels: + - l2_server +- status: planned ++ status: manual ++ rules: ++ - nftables_output_policy_configured_corrently ++ - nftables_output_policy_configured_corrently.severity=low - - id: 3.2.16 - title: Ensure Nftables Input Output Connection Rules Set -@@ -1016,7 +1118,10 @@ controls: - title: Ensure SSHd Pubkey Algorithm Correct - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - sshd_use_strong_pubkey -+ - sshd_use_strong_pubkey.severity=high + - id: 3.2.16 + title: Ensure Nftables Input Output Connection Rules Set +@@ -1015,7 +1117,10 @@ controls: + title: Ensure SSHd Pubkey Algorithm Correct + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - sshd_use_strong_pubkey ++ - sshd_use_strong_pubkey.severity=high - - id: 3.3.5 - title: Ensure SSHd PAM Enabled -@@ -1049,7 +1154,10 @@ controls: - title: Ensure SSHd Ciphers Algorithm Not Overwritten - levels: - - 
l1_server -- status: planned -+ status: automated -+ rules: -+ - configure_ssh_crypto_policy -+ - configure_ssh_crypto_policy.severity=high + - id: 3.3.5 + title: Ensure SSHd PAM Enabled +@@ -1048,7 +1153,10 @@ controls: + title: Ensure SSHd Ciphers Algorithm Not Overwritten + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - configure_ssh_crypto_policy ++ - configure_ssh_crypto_policy.severity=high - - id: 3.3.9 - title: Ensure SSHd Forbid Root Login From Remote -@@ -1073,7 +1181,10 @@ controls: - title: Ensure SSHd Listen Address Set Correct - levels: - - l2_server -- status: planned -+ status: automated -+ rules: -+ - sshd_configure_correct_interface -+ - sshd_configure_correct_interface.severity=low + - id: 3.3.9 + title: Ensure SSHd Forbid Root Login From Remote +@@ -1072,7 +1180,10 @@ controls: + title: Ensure SSHd Listen Address Set Correct + levels: + - l2_server +- status: planned ++ status: automated ++ rules: ++ - sshd_configure_correct_interface ++ - sshd_configure_correct_interface.severity=low - - id: 3.3.12 - title: Ensure SSHd MaxStartups Correct -@@ -1137,7 +1248,10 @@ controls: - title: Ensure SSHd Authorized Keys Not Set - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - sshd_prohibit_preset_authorized_keys -+ - sshd_prohibit_preset_authorized_keys.severity=high + - id: 3.3.12 + title: Ensure SSHd MaxStartups Correct +@@ -1136,7 +1247,10 @@ controls: + title: Ensure SSHd Authorized Keys Not Set + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - sshd_prohibit_preset_authorized_keys ++ - sshd_prohibit_preset_authorized_keys.severity=high - - id: 3.3.19 - title: Ensure SSHd Known Hosts Not Set -@@ -1152,7 +1266,10 @@ controls: - title: Ensure SSHd Has No Obsolete Configurations - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - sshd_disable_rhosts_rsa -+ - sshd_disable_rhosts_rsa.severity=high + - id: 3.3.19 + title: Ensure SSHd Known Hosts 
Not Set +@@ -1151,7 +1265,10 @@ controls: + title: Ensure SSHd Has No Obsolete Configurations + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - sshd_disable_rhosts_rsa ++ - sshd_disable_rhosts_rsa.severity=high - - id: 3.3.21 - title: Ensure SSHd TCP Forward Disabled -@@ -1173,7 +1290,10 @@ controls: - title: Ensure Cron Not Run Low Privilege User Writable Bash - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - no_lowprivilege_users_writeable_cmds_in_crontab_file -+ - no_lowprivilege_users_writeable_cmds_in_crontab_file.severity=high + - id: 3.3.21 + title: Ensure SSHd TCP Forward Disabled +@@ -1172,7 +1289,10 @@ controls: + title: Ensure Cron Not Run Low Privilege User Writable Bash + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - no_lowprivilege_users_writeable_cmds_in_crontab_file ++ - no_lowprivilege_users_writeable_cmds_in_crontab_file.severity=high - - id: 3.4.2 - title: Ensure Cron Deamon Running -@@ -1332,7 +1452,10 @@ controls: - title: Ensure Ignore All ICMP Request - levels: - - l2_server -- status: planned -+ status: automated -+ rules: -+ - sysctl_net_ipv4_icmp_echo_ignore_all -+ - sysctl_net_ipv4_icmp_echo_ignore_all.severity=high + - id: 3.4.2 + title: Ensure Cron Deamon Running +@@ -1331,7 +1451,10 @@ controls: + title: Ensure Ignore All ICMP Request + levels: + - l2_server +- status: planned ++ status: automated ++ rules: ++ - sysctl_net_ipv4_icmp_echo_ignore_all ++ - sysctl_net_ipv4_icmp_echo_ignore_all.severity=high - - id: 3.5.10 - title: Ensure Ignore Bogus Error ICMP Package -@@ -1412,31 +1535,50 @@ controls: - title: Ensure tcp_timestamps Disabled - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - sysctl_net_ipv4_tcp_timestamps -+ - sysctl_net_ipv4_tcp_timestamps.severity=low + - id: 3.5.10 + title: Ensure Ignore Bogus Error ICMP Package +@@ -1411,31 +1534,50 @@ controls: + title: Ensure tcp_timestamps Disabled + levels: + - l1_server 
+- status: planned ++ status: automated ++ rules: ++ - sysctl_net_ipv4_tcp_timestamps ++ - sysctl_net_ipv4_tcp_timestamps.severity=low - - id: 3.5.17 - title: Ensure TCP Time Wait Correct - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - sysctl_net_ipv4_tcp_fin_timeout -+ - sysctl_net_ipv4_tcp_fin_timeout.severity=high + - id: 3.5.17 + title: Ensure TCP Time Wait Correct + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - sysctl_net_ipv4_tcp_fin_timeout ++ - sysctl_net_ipv4_tcp_fin_timeout.severity=high - - id: 3.5.18 - title: Ensure SYN Recv Set Correct - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - sysctl_net_ipv4_tcp_max_syn_backlog -+ - sysctl_net_ipv4_tcp_max_syn_backlog.severity=low + - id: 3.5.18 + title: Ensure SYN Recv Set Correct + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - sysctl_net_ipv4_tcp_max_syn_backlog ++ - sysctl_net_ipv4_tcp_max_syn_backlog.severity=low - - id: 3.5.19 - title: Ensure No ARP Proxy - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - sysctl_net_ipv4_conf_default_proxy_arp -+ - sysctl_net_ipv4_conf_default_proxy_arp.severity=high -+ - sysctl_net_ipv4_conf_all_proxy_arp -+ - sysctl_net_ipv4_conf_all_proxy_arp.severity=high + - id: 3.5.19 + title: Ensure No ARP Proxy + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - sysctl_net_ipv4_conf_default_proxy_arp ++ - sysctl_net_ipv4_conf_default_proxy_arp.severity=high ++ - sysctl_net_ipv4_conf_all_proxy_arp ++ - sysctl_net_ipv4_conf_all_proxy_arp.severity=high - - id: 3.5.20 - title: Ensure Core Dump Set Correct - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - coredump_limited -+ - coredump_limited.severity=high -+ - coredump_prohibit -+ - coredump_prohibit.severity=high + - id: 3.5.20 + title: Ensure Core Dump Set Correct + levels: + - l1_server +- status: planned ++ status: automated ++ 
rules: ++ - coredump_limited ++ - coredump_limited.severity=high ++ - coredump_prohibit ++ - coredump_prohibit.severity=high - - id: 3.5.21 - title: Ensure SysRq Key Disabled -@@ -1542,7 +1684,10 @@ controls: - title: Ensure Escalation Audited - levels: - - l2_server -- status: planned -+ status: automated -+ rules: -+ - audit_privilege_escalation_command -+ - audit_privilege_escalation_command.severity=low + - id: 3.5.21 + title: Ensure SysRq Key Disabled +@@ -1540,7 +1682,10 @@ controls: + title: Ensure Escalation Audited + levels: + - l2_server +- status: planned ++ status: automated ++ rules: ++ - audit_privilege_escalation_command ++ - audit_privilege_escalation_command.severity=low - - id: 4.1.6 - title: Ensure Module Changes Audited -@@ -1742,7 +1887,10 @@ controls: - title: Ensure Mount Audited - levels: - - l2_server -- status: planned -+ status: automated -+ rules: -+ - audit_rules_media_export -+ - audit_rules_media_export.severity=low + - id: 4.1.6 + title: Ensure Module Changes Audited +@@ -1740,7 +1885,10 @@ controls: + title: Ensure Mount Audited + levels: + - l2_server +- status: planned ++ status: automated ++ rules: ++ - audit_rules_media_export ++ - audit_rules_media_export.severity=low - - id: 4.2.1 - title: Ensure Rsyslog Enabled -@@ -1793,19 +1941,28 @@ controls: - title: Ensure Journald Transfer Set Correct - levels: - - l1_server -- status: planned -+ status: automated -+ rules: -+ - configure_dump_journald_log -+ - configure_dump_journald_log.severity=high + - id: 4.2.1 + title: Ensure Rsyslog Enabled +@@ -1791,19 +1939,28 @@ controls: + title: Ensure Journald Transfer Set Correct + levels: + - l1_server +- status: planned ++ status: automated ++ rules: ++ - configure_dump_journald_log ++ - configure_dump_journald_log.severity=high - - id: 4.2.7 - title: Ensure Rotate Setting In Rsyslog - levels: - - l1_server -- status: planned -+ status: manual -+ rules: -+ - configure_rsyslog_log_rotate -+ - configure_rsyslog_log_rotate.severity=high + - 
id: 4.2.7 + title: Ensure Rotate Setting In Rsyslog + levels: + - l1_server +- status: planned ++ status: manual ++ rules: ++ - configure_rsyslog_log_rotate ++ - configure_rsyslog_log_rotate.severity=high - - id: 4.2.8 - title: Ensure Remote Log Server Correct - levels: - - l2_server -- status: planned -+ status: manual -+ rules: -+ - rsyslog_remote_loghost_openeuler -+ - rsyslog_remote_loghost_openeuler.severity=low + - id: 4.2.8 + title: Ensure Remote Log Server Correct + levels: + - l2_server +- status: planned ++ status: manual ++ rules: ++ - rsyslog_remote_loghost_openeuler ++ - rsyslog_remote_loghost_openeuler.severity=low - - id: 4.2.9 - title: Ensure Only Specified Server Can Receive Logs + - id: 4.2.9 + title: Ensure Only Specified Server Can Receive Logs diff --git a/linux_os/guide/services/base/service_haveged_enabled/rule.yml b/linux_os/guide/services/base/service_haveged_enabled/rule.yml new file mode 100644 index 00000000..95bfd4b1 @@ -3119,5 +3119,5 @@ index 00000000..572cfb84 + vars: + pkgname: python2 -- -2.48.1 +2.51.0 diff --git a/remove-rule-audit_privilege_escalation_command.patch b/remove-rule-audit_privilege_escalation_command.patch index 5dd54ea5cd2117b3cff697a688f917950605fea3..08b8b09b10282d6622d41f18f6e814315d163e0e 100644 --- a/remove-rule-audit_privilege_escalation_command.patch +++ b/remove-rule-audit_privilege_escalation_command.patch @@ -13,33 +13,33 @@ Subject: [PATCH 1/1] remove rule audit_privilege_escalation_command delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/sce/shared.sh diff --git a/components/audit.yml b/components/audit.yml -index e749769c..f3b96558 100644 +index 16cc2831..eef815fd 100644 --- a/components/audit.yml 
+++ b/components/audit.yml -@@ -325,7 +325,6 @@ rules: - - package_audit-libs_installed - - package_audit_installed - - service_auditd_enabled +@@ -18,7 +18,6 @@ packages: + - audit-audispd-plugins + - audit-libs + rules: -- audit_privilege_escalation_command - templates: - - audit_file_contents - - audit_rules_dac_modification + - audit_access_failed + - audit_access_failed_aarch64 + - audit_access_failed_ppc64le diff --git a/controls/std_openeuler2203.yml b/controls/std_openeuler2203.yml -index 970a6e00..bae6ebc6 100644 +index 7cfe737b..6c1ffff0 100644 --- a/controls/std_openeuler2203.yml +++ b/controls/std_openeuler2203.yml -@@ -1688,10 +1688,7 @@ controls: - title: Ensure Escalation Audited - levels: - - l2_server -- status: automated -- rules: -- - audit_privilege_escalation_command -- - audit_privilege_escalation_command.severity=low -+ status: planned +@@ -1686,10 +1686,7 @@ controls: + title: Ensure Escalation Audited + levels: + - l2_server +- status: automated +- rules: +- - audit_privilege_escalation_command +- - audit_privilege_escalation_command.severity=low ++ status: planned - - id: 4.1.6 - title: Ensure Module Changes Audited + - id: 4.1.6 + title: Ensure Module Changes Audited diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml deleted file mode 100644 index 46e780e3..00000000 @@ -106,5 +106,5 @@ index 8cbd2019..00000000 -done -exit "$XCCDF_RESULT_PASS" -- -2.48.1 +2.51.0 diff --git a/scap-is-modified-to-be-consistent-with-the-specif.patch b/scap-is-modified-to-be-consistent-with-the-specif.patch index cc1af79eea50943352ee99c786301ef86b9f9982..c92a512dbb33e17362a5f899bc7c145e44bbf4f8 100644 --- a/scap-is-modified-to-be-consistent-with-the-specif.patch +++ b/scap-is-modified-to-be-consistent-with-the-specif.patch 
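Review bot: The rebased hunk still deletes a rule that the add-openeuler-automatic-hardening.patch regenerated in this same update introduces (it lists `audit_privilege_escalation_command` with `status: automated` under "Ensure Escalation Audited"), so the series creates the rule, its SCE script and its `components/audit.yml` entry only to remove them one patch later. Since both patches are being re-rolled for 0.1.78 anyway, folding the removal into the first patch would leave a cleaner series and one less pair of hunks that can drift apart on the next rebase. Independently, the control now falls back to `status: planned` with nothing recording why the automated rule was dropped; a `notes: automated rule audit_privilege_escalation_command removed, see remove-rule-audit_privilege_escalation_command.patch` line under that control would keep the gap visible to whoever picks it up next. The inner `components/audit.yml` hunk also moved from line 325 (end of the rules list, before `templates:`) to line 18 (head of the list, after `packages:`), which suggests upstream reordered the file; worth confirming the removal still targets the entry the first patch adds rather than relying on context matching.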
@@ -11,17 +11,17 @@ Subject: [PATCH] the ssg is modified to be consistent with the specifications 4 files changed, 12 insertions(+) diff --git a/controls/std_openeuler2203.yml b/controls/std_openeuler2203.yml -index f5d74498..970a6e00 100644 +index ee6986d3..7cfe737b 100644 --- a/controls/std_openeuler2203.yml +++ b/controls/std_openeuler2203.yml -@@ -1763,6 +1763,7 @@ controls: - rules: - - auditd_data_retention_space_left - - auditd_data_retention_space_left.severity=low -+ - var_auditd_space_left=75MB - - auditd_data_retention_space_left_action - - auditd_data_retention_space_left_action.severity=low - - var_auditd_space_left_action=syslog +@@ -1761,6 +1761,7 @@ controls: + rules: + - auditd_data_retention_space_left + - auditd_data_retention_space_left.severity=low ++ - var_auditd_space_left=75MB + - auditd_data_retention_space_left_action + - auditd_data_retention_space_left_action.severity=low + - var_auditd_space_left_action=syslog diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh index 4233f10e..293dc771 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh @@ -40,7 +40,7 @@ index 4233f10e..293dc771 100644 echo "admin_space_left = $var_auditd_admin_space_left_percentage%" >> /etc/audit/auditd.conf +{{% endif %}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml -index 16d74331..b2acd8f4 100644 +index 829c95ab..e831159d 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml 
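Review bot: `var_auditd_space_left=75MB` pins space_left to an absolute size while the same patch manages the admin threshold as a percentage (`admin_space_left = $var_auditd_admin_space_left_percentage%` in the following hunk); if I recall correctly auditd's config sanity check refuses a configuration where space_left is not larger than admin_space_left, so on a log volume where that percentage works out to more than 75MB the daemon will reject its config rather than just warn. Consider expressing both thresholds in the same unit, or at least documenting the constraint next to the selection, e.g. `# must stay above admin_space_left (percentage-based); 75MB assumes a small /var/log/audit`. Also confirm that `75MB` is still a key in `var_auditd_space_left.var` after the 0.1.78 rebase, since the `.var` hunk later in this patch only shows `250MB`/`500MB` as context and a missing option fails the profile build. The enclosing control block starts outside the hunk.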
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml @@ -17,7 +17,11 @@ @@ -68,5 +68,5 @@ index 4a3acbae..3d86ed49 100644 250MB: 250 500MB: 500 -- -2.48.1 +2.51.0 diff --git a/scap-security-guide-0.1.77.tar.bz2 b/scap-security-guide-0.1.77.tar.bz2 deleted file mode 100644 index a1c6f81dca0e921652f296244b9d1852e6a517d0..0000000000000000000000000000000000000000 Binary files a/scap-security-guide-0.1.77.tar.bz2 and /dev/null differ diff --git a/scap-security-guide-0.1.78.tar.bz2 b/scap-security-guide-0.1.78.tar.bz2 new file mode 100644 index 0000000000000000000000000000000000000000..f4e75932b4bb9eb677ad89aca7df94dd6c9462fc --- /dev/null +++ b/scap-security-guide-0.1.78.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8df68e10f80c722de8533668265e721e7a66fcf448a0fb78d28853a6e4418e17 +size 8569627 diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 1f12227530f9215b825ebd16c42182eba6fee8f2..9d52ad5b1166005c4a16404a47a8bb232eb92fc3 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -2,8 +2,8 @@ %global _vpath_builddir build Name: scap-security-guide -Version: 0.1.77 -Release: 2 +Version: 0.1.78 +Release: 1 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -71,6 +71,9 @@ rm -f %{buildroot}%{_docdir}/%{name}/LICENSE %doc %{_docdir}/%{name}/tables/*.html %changelog +* Wed Nov 05 2025 Ge Wang - 0.1.78-1 +- Update to 0.1.78 + * Wed Sep 03 2025 jinlun - 0.1.77-2 - Support for 2509 configuration check