scap-security-guide/add-80-rules-for-openeuler.patch


2023-11-17 16:31:34 +08:00
From 941e961d84f0c1610134b367364a0f66b82cc9f9 Mon Sep 17 00:00:00 2001
From: qsw333 <wangqingsan@huawei.com>
Date: Thu, 16 Nov 2023 13:50:38 +0800
Subject: [PATCH] second
---
.../base/service_haveged_enabled/rule.yml | 31 +++++++
.../service_dhcpd_disabled/rule.yml | 2 +-
.../service_named_disabled/rule.yml | 2 +-
.../package_httpd_removed/rule.yml | 2 +-
.../package_openldap-clients_removed/rule.yml | 23 +++++
.../service_rpcbind_disabled/rule.yml | 2 +-
.../service_nfs-server_disabled/rule.yml | 33 +++++++
linux_os/guide/services/rsync/group.yml | 9 ++
.../rsync/service_rsyncd_disabled/rule.yml | 20 ++++
.../service_smb_disabled/rule.yml | 2 +-
.../oval/shared.xml | 25 +++++
.../rule.yml | 16 ++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 19 ++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 18 ++++
.../oval/shared.xml | 25 +++++
.../sshd_configure_correct_interface/rule.yml | 18 ++++
.../oval/shared.xml | 25 +++++
.../sshd_disable_AllowTcpForwardindg/rule.yml | 18 ++++
.../oval/shared.xml | 25 +++++
.../sshd_disable_x11_forwarding/rule.yml | 16 ++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 18 ++++
.../uninstall_software_service/group.yml | 5 +
.../network_sniffing_tools/rule.yml | 24 +++++
.../rule.yml | 2 +-
.../no_forward_files/oval/shared.xml | 20 ++++
.../no_forward_files/rule.yml | 17 ++++
.../rule.yml | 27 ++++++
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 25 +++++
.../oval/shared.xml | 25 +++++
.../audit_rule_admin_privilege/rule.yml | 27 ++++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 56 +++++++++++
.../auditd_data_retention_space_left/rule.yml | 2 +-
.../auditing/grub2_audit_argument/rule.yml | 2 +-
.../rule.yml | 2 +-
.../oval/shared.xml | 25 +++++
.../configure_dump_journald_log/rule.yml | 22 +++++
.../rule.yml | 19 ++++
.../configure_rsyslog_log_rotate/rule.yml | 45 +++++++++
.../configure_service_logging/rule.yml | 21 +++++
.../diasable_root_accessing_system/rule.yml | 35 +++++++
.../rsyslog_files_permissions/oval/shared.xml | 1 +
.../oval/shared.xml | 25 +++++
.../rule.yml | 24 +++++
.../rsyslog_remote_loghost/oval/shared.xml | 1 +
.../rule.yml | 28 ++++++
.../rule.yml | 36 +++++++
.../rule.yml | 27 ++++++
.../rule.yml | 36 +++++++
.../rule.yml | 28 ++++++
.../wireless_disable_interfaces/rule.yml | 2 +-
.../rule.yml | 26 ++++++
.../system/network/network_nftables/group.yml | 12 +++
.../rule.yml | 32 +++++++
.../rule.yml | 24 +++++
.../rule.yml | 21 +++++
.../rule.yml | 23 +++++
.../rule.yml | 22 +++++
.../service_nftables_enabled/rule.yml | 22 +++++
.../define_ld_lib_path_correctly/rule.yml | 25 +++++
.../files/define_path_strictly/rule.yml | 31 +++++++
.../no_files_globally_writable_files/rule.yml | 34 +++++++
.../rule.yml | 28 ++++++
.../partitions_mounted_nodev_mode/rule.yml | 48 ++++++++++
.../partitions_mounted_noexec_mode/rule.yml | 19 ++++
.../partitions_mounted_nosuid_mode/rule.yml | 27 ++++++
.../rule.yml | 28 ++++++
.../read_only_partitions_no_modified/rule.yml | 19 ++++
.../rule.yml | 29 ++++++
.../sysctl_kernel_yama_ptrace_scope/rule.yml | 2 +-
.../rule.yml | 28 ++++++
.../system/software/enabled_seccomp/rule.yml | 35 +++++++
.../crypto/configure_crypto_policy/rule.yml | 2 +-
.../aide/aide_build_database/oval/shared.xml | 1 +
.../aide/enable_aide_detection/rule.yml | 29 ++++++
.../ima_verification/rule.yml | 47 ++++++++++
.../rule.yml | 18 ++++
.../disabled_SysRq/oval/shared.xml | 25 +++++
.../system-tools/disabled_SysRq/rule.yml | 20 ++++
.../uninstall_debugging_tools/rule.yml | 23 +++++
.../rule.yml | 26 ++++++
openeuler2203/profiles/standard.profile | 93 +++++++++++++++++++
89 files changed, 1869 insertions(+), 16 deletions(-)
create mode 100644 linux_os/guide/services/base/service_haveged_enabled/rule.yml
create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
create mode 100644 linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml
create mode 100644 linux_os/guide/services/rsync/group.yml
create mode 100644 linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml
create mode 100644 linux_os/guide/services/uninstall_software_service/group.yml
create mode 100644 linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml
create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml
create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
create mode 100644 linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml
create mode 100644 linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
create mode 100644 linux_os/guide/system/logging/configure_service_logging/rule.yml
create mode 100644 linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml
create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml
create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml
create mode 100644 linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml
create mode 100644 linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_interface_binding_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/group.yml
create mode 100644 linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml
create mode 100644 linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml
create mode 100644 linux_os/guide/system/software/enabled_seccomp/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml
create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml
create mode 100644 linux_os/guide/system/software/uninstall_debugging_tools/rule.yml
create mode 100644 linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml
diff --git a/linux_os/guide/services/base/service_haveged_enabled/rule.yml b/linux_os/guide/services/base/service_haveged_enabled/rule.yml
new file mode 100644
index 0000000..a2e373a
--- /dev/null
+++ b/linux_os/guide/services/base/service_haveged_enabled/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Enable haveged service'
+
+description: |-
+ The haveged service provides an easy-to-use, unpredictable random number
+ generator. The generated random numbers are used to supplement the system
+ entropy pool, which can solve the problem of low system entropy in some
+ cases. It is recommended to enable this service in scenarios where encryption,
+ decryption or key generation is required (such as using openssl and gnutls).
+
+ If the haveged service is not turned on, when the process that needs to
+ generate strong pseudo-random numbers gets values from /dev/random, it will
+ be stuck in waiting because it cannot get enough values, and will not return
+ until new random bytes are obtained.
+
+severity: low
+
+rationale: |-
+ none.
+
+ocil: '{{{ ocil_service_disabled(service="haveged") }}}'
+
+platform: machine
+
+template:
+ name: service_enabled
+ vars:
+ servicename: haveged
\ No newline at end of file
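Review bot: The `ocil` line pairs a `service_enabled` template with the disabled-service OCIL macro, so the manual check text will tell the auditor to verify that haveged is not running, the opposite of what the automated check tests; it should read `ocil: '{{{ ocil_service_enabled(service="haveged") }}}'`. `rationale: none.` leaves the rule without a justification, while the second paragraph of the description (processes blocking on /dev/random when the entropy pool is low) is in fact the rationale and belongs under that key. That blocking claim depends on the kernel version — newer kernels stop /dev/random from blocking once the CRNG is initialised — so it should be checked against the openEuler 22.03 kernel before being stated as fact. The file also lacks a trailing newline.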
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
index efe3519..4d41613 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
title: 'Disable DHCP Service'
diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
index 62c1bf0..7add584 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
title: 'Disable named Service'
diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
index b9a6437..8156243 100644
--- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
title: 'Uninstall httpd Package'
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
new file mode 100644
index 0000000..717c04b
--- /dev/null
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Remove LDAP Client'
+
+description: |-
+ LDAP (Lightweight Directory Access Protocol) is a lightweight directory
+ access protocol that provides access control and maintains distributed
+ directory information.
+
+rationale: |-
+ Providing an LDAP client (<tt>openldap-clients</tt>) in the system can cause
+ waste of system resources and expand the scope of attacks. If the business
+ scenario does not require the use of LDAP services, it is prohibited to
+ install the LDAP client.
+
+severity: high
+
+template:
+ name: package_removed
+ vars:
+ pkgname: openldap-clients
\ No newline at end of file
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
index 902117f..9bd2182 100644
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
title: 'Disable rpcbind Service'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml
new file mode 100644
index 0000000..32a4889
--- /dev/null
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+prodtype: fedora,rhel6,rhel7,rhel8,openeuler2203
+
+title: 'Disable Network File System (nfs) Service'
+
+description: |-
+ Network File System (NFS) is one of the oldest and most widely distributed
+ file systems in UNIX environments. It provides the system with the ability
+ to mount other servers' file systems over the network. If the system does
+ not export NFS shares, it is recommended to disable NFS to reduce the remote
+ attack surface..
+ {{{ describe_service_disable(service="nfs-server") }}}
+
+rationale: |-
+ 'Disabling NFS affects services and applications on the system that rely on NFS,
+ as well as existing NFS mount points. Before disabling NFS, you should make sure
+ you understand the usage on your system and consider whether there are alternatives
+ to meet your file sharing and data access needs.'
+
+severity: low
+
+ocil_clause: 'it does not'
+
+ocil: '{{{ ocil_service_disabled(service="nfs") }}}'
+
+platform: machine
+
+template:
+ name: service_disabled
+ vars:
+ servicename: nfs-server
+ packagename: nfs-utils
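Review bot: The `ocil` macro names service `nfs` while the template checks `nfs-server`, so the manual check and the automated check refer to different units; use `ocil: '{{{ ocil_service_disabled(service="nfs-server") }}}'`. The `rationale` block is a literal scalar, so the single quotes on its first and last lines become part of the rendered text, and its content is a warning about the impact of disabling NFS rather than a reason to disable it — the attack-surface argument at the end of `description` is the actual rationale and should move here. Minor: `surface..` in the description has a doubled period, and `prodtype` lists fedora and rhel6–8 for a brand-new rule, which should be confirmed against whether those products already carry an equivalent rule.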
diff --git a/linux_os/guide/services/rsync/group.yml b/linux_os/guide/services/rsync/group.yml
new file mode 100644
index 0000000..0482394
--- /dev/null
+++ b/linux_os/guide/services/rsync/group.yml
@@ -0,0 +1,9 @@
+documentation_complete: true
+
+title: 'Rsync Server'
+
+description: |-
+ The rsync service can be used to synchronize data between
+ servers or between different Disk partitioning on the server,
+ but because rsync uses an unencrypted transmission protocol,
+ there is a risk of information disclosure.
\ No newline at end of file
diff --git a/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml
new file mode 100644
index 0000000..5afaa7c
--- /dev/null
+++ b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable Rsync Server Software'
+
+description: '{{{ describe_service_disable(service="rsync-daemon") }}}'
+
+rationale: |-
+ If the rsync service is enabled and data is transmitted between
+ different servers through the network, attackers can steal data
+ by listening to server ports, routers, and switch data packets.
+
+severity: high
+
+template:
+ name: service_disabled
+ vars:
+ servicename: rsyncd
+ packagename: rsync
\ No newline at end of file
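Review bot: `description` calls `describe_service_disable(service="rsync-daemon")` while the template disables `servicename: rsyncd`, so the generated description instructs the administrator to disable a unit the check never looks at. Align both on the unit that actually exists on openEuler 22.03 — presumably `rsyncd`, i.e. `description: '{{{ describe_service_disable(service="rsyncd") }}}'` — and confirm the name against the shipped `rsync` package. The file also lacks a trailing newline.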
diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
index aec5800..c13311f 100644
--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
title: 'Disable Samba'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
new file mode 100644
index 0000000..e6c1a0e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_concurrent_unauthenticated_connections" version="1">
+ <metadata>
+ <title>SSH concurrent unauthenticated connections should be configured correctly</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure the specified IP address for SSH connection.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH configure correctly concurrent unauthenticated connections"
+ test_ref="test_sshd_configure_concurrent_unauthenticated_connections" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH configure correctly concurrent unauthenticated connections"
+ id="test_sshd_configure_concurrent_unauthenticated_connections" version="1">
+ <ind:object object_ref="obj_test_sshd_configure_concurrent_unauthenticated_connections" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_configure_concurrent_unauthenticated_connections" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^maxstartups\s+\d+:\d+:\d+$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
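Review bot: The pattern `^maxstartups\s+\d+:\d+:\d+$` is case-sensitive, but sshd keywords are case-insensitive and the conventional spelling is `MaxStartups`, so a compliant `MaxStartups 10:30:100` line fails this check; use `(?i)^MaxStartups\s+\d+:\d+:\d+$`. The same case-sensitive matching is used in every sshd OVAL in this patch (sshd_configure_concurrent_sessions, sshd_configure_correct_LoginGraceTime, sshd_configure_correct_interface, sshd_disable_AllowTcpForwardindg, sshd_disable_x11_forwarding). The test also accepts any `start:rate:full` triple (and rejects the single-number form sshd also allows), so it verifies that the directive is present rather than that it is "configured correctly"; the rule should state a target and the pattern or a state should enforce it, and the same applies to the `\d+` patterns in the MaxSessions and LoginGraceTime checks. The `<description>` text ("Configure the specified IP address for SSH connection") is copied from the interface rule and does not describe this check.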
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml
new file mode 100644
index 0000000..60d2ccd
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'SSH concurrent unauthenticated connections should be configured correctly'
+
+description: |-
+ Attackers can consume system resources by establishing a large number of
+ concurrent connections with incomplete authentication without knowing the
+ password.
+
+rationale: |-
+ The MaxStartups setting specifies the maximum number of concurrent unauthenticated
+ connections to the SSH daemon.
+
+severity: low
\ No newline at end of file
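Review bot: The rule has no `ocil` or `ocil_clause`, so no manual check text is generated for it, and it names no target value even though the OVAL only tests that `MaxStartups` is present; the same gap exists in the other new sshd rule.yml files in this patch (concurrent_sessions, LoginGraceTime, correct_interface, AllowTcpForwardindg, x11_forwarding). Something like `ocil_clause: 'MaxStartups is not set'` with an `ocil` block that tells the auditor to inspect the directive in `/etc/ssh/sshd_config` would close that gap. The `description` and `rationale` texts also read swapped: the description explains the threat and the rationale defines the setting. The file lacks a trailing newline.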
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml
new file mode 100644
index 0000000..d30df39
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_configure_correct_sessions" version="1">
+ <metadata>
+ <title>The allowed number of concurrent sessions for a single SSH connection should be configured correctly</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure the allowed number of concurrent sessions.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH configure the allowed number of concurrent sessions"
+ test_ref="test_sshd_configure_concurrent_sessions" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH configure the allowed number of concurrent sessions"
+ id="test_sshd_configure_concurrent_sessions" version="1">
+ <ind:object object_ref="obj_test_sshd_configure_concurrent_sessions" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_configure_concurrent_sessions" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^MaxSessions\s+\d+$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
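Review bot: The definition id `sshd_configure_correct_sessions` does not match the rule directory `sshd_configure_concurrent_sessions`; in this project the OVAL definition id must equal the rule id for the check to be attached to the rule, so as written the build will most likely produce a rule with no automated check. Change it to `<definition class="compliance" id="sshd_configure_concurrent_sessions" version="1">`. Like the other sshd checks here, the `\d+` pattern passes for any value, including `MaxSessions 0`, which the rule.yml itself says blocks all sessions — a state with a bound would make the check meaningful.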
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml
new file mode 100644
index 0000000..2517850
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'The allowed number of concurrent sessions for a single SSH connection should be configured correctly'
+
+description: |-
+ SSH allows clients that support multiplexing to establish multiple sessions
+ based on a single network connection. MaxSessions limits the number of SSH
+ concurrent sessions allowed for each network connection, which can prevent
+ system resources from being unlimited occupied by a single or a few connections,
+ leading to denial of service attacks.
+
+rationale: |-
+ Setting MaxSessions to 1 will disable session multiplexing, meaning that only
+ one session is allowed for a connection, while setting it to 0 will block all
+ connected sessions.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
new file mode 100644
index 0000000..fb79aff
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_configure_correct_LoginGraceTime" version="1">
+ <metadata>
+ <title>LoginGraceTime should be configured correctly</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure the LoginGraceTime for SSH connection.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH configure correctly LoginGraceTime"
+ test_ref="test_sshd_configure_correct_LoginGraceTime" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH configure correctly LoginGraceTime"
+ id="test_sshd_configure_correct_LoginGraceTime" version="1">
+ <ind:object object_ref="obj_test_sshd_configure_correct_LoginGraceTime" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_configure_correct_LoginGraceTime" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^LoginGraceTime\s+\d+$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
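Review bot: The pattern `^LoginGraceTime\s+\d+$` accepts any value, including `LoginGraceTime 0`, which sshd_config(5) documents as "no limit", while the rule.yml asks for at most 60 seconds; it also rejects the time-format values sshd accepts (`LoginGraceTime 1m`). The check should capture the value and compare it against the limit in a state, and must exclude 0 explicitly. The rewrite below handles the bare-seconds and `s`-suffix forms; the `m`/`h` suffixes would need additional patterns or a bash-based check.

```xml
  <ind:textfilecontent54_test check="all" check_existence="all_exist"
      comment="SSH configure correctly LoginGraceTime"
      id="test_sshd_configure_correct_LoginGraceTime" version="1">
    <ind:object object_ref="obj_test_sshd_configure_correct_LoginGraceTime" />
    <ind:state state_ref="state_sshd_configure_correct_LoginGraceTime" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="obj_test_sshd_configure_correct_LoginGraceTime" version="1">
    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
    <!-- capture the value in seconds; [1-9]\d* excludes 0, which sshd treats as "no limit" -->
    <ind:pattern operation="pattern match">(?i)^LoginGraceTime\s+([1-9]\d*)s?$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
  <ind:textfilecontent54_state id="state_sshd_configure_correct_LoginGraceTime" version="1">
    <ind:subexpression datatype="int" operation="less than or equal">60</ind:subexpression>
  </ind:textfilecontent54_state>
```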
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml
new file mode 100644
index 0000000..2c97751
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'LoginGraceTime should be configured correctly'
+
+description: |-
+ LoginGraceTime is used to limit the user's login time. If the user
+ fails to complete the login action within the time limit specified
+ by LoginGraceTime, the connection will be automatically disconnected.
+
+rationale: |-
+ It is recommended to set this value to less than or equal to 60 seconds.
+ If the value is set too high, attackers can utilize a large number of
+ incomplete login actions to consume server resources, resulting in normal
+ administrator login failures.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml
new file mode 100644
index 0000000..47510c8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_configure_correct_interface" version="1">
+ <metadata>
+ <title>SSH service interface should be configured correctly</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure the specified IP address for SSH connection.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH configure correctly interface"
+ test_ref="test_sshd_configure_interface" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH configure correctly interface"
+ id="test_sshd_configure_interface" version="1">
+ <ind:object object_ref="obj_test_sshd_configure_interface" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_configure_interface" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^ListenAddress\s+((?:\d{1,3}\.){3}\d{1,3})$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
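Review bot: The pattern accepts `ListenAddress 0.0.0.0`, which binds every interface and is precisely what the rule intends to rule out, and it rejects IPv6 addresses and the `address:port` form that sshd_config(5) allows. At minimum exclude the wildcard, e.g. `(?i)^ListenAddress\s+(?!0\.0\.0\.0$)((?:\d{1,3}\.){3}\d{1,3})$`; a fuller check would also reject `::` and accept bracketed IPv6 literals. The test also passes as soon as one matching line exists, so an additional `ListenAddress 0.0.0.0` line elsewhere in the file goes undetected.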
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml
new file mode 100644
index 0000000..0e1cb5c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'SSH service interface should be configured correctly'
+
+description: |-
+ Generally, the server has multiple network cards and multiple
+ IP addresses. IP addresses should be planned for business and
+ management. Therefore, not every IP address needs to listen for
+ SSH connections. You can configure to limit SSH connections to
+ only specified IP addresses to reduce the attack surface.
+
+rationale: |-
+ Unconfigured IP addresses cannot connect to the server through SSH.
+ It is recommended to plan and configure according to the actual situation.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml
new file mode 100644
index 0000000..9146f4c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_disable_AllowTcpForwardindg" version="1">
+ <metadata>
+ <title>Does not allow the use of AllowTcpForwarding</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Sshd does not allow the use of AllowTcpForwarding.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH prohibits the use of AllowTcpForwarding"
+ test_ref="test_sshd_disable_AllowTcpForwarding" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH prohibits the use of AllowTcpForwarding"
+ id="test_sshd_disable_AllowTcpForwarding" version="1">
+ <ind:object object_ref="obj_test_sshd_disable_AllowTcpForwarding" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_disable_AllowTcpForwarding" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^AllowTcpForwarding\s+no$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
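Review bot: `AllowTcpForwardindg` is misspelled in the definition id and in both directory names (this file and the rule.yml in the next hunk); since the definition id becomes the rule id, the typo would be the rule's permanent public identifier and should be corrected to `sshd_disable_AllowTcpForwarding` before merge (the test and object ids already use the correct spelling). The pattern only recognises `no`; sshd also accepts the restricted values `local` and `remote`, which this rule treats as non-compliant — if that is intentional, the rationale should say so.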
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml
new file mode 100644
index 0000000..1cdfb4e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Does not allow the use of AllowTcpForwarding'
+
+description: |-
+ AllowTcpForwarding allows the SSH server to act as a proxy to forward TCP requests from
+ clients, similar to establishing an SSH tunnel between the server and the client. This
+ feature may cause the client to attack other servers from the external network through
+ the SSH channel.
+
+rationale: |-
+ If AllowTcpForwarding is configured as yes, attackers can bypass firewall monitoring on
+ the client through the SSH channel and send attack commands to the intranet server where
+ the SSH server is located, thereby attacking it. So AllowTcpForwarding must be closed.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
new file mode 100644
index 0000000..5f4d777
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_disable_x11_forwarding" version="1">
+ <metadata>
+ <title>Does not allow the use of X11 Forwarding</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Sshd does not allow the use of X11 Forwarding.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH prohibits the use of X11 Forwarding"
+ test_ref="test_sshd_disable_X11_forwarding" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH prohibits the use of X11 Forwarding"
+ id="test_sshd_disable_X11_forwarding" version="1">
+ <ind:object object_ref="obj_test_sshd_disable_X11_forwarding" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_disable_X11_forwarding" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^X11Forwarding\s+no$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
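Review bot: The test passes whenever a line reading exactly `X11Forwarding no` exists anywhere in /etc/ssh/sshd_config, but sshd applies the first occurrence of a keyword, matches keywords case-insensitively and accepts leading whitespace, so `x11forwarding yes` followed by `X11Forwarding no` passes this check while forwarding stays enabled, and `X11Forwarding no ` with a trailing blank or a setting in an `Include`d drop-in is missed. A more faithful pattern is `^(?i)[\s]*X11Forwarding[\s]+no[\s]*$`, paired with a second, negated test that no other `X11Forwarding` line precedes it; the AllowTcpForwarding check in the preceding hunk has the same shape. Upstream's `sshd_lineinfile` template already encodes these semantics if this tree carries it.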
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
new file mode 100644
index 0000000..bc5f1fe
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Does not allow the use of X11 Forwarding'
+
+description: |-
+ The X11 Forwarding feature of SSH allows for the execution of GUI programs for remote
+ hosts on the local host. If not required in the business scenario, this feature must
+ be disabled.
+
+rationale: |-
+ Enabling the X11 Forwarding function expands the scope of attacks and poses a possibility
+ of being attacked by other users on the X11 server.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
new file mode 100644
index 0000000..3edae48
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_prohibit_preset_authorized_keys" version="1">
+ <metadata>
+ <title>Prohibit SSH service pre setting authorized_Keys</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>SSH service prohibits preset authorized_Keys.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH service prohibits preset authorized_Keys"
+ test_ref="test_sshd_prohibit_preset_authorized_keys" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH service prohibits preset authorized_Keys"
+ id="test_sshd_prohibit_preset_authorized_keys" version="1">
+ <ind:object object_ref="obj_test_sshd_prohibit_preset_authorized_keys" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_prohibit_preset_authorized_keys" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^LoginGraceTime\s+\d+$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
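Review bot: The `<ind:pattern>` line tests `^LoginGraceTime\s+\d+$`, which has nothing to do with pre-seeded authorized_keys: the definition passes on any host that sets LoginGraceTime and says nothing about keys, so the rule currently gives false assurance. Because the stated risk is a key shipped with the system, a check of the same shape as the `no_forward_files` file_test later in this patch — look for `authorized_keys` under `/root/.ssh` and `/home/*/.ssh` and negate the result — is the closest automated equivalent. On provisioned hosts a populated authorized_keys is often legitimate, so this is best applied to image-build scanning; the rewrite below replaces the criteria and the test/object pair.
```xml
  <criteria>
    <criterion comment="no preset authorized_keys in user .ssh directories"
      test_ref="test_sshd_prohibit_preset_authorized_keys" negate="true" />
  </criteria>
  <!-- … unchanged: definition metadata … -->
  <unix:file_test check="all" check_existence="at_least_one_exists"
    comment="look for authorized_keys under /root/.ssh and /home/*/.ssh"
    id="test_sshd_prohibit_preset_authorized_keys" version="1">
    <unix:object object_ref="obj_test_sshd_prohibit_preset_authorized_keys" />
  </unix:file_test>
  <unix:file_object id="obj_test_sshd_prohibit_preset_authorized_keys" version="1">
    <unix:path operation="pattern match">^(/root|/home/[^/]+)/\.ssh$</unix:path>
    <unix:filename operation="pattern match">^authorized_keys2?$</unix:filename>
  </unix:file_object>
```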
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml
new file mode 100644
index 0000000..1c139fa
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Prohibit SSH service pre setting authorized_Keys'
+
+description: |-
+ Authorized_ Keys is the public key of the remote host, which users can
+ store in their home directory $HOME/. ssh/authorized_ In the keys file,
+ for public key authentication, you can directly log in to the system.
+
+rationale: |-
+ If authorized is preset in the system_ Keys, and the server has enabled
+ the login method of public and private key authentication, allowing
+ attackers to bypass authentication and directly log in to the specified
+ system to attack it. So authorized cannot be preset in the system_ Keys.
+
+severity: high
\ No newline at end of file
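Review bot: The description and rationale are garbled — `Authorized_ Keys`, `$HOME/. ssh/authorized_ In the keys file`, `preset in the system_ Keys` — apparently from a translation that split on underscores. Suggested description: `authorized_keys holds the public keys that may authenticate to an account; it lives in $HOME/.ssh/authorized_keys and, with public-key authentication enabled, grants login to anyone holding the matching private key.` Suggested rationale: `If a system or image ships with a pre-seeded authorized_keys file, whoever holds the corresponding private key can log in without knowing any password, so such files must not be preset.` Note that the sibling OVAL in the hunk above does not currently check for authorized_keys files at all.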
diff --git a/linux_os/guide/services/uninstall_software_service/group.yml b/linux_os/guide/services/uninstall_software_service/group.yml
new file mode 100644
index 0000000..0a269ba
--- /dev/null
+++ b/linux_os/guide/services/uninstall_software_service/group.yml
@@ -0,0 +1,5 @@
+documentation_complete: true
+
+title: 'Do not install some software packages.'
+
+description: |-
\ No newline at end of file
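Review bot: `description: |-` at the end of the hunk is an empty block scalar — the file ends right after it — so the group carries no description text; whether the build accepts an empty description I cannot tell from here, but the rendered guide would show nothing for it. Something like `description: |-` followed by `    Rules in this group ensure that packages not needed in production, such as network sniffing and packet capture tools, are not installed.` The title `Do not install some software packages.` is vague and ends with a period unlike the other titles in this patch; `title: 'Uninstall Unneeded Software Packages'`.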
diff --git a/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml
new file mode 100644
index 0000000..b41c210
--- /dev/null
+++ b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Uninstall network sniffing Package'
+
+description: |-
+ If the production environment contains network sniffing tools, attackers
+ can easily use these tools to conduct network analysis and assist network
+ attacks. Therefore, installation of various network sniffing and packet
+ capture analysis tools, such as tcpdump, ethereal, wireshark, etc., should
+ be prohibited in the production environment.
+
+ <p><tt>It can not be scanned automatically,please check it manually.</tt></p>
+ <p>check the network_sniffing_tools,such as wireshark,netcat,tcpdump,namp,ethereal:</p>
+ <ul>
+ <pre> rpm -qa | grep -iE "^(wireshark-|netcat-|tcpdump-|nmap-|ethereal-)"</pre>
+ </ul>
+
+rationale: |-
+ There is no need to install various network sniffing and packet capture
+ analysis tools in the production environment.
+
+severity: low
\ No newline at end of file
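Review bot: `namp` in the line `check the network_sniffing_tools,such as wireshark,netcat,tcpdump,namp,ethereal:` is a typo for `nmap` (the grep below spells it correctly), and the `<pre>` is wrapped in a `<ul>` with no `<li>`, which is invalid HTML — the bare `<pre>` is enough. The description says the rule cannot be scanned automatically, yet sibling rules in this same patch such as `package_openldap-clients_removed` are automated package checks, so this could become one `package_*_removed` rule per package (tcpdump, wireshark, nmap, netcat) with real OVAL instead of a manual step. `ethereal` is the former name of wireshark and is unlikely to exist as an openEuler package; listing it is harmless but misleading.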
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index 84a64db..625f15d 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhel6,rhel7,rhel8,rhv4
+prodtype: fedora,rhel6,rhel7,rhel8,rhv4,openeuler2203
title: 'Remove the X Windows Package Group'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml
new file mode 100644
index 0000000..eab54dd
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml
@@ -0,0 +1,20 @@
+<def-group>
+ <definition class="compliance" id="no_forward_files" version="1">
+ <metadata>
+ <title>Verify No forward Files Exist</title>
+ {{{- oval_affected(products) }}}
+ <description>If there are no related email forwarding scenarios, it is recommended to delete the .forward file.</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_no_forward_files_home" negate="true" />
+ </criteria>
+ </definition>
+ <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .forward in /home" id="test_no_forward_files_home" version="1">
+ <unix:object object_ref="object_no_forward_files_home" />
+ </unix:file_test>
+ <unix:file_object comment="look for .forward in /home" id="object_no_forward_files_home" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all" />
+ <unix:path operation="equals">/home</unix:path>
+ <unix:filename operation="pattern match">^\.forward$</unix:filename>
+ </unix:file_object>
+</def-group>
\ No newline at end of file
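Review bot: The file_object walks only `/home` at `max_depth="1"`, so `/root/.forward` and any home directory outside `/home` (service accounts, sites that use another mount point) are never examined; at minimum add a second object for `/root`, or derive the directories from the home field of /etc/passwd. `recurse_file_system="all"` will also descend into a network-mounted /home, which can make scans slow; `local` is usually the safer choice for this kind of walk. This file uses `{{{- oval_affected(products) }}}` while the other new OVAL files in this patch hardcode `<platform>multi_platform_openeuler</platform>`; the macro is the maintainable form and the others should follow it.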
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
new file mode 100644
index 0000000..318131a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Verify No forward Files Exist'
+
+description: |-
+ The <tt>.forward</tt> file can be configured with an email address, which
+ will be automatically forwarded to when users receive emails. If there are
+ no related email forwarding scenarios, it is recommended to delete the
+ <tt>.forward</tt> file.
+
+rationale: |-
+ If there is a <tt>.forward</tt> file, it may cause user emails carrying
+ sensitive information to be automatically forwarded to high-risk mailboxes.
+
+severity: low
\ No newline at end of file
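Review bot: `high-risk mailboxes` in the rationale is unclear; `mailboxes outside the organisation's control` says what the risk is. The rule is filed under `accounts-restrictions/password_storage`, which has nothing to do with mail forwarding; a location under the accounts or mail service rules would be clearer. Since the sibling OVAL only covers /home, the description should also tell the reader to check /root/.forward by hand.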
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml
new file mode 100644
index 0000000..b01dad4
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure the network interface is bound to the correct area'
+
+description: |-
+ File access permission control is the basic permission management in Linux. Different users
+ are authorized to access different files, preventing the leakage of sensitive information
+ between users or the tampering of file data. It can also prevent ordinary users from
+ unauthorized access to high-privilege files or configurations in the system.
+
+ It is recommended to audit and monitor system calls that modify file permissions and file
+ owners in the operating system. If relevant auditing is not configured, if illegal
+ modification occurs, it will not be conducive to traceability.
+
+ openEuler does not configure file access control permission audit rules by default. It is
+ recommended that users configure corresponding rules based on actual business scenarios.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ Configuring auditing, because audit logs need to be recorded when file permissions and owners
+ are modified, will have a slight impact on performance. However, since such operations should
+ not be performed frequently, it is actually not perceptible to users.
+
+severity: low
\ No newline at end of file
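Review bot: The `title` line says `Ensure the network interface is bound to the correct area`, which belongs to a firewall rule, not to this file-permission audit rule; `title: 'Record Events that Modify File Permissions and Ownership'` matches the description. The `rationale` explains the performance cost rather than why the events matter; the second paragraph of the description (traceability of unauthorized mode and owner changes) is the rationale and should move down. Since the rule is marked manual, note that upstream carries per-syscall automated rules for exactly this (`audit_rules_dac_modification_chmod`, `_chown`, `_fchmod` and so on) that could be enabled for the openEuler prodtype instead.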
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index ebd52e2..2e7f907 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
title: 'Record Unsuccessful Access Attempts to Files - creat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index 3634935..cac6a0d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
title: 'Record Unsuccessful Access Attempts to Files - ftruncate'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 8d813fa..425ecb7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
title: 'Record Unsuccessful Access Attempts to Files - open'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index e8ec755..20b4d42 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
title: 'Record Unsuccessful Access Attempts to Files - openat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
new file mode 100644
index 0000000..6cebb2c
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ Ordinary users can obtain super administrator privileges by calling privilege
+ escalation commands (with SUID/SGID set), so the use of privilege escalation
+ commands carries high risks and is often used by attackers to attack the system.
+
+ It is recommended to audit and monitor privilege escalation commands to facilitate
+ traceability afterwards.
+
+ openEuler does not configure audit rules for privilege escalation commands by
+ default. It is recommended that users configure corresponding rules based on actual
+ business scenarios.
+
+rationale: |-
+ Configuring auditing requires audit logging when using privilege escalation
+ commands, which has a slight impact on performance. If the user business has
+ a large number of scenarios where privilege escalation commands are frequently
+ called, there may be a cumulative effect.
+
+severity: low
\ No newline at end of file
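Review bot: The `title` is `Make sure to remove unnecessary file system mount support`, copied from an unrelated rule; the body is about auditing SUID/SGID command execution, so `title: 'Record Use of Privileged Commands'` or similar. The rationale again only discusses overhead; the reason is that privileged-command execution is what an attacker does after gaining a foothold, so its audit trail is what incident response needs, and that belongs in `rationale`. Upstream has an automated `audit_rules_privileged_commands` rule that enumerates setuid/setgid binaries and checks each has a matching `-a always,exit -F path=... -F perm=x` rule; reusing it would replace this manual check.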
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml
new file mode 100644
index 0000000..b70b4d9
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="audit_rule_admin_privilege" version="1">
+ <metadata>
+ <title>Audit rules for administrator privileged operations should be configured</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure audit rules for administrator privileged operations</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Configure audit rules for administrator privileged operations"
+ test_ref="test_audit_rule_admin_privilege" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="recorded authentication-related event"
+ id="test_audit_rule_admin_privilege" version="1">
+ <ind:object object_ref="obj_test_audit_rule_admin_privilege" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_audit_rule_admin_privilege" version="1">
+ <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
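Review bot: The `<ind:pattern>` requires the watch to read `-w sudo.log`, so the correct rule `-w /var/log/sudo.log -p wa -k ...` that the sibling rule.yml describes never matches (the `[\s]+` before `sudo\.log` does not admit the `/var/log/` prefix), and `auditctl -w` expects an absolute path anyway. Change the start of the pattern to `^\-w[\s]+/var/log/sudo\.log[\s]+\-p[\s]+` and, because persistent rules are normally written to `/etc/audit/rules.d/*.rules` and only compiled into `/etc/audit/audit.rules` by augenrules, make the path `<ind:filepath operation="pattern match">^/etc/audit/(rules\.d/.*\.rules|audit\.rules)$</ind:filepath>`. The test comment `recorded authentication-related event` does not describe a sudo.log watch.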
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
new file mode 100644
index 0000000..8d548e5
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Audit rules for administrator privileged operations should be configured'
+
+description: |-
+
+ The sudo extraction command operation log in the openEuler system is recorded
+ in the /var/log/secure log file by default. Other authentication-related security
+ logs are also recorded in this file. If the user wants to audit the sudo extraction
+ command, it is recommended that the sudo related logs be Record separately and
+ output to /var/log/sudo.log, and then audit and monitor the sudo log file. Sudo
+ privilege escalation is a high-risk operation and is relatively common in attacks. It
+ is recommended to configure audit rules for later tracing.
+
+ openEuler does not configure audit rules for administrator privileged operations
+ by default. It is recommended that users configure corresponding rules based on
+ actual business scenarios.
+
+rationale: |-
+ Configure auditing. Since audit logging is required for any sudo privilege escalation
+ operation, it will have a slight impact on performance. If there are a large number
+ of frequent sudo operations in the user's business scenario, the impact on performance
+ will have a cumulative effect.
+
+severity: high
\ No newline at end of file
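Review bot: The description asks that sudo write its own log to /var/log/sudo.log, but neither this rule nor its OVAL checks that sudo is configured to do so (`Defaults logfile=/var/log/sudo.log` in /etc/sudoers or a drop-in), and an audit watch on a file sudo never writes records nothing — state the sudoers setting as a prerequisite, or add a rule that checks it. The prose also needs a pass: `sudo extraction command` should be `sudo privilege escalation`, and `be Record separately and output to /var/log/sudo.log` should read `be recorded separately in /var/log/sudo.log`. The description block also opens with an empty line under `description: |-`.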
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml
new file mode 100644
index 0000000..bf0b651
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="auditd_data_retention_admin_space_left" version="1">
+ <metadata>
+ <title>auditd data retention admin space left</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>auditd data retention admin space left.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="auditd data retention admin space left"
+ test_ref="test_auditd_data_retention_admin_space_left" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="auditd data retention admin space left"
+ id="test_auditd_data_retention_admin_space_left" version="1">
+ <ind:object object_ref="obj_test_auditd_data_retention_admin_space_left" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_auditd_data_retention_admin_space_left" version="1">
+ <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
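Review bot: The pattern `^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$` only asserts that `admin_space_left` is set to some integer, so `admin_space_left = 0` passes, and the sibling rule.yml in the next hunk describes `admin_space_left_action` instead, so the check and the rule text disagree. If the intent is the threshold, compare the captured value against a variable with an `int` state and a `greater than or equal` operation; if the intent is the action, match `^[\s]*admin_space_left_action[\s]+=[\s]+(single|suspend|halt)[\s]*$` as the rule text says. Either way the title and description in the `<metadata>` block should name the setting being checked rather than repeating `auditd data retention admin space left`.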
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml
new file mode 100644
index 0000000..2c9273d
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml
@@ -0,0 +1,56 @@
+documentation_complete: true
+
+title: 'Configure auditd admin_space_left on Low Disk Space'
+
+description: |-
+ The <tt>auditd</tt> service can be configured to take an action
+ when disk space is running low but prior to running out of space completely.
+ Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line,
+ substituting <i>ACTION</i> appropriately:
+ <pre>admin_space_left_action = <i>ACTION</i></pre>
+ Set this value to <tt>single</tt> to cause the system to switch to single user
+ mode for corrective action. Acceptable values also include <tt>suspend</tt> and
+ <tt>halt</tt>. For certain systems, the need for availability
+ outweighs the need to log all actions, and a different setting should be
+ determined. Details regarding all possible values for <i>ACTION</i> are described in the
+ <tt>auditd.conf</tt> man page.
+
+rationale: |-
+ Administrators should be made aware of an inability to record
+ audit records. If a separate partition or logical volume of adequate size
+ is used, running low on space for audit records should never occur.
+
+severity: medium
+
+identifiers:
+ cce@rhel6: 27239-3
+ cce@rhel7: 27370-6
+ cce@rhel8: 80679-4
+ cce@ocp4: 82677-6
+
+references:
+ stigid@rhel6: "000163"
+ srg@rhel6: SRG-OS-999999
+ cis: 5.2.1.2
+ cjis: 5.4.1.1
+ cui: 3.3.1
+ disa: 140,1343
+ hipaa: 164.312(a)(2)(ii)
+ iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1
+ nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
+ nist-csf: DE.AE-3,DE.AE-5,PR.DS-4,PR.PT-1,RS.AN-1,RS.AN-4
+ pcidss: Req-10.7
+ stigid@rhel7: "030340"
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 7.1,SR 7.2'
+ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
+ cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
+
+ocil_clause: 'the system is not configured to switch to single user mode for corrective action'
+
+ocil: |-
+ Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to
+ determine if the system is configured to either suspend, switch to single user mode,
+ or halt when disk space has run low:
+ <pre>admin_space_left_action single</pre>
+
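Review bot: The `identifiers` block carries CCE numbers (27239-3, 27370-6, 80679-4, 82677-6) and the `references`/`stigid` entries that appear to come from upstream's `auditd_data_retention_admin_space_left_action` rule, from which this text was copied; CCEs are assigned per rule and product and must not be reused for a new openEuler rule, so drop `identifiers` and the rhel/ocp references. The file also lacks the `prodtype: openeuler2203` line every other new rule in this patch has, so as written it would be built for every product. The description and `ocil` describe `admin_space_left_action`, while the OVAL in the preceding hunk checks `admin_space_left`; pick one setting and make title, description, ocil and check agree.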
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index cb1ff1d..080e1ee 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
title: 'Configure auditd space_left on Low Disk Space'
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index 2c17ee1..0f4cdf0 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,openeuler2203
title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
index 36f3200..34ca8aa 100644
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,openeuler2203
title: 'Extend Audit Backlog Limit for the Audit Daemon'
diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
new file mode 100644
index 0000000..1e95b34
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="configure_dump_journald_log" version="1">
+ <metadata>
+ <title>Make sure rsyslog dump journald log is configured</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure rsyslog dump journald log.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="configure dump journald log"
+ test_ref="test_configure_dump_journald_log" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="configure dump journald log"
+ id="test_configure_dump_journald_log" version="1">
+ <ind:object object_ref="obj_test_configure_dump_journald_log" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_configure_dump_journald_log" version="1">
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[^#]*imjournal</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
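Review bot: The object at `<ind:filepath>/etc/rsyslog.conf</ind:filepath>` only inspects the main file, but rsyslog 8 configurations commonly load `imjournal` from `/etc/rsyslog.d/*.conf` through the include directive, so a correctly configured host fails this check; use `<ind:filepath operation="pattern match">^/etc/rsyslog(\.conf|\.d/.*\.conf)$</ind:filepath>`. The pattern `^[^#]*imjournal` also matches any non-comment mention of the word, such as a `$IMJournalStateFile imjournal.state` line on a host that never loads the module; anchoring on the load directive, `^[\s]*(\$ModLoad[\s]+imjournal|module\(load="imjournal")`, is more precise.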
diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
new file mode 100644
index 0000000..7247e27
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure rsyslog dump journald log is configured'
+
+description: |-
+
+ The system uses journald to collect logs. The logs may be stored on
+ volatile storage devices or on persistent storage devices. If there
+ are problems such as log loss or logs filling up the disk, the logs
+ must be dumped in a timely manner to ensure that the logs are more
+ consistent with the system. Safety.
+
+rationale: |-
+ If there is a volatile storage device for the log, failure to dump
+ the log in time may result in log loss. If there is a persistent
+ storage device, the amount of logs may be very large. If the logs
+ are not dumped in time, the logs may fill up the current partition,
+ causing the risk of other processes or system failures.
+
+severity: high
\ No newline at end of file
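Review bot: The last sentence of the description, `to ensure that the logs are more consistent with the system. Safety.`, is garbled; `so that logs remain available and the system keeps running safely` or simply dropping the fragment. The description block also opens with an empty line under `description: |-`. The rule text is about not losing journald data and not filling the disk, but the OVAL in the hunk above only verifies that rsyslog loads imjournal; the journald-side controls for those two risks are `Storage=persistent` and `SystemMaxUse=` in /etc/systemd/journald.conf, which are worth naming here so the reader knows what to set.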
diff --git a/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml
new file mode 100644
index 0000000..16c62e7
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the account is forced to change the password when logging in for the first time'
+
+description: |-
+ Passwords that are not set by users themselves, such as passwords reset by
+ administrators, if not modified in a timely manner in the business environment,
+ can easily cause low-cost attacks. Therefore, users are required to forcibly change
+ their passwords when logging in to their accounts for the first time. Except for
+ the root password.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
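Review bot: This rule lives under `linux_os/guide/system/logging`, but it is an account/password policy (forced password change at first login) and belongs with the accounts rules; the word "logging" in the title seems to have driven the placement. `rationale: none.` is a placeholder; `A password set by an administrator is known to at least two parties; forcing a change at first login limits the window in which a reset or default password can be used.` The check is also automatable: what forces the change is a last-change field of 0 in /etc/shadow (what `chage -d 0 USER` sets), which an OVAL shadow_object can read.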
diff --git a/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
new file mode 100644
index 0000000..4257677
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
@@ -0,0 +1,45 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the iptables input and output association policies configuration is correct'
+
+description: |-
+ rsyslog is responsible for collecting log records from the system into files, and logrotate
+ is responsible for regularly or quantitatively copying and compressing log files to ensure
+ that excessive hard disk resources are not occupied due to excessive log file size, or that
+ the log files are even unmaintainable.
+
+ If the rotate policy is not configured, the log file will continue to grow, which may
+ eventually lead to the exhaustion of space on the hard disk partition where the log is
+ located, which may affect log recording at best, or may cause the system and business to be
+ unable to continue to execute normally.
+
+ By default, openEuler has configured the rsyslog rotate policy in the /etc/logrotate.d/rsyslog
+ file as follows:.
+
+ rotate log file:
+ /var/log/cron
+
+ /var/log/maillog
+
+ /var/log/messages
+
+ /var/log/secure
+
+ /var/log/spooler
+
+ The maximum retention period of log files is 365 days;
+
+ A maximum of 30 log files can be retained;
+
+ Log files are retained in a compressed manner;
+
+ The log file reaches 4MB, perform rotate operation.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
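Review bot: The `title` `Ensure that the iptables input and output association policies configuration is correct` belongs to a firewall rule; this file describes logrotate for rsyslog, so `title: 'Ensure rsyslog log rotation is configured'`. `rationale: none.` is a placeholder; the second paragraph of the description (unbounded growth exhausts the log partition and can stop logging or the system) is the rationale and should move there. `as follows:.` should lose the period, and since the expected values are spelled out, they could be verified with a textfilecontent54 test on /etc/logrotate.d/rsyslog rather than left as a manual check.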
diff --git a/linux_os/guide/system/logging/configure_service_logging/rule.yml b/linux_os/guide/system/logging/configure_service_logging/rule.yml
new file mode 100644
index 0000000..c15d25b
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_service_logging/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Each service logging should be configured correctly'
+
+description: |-
+ Configure logging so that important system behaviors and security-related information will
+ be recorded using rsyslog. The configuration files /etc/rsyslog.conf and /etc/rsyslog.d/*.conf
+ can specify logging rules and which files will be used to record specific types of logs.
+
+ If logging is not configured, system behavior cannot be recorded, and problem location and
+ auditing cannot be performed when problems occur.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ After logging is configured, if the logs are not cleared in time, the logs may fill up the current partition, causing the
+ risk of other processes or system failures.
+
+severity: low
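Review bot: The `rationale` talks about logs filling the partition if they are not cleared, which is the concern of the log-rotation rule, not of this one; the rationale for configuring service logging is the description's second paragraph (without logs, incidents cannot be investigated or audited) and should be moved here. The title `Each service logging should be configured correctly` reads better as `Logging for each service should be configured`.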
diff --git a/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml
new file mode 100644
index 0000000..b235f0e
--- /dev/null
+++ b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Prevent root users from accessing the system locally'
+
+description: |-
+ Root is a super-privileged user in a Linux system and has access to all
+ Linux system resources. If you are allowed to directly use the root account
+ to log in to the Linux system to operate the system, it will bring many
+ potential security risks. In order to avoid the risks caused by this, it
+ should be prohibited to directly use the root account to log in to the
+ operating system, and only use other technologies when necessary. Methods
+ (such as: sudo or su) indirectly use the root account.
+
+ Since the root account has the highest authority, logging in directly with
+ root has the following risks:
+
+ High-risk misoperations may directly cause server paralysis, such as accidentally
+ deleting or modifying key system files;
+
+ If multiple people need root privileges to operate, the root password will be
+ kept by multiple people, which can easily lead to password leakage and increase
+ password maintenance costs.
+
+ openEuler is not configured by default. If there is no need to log in locally using
+ the root account in actual scenarios, it is recommended to disable local login
+ with the root account.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ The root account cannot access the system locally.
+
+severity: low
\ No newline at end of file
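Review bot: The rationale `The root account cannot access the system locally.` restates the desired end state instead of explaining why the restriction matters, and the rule never names which control the manual check should inspect. Suggest `rationale: |-` / `Direct root logins cannot be attributed to an individual user and bypass the audit trail that sudo or su provide; restricting them also limits the blast radius of a shared or leaked root password.` and a sentence in the description pointing the auditor at the mechanism used on this product (for example the /etc/securetty list or the PAM module that consults it — confirm which applies to openEuler). The directory name `diasable_root_accessing_system` is misspelled and, since it becomes the rule id in generated content, is worth correcting before merge; the rule also sits under system/logging although it is an access-control rule.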
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index a78cd69..3bd9887 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -9,6 +9,7 @@
<platform>multi_platform_ol</platform>
<platform>multi_platform_rhel</platform>
<platform>multi_platform_ubuntu</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>File permissions for all syslog log files should be set correctly.</description>
</metadata>
diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml
new file mode 100644
index 0000000..63bce75
--- /dev/null
+++ b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="recorded_authentication_related_event" version="1">
+ <metadata>
+ <title>Ensure that system authentication related event logs are recorded</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure the System to Record Authentication-related Event.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="recorded authentication-related event"
+ test_ref="test_recorded_authentication_related_event" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="recorded authentication-related event"
+ id="test_recorded_authentication_related_event" version="1">
+ <ind:object object_ref="obj_test_recorded_authentication_related_event" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_recorded_authentication_related_event" version="1">
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[^#]*auth</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
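Review bot: The pattern `^[^#]*auth` on the textfilecontent54_object matches any non-comment line that merely contains the substring "auth", including the `authpriv.none` exclusion commonly found on the /var/log/messages selector, so a configuration that explicitly discards authentication messages still passes this check. Tightening it to require a facility selector with a real priority, e.g. `^[^#]*\bauth(priv)?\.(?!none\b)[^\s;]+\s+\S+` (OVAL patterns are PCRE, so the lookahead is valid), pins the check to a line that actually routes auth events somewhere. The object also reads only /etc/rsyslog.conf, while the sibling configure_service_logging rule says rules may live in /etc/rsyslog.d/*.conf; a second object with `<ind:filepath operation="pattern match">^/etc/rsyslog\.d/.*\.conf$</ind:filepath>` under an any-of criteria would cover the drop-in layout without weakening the primary check.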
diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml
new file mode 100644
index 0000000..1a52982
--- /dev/null
+++ b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that system authentication related event logs are recorded'
+
+description: |-
+
+ Events related to system authentication must be recorded to help
+ analyze user logins, use of root privileges, and monitor suspicious
+ system actions.
+ Failure to record system authentication-related event logs will
+ result in the inability to analyze suspicious attack actions from
+ the logs, such as login actions performed by attackers trying to
+ guess administrator passwords.
+
+rationale: |-
+ If there is a volatile storage device for the log, failure to
+ dump the log in time may result in log loss. If there is a persistent
+ storage device, the amount of logs may be very large. If the logs
+ are not dumped in time, the logs may fill up the current partition,
+ causing the risk of other processes or system failures.
+
+severity: high
\ No newline at end of file
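Review bot: The rationale in recorded_authentication_related_event/rule.yml is about log volume and dumping ("failure to dump the log in time may result in log loss") and does not justify recording authentication events at all; it reads as copied from a retention rule. The justification is already written in the description, so the fix is to move the second sentence down: `rationale: |-` / `Without authentication event logs it is impossible to reconstruct user logins, privilege escalation via root, or password-guessing attempts during an investigation.` The description also opens with an empty line after `description: |-`, and the rule has an OVAL check but no `ocil`, so the generated guide will contain no manual verification text.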
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
index 22307d4..c3e2752 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
@@ -10,6 +10,7 @@
<platform>multi_platform_rhel</platform>
<platform>multi_platform_ubuntu</platform>
<platform>multi_platform_wrlinux</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>Syslog logs should be sent to a remote loghost</description>
</metadata>
diff --git a/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml
new file mode 100644
index 0000000..d5d2335
--- /dev/null
+++ b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure Warning Banners contain reasonable information'
+
+description: |-
+ Warning Banners include warning information added to the system login
+ interface, which identifies the system's security warnings for all
+ users who log in to the system. Security warnings can include the
+ organization to which the system belongs, monitoring or recording of
+ login behaviors, and unauthorized logins based on business scenarios. Or
+ the legal sanctions that will be imposed upon intrusion. Inappropriate
+ security warning information may increase the risk of system attacks
+ or violate local laws and regulations.
+
+ Warning Banners should not expose the system version, application server
+ type, functions, etc. to users to prevent attackers from obtaining system
+ information and carrying out attacks. In addition to this, file ownership
+ needs to be configured correctly, otherwise unauthorized users may modify
+ files with incorrect or misleading information.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
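Review bot: The rationale `none.` in warning_banners_contain_reasonable_information/rule.yml leaves the generated guide with an empty justification even though the description already contains one; the same placeholder is used in nftables_association_policy_configured_corrently, nftables_input_policy_configured_corrently, nftables_loopback_policy_configured_corrently, nftables_output_policy_configured_corrently, define_ld_lib_path_correctly, define_path_strictly, no_files_globally_writable_files and partitions_manage_hard_drive_data. For this rule the second paragraph of the description is the rationale: suggest `rationale: |-` / `A banner that discloses the OS version or application type helps an attacker fingerprint the host, and a banner writable by unprivileged users can be altered to remove the legal notice.` and trimming that paragraph from the description. The same move — promote the "if not configured, X happens" sentence to `rationale` — works for each of the other rules listed.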
diff --git a/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..278556e
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the iptables input and output association policies configuration is correct'
+
+description: |-
+ Although it is possible to configure packet policies for incoming and outgoing servers to the
+ Input and OUTPUT chains by configuring protocols, IP, and ports, in some cases it may be more
+ complex. For example, if the client accesses the server through a certain port, the server may
+ not necessarily return the response packet from the original port, and may use a random source
+ port. In this case, it is difficult to configure accurate policies through the sport parameter.
+
+ At this point, it is necessary to consider using association links to configure the strategy.
+ If an outgoing message belongs to an existing network link, it will be directly released; If a
+ received message belongs to an existing network link, it is also directly released. Because
+ these existing links must have been filtered and checked by other policies, otherwise they cannot
+ be established.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check if the input and output chains are configured with associated policies.</p>
+ <ul>
+ <li>You can use below cli command to check if the input and output chains of IPv4 are configured with associated policies:
+ <pre># iptables -L</pre>
+ </li>
+ <li>You can use below cli command to check if the input and output chains of IPv6 are configured with associated policies:
+ <pre># ip6tables -L</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ If the policy is not configured through associated links, it is necessary to analyze all possible
+ link situations and configure corresponding policies. If the configuration is too loose, it may
+ cause security risks, and if the configuration is too strict, it may cause business interruption.
+
+severity: low
\ No newline at end of file
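Review bot: The check commands `iptables -L` and `ip6tables -L` omit `-n`, so listing performs reverse DNS lookups for every address and can hang on a host with no resolver, and they omit `-v`, unlike the sibling input/output/loopback rules which use `-L <chain> -v -n`; suggest `<pre># iptables -L INPUT -v -n</pre>` plus the OUTPUT and ip6tables equivalents. The description also never tells the auditor what a passing configuration looks like; adding `Look for a rule on INPUT and OUTPUT matching <tt>-m conntrack --ctstate ESTABLISHED,RELATED</tt> with target ACCEPT.` makes the manual check repeatable. Separately, the directory names in this and the following iptables/nftables rules, and network_interface_binding_corrently, spell "correctly" as "corrently"; since the directory becomes the rule id, rename before merge rather than after content references it.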
diff --git a/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..0f7e91a
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the iptables input policy configuration is correct'
+
+description: |-
+ The function of the Input chain is to filter packets received from external sources. Any
+ externally provided service requires configuring the corresponding Input policy and opening
+ the relevant port, so that external clients can access the service through that port.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check if the policy configured for the input chain meets business needs.</p>
+ <ul>
+ <li>You can use below cli command to check the input chain of IPv4:
+ <pre># iptables -L INPUT -v -n</pre>
+ </li>
+ <li>Or check the input chain of IPv6:
+ <pre># ip6tables -L INPUT -v -n</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ If not configured, all external attempts to access related services will be discarded due to
+ the default policy configuration being DROP.
+
+severity: low
\ No newline at end of file
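Review bot: The rationale states that external access "will be discarded due to the default policy configuration being DROP", but the built-in iptables chains default to ACCEPT; the DROP policy exists only where a default-deny rule has been applied, and this rule set has no iptables default-deny rule in view (the nftables counterpart does). Suggest `If no INPUT policy is configured for a service while the chain policy is DROP, all external attempts to reach it are silently discarded; if the chain policy is ACCEPT, every port is exposed instead.` The same claim appears in the rationale of the iptables output rule and should be adjusted there too.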
diff --git a/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..9d8bafe
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the iptables loopback policy configuration is correct'
+
+description: |-
+ The loopback address is a special address on the server, represented by 127.0.0.0/8,which is
+ not related to the network card and is mainly used for communication between local processes.
+ Messages with a source address of 127.0.0.0/8 should not be received from the network card,
+ and such messages should be discarded.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check if the loopback address policy has been correctly configured.</p>
+ <ul>
+ <li>You can use below cli command to check the input chain of IPv4:
+ <pre># iptables -L INPUT -v -n</pre>
+ </li>
+ <li>Or check the output chain of IPv4:
+ <pre># iptables -L OUTPUT -v -n</pre>
+ </li>
+ <li>Or check the input chain of IPv6:
+ <pre># ip6tables -L INPUT -v -n</pre>
+ </li>
+ <li>Or check the output chain of IPv6:
+ <pre># ip6tables -L OUTPUT -v -n</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ If the loopback address policy is not set correctly, it may cause communication failure between
+ local processes or receive spoofing messages from the network card. The server needs to set
+ policies that allow receiving and processing loopback address messages from the lo interface,
+ but reject messages received from the network card.
+
+severity: low
\ No newline at end of file
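Review bot: The description defines the loopback address only as 127.0.0.0/8, yet the check lists ip6tables commands; for IPv6 the loopback address is ::1/128, and an auditor following this text would not know what to look for in the ip6tables output. Suggest adding after the first paragraph: `For IPv6 the loopback address is ::1/128; packets with that source address arriving on any interface other than lo should likewise be dropped.` The manual check would also benefit from naming the expected rules: accept on `-i lo`, drop `-s 127.0.0.0/8` (and `-s ::1` for ip6tables) when `! -i lo`. The nftables loopback rule in nftables_loopback_policy_configured_corrently has the same IPv6 omission.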
diff --git a/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..c10cd44
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the iptables output policy configuration is correct'
+
+description: |-
+ There are two main situations for server outgoing messages: one is when the host process
+ actively connects to an external server, such as HTTP access, or sends data to a log server,
+ etc.; the other is when the host process accesses the local service externally and the local
+ machine responds to the message.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check if the policy configured for the output chain meets business needs.</p>
+ <ul>
+ <li>You can use below cli command to check the output chain of IPv4:
+ <pre># iptables -L OUTPUT -v -n</pre>
+ </li>
+ <li>Or check the input chain of IPv6:
+ <pre># ip6tables -L OUTPUT -v -n</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ If the OUTPUT policy is not configured, all outgoing messages from the server will be discarded
+ due to the default policy being DROP.
+
+severity: low
\ No newline at end of file
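Review bot: The second list item is labelled `Or check the input chain of IPv6:` but the command beneath it lists OUTPUT, so the label contradicts the command; change it to `<li>Or check the output chain of IPv6:`. The rationale repeats the claim that outgoing traffic is discarded "due to the default policy being DROP", which only holds once a default-deny policy has been applied, as noted on the input rule.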
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index bbea345..19cc6f5 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4,openeuler2203
title: 'Deactivate Wireless Network Interfaces'
diff --git a/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml
new file mode 100644
index 0000000..ee66dd7
--- /dev/null
+++ b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure the network interface is bound to the correct area'
+
+description: |-
+ Different firewall regions can develop different filtering strategies. If the server network
+ is complex and has multiple interfaces, and different interfaces undertake different business
+ functions, it is recommended to configure the interfaces to different regions and develop
+ different firewall strategies. For example, the external network business interface does not
+ allow SSH access, while the internal network management interface can open SSH access.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check the interface configuration of each region:</p>
+ <ul>
+ <pre># find ./ -type l -follow</pre>
+ </ul>
+
+rationale: |-
+ If all interfaces are configured in one area, firewall policies are not conducive to configuring
+ different interfaces differently, increasing management complexity, and reducing the filtering
+ efficiency of firewall security protection. Due to configuration issues, messages that should
+ not be received may not be rejected or discarded.
+
+severity: low
\ No newline at end of file
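Review bot: The check command `find ./ -type l -follow` is evaluated relative to whatever directory the auditor happens to be in and lists symbolic links, which has no connection to firewall zone membership, so the manual procedure cannot verify the title. If the firewall in scope is firewalld (the description's "regions" appear to be zones), the relevant command is `firewall-cmd --get-active-zones`, which prints each zone with its bound interfaces; `firewall-cmd --list-all-zones` shows the per-zone policy as well. The `<pre>` is also placed directly inside `<ul>` without an `<li>`, which renders inconsistently with the sibling rules.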
diff --git a/linux_os/guide/system/network/network_nftables/group.yml b/linux_os/guide/system/network/network_nftables/group.yml
new file mode 100644
index 0000000..68ecddd
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/group.yml
@@ -0,0 +1,12 @@
+documentation_complete: true
+
+title: 'nftables'
+
+description: |-
+ nftables is a subsystem of the Linux kernel that provides filtering
+ and classification of network packets. nftables replaces the iptables
+ part of Netfilter. Compared with iptables, nftable is easier to extend
+ to new protocols, and nftables will replace iptables in the future.
+ In addition, nftables is different from firewalld and iptables. The
+ operating system does not configure any policies by default and
+ requires manual configuration by the administrator.
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..73b0e5e
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables input strategy'
+
+description: |-
+ Although you can configure the policy of packets in and out of the server to
+ the input and output chains by configuring the protocol, IP and port, etc,
+ it is more complicated in some cases. For example, the client accesses the
+ server through a certain port, but when the server returns a response message
+ It does not necessarily return from the original port, but may use a random
+ source port. In this case, it is difficult to configure an accurate policy
+ through the sport parameter.
+
+ At this time, you need to consider using the associated link method to configure
+ the policy. If an outgoing packet belongs to an existing network link, it is
+ directly allowed; if a received packet belongs to an existing network link, it
+ is also directly allowed. Because these existing links must have been filtered
+ and checked by other policies, otherwise they cannot be established.
+
+ If you do not configure policies through associated links, you need to analyze
+ all possible link situations and configure corresponding policies. If the
+ configuration is too loose, it may lead to security risks. If the configuration
+ is too strict, it may cause business interruption.lll
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
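Review bot: The title `Configure nftables input strategy` is copy-pasted — this rule is about connection-tracking (association) policy — and the identical title is reused by nftables_input_policy_configured_corrently and nftables_output_policy_configured_corrently, so three distinct rules will appear under one heading in the generated guide. Suggest `title: 'Configure nftables connection-tracking policy'` here and `title: 'Configure nftables output policy'` for the output rule. There is also a stray `lll` at the end of the last description paragraph, and the output rule's description ends in `responds arts`, which looks like a truncated "responds to the request".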
diff --git a/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml
new file mode 100644
index 0000000..9a95f50
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables default deny policy'
+
+description: |-
+ From a security perspective, the nftables basic chain is similar to
+ iptables. (Input, output, forward) you need to configure the rejection
+ policy for all packets, and then add the allow policy to the basic
+ chain to open related services and ports.
+
+ If the basic chain is not configured, or the hook rules of the basic
+ chain are not specified, the packet will not be captured by nftables,
+ and filtering will not be possible.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ If the basic chain is not configured with a DROP or REJECT policy, the
+ packets will be ACCEPT by default, which may easily lead to security
+ risks due to omission of the rejection policy.
+
+severity: low
\ No newline at end of file
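Review bot: The rationale says the base chain should be "configured with a DROP or REJECT policy", but an nftables base chain policy can only be `accept` or `drop`; `reject` is a rule verdict, not a chain policy, so an auditor looking for a reject policy will never find one. Suggest `If a base chain is not declared with <tt>policy drop</tt>, packets it does not match are accepted by default, so any omitted deny rule becomes an exposure.` Naming the verification command in the description, `nft list ruleset`, would also give the manual check a concrete starting point.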
diff --git a/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..a1fb377
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables input strategy'
+
+description: |-
+ The function of the input chain is to filter messages received from the
+ outside. Any externally provided service needs to configure the
+ corresponding input policy and open the relevant port so that external
+ clients can access the service through the port.
+
+ If not configured, since the default policy is configured as DROP, all
+ external packets trying to access related services will be dropped.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..c71aabe
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables loopback policy'
+
+description: |-
+ The loopback address is a special address on the server, represented by 127.0.0.0/8. It
+ has nothing to do with the network card. It is mainly used for inter-process communication
+ on this machine. Packets with the source address 127.0.0.0/8 should not be received from
+ the network card. Such messages should be discarded. If the loopback address policy is
+ set incorrectly, inter-process communication on the local machine may fail, or spoofed
+ packets may be received from the network card.
+
+ The server needs to set a policy to allow receiving and processing the loopback address
+ packets of the lo interface, but reject the packets received from the network card.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..b3a795f
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables input strategy'
+
+description: |-
+ There are two main situations when the server sends outbound messages. One
+ is when the host process actively connects to an external server, such as
+ http access, or sends outgoing data to a log server, etc. The other is when
+ the host process externally accesses local services and the local machine
+ responds arts.
+
+ If no output policy is configured, all outgoing packets from the server will
+ be discarded because the default policy is DROP.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
new file mode 100644
index 0000000..ddc0939
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Verify nftables Enabled'
+
+description: '{{{ describe_service_enable(service="docker") }}}'
+
+rationale: |-
+ If multiple firewall services are enabled, business
+ interruption may occur due to inconsistent policy configurations.
+
+severity: low
+
+ocil: '{{{ ocil_service_enabled(service="nftables") }}}'
+
+platform: machine
+
+template:
+ name: service_enabled
+ vars:
+ servicename: nftables
\ No newline at end of file
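Review bot: The description macro calls `describe_service_enable(service="docker")`, so the generated text will instruct the reader to enable docker while the title, ocil and template all refer to nftables; change it to `description: '{{{ describe_service_enable(service="nftables") }}}'`. The rationale, "If multiple firewall services are enabled, business interruption may occur", argues for running exactly one firewall service rather than for enabling nftables specifically, and if the product's default firewall is a different service this rule would by itself create the conflict it warns about — worth stating the intended relationship with the other firewall rules in the rationale.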
diff --git a/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
new file mode 100644
index 0000000..b5a1142
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly'
+
+description: |-
+ LD_LIBRARY_PATH is a Linux environment variable. When a program loads a
+ dynamic link library, it will first obtain it from the path specified by
+ this environment variable. Normally, this environment variable should
+ not be set. If it is maliciously set to an incorrect value, the program
+ may be linked to an incorrect dynamic library when running, resulting in
+ security risks. Note: The configuration in /etc/ld.so.conf.d will also
+ affect dynamic library loading, so you need to ensure correct configuration.
+
+ openEuler does not set this variable by default. According to the actual
+ scenario, if LD_LIBRARY_PATH must be set, you need to ensure that the
+ value is correct in all user contexts.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
new file mode 100644
index 0000000..68adae3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly'
+
+description: |-
+ The PATH variable under Linux defines the search path for executable files
+ in the current user context. For example, if the user uses the ls command
+ in any directory, the system will search for the ls command in the directory
+ specified by the PATH variable and execute it after finding it. The PATH
+ variable in all user contexts cannot contain the current directory "." .The
+ directory must be a path that actually exists in the file system and meets
+ the design expectations of the system. The correct PATH value can effectively
+ prevent system commands from being replaced by malicious instructions and
+ ensure that system commands can be executed safely.
+
+ So the PATH variable should be defined to the correct value, and the openEuler
+ system default setting is:
+
+ /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
+
+ PATH can be modified according to the actual scenario, but be sure to make sure
+ it is correct.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
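Review bot: The title of define_path_strictly/rule.yml is `Make sure the LD_LIBRARY_PATH variable is defined correctly`, duplicated from the previous rule, while the body is entirely about PATH; change it to `title: 'Make sure the PATH variable is defined strictly'`. The description warns against "." in PATH but not against the equivalent form: an empty element (a leading or trailing colon, or `::`) is also treated as the current directory, so suggest appending `An empty element, such as a leading or trailing ":" or "::", is treated as the current directory and must be avoided for the same reason.`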
diff --git a/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml
new file mode 100644
index 0000000..e4fa75f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disallow globally writable files'
+
+description: |-
+ Globally writable means that all users can write to the file, but usually this
+ permission is not necessary. If a file is unreasonably set with globally writable
+ permissions, it can easily be tampered with by attackers, leading to security risks.
+ Therefore, if the file must have globally writable permissions, the security risks
+ need to be analyzed based on actual scenarios to ensure that attackers cannot use
+ this file to carry out attacks.
+
+ You can search for globally writable files in the root directory. The exceptions
+ are: There are a large number of globally writable files in the two system directories
+ "/sys" and "/proc" when Linux is running, so these two should be excluded when checking
+ directory to avoid confusion.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check globally writable filesdirectories "/sys" and "/proc" have been excluded.</p>
+ <ul>
+ <li>You can use below command to check :
+ <pre>find / -path /proc -prune -o -path /sys -prune -o -type f -perm -0002 -exec ls -lg {} \;</pre>
+ </li>
+ <li>or:
+ <pre>find / -xdev -type f -perm -0002 -exec ls -lg {} \</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
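Review bot: The second check command `find / -xdev -type f -perm -0002 -exec ls -lg {} \` is missing the terminating `;`, so find will exit with an error about the -exec argument instead of listing anything; it should read `<pre>find / -xdev -type f -perm -0002 -exec ls -lg {} \;</pre>`. The description at the start of the manual-check paragraph reads `Check globally writable filesdirectories "/sys" and "/proc" have been excluded.`, which has lost its punctuation; `Check for globally writable files; the "/sys" and "/proc" directories have been excluded.` reads as intended.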
diff --git a/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml
new file mode 100644
index 0000000..a80fe6a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Hard drive data should be managed in partitions'
+
+description: |-
+ When installing the operating system, the operating system data and business data
+ partitions should be managed according to the characteristics of the actual scenario
+ to avoid placing all data on one hard disk or partition. Proper planning of hard disk
+ partitions can avoid or reduce the following risks:
+
+ The log file is too large, causing the business or system data disk to become full;
+ The home directory of ordinary accounts is too large, causing the system or business disk to become full;
+ The system partition is not independent, causing the basic service of the operating system to fail when the disk is full, causing a full-scale DOS attack;
+ It is not conducive to minimizing permissions and encrypting data disks;
+ It is not conducive to system or data recovery after the disk is damaged.
+
+ As a general operating system, openEuler installs separate partitions "/boot, /tmp,
+ /home, /" by default. It is recommended to determine the partition mounting and size
+ of other directories based on the actual scenario.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml
new file mode 100644
index 0000000..86766f1
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml
@@ -0,0 +1,48 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Partitions that do not need to be mounted are mounted in nodev mode'
+
+description: |-
+ nodev means that device files are not allowed to be mounted, which is used
+ to reduce the attack surface and increase security. When the directory is
+ mounted, if the nodev option is set, all block devices, character devices
+ and other device files in the directory will be parsed into ordinary files
+ and cannot be operated on device files. If nodev is not set when mounting,
+ it will lead to security risks. For example, an attacker creates a file system
+ on the USB flash drive and creates a block device file in it (his own USB flash
+ drive, with corresponding permissions), and this block The device actually
+ points to the server hard disk or partition such as /dev/sda. If an attacker
+ has the opportunity to insert a USB flash drive into the server and the server
+ loads the USB flash drive, the attacker can access the corresponding file through
+ this block device file. Hard drive data. If the U disk in the above case is changed
+ to another hard disk or partition, a similar problem will exist. As long as there
+ is a maliciously constructed device file on the hard disk or partition, an attack
+ can be formed.
+
+ The following directories are mounted by nodev by default in the openEuler system:
+
+ /sys、/proc、/sys/kernel/security、/dev/shm、/run、/sys/fs/cgroup、/sys/fs/cgroup/systemd、
+ /sys/fs/pstore、/sys/fs/bpf、/sys/fs/cgroup/files、/sys/fs/cgroup/net_cls,net_prio、
+ /sys/fs/cgroup/devices、/sys/fs/cgroup/freezer、/sys/fs/cgroup/cpu,cpuacct、/sys/fs/cgroup/perf_event、
+ /sys/fs/cgroup/pids、/sys/fs/cgroup/hugetlb、/sys/fs/cgroup/memory、/sys/fs/cgroup/blkio、
+ /sys/fs/cgroup/cpuset、/sys/fs/cgroup/rdma、/sys/kernel/config、/sys/kernel/debug、/dev/mqueue、
+ /tmp、/run/user/0
+
+ openEuler has the following directories (some directories vary depending on hard disk partitions
+ and deployment platforms). These directories are not mounted by nodev by default:
+
+ /dev、/dev/pts、/、/sys/fs/selinux、/proc/sys/fs/binfmt_misc、/dev/hugepages、/boot、
+ /var/lib/nfs/rpc_pipefs、/boot/efi、/home
+
+ In actual scenarios, based on business needs, the nodev method is used to mount partitions
+ that do not require device mounting.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
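Review bot: The list of mounts "not mounted by nodev by default" mixes targets that can never carry `nodev` (`/dev`, `/dev/pts`; `/` is rarely a candidate either) with the ones an operator should actually fix (`/home`, `/boot`, `/boot/efi`), so the manual check is not actionable as written. Name the candidates explicitly, e.g. `Candidates for nodev: /home, /boot, /boot/efi and any data partition; /dev and /dev/pts must keep device nodes`. The rule is `severity: high` yet `rationale: none.`; the USB-device scenario in the description is the rationale and belongs under that key.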
diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml
new file mode 100644
index 0000000..21a7390
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ The data disk is only used to save data during system operation. There
+ is no need to execute relevant commands on the data disk. In this case,
+ the hard disk or partition must be mounted in noexec mode to improve security
+ and reduce the attack surface.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ If the hard disk or partition is mounted in noexec mode, the executable
+ file in the mount point directory cannot be run directly.
+
+severity: high
\ No newline at end of file
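Review bot: The title `Make sure to remove unnecessary file system mount support` is copied from another rule and does not describe this one; use `title: 'Make sure data partitions are mounted in noexec mode'` (the same title is reused on three other new rules in this patch). The rationale only restates what `noexec` does; the reason to require it is that a payload dropped on a data disk cannot be run via `execve` directly. Worth a caveat in the description: `noexec` does not stop a script from being handed to an interpreter (`sh /data/x.sh`), so it reduces but does not eliminate execution from the partition.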
diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml
new file mode 100644
index 0000000..ddbe5c6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure partitions that do not require SUID/SGID are mounted in nosuid mode'
+
+description: |-
+ After the SUID bit is set on an executable file, even if the user executing the file
+ is not the owner of the file, the process will be temporarily granted the permissions
+ of the file owner during execution. For example, the ordinary user test executes a
+ program with permissions 755 and owner root. If the program does not set the SUID bit,
+ the process only has the permissions of the test user; if the SUID is set, the process
+ has root permissions during execution. . SGID has a similar function, but it only has
+ the permissions of the group to which the file belongs. For partitions that do not
+ need SUID/SGID, use the nosuid method to mount them. This can invalidate the S bit of
+ files with SUID/SGID in the partition, prevent privilege escalation through the
+ executable files of the partition, and strengthen the security of the partition.
+
+ Users need to plan each mounted hard drive and partition and set nosuid mounting items
+ based on actual scenarios.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
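Review bot: `rationale: none.` on a high-severity rule; the SUID explanation in the description is the rationale, so move it there and keep the description for the check itself. The manual check would be easier to perform if it named what to inspect, e.g. `findmnt -o TARGET,OPTIONS` and confirm `nosuid` on /home, /tmp and every data partition. If mount(8) on this platform behaves as upstream, `nosuid` also ignores file capabilities on that filesystem, which is worth stating because it closes the capability-based escalation path as well as setuid.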
diff --git a/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml b/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml
new file mode 100644
index 0000000..512d8c1
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ Removable devices themselves are uncertain, and their origin, past usage,
+ and transportation processes cannot guarantee absolute safety. Therefore,
+ removable devices are often the main host devices for virus transmission.
+ Therefore, for removable devices, it is required to mount them in noexec
+ or nodev mode to improve security and reduce the attack surface.
+
+ noexec can prevent files on removable devices from being directly executed,
+ such as virus files, attack scripts, etc.;
+
+ nodev prevents incorrect device files on removable devices from being linked
+ to real devices on the server, leading to attacks;
+
+ Common removable devices such as: CD/DVD/USB, etc.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ If a removable device is mounted in noexec mode, the executable file
+ in the mount point directory cannot be run directly.
+
+severity: high
\ No newline at end of file
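Review bot: The title is again `Make sure to remove unnecessary file system mount support`, which describes a different rule; use `title: 'Mount removable media with noexec and nodev'`. The requirement "noexec or nodev" is too weak: the description itself explains that the two options defend against different things (running dropped binaries versus device nodes pointing at host disks), so removable media need both, and `nosuid` for the reason the nosuid rule gives. The directory name `partitoin_mounted_noexec_or_nodev` is misspelled and is also the rule id selected in the profile; rename it before it becomes a permanent identifier in generated XCCDF.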
diff --git a/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml b/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml
new file mode 100644
index 0000000..b54202f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Partitions that do not need to be modified are mounted read-only.'
+
+description: |-
+ Mounting file systems that do not require data modification in read-only mode can
+ avoid unintentional or malicious data tampering and reduce the attack surface.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ Once the file system is mounted in read-only mode, files and directories cannot
+ be created, modified, or deleted. Users need to configure it according to the actual
+ scenario. This requirement can be ignored for file mounting necessary for the
+ operation of the operating system.
+
+severity: high
\ No newline at end of file
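Review bot: A read-only mount is not a barrier to an attacker who already holds root, since `mount -o remount,rw` reverses it; the description should scope the control to accidental changes and unprivileged tampering so the `high` severity is not read as protection against privileged compromise. The rationale's "can be ignored for file mounting necessary for the operation of the operating system" gives the reviewer no criterion; name the usual candidates instead, e.g. `Typical read-only candidates: /boot outside kernel updates and partitions holding static application content; verify with findmnt -o TARGET,OPTIONS`.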
diff --git a/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml
new file mode 100644
index 0000000..8c4eff8
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ The Linux system supports a variety of file systems, which are
+ loaded into the kernel through ko mode. As a general operating
+ system platform, openEuler will provide various file systems ko,
+ which are stored in the /lib/modules/(kernel version)/kernel/fs/
+ directory and can be loaded through the insmod/modprobe command.
+ Disabling mount support for unnecessary file systems can reduce
+ the attack surface and prevent attackers from attacking the system
+ by exploiting vulnerabilities in some uncommon file systems.
+
+ Users should determine which file systems do not need to be supported
+ based on actual scenarios, and prohibit these file systems from being
+ mounted through configuration. These file systems usually include:
+
+ cramfs、freevxfs、jffs2、hfs、hfsplus、squashfs、udf、vfat、fat、msdos、nfs、ceph、fuse、overlay、xfs
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+
+rationale: |-
+ The removed file system is no longer supported.
+
+severity: high
\ No newline at end of file
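Review bot: The candidate list on the `cramfs、freevxfs…` line includes file systems this same patch relies on elsewhere: `vfat` backs the `/boot/efi` partition listed in the nodev rule, and `overlay`, `fuse`, `nfs` and `xfs` are needed on any host running containers, network mounts or an XFS root, so an operator following the list literally can render the machine unbootable. Split it into legacy formats that are safe to disable (`cramfs`, `freevxfs`, `jffs2`, `hfs`, `hfsplus`, `udf`, `squashfs`) and an "only if unused" group. The description says to "prohibit ... through configuration" but not how; state the mechanism, e.g. `install <fs> /bin/true` in `/etc/modprobe.d/`, and note that the upstream `kernel_module_*_disabled` rules use that form and are automatable if they exist in this tree.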
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index cd07fd0..ce86997 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,openeuler2203
title: 'Restrict usage of ptrace to descendant processes'
diff --git a/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml
new file mode 100644
index 0000000..cb8f534
--- /dev/null
+++ b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Avoid using programms labeled unconfined_service_t'
+
+description: |-
+ The purpose of SELinux setting the unconfined_service_t label
+ is to enable some third-party service processes that are not
+ configured with SELinux policies to run unfettered. By default,
+ when systemd runs a third-party application with the label bin_t
+ or usr_t (generally located in /usr/bin, /opt, etc. directories),
+ the generated process label is unconfined_service_t.
+
+ The difference from other high-privilege labels (such as unconfined_t,
+ initrc_t, etc.) is that unconfined_service_t has very few domain
+ conversion rules, which means that even if the process runs applications
+ that have been configured with SELinux policies, the label of the
+ new process will still be unconfined_service_t. The SELinux policy
+ configured for the process will not take effect. If it is attacked,
+ it will have a greater impact on the system.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ Programs labeled unconfined_service_t are restricted from running.
+
+severity: low
\ No newline at end of file
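Review bot: `rationale:` says programs labeled `unconfined_service_t` "are restricted from running", which is the opposite of what the description explains (they run with almost no confinement); the rationale should state why that matters, e.g. `A compromised unconfined_service_t process is not contained by SELinux policy, and the domain rarely transitions, so policy written for any program it launches never applies`. Fix the typo `programms` in the title. Give the reviewer the actual manual check: `ps -eZ | grep unconfined_service_t` to list affected processes, then either write a policy module for each daemon or relabel its binary to a confined type.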
diff --git a/linux_os/guide/system/software/enabled_seccomp/rule.yml b/linux_os/guide/system/software/enabled_seccomp/rule.yml
new file mode 100644
index 0000000..3e68100
--- /dev/null
+++ b/linux_os/guide/system/software/enabled_seccomp/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'seccomp should be enabled'
+
+description: |-
+ seccomp (full name: secure computing mode), when it was first introduced into the
+ Linux kernel, limited the system calls available to the process to four types: read,
+ write, _exit, sigreturn. In the original whitelisting method, in addition to the
+ four system calls allowed by the open file descriptor, if other system calls are
+ attempted, the kernel will use SIGKILL or SIGSYS to terminate the process.
+
+ The whitelist method is too restrictive and has little practical effect. In practical
+ applications, more precise restrictions are needed. In order to solve this problem,
+ BPF was introduced. The combination of seccomp and BPF rules allows users to filter
+ system calls using configurable policies. The policy is implemented using Berkeley
+ Packet Filter rules, which can filter any system calls and their parameters.
+
+ The openEuler kernel already provides seccomp function support by default, and also
+ provides the libseccomp peripheral package to help user-mode programs conveniently
+ set seccomp rules.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ seccomp cannot set the opening, closing or rules globally, but is specific to each
+ process. That is, the process can set and enable seccomp by itself, which affects
+ itself and all child threads, but does not affect other processes.
+
+ If seccomp is enabled in a process, there will be a performance loss when making
+ system calls. Users need to determine whether the performance loss is acceptable
+ based on actual business scenarios.
+
+severity: low
\ No newline at end of file
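Review bot: The rule states `seccomp should be enabled` while its own rationale says seccomp can only be turned on per process, so there is nothing system-wide for the reviewer to check and the rule is always a judgement call. Turn it into a verifiable expectation: name which processes are in scope (the business services) and the check, e.g. `grep Seccomp /proc/<pid>/status`, where `Seccomp: 2` means a filter is installed and `0` means none. The phrase "four system calls allowed by the open file descriptor" reads as a translation artifact; in strict mode the process may only use `read`, `write`, `_exit` and `sigreturn` on already-open descriptors, which is what the sentence should say.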
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index 787d897..6d9c09d 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,ol8,rhel8,openeuler2203
title: 'Configure System Cryptography Policy'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
index f9835af..4fb6a78 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
@@ -7,6 +7,7 @@
<platform>multi_platform_fedora</platform>
<platform>multi_platform_ol</platform>
<platform>multi_platform_rhel</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>The aide database must be initialized.</description>
</metadata>
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml
new file mode 100644
index 0000000..d2e80fa
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'aide intrusion detection should be enabled'
+
+description: |-
+ aide (advanced intrusion detection environment) is an intrusion detection tool that
+ can be used to check the integrity of files and directories in the system and identify
+ files or directories that have been maliciously tampered with. The principle of the
+ integrity check is to first construct a baseline database, which contains some attributes
+ of the file or directory such as permissions, users, etc. When performing the integrity
+ check, the current system status is compared with the baseline database to obtain the
+ check results. Finally, the file or directory changes of the current system are reported,
+ that is, the inspection report.
+
+ Enabling aide intrusion detection can effectively identify malicious tampering with files
+ or directories, thereby improving system integrity and security. The files or directories
+ that need to be checked can be configured as needed, which is highly flexible. Users only
+ need to query the check report to determine whether there is malicious tampering.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ The more files that need to be checked, the longer the checking process will take. If users
+ enable aide, they should configure the inspection strategy appropriately based on their own
+ business scenarios.
+
+severity: low
\ No newline at end of file
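Review bot: This manual rule overlaps with the automatable AIDE rules the same patch touches, since the `aide_build_database` OVAL is extended to openEuler a few hunks earlier; selecting `package_aide_installed`, `aide_build_database` and `aide_periodic_cron_checking` (if present in this tree) would give a scannable check instead. Whatever form it keeps, the description should cover the two things that make AIDE trustworthy: the baseline database and the `aide` binary must be stored where an attacker cannot rewrite them (read-only media or off-host), and the check must run on a schedule, otherwise a tamper can update the baseline or simply never be compared against it.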
diff --git a/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
new file mode 100644
index 0000000..426be91
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
@@ -0,0 +1,47 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'IMA metrics should be enabled'
+
+description: |-
+ IMA (Integrity Measurement Architecture) is an integrity protection function provided
+ by the kernel. When IMA is turned on, it can provide integrity measurements for
+ important files in the system based on user-defined policies. The measurement results
+ can be used locally and remotely. Proof of integrity.
+
+ When the IMA measurement function is not enabled in the system, summary information
+ of key files cannot be recorded in real time, and tampering with file contents or
+ attributes cannot be identified. Functions such as local attestation and remote
+ attestation that protect system integrity rely on the summary value provided by IMA
+ metrics, so they cannot be used, or the integrity protection is incomplete.
+
+ IMA global policy configuration is related to the specific environment. Normally,
+ integrity protection is only targeted at immutable files (such as executable files,
+ dynamic libraries, etc.). If the policy is improperly configured, it may lead to
+ excessive performance and memory overhead. It is recommended that users use their
+ own The situation determines whether to enable IMA and configure the correct policy.
+
+ Note: Since IMA is only the measurement part of the global integrity protection
+ mechanism, complete use requires TPM 2.0 and remote attestation services. This
+ specification only explains and recommends the measurement part of IMA. If the
+ system does not integrate TPM 2.0 and remote attestation services, the IMA measurement
+ function should not be enabled.
+
+ IMA measurement does not support container environments and virtual machine
+ environments, requires UEFI startup, and does not support Legacy mode.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ Turning on IMA metrics will cause a slight increase in system startup time and file
+ access time.
+ If the policy is improperly configured (such as measuring real-time changing log files,
+ temporary files, etc.), the measurement log may grow too fast and occupy too much system
+ memory, and the memory occupied by the measurement log will not be released before the
+ next restart of the system. , thus affecting the normal operation of the business. In
+ addition, because the measured files are constantly changing, the measurement value changes,
+ and the remote certification baseline value cannot be updated synchronously, causing the
+ remote certification to fail and losing the meaning of integrity protection.
+
+severity: low
\ No newline at end of file
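Review bot: The title says IMA measurement "should be enabled", but the description then says it "should not be enabled" without TPM 2.0 and a remote attestation service, so a reviewer cannot tell which state passes; make the condition explicit, e.g. `Required when the host has a TPM 2.0 and an attestation service; otherwise the measurement policy must remain disabled`. Give the concrete check: the kernel command line carries `ima_policy=` (plus `ima_template=`/`ima_hash=` where used) and `/sys/kernel/security/ima/ascii_runtime_measurements` is populated after boot. "IMA metrics" in the title and rationale should be "IMA measurement"; the term matters when an operator searches for the feature.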
diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
new file mode 100644
index 0000000..788eab7
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure sudoers cannot configure scripts writable by low-privileged users'
+
+description: |-
+ sudo can enable the set ordinary user to execute certain specific programs with root privileges,
+ and the corresponding configuration file is /etc/sudoers. Administrator users can configure
+ corresponding rules to make certain scripts or binary files run with root permissions. Therefore,
+ the scripts configured by sudo should only be writable by root. Scripts that can be written by
+ low-privilege users cannot be configured. If low-privilege users are configured, they can be written
+ by root. script, the user can perform privilege escalation operations by modifying the script.
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
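Review bot: This rule has no `oval/` check and, unlike the other manual rules in the patch, no "cannot be scanned automatically" marker, so it will silently never be evaluated; add the marker or an OVAL test. The check should go beyond the script's own mode: every directory on the path to a sudoers-listed command must also be non-writable by unprivileged users, otherwise the file can be replaced rather than edited, and commands should be given by absolute path. The last two sentences of the description are garbled (`If low-privilege users are configured, they can be written by root. script`); the intended meaning is `Scripts referenced from sudoers must be writable only by root; a script writable by an unprivileged user lets that user escalate by editing it`.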
diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml
new file mode 100644
index 0000000..ea4e9cf
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="disabled_SysRq" version="1">
+ <metadata>
+ <title>Disable use of SysRq key</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Disable SysRq.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="disable sysrq"
+ test_ref="test_disabled_SysRq" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="disable sysrq"
+ id="test_disabled_SysRq" version="1">
+ <ind:object object_ref="obj_test_disabled_SysRq" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_disabled_SysRq" version="1">
+ <ind:filepath>/proc/sys/kernel/sysrq</ind:filepath>
+ <ind:pattern operation="pattern match">0</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
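Review bot: The pattern on the `/proc/sys/kernel/sysrq` object is an unanchored `0`, so any value containing that digit passes — `10`, `100` or `160` are enabled-SysRq bitmasks that would be reported compliant; use `<ind:pattern operation="pattern match">^0$</ind:pattern>`. Reading `/proc` also only checks the running kernel, not persistence across reboot; the usual SSG form is a `sysctl` rule that verifies `kernel.sysrq = 0` in `/etc/sysctl.conf` or `/etc/sysctl.d/*.conf` as well as the runtime value. If upstream's `sysctl_kernel_sysrq` rule is present in this tree, it already does both and could be extended to openEuler instead of adding a new definition.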
diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml
new file mode 100644
index 0000000..ce7e977
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml
@@ -0,0 +1,20 @@
+
+prodtype: openeuler2203
+
+title: 'Disable use of SysRq key'
+
+description: |-
+
+ SysRq allows users with physical access to access dangerous system-level commands
+ in the computer, and the use of SysRq functions needs to be restricted.
+
+ If the SysRq key is not disabled, the SysRq call can be triggered through the
+ keyboard, which may cause commands to be sent directly to the kernel, affecting
+ the system.
+
+ openEuler prohibits the use of SysRq keys by default.
+
+rationale: |-
+ SysRq related commands cannot be used in the system.
+
+severity: high
\ No newline at end of file
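Review bot: The file starts with a blank line where every other rule in this patch has `documentation_complete: true`; the SSG build skips rules without that key, so `disabled_SysRq` would drop out of the content even though `standard.profile` selects it. Add `documentation_complete: true` as the first line. The rationale `SysRq related commands cannot be used in the system` describes the effect, not the reason; say instead `With SysRq enabled, anyone with console access can reboot, kill processes or dump memory without authenticating`.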
diff --git a/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml
new file mode 100644
index 0000000..c537c20
--- /dev/null
+++ b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ If the business environment contains debugging scripts and tools, they can
+ easily be exploited and attacked by attackers. Therefore, it is strictly
+ prohibited to install various debugging tools and files in the production
+ environment, including but not limited to: code debugging tools, privilege
+ escalation commands, scripts, and tools used for debugging functions, certificates,
+ and keys used in the debugging phase. Perf tools, point management and piling
+ tools for performance testing, attack scripts and tool scripts for verifying
+ security issues such as CVE, etc. Common open source third-party debugging tools
+ include: strace, gdb, readelf, perf, etc.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
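Review bot: The title `Make sure to remove unnecessary file system mount support` belongs to a different rule; use `title: 'Make sure debugging tools are not installed in the production environment'`. `rationale: none.` on a high-severity rule should carry the reason (such tools let an attacker attach to running services and recover secrets left over from debugging). The named packages are checkable: `strace`, `gdb` and `perf` can be expressed as `package_<name>_removed` rules with the existing package template, which would make at least that part of the rule scannable.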
diff --git a/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml
new file mode 100644
index 0000000..f3bfd27
--- /dev/null
+++ b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ If the business environment contains compilation tools, they can
+ easily be used by attackers to edit, tamper with, and reverse analyze
+ key files in the environment to carry out attacks. Therefore, it is
+ strictly prohibited to install various compilation, decompilation,
+ and binary analysis tools in the production environment, including
+ but not limited to: compilation tools, decompilation tools, compilation
+ environments, etc. Common third-party development and compilation tools
+ include: gcc, cpp, mcpp, flex, cmake, make, rpm-build, ld, ar, etc.
+
+ If the business environment relies on interpreters such as python, lua,
+ and perl during deployment or operation, the interpreter running
+ environment can be retained.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
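Review bot: Same copied title as the debugging-tools rule; it should read something like `title: 'Make sure development and compilation tools are not installed in the production environment'`. The directory name `uninstall_development_and_compliation_tools` is misspelled and that string is the rule id in the profile; rename it before it is baked into generated XCCDF. `rationale: none.` should at least carry the reason the description already gives (a local compiler makes it easy to build privilege-escalation exploits and tamper with binaries on the box).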
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
index de6890c..543712a 100644
--- a/openeuler2203/profiles/standard.profile
+++ b/openeuler2203/profiles/standard.profile
@@ -164,3 +164,96 @@ selections:
- file_permissions_unauthorized_world_writable
- file_permissions_unauthorized_suid
- file_permissions_unauthorized_sgid
+ - network_sniffing_tools
+ - service_rsyncd_disabled
+ - package_openldap-clients_removed
+ - no_forward_files
+ - sshd_configure_correct_interface
+ - sshd_concurrent_unauthenticated_connections
+ - sshd_configure_concurrent_sessions
+ - sshd_disable_x11_forwarding
+ - sshd_configure_correct_LoginGraceTime
+ - sshd_disable_AllowTcpForwardindg
+ - sshd_prohibit_preset_authorized_keys
+ - network_interface_binding_corrently
+ - iptables_loopback_policy_configured_corrently
+ - iptables_input_policy_configured_corrently
+ - iptables_output_policy_configured_corrently
+ - iptables_association_policy_configured_corrently
+ - service_nftables_enabled
+ - nftables_configure_default_deny_policy
+ - nftables_loopback_policy_configured_corrently
+ - nftables_input_policy_configured_corrently
+ - nftables_output_policy_configured_corrently
+ - nftables_association_policy_configured_corrently
+ - sudoers_disable_low_privileged_configure
+ - no_files_globally_writable_files
+ - removed_unnecessary_file_mount_support
+ - read_only_partitions_no_modified
+ - partitions_mounted_nodev_mode
+ - partitions_mounted_noexec_mode
+ - partitoin_mounted_noexec_or_nodev
+ - partitions_mounted_nosuid_mode
+ - audit_privilege_escalation_command
+ - audit_rule_admin_privilege
+ - recorded_authentication_related_event
+ - rsyslog_files_permissions
+ - uninstall_debugging_tools
+ - uninstall_development_and_compliation_tools
+ - package_xorg-x11-server-common_removed
+ - package_httpd_removed
+ - service_smb_disabled
+ - service_named_disabled
+ - service_nfs-server_disabled
+ - service_rpcbind_disabled
+ - service_dhcpd_disabled
+ - configure_first_logging_change_password
+ - sshd_disable_root_login
+ - diasable_root_accessing_system
+ - wireless_disable_interfaces
+ - sshd_enable_warning_banner
+ - disabled_SysRq
+ - sysctl_kernel_yama_ptrace_scope
+ - disabled_unconfined_service_t_programs
+ - enabled_seccomp
+ - define_ld_lib_path_correctly
+ - define_path_strictly
+ - grub2_audit_argument
+ - grub2_audit_backlog_limit_argument
+ - audit_rules_immutable
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_space_left
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_admin_space_left
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_disk_error_action
+ - auditd_data_disk_full_action
+ - audit_rules_sysadmin_actions
+ - audit_rules_session_events
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - audit_rules_mac_modification
+ - audit_rules_networkconfig_modification
+ - audit_rules_successful_file_modification
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_media_export
+ - configure_service_logging
+ - configure_dump_journald_log
+ - configure_rsyslog_log_rotate
+ - rsyslog_remote_loghost
+ - rsyslog_accept_remote_messages_tcp
+ - rsyslog_accept_remote_messages_udp
+ - enable_aide_detection
+ - service_haveged_enabled
+ - configure_crypto_policy
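Review bot: Several newly selected ids carry misspellings that become permanent XCCDF identifiers — `sshd_disable_AllowTcpForwardindg`, the `*_configured_corrently` group, `partitoin_mounted_noexec_or_nodev`, `uninstall_development_and_compliation_tools`, `diasable_root_accessing_system`; fix the directory names and these selections together before merge. Selecting `rsyslog_accept_remote_messages_tcp` and `rsyslog_accept_remote_messages_udp` in a general "standard" profile next to `rsyslog_remote_loghost` opens a log-receiving listener on every host, which only belongs on the log server; if those rules keep their upstream meaning they should live in a separate log-server profile. The selection also includes `disabled_SysRq`, whose rule file lacks `documentation_complete: true` and so would not be built.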
--
2.42.0.windows.2