From acad8fdc439305ecc9098ef81d3f5fc44a17cdb9 Mon Sep 17 00:00:00 2001
From: qsw33 Use the grep command to view the configuration. Use the grep command to view the configuration. Use the grep command to view the configuration. If the listening address has been configured, you can query the corresponding configuration through the grep command. Make sure SSH's AllowTcpForwarding parameter is configured correctly. Use the grep command to view the configuration. Use the grep command to view the configuration. If the return value is empty, it means authorized_keys is not preset: It can not be scanned automatically,please check it manually. check the network_sniffing_tools,such as wireshark,netcat,tcpdump,namp,ethereal: It can not be scanned automatically, please check it manually. Check the configuration with the following command: It is recommended to audit and monitor privilege escalation commands to facilitate
++ traceability afterwards. openEuler does not configure audit rules for privilege escalation commands by
+ default. It is recommended that users configure corresponding rules based on actual
-+ business scenarios.
++ business scenarios. It can not be scanned automatically, please check it manually. Check the audit rules for administrator privileged operations by running the following command. Check whether the relevant fields have been configured in the /etc/rsyslog.conf file: It can not be scanned automatically, please check it manually. It can not be scanned automatically, please check it manually. It can not be scanned automatically, please check it manually. It can not be scanned automatically, please check it manually. The checking method is as follows: $ grep auth /etc/rsyslog.conf | grep -v "^#" It can not be scanned automatically, please check it manually. It can not be scanned automatically, please check it manually. It can not be scanned automatically, please check it manually. It can not be scanned automatically, please check it manually. Check if the input and output chains are configured with associated policies. Check if the policy configured for the input chain meets business needs. Check if the loopback address policy has been correctly configured. Check if the policy configured for the output chain meets business needs. It can not be scanned automatically, please check it manually. Check the interface configuration of each region: At this point, it is necessary to consider using association links to configure the strategy.
++ If an outgoing message belongs to an existing network link, it will be directly released; If a
++ received message belongs to an existing network link, it is also directly released. Because
++ these existing links must have been filtered and checked by other policies, otherwise they
++ cannot be established. It can not be scanned automatically, please check it manually. If the basic chain is not configured, or the hook rules of the basic
+ chain are not specified, the packet will not be captured by nftables,
-+ and filtering will not be possible.
++ and filtering will not be possible. It can not be scanned automatically, please check it manually. It can not be scanned automatically, please check it manually. The server needs to set a policy to allow receiving and processing the loopback address
++ packets of the lo interface, but reject the packets received from the network card. It can not be scanned automatically, please check it manually. It can not be scanned automatically, please check it manually. It can not be scanned automatically, please check it manually. There are multiple configuration files that can permanently set the LD_LIBRARY_PATH
++ value, which need to be investigated. These files include: /etc/profile, ~/.bashrc, ~/.bash_profile.
++ The latter two files are files in the user's home directory. Each user Yes, be
++ sure not to miss it during inspection. It can not be scanned automatically, please check it manually. Use the echo command to print out the value of PATH in the current user context and check whether it is correct. Check globally writable files(directories "/sys" and "/proc" have been excluded). Users should determine which file systems do not need to be supported
++ based on actual scenarios, and prohibit these file systems from being
++ mounted through configuration. These file systems usually include: cramfs、freevxfs、jffs2、hfs、hfsplus、squashfs、udf、vfat、fat、msdos、nfs、ceph、fuse、overlay、xfs It can not be scanned automatically, please check it manually. Use the following command to check the file system mounting status, such as cramfs. It can not be scanned automatically, please check it manually. The following directories are mounted by nodev by default in the openEuler system: /sys、/proc、/sys/kernel/security、/dev/shm、/run、/sys/fs/cgroup、/sys/fs/cgroup/systemd、
+ /sys/fs/pstore、/sys/fs/bpf、/sys/fs/cgroup/files、/sys/fs/cgroup/net_cls,net_prio、
+ /sys/fs/cgroup/devices、/sys/fs/cgroup/freezer、/sys/fs/cgroup/cpu,cpuacct、/sys/fs/cgroup/perf_event、
+ /sys/fs/cgroup/pids、/sys/fs/cgroup/hugetlb、/sys/fs/cgroup/memory、/sys/fs/cgroup/blkio、
+ /sys/fs/cgroup/cpuset、/sys/fs/cgroup/rdma、/sys/kernel/config、/sys/kernel/debug、/dev/mqueue、
-+ /tmp、/run/user/0
-+
-+ openEuler has the following directories (some directories vary depending on hard disk partitions
-+ and deployment platforms). These directories are not mounted by nodev by default:
-+
-+ /dev、/dev/pts、/、/sys/fs/selinux、/proc/sys/fs/binfmt_misc、/dev/hugepages、/boot、
-+ /var/lib/nfs/rpc_pipefs、/boot/efi、/home
-+
-+ In actual scenarios, based on business needs, the nodev method is used to mount partitions
-+ that do not require device mounting.
-+
-+ It can not be scanned automatically, please check it manually.
++
++
+rationale: |-
+ The MaxStartups setting specifies the maximum number of concurrent unauthenticated
+ connections to the SSH daemon.
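Review bot: the description text that extraction has run together in this region carries wording defects that should be fixed in the rule files before merge: `namp` in the sniffing-tools list should read `nmap`; the sentence `Each user Yes, be sure not to miss it during inspection` in the LD_LIBRARY_PATH rule is garbled and should say that the two per-user files must be checked for every user; and the file-system and mount-point lists use the full-width separator `、` inside English text, where ASCII commas belong. The `++` paragraphs here (`openEuler does not configure audit rules for privilege escalation commands by default...`, `If an outgoing message belongs to an existing network link...`, `The server needs to set a policy to allow receiving...`) are text moved between rules; confirm each landed in the rule whose title it matches, since the later hunks show the check commands shifted by one rule.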
@@ -431,12 +440,12 @@ index 0000000..60d2ccd
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml
new file mode 100644
-index 0000000..d30df39
+index 0000000..916fe29
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml
@@ -0,0 +1,25 @@
+$ grep -i "^MaxStartups" /etc/ssh/sshd_config
++
++
++
+rationale: |-
+ Setting MaxSessions to 1 will disable session multiplexing, meaning that only
+ one session is allowed for a connection, while setting it to 0 will block all
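Review bot: the check `$ grep -i "^MaxStartups" /etc/ssh/sshd_config` is added under the file header for `sshd_configure_concurrent_sessions/oval/shared.xml`, yet the text that follows (`Setting MaxSessions to 1 will disable session multiplexing`) belongs to the MaxSessions rule and the MaxStartups rationale sits in the previous hunk. A shell prompt line and a `rationale:` key are not valid content for an OVAL XML file either; move the grep into the MaxStartups rule's `rule.yml` description and keep the shared.xml hunk to OVAL content only.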
@@ -521,10 +537,10 @@ index 0000000..fb79aff
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml
new file mode 100644
-index 0000000..2c97751
+index 0000000..b02eb1f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml
-@@ -0,0 +1,18 @@
+@@ -0,0 +1,25 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -536,6 +552,13 @@ index 0000000..2c97751
+ fails to complete the login action within the time limit specified
+ by LoginGraceTime, the connection will be automatically disconnected.
+
++ $ grep -i "^MaxSessions" /etc/ssh/sshd_config
++
++
++
+rationale: |-
+ It is recommended to set this value to less than or equal to 60 seconds.
+ If the value is set too high, attackers can utilize a large number of
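Review bot: the check `$ grep -i "^MaxSessions" /etc/ssh/sshd_config` does not match this file, `sshd_configure_correct_LoginGraceTime/rule.yml`, whose description and rationale concern LoginGraceTime; the LoginGraceTime grep is added to the interface rule in the next hunk instead. Each `rule.yml` should carry the grep for its own directive, here `$ grep -i "^LoginGraceTime" /etc/ssh/sshd_config`, and the description should say what an empty result means, since sshd falls back to its built-in default of 2 minutes when the directive is absent.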
@@ -578,10 +601,10 @@ index 0000000..47510c8
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml
new file mode 100644
-index 0000000..0e1cb5c
+index 0000000..3f4490b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml
-@@ -0,0 +1,18 @@
+@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -595,6 +618,14 @@ index 0000000..0e1cb5c
+ SSH connections. You can configure to limit SSH connections to
+ only specified IP addresses to reduce the attack surface.
+
++ $ grep -i "^LoginGraceTime" /etc/ssh/sshd_config
++
++
++
++
+rationale: |-
+ Unconfigured IP addresses cannot connect to the server through SSH.
+ It is recommended to plan and configure according to the actual situation.
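Review bot: `$ grep -i "^LoginGraceTime" /etc/ssh/sshd_config` is the wrong check for `sshd_configure_correct_interface/rule.yml`; this rule is about restricting the listening address, so the grep should target `ListenAddress` (that grep currently lands in the AllowTcpForwarding rule in the next hunk). Four blank `++` lines are also added before `rationale:`; one is enough.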
@@ -635,10 +666,10 @@ index 0000000..9146f4c
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml
new file mode 100644
-index 0000000..1cdfb4e
+index 0000000..eebb3b2
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml
-@@ -0,0 +1,18 @@
+@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -651,6 +682,16 @@ index 0000000..1cdfb4e
+ feature may cause the client to attack other servers from the external network through
+ the SSH channel.
+
++ $ grep -i "^ListenAddress" /etc/ssh/sshd_config
++
++
++
+rationale: |-
+ If AllowTcpForwarding is configured as yes, attackers can bypass firewall monitoring on
+ the client through the SSH channel and send attack commands to the intranet server where
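Review bot: `$ grep -i "^ListenAddress" /etc/ssh/sshd_config` belongs to the interface rule, not to `sshd_disable_AllowTcpForwardindg/rule.yml`, whose description and rationale concern `AllowTcpForwarding`; the AllowTcpForwarding checks are added to the X11 forwarding rule in the next hunk. The directory name also carries a typo (`AllowTcpForwardindg`); renaming it in this patch avoids a permanently misspelled rule id.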
@@ -692,10 +733,10 @@ index 0000000..5f4d777
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
new file mode 100644
-index 0000000..bc5f1fe
+index 0000000..c301259
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -707,6 +748,13 @@ index 0000000..bc5f1fe
+ hosts on the local host. If not required in the business scenario, this feature must
+ be disabled.
+
++ $ sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep allowtcpforwarding
++ $ grep -Ei '^\s*AllowTcpForwarding\s+yes\b' /etc/ssh/sshd_config
++
++
++
+rationale: |-
+ Enabling the X11 Forwarding function expands the scope of attacks and poses a possibility
+ of being attacked by other users on the X11 server.
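Review bot: the two checks added here test `AllowTcpForwarding`, but this file is `sshd_disable_x11_forwarding/rule.yml`; the X11Forwarding grep is added to the authorized_keys rule in a later hunk. Beyond the misplacement, `grep -Ei '^\s*AllowTcpForwarding\s+yes\b'` only catches an explicit `yes`, while sshd's built-in default for this directive is already `yes`, so an empty result is not a pass. The `sshd -T` line does account for defaults but is fragile: `-C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')"` yields an empty address when the hostname is not in `/etc/hosts`, and the inner `$(hostname)` is unquoted. `sshd -T | grep -i allowtcpforwarding`, with a note that the effective value must be `no`, is simpler and sufficient here.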
@@ -715,7 +763,7 @@ index 0000000..bc5f1fe
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
new file mode 100644
-index 0000000..3edae48
+index 0000000..2c7044f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
@@ -0,0 +1,25 @@
@@ -740,17 +788,17 @@ index 0000000..3edae48
+
+ $ grep -i "^X11Forwarding" /etc/ssh/sshd_config
++
++
++
+rationale: |-
+ If authorized is preset in the system_ Keys, and the server has enabled
+ the login method of public and private key authentication, allowing
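Review bot: `$ grep -i "^X11Forwarding" /etc/ssh/sshd_config` is the X11 forwarding rule's check and does not belong in `sshd_prohibit_preset_authorized_keys/oval/shared.xml`; this rule's own check (`find /home/ /root/ -name authorized_keys`) is added to the sniffing-tools rule in a later hunk, and in any case neither a shell prompt line nor `rationale:` is valid content for an OVAL XML file. The context line `If authorized is preset in the system_ Keys` is also garbled and should read `If authorized_keys is preset in the system`.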
@@ -784,7 +839,7 @@ index 0000000..0a269ba
\ No newline at end of file
diff --git a/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml
new file mode 100644
-index 0000000..b41c210
+index 0000000..3afd602
--- /dev/null
+++ b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml
@@ -0,0 +1,24 @@
@@ -804,7 +859,7 @@ index 0000000..b41c210
+ $ find /home/ /root/ -name authorized_keys
++
-+
rpm -qa | grep -iE "^(wireshark-|netcat-|tcpdump-|nmap-|ethereal-)"
++ $ rpm -qa | grep -iE "^(wireshark-|netcat-|tcpdump-|nmap-|ethereal-)"
+
+
+rationale: |-
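Review bot: `$ find /home/ /root/ -name authorized_keys` is the preset-authorized_keys check and should not sit in `network_sniffing_tools/rule.yml`; only the `rpm -qa | grep -iE "^(wireshark-|netcat-|tcpdump-|nmap-|ethereal-)"` line relates to this rule, and it appears twice (once without its `+` prefix), so keep a single copy. When the find command is moved to its own rule, consider deriving home directories from `/etc/passwd` rather than assuming `/home` and `/root`, so accounts with other home paths are not skipped.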
@@ -854,7 +909,7 @@ index 0000000..eab54dd
\ No newline at end of file
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
new file mode 100644
-index 0000000..318131a
+index 0000000..9d8969f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
@@ -0,0 +1,17 @@
@@ -870,7 +925,7 @@ index 0000000..318131a
+ no related email forwarding scenarios, it is recommended to delete the
+ .forward file.
+
-+rationale: |-
++rationale: |-
+ If there is a .forward file, it may cause user emails carrying
+ sensitive information to be automatically forwarded to high-risk mailboxes.
+
@@ -878,15 +933,15 @@ index 0000000..318131a
\ No newline at end of file
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml
new file mode 100644
-index 0000000..b01dad4
+index 0000000..6ba68e8
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
-+title: 'Ensure the network interface is bound to the correct area'
++title: 'Configure file access permissions audit rules'
+
+description: |-
+ File access permission control is the basic permission management in Linux. Different users
@@ -901,8 +956,12 @@ index 0000000..b01dad4
+ openEuler does not configure file access control permission audit rules by default. It is
+ recommended that users configure corresponding rules based on actual business scenarios.
+
-+
++
+rationale: |-
+ Configuring auditing, because audit logs need to be recorded when file permissions and owners
+ are modified, will have a slight impact on performance. However, since such operations should
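Review bot: the corrected title `Configure file access permissions audit rules` now matches this file, but the description still ends in blank `++` lines with no check command before `rationale:`. The command `auditctl -l | grep -iE "chmod|chown|setxattr|exattr"` added to the privilege-escalation rule further down inspects audit rules for permission and owner changes, which is this rule's subject, and should be moved here.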
@@ -960,33 +1019,47 @@ index e8ec755..20b4d42 100644
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
new file mode 100644
-index 0000000..6cebb2c
+index 0000000..1e4f780
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
-@@ -0,0 +1,25 @@
+@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
-+title: 'Make sure to remove unnecessary file system mount support'
++title: 'Privilege escalation command audit rules should be configured'
+
+description: |-
+ Ordinary users can obtain super administrator privileges by calling privilege
-+ escalation commands (with SUID/SGID set), so the use of privilege escalation
-+ commands carries high risks and is often used by attackers to attack the system.
++ escalation commands (with SUID/SGID set).
+
-+ It is recommended to audit and monitor privilege escalation commands to facilitate
-+ traceability afterwards.
-+
-+ openEuler does not configure audit rules for privilege escalation commands by
++ $ auditctl -l | grep -iE "chmod|chown|setxattr|exattr"
++
++
+
+rationale: |-
-+ Configuring auditing requires audit logging when using privilege escalation
-+ commands, which has a slight impact on performance. If the user business has
-+ a large number of scenarios where privilege escalation commands are frequently
-+ called, there may be a cumulative effect.
++ The use of privilege escalation
++ commands carries high risks and is often used by attackers to attack the system.
+
+severity: low
\ No newline at end of file
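Review bot: `auditctl -l | grep -iE "chmod|chown|setxattr|exattr"` checks audit rules for permission and ownership syscalls, not for execution of SUID/SGID programs, so it does not verify what the title `Privilege escalation command audit rules should be configured` asks for; the SUID/SGID enumeration script added to the admin-privilege rule in the next hunk is the check that fits here. The hunk also drops `It is recommended to audit and monitor privilege escalation commands to facilitate traceability afterwards` and the openEuler-default note from this description; the same sentences appear as `++` lines in the run-together region at the top of this patch, so confirm they are re-added to this rule and not to a neighbour.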
@@ -1024,10 +1097,10 @@ index 0000000..b70b4d9
\ No newline at end of file
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
new file mode 100644
-index 0000000..8d548e5
+index 0000000..a5e0923
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -1040,19 +1113,22 @@ index 0000000..8d548e5
+ in the /var/log/secure log file by default. Other authentication-related security
+ logs are also recorded in this file. If the user wants to audit the sudo extraction
+ command, it is recommended that the sudo related logs be Record separately and
-+ output to /var/log/sudo.log, and then audit and monitor the sudo log file. Sudo
-+ privilege escalation is a high-risk operation and is relatively common in attacks. It
-+ is recommended to configure audit rules for later tracing.
++ output to /var/log/sudo.log, and then audit and monitor the sudo log file.
+
+ openEuler does not configure audit rules for administrator privileged operations
+ by default. It is recommended that users configure corresponding rules based on
+ actual business scenarios.
+
++ #!/bin/bash
++
++ array=`find / -xdev -type f \( -perm -4000 -o -perm -2000 \) | awk '{print $1}'`
++
++ for element in ${array[@]}
++ do
++ ret=`auditctl -l | grep "$element "`
++ if [ $? -ne 0 ]; then
++ echo "$element not set"
++ else
++ echo $ret
++ fi
++ done
++
++
+rationale: |-
-+ Configure auditing. Since audit logging is required for any sudo privilege escalation
-+ operation, it will have a slight impact on performance. If there are a large number
-+ of frequent sudo operations in the user's business scenario, the impact on performance
-+ will have a cumulative effect.
++ Sudo
++ privilege escalation is a high-risk operation and is relatively common in attacks. It
++ is recommended to configure audit rules for later tracing.
+
+severity: high
\ No newline at end of file
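Review bot: the bash script added to `audit_rule_admin_privilege/rule.yml` enumerates SUID/SGID binaries and checks each for a matching audit rule, which is the privilege-escalation rule's concern; this rule is about sudo logging, and its natural check, `auditctl -l | grep -iE "sudo\.log"`, is added to the journald rule in the next hunk. The script also has robustness problems: `array` is a plain string filled by backtick substitution of `find ... | awk '{print $1}'`, so paths containing spaces are truncated and then word-split, and `grep "$element "` relies on a trailing space to avoid prefix matches. A `find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print0 | while IFS= read -r -d '' element` loop with `grep -F -- "path=$element "` is safer, and `$element` should be quoted in the `echo`.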
@@ -1220,10 +1296,10 @@ index 0000000..1e95b34
\ No newline at end of file
diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
new file mode 100644
-index 0000000..7247e27
+index 0000000..34e511b
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,25 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -1238,6 +1314,9 @@ index 0000000..7247e27
+ must be dumped in a timely manner to ensure that the logs are more
+ consistent with the system. Safety.
+
++ $ auditctl -l | grep -iE "sudo\.log"
++ $ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*
++
+rationale: |-
+ If there is a volatile storage device for the log, failure to dump
+ the log in time may result in log loss. If there is a persistent
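Review bot: neither `auditctl -l | grep -iE "sudo\.log"` nor `grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*` relates to `configure_dump_journald_log/rule.yml`; the first is the sudo-log audit check for the admin-privilege rule, the second a sysctl hardening check. A check for this rule would inspect how journald persists its logs, for example the `Storage=` setting in `/etc/systemd/journald.conf` and whether `/var/log/journal` exists. The context line `consistent with the system. Safety.` is also a broken sentence (presumably `more consistent with system security`) worth fixing while this file is edited.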
@@ -1249,10 +1328,10 @@ index 0000000..7247e27
\ No newline at end of file
diff --git a/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml
new file mode 100644
-index 0000000..16c62e7
+index 0000000..ec95d20
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml
-@@ -0,0 +1,19 @@
+@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -1267,6 +1346,11 @@ index 0000000..16c62e7
+ the root password.
+
+
++
+
+rationale: |-
+ none.
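Review bot: this hunk only adds another blank line to `configure_first_logging_change_password/rule.yml`, leaving the description without any check command and the rationale as `none.`. The `$ grep ^test: /etc/shadow` line added to the rsyslog rotate rule below inspects an account's shadow entry and appears to be this rule's misplaced check; when it is moved here, replace the hard-coded username `test` with a description of the field to inspect (the one that forces a password change at first login) rather than a specific account.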
@@ -1275,15 +1359,15 @@ index 0000000..16c62e7
\ No newline at end of file
diff --git a/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
new file mode 100644
-index 0000000..4257677
+index 0000000..d0bcf1f
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,48 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
-+title: 'Ensure that the iptables input and output association policies configuration is correct'
++title: 'Ensure that Rsyslog log rotate is configured'
+
+description: |-
+ rsyslog is responsible for collecting log records from the system into files, and logrotate
@@ -1291,11 +1375,6 @@ index 0000000..4257677
+ that excessive hard disk resources are not occupied due to excessive log file size, or that
+ the log files are even unmaintainable.
+
-+ If the rotate policy is not configured, the log file will continue to grow, which may
-+ eventually lead to the exhaustion of space on the hard disk partition where the log is
-+ located, which may affect log recording at best, or may cause the system and business to be
-+ unable to continue to execute normally.
-+
+ By default, openEuler has configured the rsyslog rotate policy in the /etc/logrotate.d/rsyslog
+ file as follows:.
+
@@ -1319,17 +1398,25 @@ index 0000000..4257677
+ The log file reaches 4MB, perform rotate operation.
+
+ $ grep ^test: /etc/shadow
++
++
+
+rationale: |-
-+ none.
++ If the rotate policy is not configured, the log file will continue to grow, which may
++ eventually lead to the exhaustion of space on the hard disk partition where the log is
++ located, which may affect log recording at best, or may cause the system and business to be
++ unable to continue to execute normally.
+
+severity: high
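Review bot: `$ grep ^test: /etc/shadow` is not a log-rotation check and does not belong in `configure_rsyslog_log_rotate/rule.yml`; the matching check, `grep -iE "\/var\/log|maxage|rotate|compress|size" /etc/logrotate.d/rsyslog`, is added to the service-logging rule in the next hunk. Moving the `If the rotate policy is not configured...` paragraph into `rationale:` is the right change; the context line `as follows:.` in the description should lose its stray period.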
diff --git a/linux_os/guide/system/logging/configure_service_logging/rule.yml b/linux_os/guide/system/logging/configure_service_logging/rule.yml
new file mode 100644
-index 0000000..c15d25b
+index 0000000..4eccadf
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_service_logging/rule.yml
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -1345,6 +1432,11 @@ index 0000000..c15d25b
+ auditing cannot be performed when problems occur.
+
+ $ cat /etc/logrotate.d/rsyslog | grep -iE "\/var\/log|maxage|rotate|compress|size"
++
++
+
+rationale: |-
+ After logging is configured, if the logs are not cleared in time, the logs may fill up the current partition, causing the
@@ -1353,10 +1445,10 @@ index 0000000..c15d25b
+severity: low
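Review bot: `cat /etc/logrotate.d/rsyslog | grep -iE ...` is the rotate rule's check, not one for `configure_service_logging/rule.yml`, whose subject is whether rsyslog writes service logs at all; the `grep \/var\/log /etc/rsyslog.conf /etc/rsyslog.d/*.conf` line removed from the root-login rule further down fits here. Wherever the logrotate check ends up, drop the pipe through `cat` and write `grep -iE '/var/log|maxage|rotate|compress|size' /etc/logrotate.d/rsyslog`; the slashes need no escaping inside single quotes.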
diff --git a/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml
new file mode 100644
-index 0000000..b235f0e
+index 0000000..763f023
--- /dev/null
+++ b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml
-@@ -0,0 +1,35 @@
+@@ -0,0 +1,50 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -1386,7 +1478,22 @@ index 0000000..b235f0e
+ the root account in actual scenarios, it is recommended to disable local login
+ with the root account.
+
-+ # grep \/var\/log /etc/rsyslog.conf /etc/rsyslog.d/*.conf
++
++
+
+rationale: |-
+ The root account cannot access the system locally.
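Review bot: removing `# grep \/var\/log /etc/rsyslog.conf /etc/rsyslog.d/*.conf` from `diasable_root_accessing_system/rule.yml` is right (it is a logging check), but the hunk leaves only blank lines in its place, so the rule no longer tells the assessor how to verify that local root login is disabled; the `cat /etc/pam.d/system-auth` and `grep "^\-:root" /etc/security/access.conf` lines added to the authentication-event rule below are the checks that fit this title. The directory name `diasable_root_accessing_system` is also misspelled.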
@@ -1439,10 +1546,10 @@ index 0000000..63bce75
\ No newline at end of file
diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml
new file mode 100644
-index 0000000..1a52982
+index 0000000..26abd58
--- /dev/null
+++ b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml
-@@ -0,0 +1,24 @@
+@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -1454,20 +1561,42 @@ index 0000000..1a52982
+ Events related to system authentication must be recorded to help
+ analyze user logins, use of root privileges, and monitor suspicious
+ system actions.
++ |-
++ Check whether auth-related fields have been configured in the /etc/rsyslog.conf file:
++ $ cat /etc/pam.d/system-auth
++ $ grep "^\-:root" /etc/security/access.conf
++ Authorized users only. All activities may be monitored and reported.
++ localhost login: root
++ Password:
++
++ Permission denied
++ $ModLoad imtcp
+ $InputTCPServerRun 514
++ $ModLoad imudp
+ $UDPServerRun 514
++
++
+
+rationale: |-
+ none.
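Review bot: the lines added to `recorded_authentication_related_event/rule.yml` mix content from several rules: `cat /etc/pam.d/system-auth`, `grep "^\-:root" /etc/security/access.conf` and the `localhost login: root` / `Permission denied` transcript belong to the root-login rule, the `Authorized users only...` text to the login-banner rule, and only the rsyslog `$ModLoad imtcp` / `$InputTCPServerRun 514` / `$ModLoad imudp` / `$UDPServerRun 514` directives concern log collection. The bare `|-` line sits inside the existing `description: |-` block scalar and would be emitted as literal text rather than start a new scalar; remove it. The lead-in `Check whether auth-related fields have been configured in the /etc/rsyslog.conf file:` should be followed by the command that does that, `grep auth /etc/rsyslog.conf | grep -v "^#"`, which currently appears only in the run-together text at the top of this patch.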
@@ -1517,7 +1654,7 @@ index 0000000..d5d2335
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml
new file mode 100644
-index 0000000..278556e
+index 0000000..2f405be
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml
@@ -0,0 +1,36 @@
@@ -1544,10 +1681,10 @@ index 0000000..278556e
+ Use the cat command to check whether the warning information in the three files /etc/motd, /etc/issue, and /etc/issue.net is reasonable, and whether there is system version, application server type, function and other information;
++ Use the ll command to check whether the permissions of the three files /etc/motd, /etc/issue, and /etc/issue.net are 644;
++
+
+
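Review bot: the two lines about `/etc/motd`, `/etc/issue` and `/etc/issue.net` (content review and 644 permissions) are login-banner checks and have nothing to do with `iptables_association_policy_configured_corrently/rule.yml`; this rule needs an `iptables -L INPUT -v -n` / `iptables -L OUTPUT -v -n` listing and a note to look for `state RELATED,ESTABLISHED` (or `ctstate`) accept rules. In the banner rule, replace `ll` (a shell alias, not a command) with `ls -l` or `stat -c '%a %n'`. The directory name also misspells `correctly` as `corrently`, as do the other rules in this set.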
@@ -1560,7 +1697,7 @@ index 0000000..278556e
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml
new file mode 100644
-index 0000000..0f7e91a
+index 0000000..28f7f5d
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml
@@ -0,0 +1,27 @@
@@ -1579,10 +1716,10 @@ index 0000000..0f7e91a
+ # iptables -L
++ $ iptables -L
+ # ip6tables -L
++ $ ip6tables -L
+
+
+
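Review bot: switching the prompt from `#` to `$` on `iptables -L` and `ip6tables -L` hides that listing the filter table requires root; if the `$` convention is kept for consistency, say so in the description. Also add `-n` (and `-v`) as the loopback and output rules already do, so the listing does not stall on reverse DNS lookups and shows packet counters.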
@@ -1594,7 +1731,7 @@ index 0000000..0f7e91a
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml
new file mode 100644
-index 0000000..9d8bafe
+index 0000000..ddee908
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml
@@ -0,0 +1,36 @@
@@ -1614,16 +1751,16 @@ index 0000000..9d8bafe
+ # iptables -L INPUT -v -n
++ $ iptables -L INPUT -v -n
+ # ip6tables -L INPUT -v -n
++ $ ip6tables -L INPUT -v -n
+
+
+
@@ -1637,7 +1774,7 @@ index 0000000..9d8bafe
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml
new file mode 100644
-index 0000000..c10cd44
+index 0000000..ea672eb
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml
@@ -0,0 +1,28 @@
@@ -1657,10 +1794,10 @@ index 0000000..c10cd44
+ # iptables -L INPUT -v -n
++ $ iptables -L INPUT -v -n
+ # iptables -L OUTPUT -v -n
++ $ iptables -L OUTPUT -v -n
+ # ip6tables -L INPUT -v -n
++ $ ip6tables -L INPUT -v -n
+ # ip6tables -L OUTPUT -v -n
++ $ ip6tables -L OUTPUT -v -n
+
+
+
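Review bot: for `iptables_output_policy_configured_corrently/rule.yml` the `INPUT` listings are redundant; `iptables -L OUTPUT -v -n` and `ip6tables -L OUTPUT -v -n` are what the assessor needs, and the description should state the expected result (an OUTPUT chain policy and rules matching the business ports). The `$` prompt also hides that these commands require root.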
@@ -1684,7 +1821,7 @@ index bbea345..19cc6f5 100644
diff --git a/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml
new file mode 100644
-index 0000000..ee66dd7
+index 0000000..c918fd8
--- /dev/null
+++ b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml
@@ -0,0 +1,26 @@
@@ -1704,7 +1841,7 @@ index 0000000..ee66dd7
+ # iptables -L OUTPUT -v -n
++ $ iptables -L OUTPUT -v -n
+ # ip6tables -L OUTPUT -v -n
++ $ ip6tables -L OUTPUT -v -n
+
-+
# find ./ -type l -follow
++ $ firewall-cmd --get-active-zones
+
+
+rationale: |-
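Review bot: of the lines in `network_interface_binding_corrently/rule.yml`, only `$ firewall-cmd --get-active-zones` matches the title (binding interfaces to the correct zone); the `iptables -L OUTPUT` / `ip6tables -L OUTPUT` listings are the output-policy rule's check, and `# find ./ -type l -follow` (which has lost its `+` prefix) is a dangling-symlink check from an unrelated rule. Keep the `firewall-cmd` line and describe the expected output (each zone followed by its `interfaces:` line), so the assessor knows what "correct" means for this rule.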
@@ -1736,49 +1873,48 @@ index 0000000..68ecddd
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml
new file mode 100644
-index 0000000..73b0e5e
+index 0000000..fb45bfe
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
-+title: 'Configure nftables input strategy'
++title: 'Ensure that the nftables input and output association policies configuration is correct'
+
+description: |-
-+ Although you can configure the policy of packets in and out of the server to
-+ the input and output chains by configuring the protocol, IP and port, etc,
-+ it is more complicated in some cases. For example, the client accesses the
-+ server through a certain port, but when the server returns a response message
-+ It does not necessarily return from the original port, but may use a random
-+ source port. In this case, it is difficult to configure an accurate policy
-+ through the sport parameter.
-+
-+ At this time, you need to consider using the associated link method to configure
-+ the policy. If an outgoing packet belongs to an existing network link, it is
-+ directly allowed; if a received packet belongs to an existing network link, it
-+ is also directly allowed. Because these existing links must have been filtered
-+ and checked by other policies, otherwise they cannot be established.
-+
-+ If you do not configure policies through associated links, you need to analyze
-+ all possible link situations and configure corresponding policies. If the
-+ configuration is too loose, it may lead to security risks. If the configuration
-+ is too strict, it may cause business interruption.lll
++ Although it is possible to configure packet policies for incoming and outgoing servers to the
++ input and output chains by configuring protocols, IPs, and ports, in some cases it may be more
++ complex. For example, if the client accesses the server through a certain port, the server may
++ not necessarily return the response message from the original port, and may use a random source
++ port. In this case, it is difficult to configure accurate policies through the sport parameter.
+
++
++
+
+rationale: |-
-+ none.
++ If the policy is not configured through associated links, it is necessary to analyze all possible
++ link situations and configure corresponding policies. If the configuration is too loose, it may
++ cause security risks, and if the configuration is too strict, it may cause business interruption.
+
+severity: low
\ No newline at end of file
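Review bot: the rewrite drops the paragraph that stated the actual recommendation (`If an outgoing packet belongs to an existing network link, it is directly allowed; ...`), leaving a description that only explains why port-based rules are hard, and adds blank `++` lines where a check command should be; moving the risk statement into `rationale:` is good. Keep the recommendation in the description (it reappears as `++` lines in the run-together region at the top of this patch, so verify it lands in this file) and add a check, for example `nft list ruleset` with a note to look for `ct state established,related accept` in the input and output chains. The `lll` typo is gone, but the directory name still reads `corrently`.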
diff --git a/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml
new file mode 100644
-index 0000000..9a95f50
+index 0000000..804c3b5
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml
-@@ -0,0 +1,24 @@
+@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -1791,11 +1927,16 @@ index 0000000..9a95f50
+ policy for all packets, and then add the allow policy to the basic
+ chain to open related services and ports.
+
-+ If the basic chain is not configured, or the hook rules of the basic
++ $ nft list ruleset
++
++
+
+rationale: |-
+ If the basic chain is not configured with a DROP or REJECT policy, the
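Review bot: this hunk replaces `If the basic chain is not configured, or the hook rules of the basic` with `$ nft list ruleset`, removing only the first line of a three-line sentence; its remaining lines (`chain are not specified, the packet will not be captured by nftables, and filtering will not be possible.`) appear as moved text at the top of this patch, so confirm the whole sentence ends up together, whether in `rationale:` or in the description. `nft list ruleset` alone dumps every table; tell the assessor what to look for, e.g. base chains with `type filter hook input` and `policy drop` (or a final `reject` rule).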
@@ -1806,10 +1947,10 @@ index 0000000..9a95f50
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml
new file mode 100644
-index 0000000..a1fb377
+index 0000000..a4c1563
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -1822,22 +1963,25 @@ index 0000000..a1fb377
+ corresponding input policy and open the relevant port so that external
+ clients can access the service through the port.
+
-+ If not configured, since the default policy is configured as DROP, all
-+ external packets trying to access related services will be dropped.
-+
+ $ nft list ruleset
++
++
+
+rationale: |-
-+ none.
++ If not configured, since the default policy is configured as DROP, all
++ external packets trying to access related services will be dropped.
+
+severity: low
\ No newline at end of file
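Review bot: moving "If not configured, since the default policy is configured as DROP…" out of the description and into `rationale` (replacing `none.`) is the right split, but the directory name `nftables_input_policy_configured_corrently` misspells "correctly", and since the rule id is derived from the directory it is worth renaming now, before any profile references it; the loopback and output rules below carry the same typo. The two empty `+` lines after `$ nft list ruleset` should go.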
diff --git a/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml
new file mode 100644
-index 0000000..c71aabe
+index 0000000..b3ca58a
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -1848,31 +1992,36 @@ index 0000000..c71aabe
+ The loopback address is a special address on the server, represented by 127.0.0.0/8. It
+ has nothing to do with the network card. It is mainly used for inter-process communication
+ on this machine. Packets with the source address 127.0.0.0/8 should not be received from
-+ the network card. Such messages should be discarded. If the loopback address policy is
-+ set incorrectly, inter-process communication on the local machine may fail, or spoofed
-+ packets may be received from the network card.
++ the network card. Such messages should be discarded.
+
-+ The server needs to set a policy to allow receiving and processing the loopback address
-+ packets of the lo interface, but reject the packets received from the network card.
++ $ nft list chain inet test input
++
++
++
+rationale: |-
-+ none.
++ If the loopback address policy is
++ set incorrectly, inter-process communication on the local machine may fail, or spoofed
++ packets may be received from the network card.
+
+severity: low
\ No newline at end of file
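Review bot: the check `nft list chain inet test input` hardcodes a table named `test`, which exists only on the author's machine; the sibling input and output rules use `nft list ruleset`, which works whatever the table is called, so use that here. The removed paragraph ("The server needs to set a policy to allow receiving and processing the loopback address packets of the lo interface, but reject the packets received from the network card.") was the only statement of what the policy should be; keep it in the description, because the new rationale only says what goes wrong when it is missing. Minor: the rationale's first line "If the loopback address policy is" is wrapped after four words.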
diff --git a/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml
new file mode 100644
-index 0000000..b3a795f
+index 0000000..6c4cdc6
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,25 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
-+title: 'Configure nftables input strategy'
++title: 'Configure nftables output strategy'
+
+description: |-
+ There are two main situations when the server sends outbound messages. One
@@ -1881,19 +2030,22 @@ index 0000000..b3a795f
+ the host process externally accesses local services and the local machine
+ responds arts.
+
-+ If no output policy is configured, all outgoing packets from the server will
-+ be discarded because the default policy is DROP.
-+
+ $ nft list ruleset
++
++
+
+rationale: |-
-+ none.
++ If no output policy is configured, all outgoing packets from the server will
++ be discarded because the default policy is DROP.
+
+severity: low
\ No newline at end of file
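Review bot: "responds arts." in the unchanged description line just above `$ nft list ruleset` is a truncated phrase and should be repaired while this file is being touched. The title correction from "input strategy" to "output strategy" in the preceding region is right, and given that copy-paste origin the rest of the description deserves a read against the input rule. As in the other nftables rules, the two empty lines after the command should be removed.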
diff --git a/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
new file mode 100644
-index 0000000..ddc0939
+index 0000000..9f37bdf
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
@@ -0,0 +1,22 @@
@@ -1903,7 +2055,7 @@ index 0000000..ddc0939
+
+title: 'Verify nftables Enabled'
+
-+description: '{{{ describe_service_enable(service="docker") }}}'
++description: '{{{ describe_service_enable(service="nftables") }}}'
+
+rationale: |-
+ If multiple firewall services are enabled, business
@@ -1922,10 +2074,10 @@ index 0000000..ddc0939
\ No newline at end of file
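Review bot: `describe_service_enable(service="docker")` to `service="nftables"` fixes an obvious copy-paste, but the rationale that begins "If multiple firewall services are enabled, business…" argues against running several firewalls rather than for enabling nftables. A rule titled "Verify nftables Enabled" should say why the service must be active (the ruleset the default-deny, input, loopback and output rules above check is only restored at boot when nftables.service is enabled); the conflict between firewall services is a separate check.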
diff --git a/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
new file mode 100644
-index 0000000..b5a1142
+index 0000000..175fa9c
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
-@@ -0,0 +1,25 @@
+@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -1946,6 +2098,22 @@ index 0000000..b5a1142
+ value is correct in all user contexts.
+
+ $ nft list chain inet test output
++
++
+
+rationale: |-
+ none.
@@ -1954,15 +2122,15 @@ index 0000000..b5a1142
\ No newline at end of file
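Review bot: the check added to this LD_LIBRARY_PATH rule is `$ nft list chain inet test output`, an nftables command, while the commands that belong here (`grep "LD_LIBRARY_PATH" /etc/profile ~/.bashrc ~/.bash_profile` and `echo $LD_LIBRARY_PATH`) were added one file further down, in define_path_strictly. Every check block in this series appears to have landed in the file after the one it was written for; please realign them. `rationale: none.` should also be filled in, e.g. that a directory in LD_LIBRARY_PATH writable by other users lets a planted library be loaded ahead of the system one.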
diff --git a/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
new file mode 100644
-index 0000000..68adae3
+index 0000000..0d9cfeb
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
-@@ -0,0 +1,31 @@
+@@ -0,0 +1,44 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
-+title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly'
++title: 'Ensure the user PATH variable is strictly defined'
+
+description: |-
+ The PATH variable under Linux defines the search path for executable files
@@ -1984,6 +2152,19 @@ index 0000000..68adae3
+ it is correct.
+
+
++ $ grep "LD_LIBRARY_PATH" /etc/profile ~/.bashrc ~/.bash_profile
++
++
++ $ echo $LD_LIBRARY_PATH
++
++
++
+
+rationale: |-
+ none.
@@ -1992,7 +2173,7 @@ index 0000000..68adae3
\ No newline at end of file
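Review bot: the added `grep "LD_LIBRARY_PATH" …` and `echo $LD_LIBRARY_PATH` checks belong to the previous rule; the `echo $PATH` lines meant for this one were added to no_files_globally_writable_files. The title fix to "Ensure the user PATH variable is strictly defined" is correct. `rationale: none.` needs a reason (a "." entry or a world-writable directory in PATH lets a planted binary shadow a system command), and the three consecutive empty lines before `rationale` should be one.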
diff --git a/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml
new file mode 100644
-index 0000000..e4fa75f
+index 0000000..a2c3208
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml
@@ -0,0 +1,34 @@
@@ -2019,10 +2200,10 @@ index 0000000..e4fa75f
+
++ $ echo $PATH
++
++
++ $ echo $PATH
++
++
+
+
@@ -2031,12 +2212,57 @@ index 0000000..e4fa75f
+
+severity: low
\ No newline at end of file
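Review bot: `$ echo $PATH` is added twice, identically, and it is the PATH rule's check rather than this one's; the world-writable file search that belongs here (`find / -xdev -type f -perm -0002 -exec ls -lg {} \;`) was added to removed_unnecessary_file_mount_support instead. Keep one copy of the find here and drop both echo lines.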
-diff --git a/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml
+diff --git a/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml
new file mode 100644
-index 0000000..a80fe6a
+index 0000000..9a3535e
--- /dev/null
-+++ b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml
-@@ -0,0 +1,28 @@
++++ b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml
+@@ -0,0 +1,38 @@
++documentation_complete: true
++
++prodtype: openeuler2203
++
++title: 'Ensure that unneeded file system mount is removed'
++
++description: |-
++ The Linux system supports a variety of file systems, which are
++ loaded into the kernel through ko mode. As a general operating
++ system platform, openEuler will provide various file systems ko,
++ which are stored in the /lib/modules/(kernel version)/kernel/fs/
++ directory and can be loaded through the insmod/modprobe command.
++
++ find / -path /proc -prune -o -path /sys -prune -o -type f -perm -0002 -exec ls -lg {} \;
++ $ find / -path /proc -prune -o -path /sys -prune -o -type f -perm -0002 -exec ls -lg {} \;
+ find / -xdev -type f -perm -0002 -exec ls -lg {} \;
++ $ find / -xdev -type f -perm -0002 -exec ls -lg {} \;
+
++
++
++rationale: |-
++ Disabling mount support for unnecessary file systems can reduce
++ the attack surface and prevent attackers from attacking the system
++ by exploiting vulnerabilities in some uncommon file systems.
++
++severity: high
+\ No newline at end of file
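Review bot: the description carries four `find … -perm -0002` lines (the `-path /proc -prune` and `-xdev` variants, each once with and once without the `$ ` prompt), which are the world-writable-file check from no_files_globally_writable_files; the module checks meant for this rule (`modprobe -n -v cramfs …`, `lsmod | grep cramfs`) were added to partitions_manage_hard_drive_data. Compared with the copy of this file removed from `files/` further down, the relocated version also drops the guidance paragraph and the candidate list (cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf, vfat, fat, msdos, nfs, ceph, fuse, overlay, xfs); restore them, with a note that vfat, overlay, nfs and xfs are in ordinary use (EFI system partitions, container layers, network shares, root file systems) and must not be disabled wholesale. The outer diff pairs this new file with the old `files/partitions_manage_hard_drive_data` header, which is why the hunk reads oddly.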
+diff --git a/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml
+new file mode 100644
+index 0000000..545a238
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml
+@@ -0,0 +1,33 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@@ -2060,23 +2286,28 @@ index 0000000..a80fe6a
+ of other directories based on the actual scenario.
+
+
++ $ modprobe -n -v cramfs | grep -E "(cramfs|install)"
++
++
++ $ lsmod | grep cramfs
++
++
++
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
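Review bot: `modprobe -n -v cramfs | grep -E "(cramfs|install)"` and `lsmod | grep cramfs` check kernel module loading and belong in removed_unnecessary_file_mount_support, not in a rule about partition layout. They also test only cramfs, while that rule lists many file systems, so the check should loop over the list (`for fs in cramfs freevxfs jffs2 …; do modprobe -n -v "$fs" | grep -E "install|$fs"; lsmod | grep "$fs"; done`). `rationale: none.` here needs filling: separate partitions stop a full /var or /home from exhausting the root file system and let nodev, nosuid and noexec be applied per mount, which is what the following rules check.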
-diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml
+diff --git a/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml
new file mode 100644
-index 0000000..86766f1
+index 0000000..c3008b4
--- /dev/null
-+++ b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml
-@@ -0,0 +1,48 @@
++++ b/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml
+@@ -0,0 +1,47 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
-+title: 'Partitions that do not need to be mounted are mounted in nodev mode'
++title: 'Mounting in nodev mode does not require mounting the device'
+
+description: |-
+ nodev means that device files are not allowed to be mounted, which is used
@@ -2095,43 +2326,42 @@ index 0000000..86766f1
+ is a maliciously constructed device file on the hard disk or partition, an attack
+ can be formed.
+
-+ The following directories are mounted by nodev by default in the openEuler system:
-+
-+ /sys、/proc、/sys/kernel/security、/dev/shm、/run、/sys/fs/cgroup、/sys/fs/cgroup/systemd、
++ $ df | grep -iE "/boot|/tmp|/home|/var|/usr"
++
penEuler has the following directories (some directories vary depending on hard disk partitions ++ and deployment platforms). These directories are not mounted by nodev by default:
++/dev、/dev/pts、/、/sys/fs/selinux、/proc/sys/fs/binfmt_misc、/dev/hugepages、/boot、 ++ /var/lib/nfs/rpc_pipefs、/boot/efi、/home
++In actual scenarios, based on business needs, the nodev method is used to mount partitions ++ that do not require device mounting.
+ -+ ++It can not be scanned automatically, please check it manually.
++$ mount | grep -v "nodev" | awk -F " " '{print $3}'
++ It can not be scanned automatically, please check it manually.
++$ mount | grep "\/root\/noexec" | grep "noexec"++
Users need to plan each mounted hard drive and partition and set nosuid mounting items ++ based on actual scenarios.
++ +It can not be scanned automatically, please check it manually.
++$ mount | grep -v "nosuid"++
noexec can prevent files on removable devices from being directly executed, ++ such as virus files, attack scripts, etc;
++nodev prevents incorrect device files on removable devices from being linked ++ to real devices on the server, leading to attacks;
++Common removable devices such as: CD/DVD/USB, etc.
++ +It can not be scanned automatically, please check it manually.
++$ mount | grep "\/dev\/vda"++
It can not be scanned automatically, please check it manually.
+ +rationale: |- -+ Once the file system is mounted in read-only mode, files and directories cannot -+ be created, modified, or deleted. Users need to configure it according to the actual -+ scenario. This requirement can be ignored for file mounting necessary for the -+ operation of the operating system. -+ -+severity: high -\ No newline at end of file -diff --git a/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml -new file mode 100644 -index 0000000..8c4eff8 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml -@@ -0,0 +1,29 @@ -+documentation_complete: true -+ -+prodtype: openeuler2203 -+ -+title: 'Make sure to remove unnecessary file system mount support' -+ -+description: |- -+ The Linux system supports a variety of file systems, which are -+ loaded into the kernel through ko mode. As a general operating -+ system platform, openEuler will provide various file systems ko, -+ which are stored in the /lib/modules/(kernel version)/kernel/fs/ -+ directory and can be loaded through the insmod/modprobe command. -+ Disabling mount support for unnecessary file systems can reduce -+ the attack surface and prevent attackers from attacking the system -+ by exploiting vulnerabilities in some uncommon file systems. -+ -+ Users should determine which file systems do not need to be supported -+ based on actual scenarios, and prohibit these file systems from being -+ mounted through configuration. These file systems usually include: -+ -+ cramfs、freevxfs、jffs2、hfs、hfsplus、squashfs、udf、vfat、fat、msdos、nfs、ceph、fuse、overlay、xfs -+ -+It can not be scanned automatically, please check it manually.
+ + -+rationale: |- -+ The removed file system is no longer supported. -+ +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml @@ -2292,10 +2492,10 @@ index cd07fd0..ce86997 100644 diff --git a/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml new file mode 100644 -index 0000000..cb8f534 +index 0000000..dc1881b --- /dev/null +++ b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml -@@ -0,0 +1,28 @@ +@@ -0,0 +1,33 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -2318,7 +2518,12 @@ index 0000000..cb8f534 + configured for the process will not take effect. If it is attacked, + it will have a greater impact on the system. + -+It can not be scanned automatically, please check it manually.
++It can not be scanned automatically, please check it manually.
++$ ps -eZ | grep unconfined_service_t++
It can not be scanned automatically, please check it manually.
-+ ++Check whether the target process has seccomp mode enabled. Here we take checking the test_seccomp process as an example.
++++ $ ps -aux | grep "test_seccomp" ++++
++ $ cat /proc/[pid]/status | grep "Seccomp" ++++
It can not be scanned automatically, please check it manually.
-+ ++Check if the loopback address policy has been correctly configured.
++$ aide --version++
$ grep boot /etc/aide.conf | grep NORMAL++
$ ls /var/lib/aide/aide.db.gz++
It can not be scanned automatically, please check it manually.
++Use the following command to check whether the current system has IMA measurement enabled.
++$ cat /proc/cmdline | grep integrity=1++
$ cat /sys/kernel/security/ima/runtime_measurements_count++
It can not be scanned automatically, please check it manually.
++Check related configuration.
++++ $ grep "(root)" /etc/sudoers ++++
++ $ ll /bin/xxx.sh ++++
Check whether the system prohibits the use of the SysRq key:
++$ cat /proc/sys/kernel/sysrq++
$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*++
It can not be scanned automatically, please check it manually.
-+ ++Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.
++++ $ rpm -qa | grep -iE "^strace-|^gdb-|^perf-|^binutils-extra|^appict|^kmem_analyzer_tools" ++++
++ $ find / -type f \( -name "gdb" -o -name "perf" -o -name "strace" -o -name "readelf" \) ++++
It can not be scanned automatically, please check it manually.
++Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.
++++ $ rpm -qa | grep -iE "^(gcc-|cpp-|mcpp-|flex-|cmake-|make-|rpm-build-|binutils-extra|elfutils-extra|llvm-|rpcgen-|gcc-c++)"; rpm -qa libtool ++++
++ $ files=`find / -type f \( -name "gcc" -o -name "g++" -o -name "c++" -o -name "cpp" -o -name "mcpp" -o -name "flex" -o -name "lex" -o -name "cmake" -o -name "make" -o -name "rpmbuild" -o -name "ld" -o -name "ar" -o -name "llc" -o -name "rpcgen" -o -name "libtool" -o -name "javac" -o -name "objdump" -o -name "eu-objdump" -o -name "eu-readelf" -o -name "nm" \) 2> /dev/null`; for f in $files; do if [ -n "$f" ]; then file $f | grep -i "ELF"; fi; done ++++
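Review bot: in the nodev hunk, the new title "Mounting in nodev mode does not require mounting the device" is less clear than the one it replaces; the description says partitions that do not need device files should be mounted nodev, so "Mount partitions that do not need device files with the nodev option" states it directly. The replacement check `df | grep -iE "/boot|/tmp|/home|/var|/usr"` cannot show whether nodev is set, because df reports usage rather than mount options; the `mount | grep -v "nodev" | awk -F " " '{print $3}'` line later in the same file is the right check (or `findmnt -o TARGET,OPTIONS`). Removing the list of directories openEuler mounts nodev by default also removes the baseline a reviewer compares against; keep it. In the neighbouring mount rules, `mount | grep "\/root\/noexec" | grep "noexec"` and `mount | grep "\/dev\/vda"` hardcode a mount point and a device name from the author's test machine; use `mount | grep -v noexec` and mark the device path as an example.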
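Review bot: in the seccomp hunk, `ps -aux | grep "test_seccomp"` is a fine example process, but `ps -aux` mixes BSD and UNIX option styles (procps reads it as `-a -u x` and warns); write `ps aux` or `pgrep test_seccomp`, then `grep Seccomp /proc/<pid>/status`, and say what the values mean (Seccomp: 0 disabled, 1 strict, 2 filter) so the reader knows what passes.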
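Review bot: in the AIDE hunk, the line "Check if the loopback address policy has been correctly configured." added above `$ aide --version` is copied from the nftables loopback rule and has nothing to do with AIDE; replace it with what the three commands establish (AIDE installed, /boot covered by a NORMAL rule in /etc/aide.conf, database initialised at /var/lib/aide/aide.db.gz).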
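Review bot: in the sudoers hunk, `ll /bin/xxx.sh` after `grep "(root)" /etc/sudoers` leaves a placeholder path in a shipped check; either label it as a placeholder or describe the step ("list the permissions of each command granted with (root) and confirm it is not writable by the invoking user"). In the two tool-scan hunks, "Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment." is added verbatim as the intro to both the debugger scan (strace, gdb, perf) and the compiler scan (gcc, cpp, cmake, make, …); the second should say compilation tools. The compiler scan's `find / … 2> /dev/null` runs from `/` without `-xdev` or pruning `/proc` and `/sys`, so it will also walk pseudo and network file systems; the `-path /proc -prune -o -path /sys -prune` form used in the world-writable check is the pattern to reuse.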