Optimize 80 rules for openEuler

qsw33 2023-12-08 10:01:20 +08:00
parent acad8fdc43
commit e9867f49c4
2 changed files with 615 additions and 148 deletions


@ -1,101 +1,101 @@
From 51df8c46acfa272186a64cd166bb134675b1f031 Mon Sep 17 00:00:00 2001
From a7932d8cba91edbc359c520cd67361b3bb6680aa Mon Sep 17 00:00:00 2001
From: qsw333 <wangqingsan@huawei.com>
Date: Thu, 16 Nov 2023 13:50:38 +0800
Subject: [PATCH] add 80 rules for openEuler
Subject: [PATCH] second
---
.../base/service_haveged_enabled/rule.yml | 31 ++++++
.../service_dhcpd_disabled/rule.yml | 2 +-
.../service_named_disabled/rule.yml | 2 +-
.../package_httpd_removed/rule.yml | 2 +-
.../package_openldap-clients_removed/rule.yml | 23 +++++
.../service_rpcbind_disabled/rule.yml | 2 +-
.../service_nfs-server_disabled/rule.yml | 33 +++++++
linux_os/guide/services/rsync/group.yml | 9 ++
.../rsync/service_rsyncd_disabled/rule.yml | 20 ++++
.../service_smb_disabled/rule.yml | 2 +-
.../oval/shared.xml | 25 +++++
.../rule.yml | 23 +++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 26 +++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 25 +++++
.../oval/shared.xml | 25 +++++
.../sshd_configure_correct_interface/rule.yml | 26 +++++
.../oval/shared.xml | 25 +++++
.../sshd_disable_AllowTcpForwardindg/rule.yml | 28 ++++++
.../oval/shared.xml | 25 +++++
.../sshd_disable_x11_forwarding/rule.yml | 23 +++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 25 +++++
.../uninstall_software_service/group.yml | 5 +
.../network_sniffing_tools/rule.yml | 24 +++++
.../rule.yml | 2 +-
.../no_forward_files/oval/shared.xml | 20 ++++
.../no_forward_files/rule.yml | 17 ++++
.../rule.yml | 31 ++++++
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 39 ++++++++
.../oval/shared.xml | 25 +++++
.../audit_rule_admin_privilege/rule.yml | 30 ++++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 56 +++++++++++
.../auditd_data_retention_space_left/rule.yml | 2 +-
.../auditing/grub2_audit_argument/rule.yml | 2 +-
.../rule.yml | 2 +-
.../oval/shared.xml | 25 +++++
.../configure_dump_journald_log/rule.yml | 25 +++++
.../rule.yml | 24 +++++
.../configure_rsyslog_log_rotate/rule.yml | 48 ++++++++++
.../configure_service_logging/rule.yml | 26 +++++
.../diasable_root_accessing_system/rule.yml | 50 ++++++++++
.../rsyslog_files_permissions/oval/shared.xml | 1 +
.../oval/shared.xml | 25 +++++
.../rule.yml | 22 +++++
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rsyslog_remote_loghost/oval/shared.xml | 1 +
.../rule.yml | 36 +++++++
.../rule.yml | 36 +++++++
.../rule.yml | 27 ++++++
.../rule.yml | 36 +++++++
.../rule.yml | 28 ++++++
.../wireless_disable_interfaces/rule.yml | 2 +-
.../rule.yml | 26 +++++
.../system/network/network_nftables/group.yml | 12 +++
.../rule.yml | 31 ++++++
.../rule.yml | 29 ++++++
.../rule.yml | 24 +++++
.../rule.yml | 28 ++++++
.../rule.yml | 25 +++++
.../service_nftables_enabled/rule.yml | 22 +++++
.../define_ld_lib_path_correctly/rule.yml | 41 ++++++++
.../files/define_path_strictly/rule.yml | 44 +++++++++
.../no_files_globally_writable_files/rule.yml | 34 +++++++
.../rule.yml | 38 ++++++++
.../rule.yml | 33 +++++++
.../partitions_mounted_nodev_mode/rule.yml | 47 +++++++++
.../partitions_mounted_noexec_mode/rule.yml | 23 +++++
.../partitions_mounted_nosuid_mode/rule.yml | 31 ++++++
.../rule.yml | 29 ++++++
.../read_only_partitions_no_modified/rule.yml | 16 ++++
.../sysctl_kernel_yama_ptrace_scope/rule.yml | 2 +-
.../rule.yml | 33 +++++++
.../system/software/enabled_seccomp/rule.yml | 47 +++++++++
.../crypto/configure_crypto_policy/rule.yml | 2 +-
.../aide/aide_build_database/oval/shared.xml | 1 +
.../aide/enable_aide_detection/rule.yml | 40 ++++++++
.../ima_verification/rule.yml | 55 +++++++++++
.../rule.yml | 33 +++++++
.../disabled_SysRq/oval/shared.xml | 25 +++++
.../system-tools/disabled_SysRq/rule.yml | 30 ++++++
.../uninstall_debugging_tools/rule.yml | 35 +++++++
.../rule.yml | 39 ++++++++
openeuler2203/profiles/standard.profile | 96 +++++++++++++++++++
91 files changed, 2134 insertions(+), 16 deletions(-)
.../base/service_haveged_enabled/rule.yml | 31 ++
.../service_dhcpd_disabled/rule.yml | 2 +-
.../service_named_disabled/rule.yml | 2 +-
.../package_httpd_removed/rule.yml | 2 +-
.../package_openldap-clients_removed/rule.yml | 23 ++
.../service_rpcbind_disabled/rule.yml | 2 +-
.../service_nfs-server_disabled/rule.yml | 33 ++
linux_os/guide/services/rsync/group.yml | 9 +
.../rsync/service_rsyncd_disabled/rule.yml | 20 ++
.../service_smb_disabled/rule.yml | 2 +-
.../oval/shared.xml | 25 ++
.../rule.yml | 23 ++
.../oval/shared.xml | 25 ++
.../rule.yml | 26 ++
.../oval/shared.xml | 25 ++
.../rule.yml | 25 ++
.../oval/shared.xml | 25 ++
.../sshd_configure_correct_interface/rule.yml | 26 ++
.../oval/shared.xml | 25 ++
.../sshd_disable_AllowTcpForwardindg/rule.yml | 28 ++
.../oval/shared.xml | 25 ++
.../sshd_disable_x11_forwarding/rule.yml | 23 ++
.../oval/shared.xml | 54 +++
.../rule.yml | 25 ++
.../uninstall_software_service/group.yml | 5 +
.../network_sniffing_tools/rule.yml | 24 ++
.../rule.yml | 2 +-
.../no_forward_files/oval/shared.xml | 20 ++
.../no_forward_files/rule.yml | 31 ++
.../rule.yml | 31 ++
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 39 ++
.../oval/shared.xml | 44 +++
.../audit_rules_admin_privilege/rule.yml | 28 ++
.../oval/shared.xml | 25 ++
.../rule.yml | 56 +++
.../auditd_data_retention_space_left/rule.yml | 2 +-
.../auditing/grub2_audit_argument/rule.yml | 2 +-
.../rule.yml | 2 +-
.../oval/shared.xml | 25 ++
.../configure_dump_journald_log/rule.yml | 25 ++
.../rule.yml | 24 ++
.../configure_rsyslog_log_rotate/rule.yml | 48 +++
.../configure_service_logging/rule.yml | 26 ++
.../diasable_root_accessing_system/rule.yml | 50 +++
.../rsyslog_files_permissions/oval/shared.xml | 1 +
.../oval/shared.xml | 25 ++
.../rule.yml | 22 ++
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rsyslog_remote_loghost/oval/shared.xml | 1 +
.../rule.yml | 36 ++
.../rule.yml | 36 ++
.../rule.yml | 27 ++
.../rule.yml | 36 ++
.../rule.yml | 28 ++
.../wireless_disable_interfaces/rule.yml | 2 +-
.../rule.yml | 26 ++
.../system/network/network_nftables/group.yml | 12 +
.../rule.yml | 31 ++
.../rule.yml | 29 ++
.../rule.yml | 24 ++
.../rule.yml | 28 ++
.../rule.yml | 25 ++
.../service_nftables_enabled/rule.yml | 22 ++
.../define_ld_lib_path_correctly/rule.yml | 41 +++
.../files/define_path_strictly/rule.yml | 44 +++
.../no_files_globally_writable_files/rule.yml | 34 ++
.../rule.yml | 38 ++
.../rule.yml | 33 ++
.../partitions_mounted_nodev_mode/rule.yml | 47 +++
.../partitions_mounted_noexec_mode/rule.yml | 23 ++
.../partitions_mounted_nosuid_mode/rule.yml | 31 ++
.../rule.yml | 29 ++
.../read_only_partitions_no_modified/rule.yml | 21 ++
.../sysctl_kernel_yama_ptrace_scope/rule.yml | 3 +-
.../rule.yml | 33 ++
.../system/software/enabled_seccomp/rule.yml | 47 +++
.../crypto/configure_crypto_policy/rule.yml | 2 +-
.../aide/aide_build_database/oval/shared.xml | 1 +
.../aide/enable_aide_detection/rule.yml | 40 +++
.../ima_verification/rule.yml | 55 +++
.../rule.yml | 33 ++
.../disabled_SysRq/oval/shared.xml | 25 ++
.../system-tools/disabled_SysRq/rule.yml | 30 ++
.../uninstall_debugging_tools/rule.yml | 35 ++
.../rule.yml | 39 ++
openeuler2203/profiles/standard.profile | 340 +++++++++++++++++-
91 files changed, 2443 insertions(+), 17 deletions(-)
create mode 100644 linux_os/guide/services/base/service_haveged_enabled/rule.yml
create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
create mode 100644 linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml
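Review bot: The inner patch subject is rewritten from "add 80 rules for openEuler" to "second", which says nothing about the change; keep a descriptive subject that matches the commit title ("Optimize 80 rules for openEuler"). Two directory names carried through this hunk also have typos that will become permanent rule ids once merged: `sshd_disable_AllowTcpForwardindg` (should be `AllowTcpForwarding`) and `diasable_root_accessing_system` (should be `disable_`). Renaming `audit_rule_admin_privilege` to `audit_rules_admin_privilege` is a good consistency fix; make sure no profile still references the old id.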
@ -121,8 +121,8 @@ Subject: [PATCH] add 80 rules for openEuler
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml
create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml
create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml
create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
@ -763,10 +763,10 @@ index 0000000..c301259
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
new file mode 100644
index 0000000..2c7044f
index 0000000..e451290
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
@@ -0,0 +1,25 @@
@@ -0,0 +1,54 @@
+<def-group>
+ <definition class="compliance" id="sshd_prohibit_preset_authorized_keys" version="1">
+ <metadata>
@ -774,25 +774,53 @@ index 0000000..2c7044f
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>SSH service prohibits preset authorized_Keys.</description>
+ <description>Prohibit SSH service shuold setting authorized_Keys</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH service prohibits preset authorized_Keys"
+ test_ref="test_sshd_prohibit_preset_authorized_keys" />
+ <criteria operator="OR">
+ <criterion comment="Set authorized_Keys in /root" test_ref="test_authorized_Keys_root" />
+ <criterion comment="Set authorized_Keys /home" test_ref="test_authorized_Keys_home" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH service prohibits preset authorized_Keys"
+ id="test_sshd_prohibit_preset_authorized_keys" version="1">
+ <ind:object object_ref="obj_test_sshd_prohibit_preset_authorized_keys" />
+
+ <!-- NIST scapval validation tool complains that a variable passed to
+ rsyslog_remote_loghost OVAL check from the XCCDF Rule doesn't have
+ the correct type according to the SCAP specifications.
+
+ This happens because we don't use the received variable in the check,
+ thus its type is not defined anywhere in the check, we only use it when
+ remediating the rule.
+
+ To work around this we define an external variable just to set
+ the type of the variable to be as SCAP specification defines. -->
+ <external_variable comment="used for remediation only" datatype="string" id="sshd_prohibit_preset_authorized_keys_address" version="1"/>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="Ensures authorized_Keys set in /root"
+ id="test_authorized_Keys_root" version="1">
+ <ind:object object_ref="object_authorized_Keys_root" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_prohibit_preset_authorized_keys" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">authorized_keys</ind:pattern>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="Ensures authorized_Keys set in /home"
+ id="test_authorized_Keys_home" version="1">
+ <ind:object object_ref="object_authorized_Keys_home" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_authorized_Keys_root" version="1">
+ <ind:path>/root</ind:path>
+ <ind:filename operation="pattern match">authorized_keys</ind:filename>
+ <ind:pattern operation="pattern match">.*</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_authorized_Keys_home" version="1">
+ <ind:path>/home</ind:path>
+ <ind:filename operation="pattern match">authorized_keys</ind:filename>
+ <ind:pattern operation="pattern match">.*</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml
new file mode 100644
index 0000000..145f45d
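Review bot: The two new objects only look directly in /root and /home: an OVAL `<ind:path>` with no `<ind:behaviors recurse_direction="down" .../>` does not descend into subdirectories, so /root/.ssh/authorized_keys and /home/<user>/.ssh/authorized_keys are never examined and the check passes on a system that has preset keys. Either add the behaviors element or match the full path with a `filepath` pattern such as `^/home/[^/]+/\.ssh/authorized_keys$`. Combining the two `none_exist` tests under `<criteria operator="OR">` is also wrong for a prohibition: the definition passes as soon as one location is clean, so this should be `operator="AND"`. The new description "Prohibit SSH service shuold setting authorized_Keys" has a typo and is less clear than the previous "SSH service prohibits preset authorized_Keys."; keep the old wording. Finally, the comment block above `sshd_prohibit_preset_authorized_keys_address` is copied verbatim from the rsyslog_remote_loghost check and still names that rule; reword it for this rule, and drop the external variable if no remediation consumes it.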
@ -909,10 +937,10 @@ index 0000000..eab54dd
\ No newline at end of file
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
new file mode 100644
index 0000000..9d8969f
index 0000000..92ca05a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
@@ -0,0 +1,17 @@
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@ -925,6 +953,20 @@ index 0000000..9d8969f
+ no related email forwarding scenarios, it is recommended to delete the
+ <tt>.forward</tt> file.
+
+ <p><tt>Use the following script to check:</tt></p>
+ <ul>
+ <li>If there is no return output, it means that there is no ".forward" file in all Home directories:
+ <pre>#!/bin/bash
+
+ grep -E -v '^(halt|sync|shutdown)' "/etc/passwd" | awk -F ":" '($7 != "/bin/false" &amp;&amp; $7 != "/sbin/nologin") {print $6}' | while read home;
+ do
+ if [ -d "$home" ]; then
+ find $home -name ".forward"
+ fi
+ done</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ If there is a <tt>.forward</tt> file, it may cause user emails carrying
+ sensitive information to be automatically forwarded to high-risk mailboxes.
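Review bot: In the added check script `find $home -name ".forward"` expands `$home` unquoted, so a home directory path containing whitespace is split into several arguments; write `find "$home" -name ".forward"`. Because the MTA reads `.forward` from the home directory itself, adding `-maxdepth 1` avoids walking every user's full tree. The lead sentence `<p><tt>Use the following script to check:</tt></p>` wraps prose in `<tt>`, which the guide reserves for literals; drop the `<tt>` there.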
@ -1063,47 +1105,63 @@ index 0000000..1e4f780
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml
new file mode 100644
index 0000000..b70b4d9
index 0000000..55af169
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml
@@ -0,0 +1,25 @@
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml
@@ -0,0 +1,44 @@
+<def-group>
+ <definition class="compliance" id="audit_rule_admin_privilege" version="1">
+ <definition class="compliance" id="audit_rules_admin_privilege" version="1">
+ <metadata>
+ <title>Audit rules for administrator privileged operations should be configured</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ {{{- oval_affected(products) }}}
+ <description>Configure audit rules for administrator privileged operations</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Configure audit rules for administrator privileged operations"
+ test_ref="test_audit_rule_admin_privilege" />
+
+<criteria operator="OR">
+
+ <!-- Test the augenrules case -->
+ <criteria operator="AND">
+ <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+ <criterion comment="audit augenrules configuration locked" test_ref="test_admin_privilege_augenrules" />
+ </criteria>
+
+ <!-- Test the auditctl case -->
+ <criteria operator="AND">
+ <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+ <criterion comment="audit auditctl configuration locked" test_ref="test_admin_privilege_auditctl" />
+ </criteria>
+
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="recorded authentication-related event"
+ id="test_audit_rule_admin_privilege" version="1">
+ <ind:object object_ref="obj_test_audit_rule_admin_privilege" />
+
+ <ind:textfilecontent54_test check="all" comment="audit augenrules configuration locked" id="test_admin_privilege_augenrules" version="1">
+ <ind:object object_ref="object_admin_privilege_augenrules" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_audit_rule_admin_privilege" version="1">
+ <ind:textfilecontent54_object id="object_admin_privilege_augenrules" version="1">
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+ <ind:pattern operation="pattern match">^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" comment="audit auditctl configuration locked" id="test_admin_privilege_auditctl" version="1">
+ <ind:object object_ref="object_admin_privilege_auditctl" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_admin_privilege_auditctl" version="1">
+ <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
new file mode 100644
index 0000000..a5e0923
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+</def-group>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml
new file mode 100644
index 0000000..63304a8
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+title: 'Audit rules for administrator privileged operations should be configured'
+
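Review bot: The watch pattern `^\-w[\s]+sudo\.log[\s]+\-p...` requires `sudo.log` immediately after `-w`, but an auditctl watch takes an absolute path (for example `-w /var/log/sudo.log -p wa -k actions`), so a correctly configured rule never matches and the check always fails; anchor on the full path (`^\-w[\s]+/var/log/sudo\.log[\s]+...`) or accept a prefix with `\S*sudo\.log`. The criterion and test comments "audit augenrules configuration locked" / "audit auditctl configuration locked" are copied from the immutable-configuration check and do not describe this test; name the sudo.log watch instead. The rule.yml for the old `audit_rule_admin_privilege` id still appears in this hunk alongside the renamed `audit_rules_admin_privilege`; confirm the old directory is actually deleted rather than left behind.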
@ -1359,7 +1417,7 @@ index 0000000..ec95d20
\ No newline at end of file
diff --git a/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
new file mode 100644
index 0000000..d0bcf1f
index 0000000..e45ebb7
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
@@ -0,0 +1,48 @@
@ -1400,7 +1458,7 @@ index 0000000..d0bcf1f
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <ul>
+ <li>Check whether the relevant fields have been configured in the /etc/logrotate.d/rsyslog file:
+ <pre>$ cat /etc/logrotate.d/rsyslog | grep -iE "\/var\/log|maxage|rotate|compress|size"</pre>
+ <pre>$ cat /etc/logrotate.d/rsyslog | grep -iE "\/var\/log|maxage|\&lt;rotate\&gt;|compress|size"</pre>
+ </li>
+ </ul>
+
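Review bot: Style only: `cat /etc/logrotate.d/rsyslog | grep -iE "..."` can be `grep -iE '...' /etc/logrotate.d/rsyslog`, and the slashes in `\/var\/log` need no escaping in an ERE. The change to `\&lt;rotate\&gt;` (rendered as `\<rotate\>`) is a good fix, since it stops the alternation from also matching `rotate` inside other words. In the description, "It can not be scanned automatically" should read "It cannot be scanned automatically".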
@ -2457,10 +2515,10 @@ index 0000000..848fed1
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml b/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml
new file mode 100644
index 0000000..f929c84
index 0000000..b63d688
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml
@@ -0,0 +1,16 @@
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@ -2472,6 +2530,11 @@ index 0000000..f929c84
+ avoid unintentional or malicious data tampering and reduce the attack surface.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <ul>
+ <li>Use the mount command to check whether the mounted file system meets the requirements:
+ <pre>$ mount | grep "/root/readonly" | grep "\&lt;ro\&gt;"</pre>
+ </li>
+ </ul>
+
+rationale: |-
+
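Review bot: The manual check `mount | grep "/root/readonly" | grep "\&lt;ro\&gt;"` hard-codes the mount point /root/readonly, which is an example path that most systems will not have, so a reader following the text literally gets no output and cannot tell whether the rule is met. State that the mount point must be replaced with each partition the site policy designates read-only, or show a form that lists all mounts lacking `ro` so the reviewer can compare against that list. The rationale section left at `+rationale: |-` with an empty body should also be filled in.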
@ -2479,7 +2542,7 @@ index 0000000..f929c84
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index cd07fd0..ce86997 100644
index cd07fd0..cd68dad 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -1,6 +1,6 @@
@ -2490,6 +2553,12 @@ index cd07fd0..ce86997 100644
title: 'Restrict usage of ptrace to descendant processes'
@@ -33,4 +33,5 @@ template:
vars:
sysctlvar: kernel.yama.ptrace_scope
sysctlval: '1'
+ sysctlval@openeuler2203: '0'
datatype: int
diff --git a/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml
new file mode 100644
index 0000000..dc1881b
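Review bot: `sysctlval@openeuler2203: '0'` sets kernel.yama.ptrace_scope to 0 on openEuler 22.03, which is the unrestricted classic-ptrace mode, while the rule title remains "Restrict usage of ptrace to descendant processes" and the generic value stays '1'. If the openEuler baseline genuinely requires 0, the rule description and rationale need a product-specific note explaining that no restriction is applied; otherwise keep the product value at 1 so the check matches the title.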
@ -2915,109 +2984,507 @@ index 0000000..69b0c59
+severity: high
\ No newline at end of file
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
index de6890c..0297edc 100644
index de6890c..1f4de10 100644
--- a/openeuler2203/profiles/standard.profile
+++ b/openeuler2203/profiles/standard.profile
@@ -164,3 +164,99 @@ selections:
@@ -9,158 +9,496 @@ description: |-
selections:
- package_telnet_removed
+ - package_telnet_removed.severity=high
- package_tftp-server_removed
+ - package_tftp-server_removed.severity=high
- package_tftp_removed
+ - package_tftp_removed.severity=high
- package_net-snmp_removed
+ - package_net-snmp_removed.severity=high
- accounts_no_uid_except_zero
+ - accounts_no_uid_except_zero.severity=high
- file_owner_etc_passwd
+ - file_owner_etc_passwd.severity=high
- file_groupowner_etc_passwd
+ - file_groupowner_etc_passwd.severity=high
- file_permissions_etc_passwd
+ - file_permissions_etc_passwd.severity=high
- file_owner_etc_shadow
+ - file_owner_etc_shadow.severity=high
- file_groupowner_etc_shadow
+ - file_groupowner_etc_shadow.severity=high
- file_permissions_etc_shadow
+ - file_permissions_etc_shadow.severity=high
- file_owner_etc_group
+ - file_owner_etc_group.severity=high
- file_groupowner_etc_group
+ - file_groupowner_etc_group.severity=high
- file_permissions_etc_group
+ - file_permissions_etc_group.severity=high
- file_owner_etc_gshadow
+ - file_owner_etc_gshadow.severity=high
- file_groupowner_etc_gshadow
+ - file_groupowner_etc_gshadow.severity=high
- file_permissions_etc_gshadow
+ - file_permissions_etc_gshadow.severity=high
- accounts_user_interactive_home_directory_exists
+ - accounts_user_interactive_home_directory_exists.severity=high
- gid_passwd_group_same
+ - gid_passwd_group_same.severity=high
- var_password_pam_minlen=8
- accounts_password_pam_minlen
+ - accounts_password_pam_minlen.severity=high
- accounts_password_pam_minclass
+ - accounts_password_pam_minclass.severity=high
- var_password_pam_ucredit=0
- accounts_password_pam_ucredit
+ - accounts_password_pam_ucredit.severity=high
- var_password_pam_lcredit=0
- accounts_password_pam_lcredit
+ - accounts_password_pam_lcredit.severity=high
- var_password_pam_dcredit=0
- accounts_password_pam_dcredit
+ - accounts_password_pam_dcredit.severity=high
- var_password_pam_ocredit=0
- accounts_password_pam_ocredit
+ - accounts_password_pam_ocredit.severity=high
- accounts_password_pam_retry
+ - accounts_password_pam_retry.severity=high
- accounts_password_pam_unix_remember
+ - accounts_password_pam_unix_remember.severity=high
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_systemauth.severity=high
- accounts_maximum_age_login_defs
- - var_accounts_minimum_age_login_defs=0
+ - accounts_maximum_age_login_defs.severity=high
+ - var_accounts_maximum_age_login_defs=90
- accounts_minimum_age_login_defs
+ - accounts_minimum_age_login_defs.severity=high
+ - var_accounts_minimum_age_login_defs=0
- accounts_password_warn_age_login_defs
+ - accounts_password_warn_age_login_defs.severity=high
- sshd_disable_empty_passwords
+ - sshd_disable_empty_passwords.severity=high
- grub2_uefi_password
+ - grub2_uefi_password.severity=high
- require_singleuser_auth
+ - require_singleuser_auth.severity=high
- accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_deny.severity=high
- accounts_passwords_pam_faillock_deny_root
+ - accounts_passwords_pam_faillock_deny_root.severity=high
- var_accounts_passwords_pam_faillock_unlock_time=300
- accounts_passwords_pam_faillock_unlock_time
+ - accounts_passwords_pam_faillock_unlock_time.severity=high
- var_accounts_tmout=5_min
- accounts_tmout
+ - accounts_tmout.severity=high
- sshd_allow_only_protocol2
+ - sshd_allow_only_protocol2.severity=high
- sshd_disable_rhosts
+ - sshd_disable_rhosts.severity=high
- disable_host_auth
+ - disable_host_auth.severity=high
- configure_ssh_crypto_policy
+ - configure_ssh_crypto_policy.severity=high
- sysctl_kernel_randomize_va_space
+ - sysctl_kernel_randomize_va_space.severity=high
- sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_dmesg_restrict.severity=high
- sysctl_kernel_kptr_restrict
+ - sysctl_kernel_kptr_restrict.severity=high
- no_files_unowned_by_user
+ - no_files_unowned_by_user.severity=high
- file_permissions_ungroupowned
+ - file_permissions_ungroupowned.severity=high
- dir_perms_world_writable_sticky_bits
+ - dir_perms_world_writable_sticky_bits.severity=high
- var_accounts_user_umask=077
- accounts_umask_etc_bashrc
+ - accounts_umask_etc_bashrc.severity=high
- service_auditd_enabled
+ - service_auditd_enabled.severity=high
- auditd_data_retention_max_log_file_action
+ - auditd_data_retention_max_log_file_action.severity=high
- auditd_data_retention_num_logs
+ - auditd_data_retention_num_logs.severity=high
- service_rsyslog_enabled
+ - service_rsyslog_enabled.severity=high
- package_python2_removed
+ - package_python2_removed.severity=high
- ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_never_disabled.severity=high
- login_accounts_are_necessary
+ - login_accounts_are_necessary.severity=high
- accounts_are_necessary
+ - accounts_are_necessary.severity=high
- group_unique_id
+ - group_unique_id.severity=high
- account_unique_id
+ - account_unique_id.severity=high
- account_unique_group_id
+ - account_unique_group_id.severity=high
- account_unique_name
+ - account_unique_name.severity=high
- group_unique_name
+ - group_unique_name.severity=high
- accounts_password_pam_dictcheck
+ - accounts_password_pam_dictcheck.severity=high
- verify_owner_password
+ - verify_owner_password.severity=high
- no_name_contained_in_password
+ - no_name_contained_in_password.severity=high
- sshd_strong_kex=standard_openeuler2203
- sshd_use_strong_kex
+ - sshd_use_strong_kex.severity=high
- sshd_use_strong_pubkey
+ - sshd_use_strong_pubkey.severity=high
- sshd_enable_pam
+ - sshd_enable_pam.severity=high
- sshd_use_strong_macs
+ - sshd_use_strong_macs.severity=high
- sshd_use_strong_ciphers
+ - sshd_use_strong_ciphers.severity=high
- grub2_nosmap_argument_absent
+ - grub2_nosmap_argument_absent.severity=high
- grub2_nosmep_argument_absent
+ - grub2_nosmep_argument_absent.severity=high
- package_ftp_removed
+ - package_ftp_removed.severity=high
- no_empty_symlink_files
+ - no_empty_symlink_files.severity=high
- no_hide_exec_files
+ - no_hide_exec_files.severity=high
- no_lowprivilege_users_writeable_cmds_in_crontab_file
+ - no_lowprivilege_users_writeable_cmds_in_crontab_file.severity=high
- service_debug-shell_disabled
+ - service_debug-shell_disabled.severity=high
- service_avahi-daemon_disabled
+ - service_avahi-daemon_disabled.severity=high
- package_openldap-servers_removed
+ - package_openldap-servers_removed.severity=high
- service_cups_disabled
+ - service_cups_disabled.severity=high
- package_ypserv_removed
+ - package_ypserv_removed.severity=high
- package_ypbind_removed
+ - package_ypbind_removed.severity=high
- account_temp_expire_date
+ - account_temp_expire_date.severity=low
- no_netrc_files
+ - no_netrc_files.severity=low
- service_chronyd_or_ntpd_enabled
+ - service_chronyd_or_ntpd_enabled.severity=low
- chronyd_or_ntpd_specify_remote_server
+ - chronyd_or_ntpd_specify_remote_server.severity=low
- kernel_module_sctp_disabled
+ - kernel_module_sctp_disabled.severity=low
- kernel_module_tipc_disabled
+ - kernel_module_tipc_disabled.severity=low
- sshd_set_loglevel_verbose
+ - sshd_set_loglevel_verbose.severity=low
- sshd_set_max_auth_tries
+ - sshd_set_max_auth_tries.severity=low
- sshd_max_auth_tries_value=3
- sshd_do_not_permit_user_env
+ - sshd_do_not_permit_user_env.severity=high
- sshd_disable_user_known_hosts_ex
+ - sshd_disable_user_known_hosts_ex.severity=high
- sshd_disable_rhosts_rsa
+ - sshd_disable_rhosts_rsa.severity=high
- service_firewalld_enabled
+ - service_firewalld_enabled.severity=low
- set_firewalld_default_zone
+ - set_firewalld_default_zone.severity=low
- disable_unnecessary_service_and_ports
+ - disable_unnecessary_service_and_ports.severity=low
- service_iptables_enabled
+ - service_iptables_enabled.severity=low
- service_ip6tables_enabled
+ - service_ip6tables_enabled.severity=low
- set_iptables_default_rule
+ - set_iptables_default_rule.severity=low
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high
- sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects.severity=high
- sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects.severity=high
- sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_all_secure_redirects.severity=high
- sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects.severity=high
- sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_all_send_redirects.severity=high
- sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects.severity=high
- sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_all_rp_filter.severity=high
- sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv4_ip_forward.severity=high
- sysctl_net_ipv6_conf_all_forwarding
+ - sysctl_net_ipv6_conf_all_forwarding.severity=high
- sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_all_accept_source_route.severity=high
- sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route.severity=high
- sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_tcp_syncookies.severity=high
- sysctl_net_ipv4_conf_all_log_martians
+ - sysctl_net_ipv4_conf_all_log_martians.severity=low
- sysctl_net_ipv4_conf_default_log_martians
+ - sysctl_net_ipv4_conf_default_log_martians.severity=low
- sysctl_fs_suid_dumpable
+ - sysctl_fs_suid_dumpable.severity=high
- selinux_state
+ - selinux_state.severity=low
- selinux_policytype
+ - selinux_policytype.severity=low
- sysctl_fs_protected_symlinks
+ - sysctl_fs_protected_symlinks.severity=high
- sysctl_fs_protected_hardlinks
+ - sysctl_fs_protected_hardlinks.severity=high
- kernel_module_usb-storage_disabled
+ - kernel_module_usb-storage_disabled.severity=low
- service_crond_enabled
+ - service_crond_enabled.severity=high
- cron_and_at_config
+ - cron_and_at_config.severity=high
- audit_rules_login_events
+ - audit_rules_login_events.severity=low
- audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_group.severity=low
- audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_gshadow.severity=low
- audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_opasswd.severity=low
- audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_passwd.severity=low
- audit_rules_usergroup_modification_shadow
+ - audit_rules_usergroup_modification_shadow.severity=low
- audit_rules_kernel_module_install_and_remove
+ - audit_rules_kernel_module_install_and_remove.severity=low
- rsyslog_cron_logging
+ - rsyslog_cron_logging.severity=high
- ensure_minimum_permission
+ - ensure_minimum_permission.severity=high
- opened_files_count_limited
+ - opened_files_count_limited.severity=high
- sysctl_net_ipv4_tcp_timestamps
+ - sysctl_net_ipv4_tcp_timestamps.severity=low
- sysctl_net_ipv4_tcp_fin_timeout
+ - sysctl_net_ipv4_tcp_fin_timeout.severity=high
- sysctl_net_ipv4_tcp_max_syn_backlog
+ - sysctl_net_ipv4_tcp_max_syn_backlog.severity=low
- sysctl_net_ipv4_disable_arp_proxy
+ - sysctl_net_ipv4_disable_arp_proxy.severity=high
- sysctl_net_ipv4_icmp_echo_ignore_all
+ - sysctl_net_ipv4_icmp_echo_ignore_all.severity=low
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses.severity=high
- su_only_for_wheel
+ - su_only_for_wheel.severity=high
- sudo_not_for_all_users
+ - sudo_not_for_all_users.severity=high
- only_root_can_run_pkexec
+ - only_root_can_run_pkexec.severity=high
- su_always_set_path
+ - su_always_set_path.severity=high
- file_permissions_unauthorized_world_writable
+ - file_permissions_unauthorized_world_writable.severity=low
- file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_suid.severity=high
- file_permissions_unauthorized_sgid
+ - file_permissions_unauthorized_sgid.severity=high
+ - network_sniffing_tools
+ - network_sniffing_tools.severity=high
+ - service_rsyncd_disabled
+ - service_rsyncd_disabled.severity=high
+ - package_openldap-clients_removed
+ - package_openldap-clients_removed.severity=high
+ - no_forward_files
+ - no_forward_files.severity=low
+ - sshd_configure_correct_interface
+ - sshd_configure_correct_interface.severity=low
+ - sshd_concurrent_unauthenticated_connections
+ - sshd_concurrent_unauthenticated_connections.severity=low
+ - sshd_configure_concurrent_sessions
+ - sshd_configure_concurrent_sessions.severity=low
+ - sshd_disable_x11_forwarding
+ - sshd_disable_x11_forwarding.severity=high
+ - sshd_configure_correct_LoginGraceTime
+ - sshd_configure_correct_LoginGraceTime.severity=low
+ - sshd_disable_AllowTcpForwardindg
+ - sshd_disable_AllowTcpForwardindg.severity=high
+ - sshd_prohibit_preset_authorized_keys
+ - sshd_prohibit_preset_authorized_keys.severity=high
+ - network_interface_binding_corrently
+ - network_interface_binding_corrently.severity=low
+ - iptables_loopback_policy_configured_corrently
+ - iptables_loopback_policy_configured_corrently.severity=low
+ - iptables_input_policy_configured_corrently
+ - iptables_input_policy_configured_corrently.severity=low
+ - iptables_output_policy_configured_corrently
+ - iptables_output_policy_configured_corrently.severity=low
+ - iptables_association_policy_configured_corrently
+ - iptables_association_policy_configured_corrently.severity=low
+ - service_nftables_enabled
+ - service_nftables_enabled.severity=low
+ - nftables_configure_default_deny_policy
+ - nftables_configure_default_deny_policy.severity=low
+ - nftables_loopback_policy_configured_corrently
+ - nftables_loopback_policy_configured_corrently.severity=low
+ - nftables_input_policy_configured_corrently
+ - nftables_input_policy_configured_corrently.severity=low
+ - nftables_output_policy_configured_corrently
+ - nftables_output_policy_configured_corrently.severity=low
+ - nftables_association_policy_configured_corrently
+ - nftables_association_policy_configured_corrently.severity=low
+ - sudoers_disable_low_privileged_configure
+ - sudoers_disable_low_privileged_configure.severity=high
+ - no_files_globally_writable_files
+ - no_files_globally_writable_files.severity=high
+ - removed_unnecessary_file_mount_support
+ - removed_unnecessary_file_mount_support.severity=high
+ - read_only_partitions_no_modified
+ - read_only_partitions_no_modified.severity=high
+ - partitions_mounted_nodev_mode
+ - partitions_mounted_nodev_mode.severity=high
+ - partitions_mounted_noexec_mode
+ - partitions_mounted_noexec_mode.severity=high
+ - partitoin_mounted_noexec_or_nodev
+ - partitoin_mounted_noexec_or_nodev.severity=high
+ - partitions_mounted_nosuid_mode
+ - partitions_mounted_nosuid_mode.severity=high
+ - audit_privilege_escalation_command
+ - audit_rule_admin_privilege
+ - audit_privilege_escalation_command.severity=low
+ - audit_rules_admin_privilege
+ - audit_rules_admin_privilege.severity=low
+ - recorded_authentication_related_event
+ - recorded_authentication_related_event.severity=high
+ - rsyslog_files_permissions
+ - rsyslog_files_permissions.severity=low
+ - partitions_manage_hard_drive_data
+ - partitions_manage_hard_drive_data.severity=low
+ - uninstall_debugging_tools
+ - uninstall_debugging_tools.severity=high
+ - uninstall_development_and_compliation_tools
+ - uninstall_development_and_compliation_tools.severity=high
+ - package_xorg-x11-server-common_removed
+ - package_xorg-x11-server-common_removed.severity=high
+ - package_httpd_removed
+ - package_httpd_removed.severity=low
+ - service_smb_disabled
+ - service_smb_disabled.severity=low
+ - service_named_disabled
+ - service_named_disabled.severity=high
+ - service_nfs-server_disabled
+ - service_nfs-server_disabled.severity=low
+ - service_rpcbind_disabled
+ - service_rpcbind_disabled.severity=low
+ - service_dhcpd_disabled
+ - service_dhcpd_disabled.severity=low
+ - configure_first_logging_change_password
+ - configure_first_logging_change_password.severity=high
+ - sshd_disable_root_login
+ - sshd_disable_root_login.severity=high
+ - warning_banners_contain_reasonable_information
+ - warning_banners_contain_reasonable_information.severity=high
+ - diasable_root_accessing_system
+ - diasable_root_accessing_system.severity=low
+ - wireless_disable_interfaces
+ - wireless_disable_interfaces.severity=low
+ - sshd_enable_warning_banner
+ - sshd_enable_warning_banner.severity=low
+ - disabled_SysRq
+ - disabled_SysRq.severity=high
+ - sysctl_kernel_yama_ptrace_scope
+ - sysctl_kernel_yama_ptrace_scope.severity=low
+ - disabled_unconfined_service_t_programs
+ - disabled_unconfined_service_t_programs.severity=low
+ - enabled_seccomp
+ - enabled_seccomp.severity=low
+ - define_ld_lib_path_correctly
+ - define_ld_lib_path_correctly.severity=high
+ - define_path_strictly
+ - define_path_strictly.severity=low
+ - grub2_audit_argument
+ - grub2_audit_argument.severity=low
+ - grub2_audit_backlog_limit_argument
+ - grub2_audit_backlog_limit_argument.severity=low
+ - audit_rules_immutable
+ - audit_rules_immutable.severity=low
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file.severity=high
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_max_log_file_action.severity=high
+ - auditd_data_retention_space_left
+ - auditd_data_retention_space_left.severity=low
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_space_left_action.severity=low
+ - auditd_data_retention_admin_space_left
+ - auditd_data_retention_admin_space_left.severity=low
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_admin_space_left_action.severity=low
+ - auditd_data_disk_error_action
+ - auditd_data_disk_error_action.severity=low
+ - auditd_data_disk_full_action
+ - auditd_data_disk_full_action.severity=low
+ - audit_rules_sysadmin_actions
+ - audit_rules_sysadmin_actions.severity=low
+ - audit_rules_session_events
+ - audit_rules_session_events.severity=low
+ - audit_rules_time_adjtimex
+ - audit_rules_time_adjtimex.severity=low
+ - audit_rules_time_clock_settime
+ - audit_rules_time_clock_settime.severity=low
+ - audit_rules_time_settimeofday
+ - audit_rules_time_settimeofday.severity=low
+ - audit_rules_time_stime
+ - audit_rules_time_stime.severity=low
+ - audit_rules_time_watch_localtime
+ - audit_rules_time_watch_localtime.severity=low
+ - audit_rules_mac_modification
+ - audit_rules_mac_modification.severity=low
+ - audit_rules_networkconfig_modification
+ - audit_rules_networkconfig_modification.severity=low
+ - audit_rules_successful_file_modification
+ - audit_rules_successful_file_modification.severity=low
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open.severity=low
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_ftruncate.severity=low
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_creat.severity=low
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_openat.severity=low
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_rename.severity=low
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat.severity=low
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlink.severity=low
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_file_deletion_events_unlinkat.severity=low
+ - audit_rules_media_export
+ - audit_rules_media_export.severity=low
+ - configure_service_logging
+ - configure_service_logging.severity=low
+ - configure_dump_journald_log
+ - configure_dump_journald_log.severity=high
+ - configure_rsyslog_log_rotate
+ - configure_rsyslog_log_rotate.severity=high
+ - rsyslog_remote_loghost
+ - rsyslog_remote_loghost.severity=low
+ - rsyslog_accept_remote_messages_tcp
+ - rsyslog_accept_remote_messages_tcp.severity=low
+ - rsyslog_accept_remote_messages_udp
+ - rsyslog_accept_remote_messages_udp.severity=low
+ - ima_verification
+ - ima_verification.severity=low
+ - enable_aide_detection
+ - enable_aide_detection.severity=low
+ - service_haveged_enabled
+ - service_haveged_enabled.severity=low
+ - configure_crypto_policy
+ - configure_crypto_policy.severity=low
--
2.42.0.windows.2
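Review bot: the three lines `- audit_privilege_escalation_command` / `- audit_rule_admin_privilege` / `- audit_privilege_escalation_command.severity=low` break the id-then-severity pairing used everywhere else in this hunk: `audit_rule_admin_privilege` is selected with no severity refinement, and two lines later `audit_rules_admin_privilege` is selected with one, so one of the two ids is very likely a typo that will not match an existing rule; keep the id that matches the rule directory and drop the other. Several other new ids also carry spelling errors that will be frozen into rule paths and remediation references once the profile ships (`sshd_disable_AllowTcpForwardindg`, the `*_configured_corrently` family, `partitoin_mounted_noexec_or_nodev`, `uninstall_development_and_compliation_tools`, `diasable_root_accessing_system`); renaming them now, together with their rule directories, is far cheaper than doing it later. Some severity choices also look inconsistent with each other, for example `sysctl_net_ipv4_tcp_fin_timeout.severity=high` next to `sysctl_net_ipv4_tcp_max_syn_backlog.severity=low`, or `selinux_state.severity=low` while `sysctl_fs_protected_symlinks.severity=high`; a one-line rationale for the high/low split in the commit message would make this reviewable.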

View File

@ -15,7 +15,7 @@ Patch0006:init-openEuler-ssg-project.patch
Patch0007:enable-76-rules-for-openEuler.patch
Patch0008:enable-54-rules-for-openEuler.patch
Patch0009:add-15-rules-for-openeuler.patch
Patch0010:add-80-rules-for-openeuler.patch
Patch0010:optimize-80-rules-for-openEuler.patch
BuildArch: noarch
BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
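Review bot: the Patch0010 filename changes from `add-80-rules-for-openeuler.patch` to `optimize-80-rules-for-openEuler.patch` while the patch number and, as far as this hunk shows, the package Release stay the same; since the patch content changed, the Release should be bumped in the same change so that rebuilt packages are distinguishable. The mixed-case `openEuler` in the new name also differs from the lowercase `openeuler` used by Patch0009 on the line above; pick one spelling for the patch series.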
@ -70,7 +70,7 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html
%changelog
* Mon Dec 4 2023 wangqingsan <wangqingsan@huawei.com> - 0.1.49-10
* Fri Dec 8 2023 wangqingsan <wangqingsan@huawei.com> - 0.1.49-10
- enable 80 rules for openEuler
* Fri Nov 17 2023 wangqingsan <wangqingsan@huawei.com> - 0.1.49-9
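Review bot: rewriting the date of the existing 0.1.49-10 changelog entry (`Mon Dec 4 2023` to `Fri Dec 8 2023`) instead of adding a new entry hides that the package content changed between the two builds; add a new entry with a bumped release (for example 0.1.49-11) describing the optimization, and update the entry text, since `enable 80 rules for openEuler` no longer matches the renamed `optimize-80-rules-for-openEuler.patch`.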