From a7932d8cba91edbc359c520cd67361b3bb6680aa Mon Sep 17 00:00:00 2001 
From: qsw333 Date: Thu, 16 Nov 2023 13:50:38 +0800 Subject: [PATCH] second --- .../base/service_haveged_enabled/rule.yml | 31 ++ .../service_dhcpd_disabled/rule.yml | 2 +- .../service_named_disabled/rule.yml | 2 +- .../package_httpd_removed/rule.yml | 2 +- .../package_openldap-clients_removed/rule.yml | 23 ++ .../service_rpcbind_disabled/rule.yml | 2 +- .../service_nfs-server_disabled/rule.yml | 33 ++ linux_os/guide/services/rsync/group.yml | 9 + .../rsync/service_rsyncd_disabled/rule.yml | 20 ++ .../service_smb_disabled/rule.yml | 2 +- .../oval/shared.xml | 25 ++ .../rule.yml | 23 ++ .../oval/shared.xml | 25 ++ .../rule.yml | 26 ++ .../oval/shared.xml | 25 ++ .../rule.yml | 25 ++ .../oval/shared.xml | 25 ++ .../sshd_configure_correct_interface/rule.yml | 26 ++ .../oval/shared.xml | 25 ++ .../sshd_disable_AllowTcpForwardindg/rule.yml | 28 ++ .../oval/shared.xml | 25 ++ .../sshd_disable_x11_forwarding/rule.yml | 23 ++ .../oval/shared.xml | 54 +++ .../rule.yml | 25 ++ .../uninstall_software_service/group.yml | 5 + .../network_sniffing_tools/rule.yml | 24 ++ .../rule.yml | 2 +- .../no_forward_files/oval/shared.xml | 20 ++ .../no_forward_files/rule.yml | 31 ++ .../rule.yml | 31 ++ .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 39 ++ .../oval/shared.xml | 44 +++ .../audit_rules_admin_privilege/rule.yml | 28 ++ .../oval/shared.xml | 25 ++ .../rule.yml | 56 +++ .../auditd_data_retention_space_left/rule.yml | 2 +- .../auditing/grub2_audit_argument/rule.yml | 2 +- .../rule.yml | 2 +- .../oval/shared.xml | 25 ++ .../configure_dump_journald_log/rule.yml | 25 ++ .../rule.yml | 24 ++ .../configure_rsyslog_log_rotate/rule.yml | 48 +++ .../configure_service_logging/rule.yml | 26 ++ .../diasable_root_accessing_system/rule.yml | 50 +++ .../rsyslog_files_permissions/oval/shared.xml | 1 + .../oval/shared.xml | 25 ++ .../rule.yml | 22 ++ .../rule.yml | 1 + .../rule.yml | 1 + .../rsyslog_remote_loghost/oval/shared.xml | 1 + .../rule.yml | 
36 ++ .../rule.yml | 36 ++ .../rule.yml | 27 ++ .../rule.yml | 36 ++ .../rule.yml | 28 ++ .../wireless_disable_interfaces/rule.yml | 2 +- .../rule.yml | 26 ++ .../system/network/network_nftables/group.yml | 12 + .../rule.yml | 31 ++ .../rule.yml | 29 ++ .../rule.yml | 24 ++ .../rule.yml | 28 ++ .../rule.yml | 25 ++ .../service_nftables_enabled/rule.yml | 22 ++ .../define_ld_lib_path_correctly/rule.yml | 41 +++ .../files/define_path_strictly/rule.yml | 44 +++ .../no_files_globally_writable_files/rule.yml | 34 ++ .../rule.yml | 38 ++ .../rule.yml | 33 ++ .../partitions_mounted_nodev_mode/rule.yml | 47 +++ .../partitions_mounted_noexec_mode/rule.yml | 23 ++ .../partitions_mounted_nosuid_mode/rule.yml | 31 ++ .../rule.yml | 29 ++ .../read_only_partitions_no_modified/rule.yml | 21 ++ .../sysctl_kernel_yama_ptrace_scope/rule.yml | 3 +- .../rule.yml | 33 ++ .../system/software/enabled_seccomp/rule.yml | 47 +++ .../crypto/configure_crypto_policy/rule.yml | 2 +- .../aide/aide_build_database/oval/shared.xml | 1 + .../aide/enable_aide_detection/rule.yml | 40 +++ .../ima_verification/rule.yml | 55 +++ .../rule.yml | 33 ++ .../disabled_SysRq/oval/shared.xml | 25 ++ .../system-tools/disabled_SysRq/rule.yml | 30 ++ .../uninstall_debugging_tools/rule.yml | 35 ++ .../rule.yml | 39 ++ openeuler2203/profiles/standard.profile | 340 +++++++++++++++++- 91 files changed, 2443 insertions(+), 17 deletions(-) create mode 100644 linux_os/guide/services/base/service_haveged_enabled/rule.yml create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml create mode 100644 linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml create mode 100644 linux_os/guide/services/rsync/group.yml create mode 100644 linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml create mode 
100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml create mode 100644 linux_os/guide/services/uninstall_software_service/group.yml create mode 100644 linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/rule.yml create mode 100644 linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml create mode 100644 linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml create mode 100644 linux_os/guide/system/logging/configure_service_logging/rule.yml create mode 100644 linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml create mode 100644 linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml create mode 100644 linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml create mode 100644 
linux_os/guide/system/network/network_interface_binding_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/group.yml create mode 100644 linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml create mode 100644 linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml create mode 100644 linux_os/guide/system/permissions/files/define_path_strictly/rule.yml create mode 100644 linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml create mode 100644 linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml create mode 100644 linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml create mode 100644 linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml create mode 100644 linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml create mode 100644 linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml create mode 100644 linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml create mode 100644 linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml create mode 100644 linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml create mode 100644 
linux_os/guide/system/software/enabled_seccomp/rule.yml create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml create mode 100644 linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml create mode 100644 linux_os/guide/system/software/uninstall_debugging_tools/rule.yml create mode 100644 linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml
diff --git a/linux_os/guide/services/base/service_haveged_enabled/rule.yml b/linux_os/guide/services/base/service_haveged_enabled/rule.yml
new file mode 100644
index 0000000..a2e373a
--- /dev/null
+++ b/linux_os/guide/services/base/service_haveged_enabled/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Enable haveged service'
+
+description: |-
+ The haveged service provides an easy-to-use, unpredictable random number
+ generator. The generated random numbers are used to supplement the system
+ entropy pool, which can solve the problem of low system entropy in some
+ cases. It is recommended to enable this service in scenarios where encryption,
+ decryption or key generation is required (such as using openssl and gnutls).
+
+ If the haveged service is not turned on, when the process that needs to
+ generate strong pseudo-random numbers gets values from /dev/random, it will
+ be stuck in waiting because it cannot get enough values, and will not return
+ until new random bytes are obtained.
+
+severity: low
+
+rationale: |-
+ none.
+
+ocil: '{{{ ocil_service_disabled(service="haveged") }}}'
+
+platform: machine
+
+template:
+ name: service_enabled
+ vars:
+ servicename: haveged
\ No newline at end of file
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
index efe3519..4d41613 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
 
 title: 'Disable DHCP Service'
diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
index 62c1bf0..7add584 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
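Review bot: The `ocil` line of the new haveged rule uses `ocil_service_disabled` although the rule's template is `service_enabled`, so the manual check text will tell the assessor to verify the service is disabled, the opposite of what the automated check asserts; it should read `ocil: '{{{ ocil_service_enabled(service="haveged") }}}'`. The `rationale` is the placeholder `none.` while the second paragraph of the description (processes blocking on /dev/random when entropy is low) is the actual rationale and could simply be moved there. Most new files in this patch, this one included, also end with `\ No newline at end of file`; adding the trailing newline keeps later diffs clean.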
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
 
 title: 'Disable named Service'
diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
index b9a6437..8156243 100644
--- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
 
 title: 'Uninstall httpd Package'
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
new file mode 100644
index 0000000..717c04b
--- /dev/null
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Remove LDAP Client'
+
+description: |-
+ LDAP (Lightweight Directory Access Protocol) is a lightweight directory
+ access protocol that provides access control and maintains distributed
+ directory information.
+
+rationale: |-
+ Providing an LDAP client (openldap-clients) in the system can cause
+ waste of system resources and expand the scope of attacks. If the business
+ scenario does not require the use of LDAP services, it is prohibited to
+ install the LDAP client.
+
+severity: high
+
+template:
+ name: package_removed
+ vars:
+ pkgname: openldap-clients
\ No newline at end of file
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
index 902117f..9bd2182 100644
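Review bot: The new openldap-clients rule has no `ocil`/`ocil_clause`, unlike the nfs-server rule added later in this same patch, so the generated guide will have no manual verification step for it; adding `ocil_clause: 'the package is installed'` and `ocil: '{{{ ocil_package(package="openldap-clients") }}}'` next to `severity` would bring it in line. The rationale claims the client "expands the scope of attacks"; it would be more precise to say that an unneeded client library is extra attack surface and that this rule is only appropriate where the host does not authenticate against LDAP, since `severity: high` will otherwise produce many false findings on directory-joined hosts.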
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
 
 title: 'Disable rpcbind Service'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml
new file mode 100644
index 0000000..32a4889
--- /dev/null
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+prodtype: fedora,rhel6,rhel7,rhel8,openeuler2203
+
+title: 'Disable Network File System (nfs) Service'
+
+description: |-
+ Network File System (NFS) is one of the oldest and most widely distributed
+ file systems in UNIX environments. It provides the system with the ability
+ to mount other servers' file systems over the network. If the system does
+ not export NFS shares, it is recommended to disable NFS to reduce the remote
+ attack surface..
+ {{{ describe_service_disable(service="nfs-server") }}}
+
+rationale: |-
+ 'Disabling NFS affects services and applications on the system that rely on NFS,
+ as well as existing NFS mount points. Before disabling NFS, you should make sure
+ you understand the usage on your system and consider whether there are alternatives
+ to meet your file sharing and data access needs.'
+
+severity: low
+
+ocil_clause: 'it does not'
+
+ocil: '{{{ ocil_service_disabled(service="nfs") }}}'
+
+platform: machine
+
+template:
+ name: service_disabled
+ vars:
+ servicename: nfs-server
+ packagename: nfs-utils
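Review bot: The manual check in the new nfs-server rule names a different unit than the automated one: `ocil` calls `ocil_service_disabled(service="nfs")` while the template sets `servicename: nfs-server`, so an assessor following the OCIL text would inspect a unit that does not exist on the target; change it to `ocil: '{{{ ocil_service_disabled(service="nfs-server") }}}'`. The `rationale` block is a `|-` literal scalar, so the single quotes wrapping its four lines are emitted verbatim into the rendered guide rather than acting as YAML quoting and should be dropped. The rationale also describes the operational impact of disabling NFS rather than why it is a risk; the description's "reduce the remote attack surface.." sentence (with its doubled period fixed) is the real rationale. This rule declares `prodtype: fedora,rhel6,rhel7,rhel8,openeuler2203`, whereas every other new rule in the patch is openeuler2203 only; if that is intentional it should be mentioned in the commit message, since those products may already carry an equivalent rule.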
diff --git a/linux_os/guide/services/rsync/group.yml b/linux_os/guide/services/rsync/group.yml
new file mode 100644
index 0000000..0482394
--- /dev/null
+++ b/linux_os/guide/services/rsync/group.yml
@@ -0,0 +1,9 @@
+documentation_complete: true
+
+title: 'Rsync Server'
+
+description: |-
+ The rsync service can be used to synchronize data between
+ servers or between different Disk partitioning on the server,
+ but because rsync uses an unencrypted transmission protocol,
+ there is a risk of information disclosure.
\ No newline at end of file
diff --git a/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml
new file mode 100644
index 0000000..09a17a9
--- /dev/null
+++ b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable Rsync Server Software'
+
+description: '{{{ describe_service_disable(service="rsync") }}}'
+
+rationale: |-
+ If the rsync service is enabled and data is transmitted between
+ different servers through the network, attackers can steal data
+ by listening to server ports, routers, and switch data packets.
+
+severity: high
+
+template:
+ name: service_disabled
+ vars:
+ servicename: rsyncd
+ packagename: rsync
\ No newline at end of file
diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
index aec5800..c13311f 100644
--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
 
 title: 'Disable Samba'
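Review bot: In the new rsyncd rule the description macro and the template disagree on the unit name: `description: '{{{ describe_service_disable(service="rsync") }}}'` but `servicename: rsyncd`, so the rendered remediation text will tell the reader to disable a unit other than the one the check evaluates; use `describe_service_disable(service="rsyncd")`. The rule also has no `ocil`/`ocil_clause` (the nfs-server rule in this patch has both), so `ocil: '{{{ ocil_service_disabled(service="rsyncd") }}}'` should be added for the manual procedure. In the group description, "between different Disk partitioning on the server" reads awkwardly; "between partitions of the same server" says the same thing.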
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml new file mode 100644 index 0000000..e6c1a0e --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml @@ -0,0 +1,25 @@ + + + + SSH concurrent unauthenticated connections should be configured correctly + + multi_platform_openeuler + + Configure the specified IP address for SSH connection. + + + + + + + + + + /etc/ssh/sshd_config + ^maxstartups\s+\d+:\d+:\d+$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml new file mode 100644 index 0000000..cba25f2 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml @@ -0,0 +1,23 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'SSH concurrent unauthenticated connections should be configured correctly' + +description: |- + Attackers can consume system resources by establishing a large number of + concurrent connections with incomplete authentication without knowing the + password. + +
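Review bot: The new OVAL only tests that a line matching `^maxstartups\s+\d+:\d+:\d+$` exists in /etc/ssh/sshd_config; it does not bound the value, so `MaxStartups 1000:0:1000` passes although it defeats the purpose the rule describes, and the same presence-only pattern is repeated in the MaxSessions, LoginGraceTime and ListenAddress OVALs added later in this patch. If a bound is intended, the pattern should capture the value and the state should compare it (the textfilecontent54 state can carry a numeric comparison on the captured subexpression); otherwise the rule descriptions should say that only the presence of an explicit setting is verified. The keyword here is written `maxstartups` while the sibling OVALs use the stock-file spelling (`MaxSessions`, `LoginGraceTime`); sshd keywords are case-insensitive, so unless the pattern match is declared case-insensitive (the XML attributes are not visible in this rendering) either spelling will miss a valid configuration, and the single-integer form `MaxStartups 10` that sshd also accepts is rejected outright. The affected-platform element is the literal `multi_platform_openeuler`, whereas the no_forward_files OVAL in this patch uses `{{{- oval_affected(products) }}}`; one convention should be used throughout.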

Use the grep command to view the configuration.

+ + +rationale: |- + The MaxStartups setting specifies the maximum number of concurrent unauthenticated + connections to the SSH daemon. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml new file mode 100644 index 0000000..916fe29 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml @@ -0,0 +1,25 @@ + + + + The allowed number of concurrent sessions for a single SSH connection should be configured correctly + + multi_platform_openeuler + + Configure the allowed number of concurrent sessions. + + + + + + + + + + /etc/ssh/sshd_config + ^MaxSessions\s+\d+$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml new file mode 100644 index 0000000..e7daae7 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml @@ -0,0 +1,26 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'The allowed number of concurrent sessions for a single SSH connection should be configured correctly' + +description: |- + SSH allows clients that support multiplexing to establish multiple sessions + based on a single network connection. MaxSessions limits the number of SSH + concurrent sessions allowed for each network connection, which can prevent + system resources from being unlimited occupied by a single or a few connections, + leading to denial of service attacks. + +

Use the grep command to view the configuration.

+ + +rationale: |- + Setting MaxSessions to 1 will disable session multiplexing, meaning that only + one session is allowed for a connection, while setting it to 0 will block all + connected sessions. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml new file mode 100644 index 0000000..fb79aff --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml @@ -0,0 +1,25 @@ + + + + LoginGraceTime should be configured correctly + + multi_platform_openeuler + + Configure the LoginGraceTime for SSH connection. + + + + + + + + + + /etc/ssh/sshd_config + ^LoginGraceTime\s+\d+$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml new file mode 100644 index 0000000..b02eb1f --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'LoginGraceTime should be configured correctly' + +description: |- + LoginGraceTime is used to limit the user's login time. If the user + fails to complete the login action within the time limit specified + by LoginGraceTime, the connection will be automatically disconnected. + +

Use the grep command to view the configuration.

+ + +rationale: |- + It is recommended to set this value to less than or equal to 60 seconds. + If the value is set too high, attackers can utilize a large number of + incomplete login actions to consume server resources, resulting in normal + administrator login failures. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml new file mode 100644 index 0000000..47510c8 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml @@ -0,0 +1,25 @@ + + + + SSH service interface should be configured correctly + + multi_platform_openeuler + + Configure the specified IP address for SSH connection. + + + + + + + + + + /etc/ssh/sshd_config + ^ListenAddress\s+((?:\d{1,3}\.){3}\d{1,3})$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml new file mode 100644 index 0000000..3f4490b --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml @@ -0,0 +1,26 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'SSH service interface should be configured correctly' + +description: |- + Generally, the server has multiple network cards and multiple + IP addresses. IP addresses should be planned for business and + management. Therefore, not every IP address needs to listen for + SSH connections. You can configure to limit SSH connections to + only specified IP addresses to reduce the attack surface. + +

If the listening address has been configured, you can query the corresponding configuration through the grep command.

+ + + +rationale: |- + Unconfigured IP addresses cannot connect to the server through SSH. + It is recommended to plan and configure according to the actual situation. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml new file mode 100644 index 0000000..9146f4c --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml @@ -0,0 +1,25 @@ + + + + Does not allow the use of AllowTcpForwarding + + multi_platform_openeuler + + Sshd does not allow the use of AllowTcpForwarding. + + + + + + + + + + /etc/ssh/sshd_config + ^AllowTcpForwarding\s+no$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml new file mode 100644 index 0000000..eebb3b2 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml @@ -0,0 +1,28 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Does not allow the use of AllowTcpForwarding' + +description: |- + AllowTcpForwarding allows the SSH server to act as a proxy to forward TCP requests from + clients, similar to establishing an SSH tunnel between the server and the client. This + feature may cause the client to attack other servers from the external network through + the SSH channel. + +

Make sure SSH's AllowTcpForwarding parameter is configured correctly.

+ + +rationale: |- + If AllowTcpForwarding is configured as yes, attackers can bypass firewall monitoring on + the client through the SSH channel and send attack commands to the intranet server where + the SSH server is located, thereby attacking it. So AllowTcpForwarding must be closed. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml new file mode 100644 index 0000000..5f4d777 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml @@ -0,0 +1,25 @@ + + + + Does not allow the use of X11 Forwarding + + multi_platform_openeuler + + Sshd does not allow the use of X11 Forwarding. + + + + + + + + + + /etc/ssh/sshd_config + ^X11Forwarding\s+no$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml new file mode 100644 index 0000000..c301259 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -0,0 +1,23 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Does not allow the use of X11 Forwarding' + +description: |- + The X11 Forwarding feature of SSH allows for the execution of GUI programs for remote + hosts on the local host. If not required in the business scenario, this feature must + be disabled. + +

Use the grep command to view the configuration.

+ + +rationale: |- + Enabling the X11 Forwarding function expands the scope of attacks and poses a possibility + of being attacked by other users on the X11 server. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml new file mode 100644 index 0000000..e451290 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml @@ -0,0 +1,54 @@ + + + + Prohibit SSH service pre setting authorized_Keys + + multi_platform_openeuler + + Prohibit SSH service shuold setting authorized_Keys + + + + + + + + + + + + + + + + + + + + /root + authorized_keys + .* + 1 + + + + /home + authorized_keys + .* + 1 + + + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml new file mode 100644 index 0000000..145f45d --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Prohibit SSH service pre setting authorized_Keys' + +description: |- + Authorized_ Keys is the public key of the remote host, which users can + store in their home directory $HOME/. ssh/authorized_ In the keys file, + for public key authentication, you can directly log in to the system. + +

Use the grep command to view the configuration. If the return value is empty, it means authorized_keys is not preset:

+ + +rationale: |- + If authorized is preset in the system_ Keys, and the server has enabled + the login method of public and private key authentication, allowing + attackers to bypass authentication and directly log in to the specified + system to attack it. So authorized cannot be preset in the system_ Keys. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/services/uninstall_software_service/group.yml b/linux_os/guide/services/uninstall_software_service/group.yml new file mode 100644 index 0000000..0a269ba --- /dev/null +++ b/linux_os/guide/services/uninstall_software_service/group.yml @@ -0,0 +1,5 @@ +documentation_complete: true + +title: 'Do not install some software packages.' + +description: |- \ No newline at end of file diff --git a/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml new file mode 100644 index 0000000..3afd602 --- /dev/null +++ b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Uninstall network sniffing Package' + +description: |- + If the production environment contains network sniffing tools, attackers + can easily use these tools to conduct network analysis and assist network + attacks. Therefore, installation of various network sniffing and packet + capture analysis tools, such as tcpdump, ethereal, wireshark, etc., should + be prohibited in the production environment. + +

It can not be scanned automatically,please check it manually.

+

check the network_sniffing_tools,such as wireshark,netcat,tcpdump,namp,ethereal:

+ + +rationale: |- + There is no need to install various network sniffing and packet capture + analysis tools in the production environment. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml index 84a64db..625f15d 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,rhel6,rhel7,rhel8,rhv4,openeuler2203 title: 'Remove the X Windows Package Group' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml new file mode 100644 index 0000000..eab54dd --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml @@ -0,0 +1,20 @@ + + + + Verify No forward Files Exist + {{{- oval_affected(products) }}} + If there are no related email forwarding scenarios, it is recommended to delete the .forward file. + + + + + + + + + + + /home + ^\.forward$ + + \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml new file mode 100644 index 0000000..92ca05a --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml 
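Review bot: The manual check list in the network-sniffing rule names `namp`, which is a typo for `nmap`, and it mixes categories: nmap and netcat are port-scanning and connection tools, not packet sniffers, while ethereal is simply the former name of wireshark; the list should be corrected to the tools the rule actually targets (tcpdump, wireshark/tshark) or the title widened to "network reconnaissance tools". Since the rule has no template or OVAL and is manual-only, a `packages_removed`-style automated check for the packages that openEuler actually ships would be a better fit than a free-text instruction. "It can not be scanned automatically,please check it manually." needs a space after the comma.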
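Review bot: The no_forward_files OVAL searches only `/home` for `^\.forward$` (the object attributes are stripped in this rendering, so whether the search recurses is inferred), which leaves `/root` and any home directory located outside /home unexamined even though a .forward file there is exactly as exploitable; either add a second object rooted at `/root`, or derive the paths from /etc/passwd as other home-directory rules in this project do. This file is also the only new OVAL in the patch that uses `{{{- oval_affected(products) }}}` rather than the literal `multi_platform_openeuler`; the other OVALs should follow this form.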
@@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Verify No forward Files Exist' + +description: |- + The .forward file can be configured with an email address, which + will be automatically forwarded to when users receive emails. If there are + no related email forwarding scenarios, it is recommended to delete the + .forward file. + +

Use the following script to check:

+ + +rationale: |- + If there is a .forward file, it may cause user emails carrying + sensitive information to be automatically forwarded to high-risk mailboxes. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml new file mode 100644 index 0000000..6ba68e8 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml @@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Configure file access permissions audit rules' + +description: |- + File access permission control is the basic permission management in Linux. Different users + are authorized to access different files, preventing the leakage of sensitive information + between users or the tampering of file data. It can also prevent ordinary users from + unauthorized access to high-privilege files or configurations in the system. + + It is recommended to audit and monitor system calls that modify file permissions and file + owners in the operating system. If relevant auditing is not configured, if illegal + modification occurs, it will not be conducive to traceability. + + openEuler does not configure file access control permission audit rules by default. It is + recommended that users configure corresponding rules based on actual business scenarios. + +
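Review bot: The ocil of no_forward_files/rule.yml ends with 'Use the following script to check:' and, as rendered here, no command follows, so an assessor has nothing to run; something like `for d in /root $(awk -F: '$3>=1000{print $6}' /etc/passwd); do ls -l "$d/.forward" 2>/dev/null; done` would do. 'forwarded to high-risk mailboxes' in the rationale is unclear; 'forwarded to mailboxes outside the organisation's control' is what is meant. The rule is filed under accounts-restrictions/password_storage, which is about password hashes, not mail forwarding; a group under services/mail would fit better.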

Check the configuration with the following command:

+ +rationale: |- + Configuring auditing, because audit logs need to be recorded when file permissions and owners + are modified, will have a slight impact on performance. However, since such operations should + not be performed frequently, it is actually not perceptible to users. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml index ebd52e2..2e7f907 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 title: 'Record Unsuccessful Access Attempts to Files - creat' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml index 3634935..cac6a0d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml 
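Review bot: The new rule is named audit_rules_successful_file_modification but its description is about auditing permission and ownership changes (the chmod/chown syscall families), and the ocil's 'following command' is absent as rendered, so the rule neither matches its name nor tells the assessor what to check. Upstream already covers this with the audit_rules_dac_modification_* rules, if my memory of the project is right, and enabling those for openeuler2203 via prodtype would give an OVAL check and remediation instead of a manual rule. If this rule stays, the ocil should quote the expected shape, e.g. `-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod`, and the title should read 'file permission and ownership change audit rules'.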
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 title: 'Record Unsuccessful Access Attempts to Files - ftruncate' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml index 8d813fa..425ecb7 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 title: 'Record Unsuccessful Access Attempts to Files - open' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml index e8ec755..20b4d42 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 title: 'Record Unsuccessful Access Attempts to Files - openat' 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml new file mode 100644 index 0000000..1e4f780 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml @@ -0,0 +1,39 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Privilege escalation command audit rules should be configured' + +description: |- + Ordinary users can obtain super administrator privileges by calling privilege + escalation commands (with SUID/SGID set). + +

It is recommended to audit and monitor privilege escalation commands to facilitate + traceability afterwards.

+

openEuler does not configure audit rules for privilege escalation commands by + default. It is recommended that users configure corresponding rules based on actual + business scenarios.

+

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + The use of privilege escalation + commands carries high risks and is often used by attackers to attack the system. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml new file mode 100644 index 0000000..55af169 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml @@ -0,0 +1,44 @@ + + + + Audit rules for administrator privileged operations should be configured + {{{- oval_affected(products) }}} + Configure audit rules for administrator privileged operations + + + + + + + + + + + + + + + + + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + + + + + /etc/audit/audit.rules + ^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml new file mode 100644 index 0000000..63304a8 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml 
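Review bot: 'It can not be scanned automatically' in audit_privilege_escalation_command/rule.yml is not accurate: the SUID/SGID binaries are enumerable with `find / -xdev -type f -perm /6000`, and the expected watch per binary, `-a always,exit -F path=<bin> -F perm=x -F auid>=1000 -F auid!=unset -k privileged`, can be generated and compared, which is what upstream's audit_rules_privileged_commands rule does as far as I recall. Consider enabling that rule for openeuler2203 rather than adding a manual one, or at least put the find command and the rule pattern into the ocil so 'configured' has a concrete meaning. The rationale calls these commands 'high risk' while the severity is low; the two should agree.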
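Review bot: Both patterns in audit_rules_admin_privilege/oval/shared.xml begin `^\-w[\s]+sudo\.log[\s]+\-p`, which only matches a watch on the relative path `sudo.log`; the absolute path the rule.yml prescribes, `-w /var/log/sudo.log -p wa -k sudo_log`, fails because `/var/log/` sits between the whitespace and `sudo\.log`. auditctl expects an absolute path for `-w`, so the check can pass only for a rule auditd will not accept. Change both patterns to `^\-w[\s]+/var/log/sudo\.log[\s]+\-p[\s]+...` (or `[^\s]*sudo\.log` if other locations are acceptable).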
@@ -0,0 +1,28 @@ +documentation_complete: true + +title: 'Audit rules for administrator privileged operations should be configured' + +description: |- + + The sudo extraction command operation log in the openEuler system is recorded + in the /var/log/secure log file by default. Other authentication-related security + logs are also recorded in this file. If the user wants to audit the sudo extraction + command, it is recommended that the sudo related logs be Record separately and + output to /var/log/sudo.log, and then audit and monitor the sudo log file. + + openEuler does not configure audit rules for administrator privileged operations + by default. It is recommended that users configure corresponding rules based on + actual business scenarios. + +

Check the audit rules for administrator privileged operations by running the following command.

+ +rationale: |- + Sudo + privilege escalation is a high-risk operation and is relatively common in attacks. It + is recommended to configure audit rules for later tracing. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml new file mode 100644 index 0000000..bf0b651 --- /dev/null +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml @@ -0,0 +1,25 @@ + + + + auditd data retention admin space left + + multi_platform_openeuler + + auditd data retention admin space left. + + + + + + + + + + /etc/audit/auditd.conf + ^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml new file mode 100644 index 0000000..2c9273d --- /dev/null +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml @@ -0,0 +1,56 @@ +documentation_complete: true + +title: 'Configure auditd admin_space_left on Low Disk Space' + +description: |- + The auditd service can be configured to take an action + when disk space is running low but prior to running out of space completely. + Edit the file /etc/audit/auditd.conf. Add or modify the following line, + substituting ACTION appropriately: +
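Review bot: audit_rules_admin_privilege/rule.yml has no `prodtype:` line, unlike the other new openeuler2203 rules in this patch, so if the build treats a missing prodtype as 'all products' the rule will land in every product. The description tells the reader to send sudo logs to /var/log/sudo.log but not how; the ocil should show the sudoers setting, `Defaults logfile=/var/log/sudo.log` (via `visudo`), because the audit watch is useless if nothing writes that file, and the promised 'following command' is absent as rendered — `auditctl -l | grep sudo.log` would do. 'sudo extraction command' reads as a mistranslation of 'sudo privilege-escalation command'.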
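Review bot: The pattern in auditd_data_retention_admin_space_left/oval/shared.xml, `^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$`, checks the numeric `admin_space_left` threshold, while the accompanying rule.yml is about `admin_space_left_action = single|suspend|halt`; the check and the rule describe different settings. Decide which one this rule is and align the pattern, e.g. `^[\s]*admin_space_left_action[\s]*=[\s]*(single|suspend|halt)[\s]*$` for the action. `[\s]+=[\s]+` also requires whitespace on both sides of `=`, which auditd.conf does not require as far as I know, so `[\s]*` is safer — confirm against auditd's parser. Whether a threshold comparison exists cannot be seen here because the state element's attributes did not survive this rendering.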
admin_space_left_action = ACTION
+ Set this value to single to cause the system to switch to single user + mode for corrective action. Acceptable values also include suspend and + halt. For certain systems, the need for availability + outweighs the need to log all actions, and a different setting should be + determined. Details regarding all possible values for ACTION are described in the + auditd.conf man page. + +rationale: |- + Administrators should be made aware of an inability to record + audit records. If a separate partition or logical volume of adequate size + is used, running low on space for audit records should never occur. + +severity: medium + +identifiers: + cce@rhel6: 27239-3 + cce@rhel7: 27370-6 + cce@rhel8: 80679-4 + cce@ocp4: 82677-6 + +references: + stigid@rhel6: "000163" + srg@rhel6: SRG-OS-999999 + cis: 5.2.1.2 + cjis: 5.4.1.1 + cui: 3.3.1 + disa: 140,1343 + hipaa: 164.312(a)(2)(ii) + iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 + nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) + nist-csf: DE.AE-3,DE.AE-5,PR.DS-4,PR.PT-1,RS.AN-1,RS.AN-4 + pcidss: Req-10.7 + stigid@rhel7: "030340" + isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 7.1,SR 7.2' + isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 + cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 + +ocil_clause: 'the system is not configured to switch to single user mode for corrective action' + +ocil: |- + Inspect /etc/audit/auditd.conf and locate the following line to + determine if the system is configured to either suspend, switch to single user mode, + or halt when disk space has run low: +
admin_space_left_action single
+ diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml index cb1ff1d..080e1ee 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 title: 'Configure auditd space_left on Low Disk Space' diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml index 2c17ee1..0f4cdf0 100644 --- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,openeuler2203 title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon' diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml index 36f3200..34ca8aa 100644 --- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8 +prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,openeuler2203 title: 'Extend Audit Backlog Limit for the Audit Daemon' diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml new file mode 100644 index 0000000..1e95b34 
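Review bot: The identifiers block in auditd_data_retention_admin_space_left/rule.yml carries cce@rhel6/rhel7/rhel8/ocp4 values, and the references block stigid@rhel6/rhel7 values, that belong to the upstream admin_space_left_action rule; reusing CCEs and STIG IDs under a new rule id produces duplicate identifiers in those products' builds. Drop them (or keep only openeuler identifiers) and add the missing `prodtype: openeuler2203`. The ocil line `admin_space_left single` is not valid auditd.conf syntax; it should read `admin_space_left_action = single`. The rule id says `admin_space_left` but the text is entirely about `_action`; pick one and make the OVAL match it.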
--- /dev/null +++ b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml @@ -0,0 +1,25 @@ + + + + Make sure rsyslog dump journald log is configured + + multi_platform_openeuler + + Configure rsyslog dump journald log. + + + + + + + + + + /etc/rsyslog.conf + ^[^#]*imjournal + 1 + + \ No newline at end of file diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml new file mode 100644 index 0000000..34e511b --- /dev/null +++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Make sure rsyslog dump journald log is configured' + +description: |- + + The system uses journald to collect logs. The logs may be stored on + volatile storage devices or on persistent storage devices. If there + are problems such as log loss or logs filling up the disk, the logs + must be dumped in a timely manner to ensure that the logs are more + consistent with the system. Safety. + +
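Review bot: `^[^#]*imjournal` against /etc/rsyslog.conf in configure_dump_journald_log/oval/shared.xml ignores /etc/rsyslog.d/*.conf, where drop-in configuration commonly lives, so a correctly configured host can fail; add a second object for path `/etc/rsyslog.d` with filename `^.*\.conf$` and OR the two tests. The pattern also accepts any non-comment line containing the token, not only the module load; anchor it to the directive, e.g. `^\s*(\$ModLoad\s+imjournal|module\(\s*load\s*=\s*"imjournal")`.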

Check whether the relevant fields have been configured in the /etc/rsyslog.conf file:

+
$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*
+ +rationale: |- + If there is a volatile storage device for the log, failure to dump + the log in time may result in log loss. If there is a persistent + storage device, the amount of logs may be very large. If the logs + are not dumped in time, the logs may fill up the current partition, + causing the risk of other processes or system failures. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml new file mode 100644 index 0000000..ec95d20 --- /dev/null +++ b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the account is forced to change the password when logging in for the first time' + +description: |- + Passwords that are not set by users themselves, such as passwords reset by + administrators, if not modified in a timely manner in the business environment, + can easily cause low-cost attacks. Therefore, users are required to forcibly change + their passwords when logging in to their accounts for the first time. Except for + the root password. + +
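Review bot: The ocil of configure_dump_journald_log/rule.yml shows `$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*`, a command copied from a sysrq rule that has nothing to do with rsyslog; it should be `grep -E 'imjournal' /etc/rsyslog.conf /etc/rsyslog.d/*.conf`. The description's 'more consistent with the system. Safety.' is a broken sentence — 'so that logs survive a reboot and do not exhaust the disk' is presumably the intent. 'dump journald log' suggests a one-off export; the rule is about forwarding journald to rsyslog through imjournal, and the title should say so.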

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + none. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml new file mode 100644 index 0000000..e45ebb7 --- /dev/null +++ b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml @@ -0,0 +1,48 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that Rsyslog log rotate is configured' + +description: |- + rsyslog is responsible for collecting log records from the system into files, and logrotate + is responsible for regularly or quantitatively copying and compressing log files to ensure + that excessive hard disk resources are not occupied due to excessive log file size, or that + the log files are even unmaintainable. + + By default, openEuler has configured the rsyslog rotate policy in the /etc/logrotate.d/rsyslog + file as follows:. + + rotate log file: + /var/log/cron + + /var/log/maillog + + /var/log/messages + + /var/log/secure + + /var/log/spooler + + The maximum retention period of log files is 365 days; + + A maximum of 30 log files can be retained; + + Log files are retained in a compressed manner; + + The log file reaches 4MB, perform rotate operation. + +
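Review bot: 'It can not be scanned automatically' in configure_first_logging_change_password/rule.yml is not right: forcing a change at first login is done with `chage -d 0 <user>` (or `passwd -e`), which sets the last-change field in /etc/shadow to 0, and `awk -F: '$3==0{print $1}' /etc/shadow` lists the accounts in that state. What cannot be verified is the process ('administrators reset passwords this way'); say that and give the ocil the command and expected state. `rationale: none.` leaves the rule unjustified; the description's own argument — a password known to the administrator or sent over some channel stays valid — belongs there.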

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + If the rotate policy is not configured, the log file will continue to grow, which may + eventually lead to the exhaustion of space on the hard disk partition where the log is + located, which may affect log recording at best, or may cause the system and business to be + unable to continue to execute normally. + +severity: high diff --git a/linux_os/guide/system/logging/configure_service_logging/rule.yml b/linux_os/guide/system/logging/configure_service_logging/rule.yml new file mode 100644 index 0000000..4eccadf --- /dev/null +++ b/linux_os/guide/system/logging/configure_service_logging/rule.yml @@ -0,0 +1,26 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Each service logging should be configured correctly' + +description: |- + Configure logging so that important system behaviors and security-related information will + be recorded using rsyslog. The configuration files /etc/rsyslog.conf and /etc/rsyslog.d/*.conf + can specify logging rules and which files will be used to record specific types of logs. + + If logging is not configured, system behavior cannot be recorded, and problem location and + auditing cannot be performed when problems occur. + +
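Review bot: configure_rsyslog_log_rotate/rule.yml lists concrete openEuler defaults (365 days, 30 files, compression, 4MB) and then says the rule cannot be scanned automatically; each of those is a directive in /etc/logrotate.d/rsyslog (`rotate 30`, `size 4M`, `compress`, `maxage 365` or whatever the shipped file uses) that an OVAL textfilecontent54 pattern could match. If the rule stays manual, the ocil should at least give `cat /etc/logrotate.d/rsyslog` and the expected directives so the assessor knows what to compare against. 'copying and compressing log files' is loose — logrotate renames (or copytruncates) and optionally compresses.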

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + After logging is configured, if the logs are not cleared in time, the logs may fill up the current partition, causing the + risk of other processes or system failures. + +severity: low diff --git a/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml new file mode 100644 index 0000000..763f023 --- /dev/null +++ b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml @@ -0,0 +1,50 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Prevent root users from accessing the system locally' + +description: |- + Root is a super-privileged user in a Linux system and has access to all + Linux system resources. If you are allowed to directly use the root account + to log in to the Linux system to operate the system, it will bring many + potential security risks. In order to avoid the risks caused by this, it + should be prohibited to directly use the root account to log in to the + operating system, and only use other technologies when necessary. Methods + (such as: sudo or su) indirectly use the root account. + + Since the root account has the highest authority, logging in directly with + root has the following risks: + + High-risk misoperations may directly cause server paralysis, such as accidentally + deleting or modifying key system files; + + If multiple people need root privileges to operate, the root password will be + kept by multiple people, which can easily lead to password leakage and increase + password maintenance costs. + + openEuler is not configured by default. If there is no need to log in locally using + the root account in actual scenarios, it is recommended to disable local login + with the root account. + +
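Review bot: The rationale in configure_service_logging/rule.yml argues against the control ('the logs may fill up the current partition'), which is the justification for the log-rotation rule, not for configuring logging. Replace it with the reason already given in the description, e.g. `rationale: |-` then `Without rsyslog rules for each service, security-relevant events are not recorded and incidents cannot be investigated or audited.`. The ocil should point at something concrete, such as `rsyslogd -N1` to validate the configuration and `grep -v '^#' /etc/rsyslog.conf /etc/rsyslog.d/*.conf` to list the active rules.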

The checking method is as follows:

+ + +rationale: |- + The root account cannot access the system locally. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml index a78cd69..3bd9887 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml @@ -9,6 +9,7 @@ multi_platform_ol multi_platform_rhel multi_platform_ubuntu + multi_platform_openeuler File permissions for all syslog log files should be set correctly. diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml new file mode 100644 index 0000000..63bce75 --- /dev/null +++ b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml @@ -0,0 +1,25 @@ + + + + Ensure that system authentication related event logs are recorded + + multi_platform_openeuler + + Configure the System to Record Authentication-related Event. + + + + + + + + + + /etc/rsyslog.conf + ^[^#]*auth + 1 + + \ No newline at end of file diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml new file mode 100644 index 0000000..26abd58 --- /dev/null +++ b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml 
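Review bot: The rationale of diasable_root_accessing_system/rule.yml ('The root account cannot access the system locally.') restates the control instead of justifying it; move the two risks from the description (unrecoverable mistakes, a root password shared by several people) into it. The directory name has a typo (`diasable`) and the rule is filed under system/logging although it is an account-access control; the accounts section upstream already has no_direct_root_logins / securetty rules that implement this with an OVAL check, as far as I remember. The ocil's 'checking method' has no content as rendered — `cat /etc/securetty` (empty to block console root login) and `grep pam_securetty /etc/pam.d/login` would be the usual check.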
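Review bot: `^[^#]*auth` in recorded_authentication_related_event/oval/shared.xml is satisfied by the stock line `*.info;mail.none;authpriv.none;cron.none /var/log/messages`, which excludes authentication messages, so the check passes on a host that logs no authentication events at all. Match a selector that routes auth/authpriv somewhere and reject `.none`, e.g. `^[^#]*\bauth(priv)?\.(\*|[a-z]+)\b` with a state that the captured level is not `none`, or `^[^#]*\bauth(priv)?\.(?!none)[^\s;]+.*[\s]+\S+` if the OVAL engine's regex supports lookahead — confirm. As with the imjournal check, /etc/rsyslog.d/*.conf should be covered too.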
@@ -0,0 +1,22 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that system authentication related event logs are recorded' + +description: |- + + Events related to system authentication must be recorded to help + analyze user logins, use of root privileges, and monitor suspicious + system actions. + |- + Check whether auth-related fields have been configured in the /etc/rsyslog.conf file: +

$ grep auth /etc/rsyslog.conf | grep -v "^#"

+ +rationale: |- + Failure to record system authentication-related event logs will + result in the inability to analyze suspicious attack actions from + the logs, such as login actions performed by attackers trying to + guess administrator passwords. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml index ec1256d..e42fd58 100644 --- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml +++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml @@ -9,6 +9,7 @@ description: |- /etc/rsyslog.conf to enable reception of messages over TCP:
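Review bot: The description block in recorded_authentication_related_event/rule.yml contains a bare `|-` line followed by 'Check whether auth-related fields …' — the `ocil:` key was lost, so the check text is rendered as part of the description and the rule has no ocil. Restore it as `ocil: |-` above 'Check whether auth-related fields have been configured'. The suggested command `grep auth /etc/rsyslog.conf | grep -v "^#"` also matches `authpriv.none`; use `grep -E '^[^#]*auth(priv)?\.' /etc/rsyslog.conf /etc/rsyslog.d/*.conf` and tell the assessor to confirm the facility is directed to a file or remote host rather than to `none`.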
$ModLoad imtcp
     $InputTCPServerRun 514
+

It can not be scanned automatically, please check it manually.

rationale: |- If the system needs to act as a log server, this ensures that it can receive diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml index b42ba95..8c08059 100644 --- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml +++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml @@ -9,6 +9,7 @@ description: |- /etc/rsyslog.conf to enable reception of messages over UDP:
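Review bot: The sentence 'It can not be scanned automatically, please check it manually.' is inserted into the `description` of rsyslog_accept_remote_messages_tcp right after the `$InputTCPServerRun 514` example (and identically into the udp rule in the next hunk); if these existing rules keep their upstream OVAL checks the statement is false, and in any case assessor instructions belong in `ocil`, not in the description. If openeuler2203 genuinely cannot use the existing check, say why in the commit message and scope the sentence with a product conditional. The enclosing description block starts before this hunk.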
$ModLoad imudp
     $UDPServerRun 514
+

It can not be scanned automatically, please check it manually.

rationale: |- Many devices, such as switches, routers, and other Unix-like systems, may only support diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml index 22307d4..c3e2752 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml @@ -10,6 +10,7 @@ multi_platform_rhel multi_platform_ubuntu multi_platform_wrlinux + multi_platform_openeuler Syslog logs should be sent to a remote loghost diff --git a/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml new file mode 100644 index 0000000..7148507 --- /dev/null +++ b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml 
@@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure Warning Banners contain reasonable information' + +description: |- + Warning Banners include warning information added to the system login + interface, which identifies the system's security warnings for all + users who log in to the system. Security warnings can include the + organization to which the system belongs, monitoring or recording of + login behaviors, and unauthorized logins based on business scenarios. Or + the legal sanctions that will be imposed upon intrusion. Inappropriate + security warning information may increase the risk of system attacks + or violate local laws and regulations. + + Warning Banners should not expose the system version, application server + type, functions, etc. to users to prevent attackers from obtaining system + information and carrying out attacks. In addition to this, file ownership + needs to be configured correctly, otherwise unauthorized users may modify + files with incorrect or misleading information. + +

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + none. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..2f405be --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml @@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the iptables input and output association policies configuration is correct' + +description: |- + Although it is possible to configure packet policies for incoming and outgoing servers to the + Input and OUTPUT chains by configuring protocols, IP, and ports, in some cases it may be more + complex. For example, if the client accesses the server through a certain port, the server may + not necessarily return the response packet from the original port, and may use a random source + port. In this case, it is difficult to configure accurate policies through the sport parameter. + + At this point, it is necessary to consider using association links to configure the strategy. + If an outgoing message belongs to an existing network link, it will be directly released; If a + received message belongs to an existing network link, it is also directly released. Because + these existing links must have been filtered and checked by other policies, otherwise they cannot + be established. + +
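Review bot: warning_banners_contain_reasonable_information/rule.yml requires that banners not expose the system version yet claims nothing is automatable; on agetty consoles the /etc/issue and /etc/issue.net escapes `\S`, `\s`, `\r`, `\m` and `\v` expand to OS name, kernel release, machine type and version (see agetty(8)), so `grep -E '\\[SsrmvnoO]' /etc/issue /etc/issue.net` plus a grep for release strings in /etc/motd is a feasible check and should be in the ocil. `rationale: none.` should carry the two reasons already in the description (legal notice, no fingerprinting). The ownership remark needs a target: root:root and mode 0644 on the three files.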

It can not be scanned automatically, please check it manually.

+

Check if the input and output chains are configured with associated policies.

+ + +rationale: |- + If the policy is not configured through associated links, it is necessary to analyze all possible + link situations and configure corresponding policies. If the configuration is too loose, it may + cause security risks, and if the configuration is too strict, it may cause business interruption. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..28f7f5d --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml @@ -0,0 +1,27 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the iptables input policy configuration is correct' + +description: |- + The function of the Input chain is to filter packets received from external sources. Any + externally provided service requires configuring the corresponding Input policy and opening + the relevant port, so that external clients can access the service through that port. + +
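Review bot: 'existing network link' in iptables_association_policy_configured_corrently/rule.yml is the conntrack ESTABLISHED/RELATED state; naming it makes the ocil concrete, e.g. `iptables -S INPUT | grep -E -- '-m (state --state|conntrack --ctstate) (RELATED,)?ESTABLISHED.* -j ACCEPT'` and the same for OUTPUT, which is also a pattern an OVAL check could apply to a saved ruleset. The directory name has a typo (`corrently`, repeated in the three sibling rules). The second paragraph's claim that such traffic 'must have been filtered' is only true because a conntrack entry exists solely for a flow whose first packet an earlier rule accepted; stating that makes the rationale verifiable rather than asserted.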

It can not be scanned automatically, please check it manually.

+

Check if the policy configured for the input chain meets business needs.

+ + +rationale: |- + If not configured, all external attempts to access related services will be discarded due to + the default policy configuration being DROP. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..ddee908 --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml @@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the iptables loopback policy configuration is correct' + +description: |- + The loopback address is a special address on the server, represented by 127.0.0.0/8,which is + not related to the network card and is mainly used for communication between local processes. + Messages with a source address of 127.0.0.0/8 should not be received from the network card, + and such messages should be discarded. + +
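Review bot: The rationale of iptables_input_policy_configured_corrently/rule.yml depends on 'the default policy configuration being DROP', but nothing in this rule sets or checks `iptables -P INPUT DROP`, and iptables' built-in policy is ACCEPT; on a host whose policy was never changed the stated consequence does not occur, while on a DROP host the text gives no way to verify the allowed ports. Either reference the rule that sets the default policy (upstream's set_iptables_default_rule, if enabled for openeuler2203) or state the assumption explicitly, and give the ocil `iptables -S INPUT` with the expectation that only business ports, loopback and ESTABLISHED traffic are accepted.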

It can not be scanned automatically, please check it manually.

+

Check if the loopback address policy has been correctly configured.

+ + +rationale: |- + If the loopback address policy is not set correctly, it may cause communication failure between + local processes or receive spoofing messages from the network card. The server needs to set + policies that allow receiving and processing loopback address messages from the lo interface, + but reject messages received from the network card. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..ea672eb --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml @@ -0,0 +1,28 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the iptables output policy configuration is correct' + +description: |- + There are two main situations for server outgoing messages: one is when the host process + actively connects to an external server, such as HTTP access, or sends data to a log server, + etc.; the other is when the host process accesses the local service externally and the local + machine responds to the message. + +

It can not be scanned automatically, please check it manually.

+

Check if the policy configured for the output chain meets business needs.

+ + +rationale: |- + If the OUTPUT policy is not configured, all outgoing messages from the server will be discarded + due to the default policy being DROP. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml index bbea345..19cc6f5 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4,openeuler2203 title: 'Deactivate Wireless Network Interfaces' diff --git a/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml new file mode 100644 index 0000000..c918fd8 --- /dev/null +++ b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml @@ -0,0 +1,26 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure the network interface is bound to the correct area' + +description: |- + Different firewall regions can develop different filtering strategies. If the server network + is complex and has multiple interfaces, and different interfaces undertake different business + functions, it is recommended to configure the interfaces to different regions and develop + different firewall strategies. For example, the external network business interface does not + allow SSH access, while the internal network management interface can open SSH access. + +

It can not be scanned automatically, please check it manually.

+

Check the interface configuration of each region:

+ + +rationale: |- + If all interfaces are configured in one area, firewall policies are not conducive to configuring + different interfaces differently, increasing management complexity, and reducing the filtering + efficiency of firewall security protection. Due to configuration issues, messages that should + not be received may not be rejected or discarded. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/group.yml b/linux_os/guide/system/network/network_nftables/group.yml new file mode 100644 index 0000000..68ecddd --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/group.yml @@ -0,0 +1,12 @@ +documentation_complete: true + +title: 'nftables' + +description: |- + nftables is a subsystem of the Linux kernel that provides filtering + and classification of network packets. nftables replaces the iptables + part of Netfilter. Compared with iptables, nftable is easier to extend + to new protocols, and nftables will replace iptables in the future. + In addition, nftables is different from firewalld and iptables. The + operating system does not configure any policies by default and + requires manual configuration by the administrator. \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..fb45bfe --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml 
@@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the nftables input and output association policies configuration is correct' + +description: |- + Although it is possible to configure packet policies for incoming and outgoing servers to the + input and output chains by configuring protocols, IPs, and ports, in some cases it may be more + complex. For example, if the client accesses the server through a certain port, the server may + not necessarily return the response message from the original port, and may use a random source + port. In this case, it is difficult to configure accurate policies through the sport parameter. + +

At this point, it is necessary to consider using association links to configure the strategy. + If an outgoing message belongs to an existing network link, it will be directly released; If a + received message belongs to an existing network link, it is also directly released. Because + these existing links must have been filtered and checked by other policies, otherwise they + cannot be established.

+

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + If the policy is not configured through associated links, it is necessary to analyze all possible + link situations and configure corresponding policies. If the configuration is too loose, it may + cause security risks, and if the configuration is too strict, it may cause business interruption. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml new file mode 100644 index 0000000..804c3b5 --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml @@ -0,0 +1,29 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Configure nftables default deny policy' + +description: |- + From a security perspective, the nftables basic chain is similar to + iptables. (Input, output, forward) you need to configure the rejection + policy for all packets, and then add the allow policy to the basic + chain to open related services and ports. + +

If the basic chain is not configured, or the hook rules of the basic + chain are not specified, the packet will not be captured by nftables, + and filtering will not be possible.

+ +

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + If the basic chain is not configured with a DROP or REJECT policy, the + packets will be ACCEPT by default, which may easily lead to security + risks due to omission of the rejection policy. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..a4c1563 --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Configure nftables input strategy' + +description: |- + The function of the input chain is to filter messages received from the + outside. Any externally provided service needs to configure the + corresponding input policy and open the relevant port so that external + clients can access the service through the port. + +

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + If not configured, since the default policy is configured as DROP, all + external packets trying to access related services will be dropped. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..b3ca58a --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml @@ -0,0 +1,28 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Configure nftables loopback policy' + +description: |- + The loopback address is a special address on the server, represented by 127.0.0.0/8. It + has nothing to do with the network card. It is mainly used for inter-process communication + on this machine. Packets with the source address 127.0.0.0/8 should not be received from + the network card. Such messages should be discarded. + +

The server needs to set a policy to allow receiving and processing the loopback address + packets of the lo interface, but reject the packets received from the network card.

+ +

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + If the loopback address policy is + set incorrectly, inter-process communication on the local machine may fail, or spoofed + packets may be received from the network card. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..6c4cdc6 --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Configure nftables output strategy' + +description: |- + There are two main situations when the server sends outbound messages. One + is when the host process actively connects to an external server, such as + http access, or sends outgoing data to a log server, etc. The other is when + the host process externally accesses local services and the local machine + responds arts. + +

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + If no output policy is configured, all outgoing packets from the server will + be discarded because the default policy is DROP. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml new file mode 100644 index 0000000..9f37bdf --- /dev/null +++ b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml @@ -0,0 +1,22 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Verify nftables Enabled' + +description: '{{{ describe_service_enable(service="nftables") }}}' + +rationale: |- + If multiple firewall services are enabled, business + interruption may occur due to inconsistent policy configurations. + +severity: low + +ocil: '{{{ ocil_service_enabled(service="nftables") }}}' + +platform: machine + +template: + name: service_enabled + vars: + servicename: nftables \ No newline at end of file diff --git a/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml new file mode 100644 index 0000000..175fa9c --- /dev/null +++ b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml 
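Review bot: The rationale in `service_nftables_enabled` explains why running several firewall services at once is harmful, not why the nftables service itself must be enabled, so it does not justify the check the `service_enabled` template performs. A rationale that supports the rule would say that the nftables unit is what loads the persistent ruleset at boot, so without it the default-deny and chain policies required by the sibling `nftables_*` rules are not in force after a reboot. If the project also carries a `service_firewalld_enabled` rule for this product, the two should be mutually exclusive at profile level, since selecting both produces exactly the inconsistency this rationale warns about.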
@@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly' + +description: |- + LD_LIBRARY_PATH is a Linux environment variable. When a program loads a + dynamic link library, it will first obtain it from the path specified by + this environment variable. Normally, this environment variable should + not be set. If it is maliciously set to an incorrect value, the program + may be linked to an incorrect dynamic library when running, resulting in + security risks. Note: The configuration in /etc/ld.so.conf.d will also + affect dynamic library loading, so you need to ensure correct configuration. + + openEuler does not set this variable by default. According to the actual + scenario, if LD_LIBRARY_PATH must be set, you need to ensure that the + value is correct in all user contexts. + +

It can not be scanned automatically, please check it manually.

+

There are multiple configuration files that can permanently set the LD_LIBRARY_PATH + value, which need to be investigated. These files include: /etc/profile, ~/.bashrc, ~/.bash_profile. + The latter two files are files in the user's home directory. Each user Yes, be + sure not to miss it during inspection.

+ + +rationale: |- + none. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml new file mode 100644 index 0000000..0d9cfeb --- /dev/null +++ b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml @@ -0,0 +1,44 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure the user PATH variable is strictly defined' + +description: |- + The PATH variable under Linux defines the search path for executable files + in the current user context. For example, if the user uses the ls command + in any directory, the system will search for the ls command in the directory + specified by the PATH variable and execute it after finding it. The PATH + variable in all user contexts cannot contain the current directory "." .The + directory must be a path that actually exists in the file system and meets + the design expectations of the system. The correct PATH value can effectively + prevent system commands from being replaced by malicious instructions and + ensure that system commands can be executed safely. + + So the PATH variable should be defined to the correct value, and the openEuler + system default setting is: + + /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin + + PATH can be modified according to the actual scenario, but be sure to make sure + it is correct. + +
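Review bot: `rationale: |-` followed by `none.` in `define_ld_lib_path_correctly` is a placeholder, and the block is rendered into the guide and XCCDF as the rule's justification; the same placeholder appears in `define_path_strictly`, `no_files_globally_writable_files` and `partitions_manage_hard_drive_data`, and `partitions_mounted_nodev_mode`, `partitions_mounted_noexec_mode`, `partitions_mounted_nosuid_mode`, `partitoin_mounted_noexec_or_nodev` and `read_only_partitions_no_modified` ship an empty `rationale: |-` block. Each should state the risk the check mitigates; for this rule the description already contains it, e.g. `rationale: |- A user-writable directory in LD_LIBRARY_PATH lets an attacker substitute a shared library that is then loaded by every dynamically linked program the affected user runs.` The OCIL text lists only /etc/profile, ~/.bashrc and ~/.bash_profile; /etc/profile.d/*.sh and /etc/bashrc are sourced by the same shells and belong on the inspection list, and "Each user Yes, be sure not to miss it" reads as a translation fragment that should say every user's home directory must be inspected.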

It can not be scanned automatically, please check it manually.

+

Use the echo command to print out the value of PATH in the current user context and check whether it is correct.

+ + +rationale: |- + none. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml new file mode 100644 index 0000000..a2c3208 --- /dev/null +++ b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml @@ -0,0 +1,34 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Disallow globally writable files' + +description: |- + Globally writable means that all users can write to the file, but usually this + permission is not necessary. If a file is unreasonably set with globally writable + permissions, it can easily be tampered with by attackers, leading to security risks. + Therefore, if the file must have globally writable permissions, the security risks + need to be analyzed based on actual scenarios to ensure that attackers cannot use + this file to carry out attacks. + + You can search for globally writable files in the root directory. The exceptions + are: There are a large number of globally writable files in the two system directories + "/sys" and "/proc" when Linux is running, so these two should be excluded when checking + directory to avoid confusion. + +

It can not be scanned automatically, please check it manually.

+

Check globally writable files(directories "/sys" and "/proc" have been excluded).

+ + +rationale: |- + none. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml new file mode 100644 index 0000000..9a3535e --- /dev/null +++ b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml @@ -0,0 +1,38 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that unneeded file system mount is removed' + +description: |- + The Linux system supports a variety of file systems, which are + loaded into the kernel through ko mode. As a general operating + system platform, openEuler will provide various file systems ko, + which are stored in the /lib/modules/(kernel version)/kernel/fs/ + directory and can be loaded through the insmod/modprobe command. + +
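Review bot: `no_files_globally_writable_files` is a manual check for a property the upstream tree already covers with an automated rule, `file_permissions_unauthorized_world_writable`, if I recall correctly; adding `openeuler2203` to that rule's prodtype would give a scannable check instead of a manual one. If the manual rule is kept, the OCIL should say what "globally writable" legitimately includes: directories carrying the sticky bit (the /tmp pattern) are world-writable by design, and the text currently exempts only /sys and /proc.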

Users should determine which file systems do not need to be supported + based on actual scenarios, and prohibit these file systems from being + mounted through configuration. These file systems usually include:

+

cramfs、freevxfs、jffs2、hfs、hfsplus、squashfs、udf、vfat、fat、msdos、nfs、ceph、fuse、overlay、xfs

+

It can not be scanned automatically, please check it manually.

+

Use the following command to check the file system mounting status, such as cramfs.

+ + +rationale: |- + Disabling mount support for unnecessary file systems can reduce + the attack surface and prevent attackers from attacking the system + by exploiting vulnerabilities in some uncommon file systems. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml new file mode 100644 index 0000000..545a238 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml @@ -0,0 +1,33 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Hard drive data should be managed in partitions' + +description: |- + When installing the operating system, the operating system data and business data + partitions should be managed according to the characteristics of the actual scenario + to avoid placing all data on one hard disk or partition. Proper planning of hard disk + partitions can avoid or reduce the following risks: + + The log file is too large, causing the business or system data disk to become full; + The home directory of ordinary accounts is too large, causing the system or business disk to become full; + The system partition is not independent, causing the basic service of the operating system to fail when the disk is full, causing a full-scale DOS attack; + It is not conducive to minimizing permissions and encrypting data disks; + It is not conducive to system or data recovery after the disk is damaged. + + As a general operating system, openEuler installs separate partitions "/boot, /tmp, + /home, /" by default. It is recommended to determine the partition mounting and size + of other directories based on the actual scenario. + +
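Review bot: The candidate list in `removed_unnecessary_file_mount_support` includes vfat, xfs, overlay and nfs, which are not "usually" unneeded: vfat backs the EFI system partition that this same patch lists as a default mount (`/boot/efi` in the nodev rule), xfs is a supported root file system, and overlay is required by container runtimes. The description should separate file systems that are safe to disable on almost any host (cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf) from those that need a per-deployment decision. It should also note that the modprobe blacklist approach only covers file systems built as modules; a file system compiled into the kernel cannot be disabled this way. If the upstream `kernel_module_disabled` template is available for this product, per-module rules would make this scannable instead of manual, and the list should use plain commas rather than the full-width `、` separator.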

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + none. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml new file mode 100644 index 0000000..c3008b4 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml @@ -0,0 +1,47 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Mounting in nodev mode does not require mounting the device' + +description: |- + nodev means that device files are not allowed to be mounted, which is used + to reduce the attack surface and increase security. When the directory is + mounted, if the nodev option is set, all block devices, character devices + and other device files in the directory will be parsed into ordinary files + and cannot be operated on device files. If nodev is not set when mounting, + it will lead to security risks. For example, an attacker creates a file system + on the USB flash drive and creates a block device file in it (his own USB flash + drive, with corresponding permissions), and this block The device actually + points to the server hard disk or partition such as /dev/sda. If an attacker + has the opportunity to insert a USB flash drive into the server and the server + loads the USB flash drive, the attacker can access the corresponding file through + this block device file. Hard drive data. If the U disk in the above case is changed + to another hard disk or partition, a similar problem will exist. As long as there + is a maliciously constructed device file on the hard disk or partition, an attack + can be formed. + +

The following directories are mounted by nodev by default in the openEuler system:

+

/sys、/proc、/sys/kernel/security、/dev/shm、/run、/sys/fs/cgroup、/sys/fs/cgroup/systemd、 + /sys/fs/pstore、/sys/fs/bpf、/sys/fs/cgroup/files、/sys/fs/cgroup/net_cls,net_prio、 + /sys/fs/cgroup/devices、/sys/fs/cgroup/freezer、/sys/fs/cgroup/cpu,cpuacct、/sys/fs/cgroup/perf_event、 + /sys/fs/cgroup/pids、/sys/fs/cgroup/hugetlb、/sys/fs/cgroup/memory、/sys/fs/cgroup/blkio、 + /sys/fs/cgroup/cpuset、/sys/fs/cgroup/rdma、/sys/kernel/config、/sys/kernel/debug、/dev/mqueue、 + /tmp、/run/user/0

+

penEuler has the following directories (some directories vary depending on hard disk partitions + and deployment platforms). These directories are not mounted by nodev by default:

+

/dev、/dev/pts、/、/sys/fs/selinux、/proc/sys/fs/binfmt_misc、/dev/hugepages、/boot、 + /var/lib/nfs/rpc_pipefs、/boot/efi、/home

+

In actual scenarios, based on business needs, the nodev method is used to mount partitions + that do not require device mounting.

+ +

It can not be scanned automatically, please check it manually.

+ +rationale: |- + + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml new file mode 100644 index 0000000..c7900b9 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml @@ -0,0 +1,23 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Mount a partition without executable files in noexec mode' + +description: |- + The data disk is only used to save data during system operation. There + is no need to execute relevant commands on the data disk. In this case, + the hard disk or partition must be mounted in noexec mode to improve security + and reduce the attack surface. + +
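Review bot: The title of `partitions_mounted_nodev_mode`, 'Mounting in nodev mode does not require mounting the device', does not describe the check; something like `title: 'Mount partitions that do not need device files with the nodev option'` matches the description. In the description, "penEuler" should be "openEuler", and the two mount lists use the full-width `、` separator while containing cgroup mount names such as `cpu,cpuacct` with a plain comma, so a reader cannot tell where one entry ends; one path per line is the usual form. The narrative about a device node on removable media pointing at a server disk is useful, but "this block The device actually points" and "Hard drive data." are translation fragments that should be joined into one sentence.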

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml new file mode 100644 index 0000000..16f795d --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml @@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Make sure partitions that do not require SUID/SGID are mounted in nosuid mode' + +description: |- + After the SUID bit is set on an executable file, even if the user executing the file + is not the owner of the file, the process will be temporarily granted the permissions + of the file owner during execution. For example, the ordinary user test executes a + program with permissions 755 and owner root. If the program does not set the SUID bit, + the process only has the permissions of the test user; if the SUID is set, the process + has root permissions during execution. . SGID has a similar function, but it only has + the permissions of the group to which the file belongs. For partitions that do not + need SUID/SGID, use the nosuid method to mount them. This can invalidate the S bit of + files with SUID/SGID in the partition, prevent privilege escalation through the + executable files of the partition, and strengthen the security of the partition. + +

Users need to plan each mounted hard drive and partition and set nosuid mounting items + based on actual scenarios.

+ +

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml new file mode 100644 index 0000000..848fed1 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml @@ -0,0 +1,29 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Make sure the removable partition is mounted in noexec/nodev mode' + +description: |- + Removable devices themselves are uncertain, and their origin, past usage, + and transportation processes cannot guarantee absolute safety. Therefore, + removable devices are often the main host devices for virus transmission. + Therefore, for removable devices, it is required to mount them in noexec + or nodev mode to improve security and reduce the attack surface. + +

noexec can prevent files on removable devices from being directly executed, + such as virus files, attack scripts, etc;

+

nodev prevents incorrect device files on removable devices from being linked + to real devices on the server, leading to attacks;

+

Common removable devices such as: CD/DVD/USB, etc.

+ +

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml b/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml new file mode 100644 index 0000000..b63d688 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml @@ -0,0 +1,21 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Partitions that do not need to be modified are mounted read-only.' + +description: |- + Mounting file systems that do not require data modification in read-only mode can + avoid unintentional or malicious data tampering and reduce the attack surface. + +

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml index cd07fd0..cd68dad 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8 +prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,openeuler2203 title: 'Restrict usage of ptrace to descendant processes' @@ -33,4 +33,5 @@ template: vars: sysctlvar: kernel.yama.ptrace_scope sysctlval: '1' + sysctlval@openeuler2203: '0' datatype: int diff --git a/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml new file mode 100644 index 0000000..dc1881b --- /dev/null +++ b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml 
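Review bot: `sysctlval@openeuler2203: '0'` makes the openEuler variant of `sysctl_kernel_yama_ptrace_scope` check for the permissive value, so a system where any process can ptrace any other process of the same uid passes a rule titled 'Restrict usage of ptrace to descendant processes'. If openEuler genuinely needs scope 0 for some workload, that is a profile decision (leave the rule unselected or tailor it) rather than a change to the rule's expected value, because the rule's description and rationale still describe scope 1 and will be rendered unchanged for this product. Dropping the added override keeps the check consistent with its text, leaving `sysctlval: '1'` alone.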
@@ -0,0 +1,33 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Avoid using programms labeled unconfined_service_t' + +description: |- + The purpose of SELinux setting the unconfined_service_t label + is to enable some third-party service processes that are not + configured with SELinux policies to run unfettered. By default, + when systemd runs a third-party application with the label bin_t + or usr_t (generally located in /usr/bin, /opt, etc. directories), + the generated process label is unconfined_service_t. + + The difference from other high-privilege labels (such as unconfined_t, + initrc_t, etc.) is that unconfined_service_t has very few domain + conversion rules, which means that even if the process runs applications + that have been configured with SELinux policies, the label of the + new process will still be unconfined_service_t. The SELinux policy + configured for the process will not take effect. If it is attacked, + it will have a greater impact on the system. + +

It can not be scanned automatically, please check it manually.

+ + +rationale: |- + Programs labeled unconfined_service_t are restricted from running. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/software/enabled_seccomp/rule.yml b/linux_os/guide/system/software/enabled_seccomp/rule.yml new file mode 100644 index 0000000..82d0734 --- /dev/null +++ b/linux_os/guide/system/software/enabled_seccomp/rule.yml @@ -0,0 +1,47 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'seccomp should be enabled' + +description: |- + seccomp (full name: secure computing mode), when it was first introduced into the + Linux kernel, limited the system calls available to the process to four types: read, + write, _exit, sigreturn. In the original whitelisting method, in addition to the + four system calls allowed by the open file descriptor, if other system calls are + attempted, the kernel will use SIGKILL or SIGSYS to terminate the process. + + The whitelist method is too restrictive and has little practical effect. In practical + applications, more precise restrictions are needed. In order to solve this problem, + BPF was introduced. The combination of seccomp and BPF rules allows users to filter + system calls using configurable policies. The policy is implemented using Berkeley + Packet Filter rules, which can filter any system calls and their parameters. + + The openEuler kernel already provides seccomp function support by default, and also + provides the libseccomp peripheral package to help user-mode programs conveniently + set seccomp rules. + +
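Review bot: The rationale of `disabled_unconfined_service_t_programs`, "Programs labeled unconfined_service_t are restricted from running.", restates the remediation rather than the risk, while the risk is already in the description: a process in this domain has almost no transition rules, so policies written for programs it executes never take effect and a compromise of it is unconfined. Moving that sentence into `rationale` and keeping the description for background gives the expected structure. The title misspells "programs" as "programms". Since this is a manual check, the OCIL should say what to inspect, e.g. `ps -eZ | grep unconfined_service_t` to list processes currently running in the domain.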

It can not be scanned automatically, please check it manually.

+

Check whether the target process has seccomp mode enabled. Here we take checking the test_seccomp process as an example.

+ +rationale: |- + seccomp cannot set the opening, closing or rules globally, but is specific to each + process. That is, the process can set and enable seccomp by itself, which affects + itself and all child threads, but does not affect other processes. + + If seccomp is enabled in a process, there will be a performance loss when making + system calls. Users need to determine whether the performance loss is acceptable + based on actual business scenarios. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml index 787d897..6d9c09d 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 +prodtype: fedora,ocp4,ol8,rhel8,openeuler2203 title: 'Configure System Cryptography Policy' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml index f9835af..4fb6a78 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml @@ -7,6 +7,7 @@ multi_platform_fedora multi_platform_ol multi_platform_rhel + multi_platform_openeuler The aide database must be initialized. diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml new file mode 100644 index 0000000..bd51174 --- /dev/null 
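Review bot: `enabled_seccomp` cannot be evaluated as written because, as its own rationale says, seccomp is a per-process property: there is no system-wide switch to check, and the OCIL text refers to an example process `test_seccomp` without saying which processes on the host are in scope. The check should name the services the profile expects to be filtered and the field to read, `grep Seccomp /proc/<pid>/status` (0 disabled, 1 strict, 2 filter). If no concrete service list exists for this product, the rule is better marked informational than left as a check that can never pass or fail. The description's "four system calls allowed by the open file descriptor" should read "allowed only on already-open file descriptors".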
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml @@ -0,0 +1,40 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'aide intrusion detection should be enabled' + +description: |- + aide (advanced intrusion detection environment) is an intrusion detection tool that + can be used to check the integrity of files and directories in the system and identify + files or directories that have been maliciously tampered with. The principle of the + integrity check is to first construct a baseline database, which contains some attributes + of the file or directory such as permissions, users, etc. When performing the integrity + check, the current system status is compared with the baseline database to obtain the + check results. Finally, the file or directory changes of the current system are reported, + that is, the inspection report. + + Enabling aide intrusion detection can effectively identify malicious tampering with files + or directories, thereby improving system integrity and security. The files or directories + that need to be checked can be configured as needed, which is highly flexible. Users only + need to query the check report to determine whether there is malicious tampering. + +

It can not be scanned automatically, please check it manually.

+

Check if the loopback address policy has been correctly configured.

+ +rationale: |- + The more files that need to be checked, the longer the checking process will take. If users + enable aide, they should configure the inspection strategy appropriately based on their own + business scenarios. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml new file mode 100644 index 0000000..8437388 --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml 
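Review bot: The OCIL text in `enable_aide_detection`, "Check if the loopback address policy has been correctly configured.", is copied from the loopback firewall rule and has nothing to do with AIDE, so an assessor following it would check the wrong thing. It should describe the AIDE check, e.g. `Verify that the AIDE database has been initialized and that a periodic job (cron or systemd timer) runs aide --check and delivers its report.` The rationale given is a performance caveat rather than a reason for the rule; the reason, detecting unauthorized modification of files and directories, is in the description and belongs under `rationale`. Upstream already has `aide_build_database` (touched in this patch) and, if memory serves, `aide_periodic_cron_checking`; extending their prodtype to openeuler2203 may cover this rule with automated checks.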
@@ -0,0 +1,55 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'IMA metrics should be enabled'
+
+description: |-
+ IMA (Integrity Measurement Architecture) is an integrity protection function provided
+ by the kernel. When IMA is turned on, it can provide integrity measurements for
+ important files in the system based on user-defined policies. The measurement results
+ can be used locally and remotely. Proof of integrity.
+
+ When the IMA measurement function is not enabled in the system, summary information
+ of key files cannot be recorded in real time, and tampering with file contents or
+ attributes cannot be identified. Functions such as local attestation and remote
+ attestation that protect system integrity rely on the summary value provided by IMA
+ metrics, so they cannot be used, or the integrity protection is incomplete.
+
+ IMA global policy configuration is related to the specific environment. Normally,
+ integrity protection is only targeted at immutable files (such as executable files,
+ dynamic libraries, etc.). If the policy is improperly configured, it may lead to
+ excessive performance and memory overhead. It is recommended that users use their
+ own The situation determines whether to enable IMA and configure the correct policy.
+
+ Note: Since IMA is only the measurement part of the global integrity protection
+ mechanism, complete use requires TPM 2.0 and remote attestation services. This
+ specification only explains and recommends the measurement part of IMA. If the
+ system does not integrate TPM 2.0 and remote attestation services, the IMA measurement
+ function should not be enabled.
+
+ IMA measurement does not support container environments and virtual machine
+ environments, requires UEFI startup, and does not support Legacy mode.
+

Use the following command to check whether the current system has IMA measurement enabled.

+
+
+rationale: |-
+ Turning on IMA metrics will cause a slight increase in system startup time and file
+ access time.
+ If the policy is improperly configured (such as measuring real-time changing log files,
+ temporary files, etc.), the measurement log may grow too fast and occupy too much system
+ memory, and the memory occupied by the measurement log will not be released before the
+ next restart of the system. , thus affecting the normal operation of the business. In
+ addition, because the measured files are constantly changing, the measurement value changes,
+ and the remote certification baseline value cannot be updated synchronously, causing the
+ remote certification to fail and losing the meaning of integrity protection.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
new file mode 100644
index 0000000..cd59e60
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure sudoers cannot configure scripts writable by low-privileged users'
+
+description: |-
+ sudo can enable the set ordinary user to execute certain specific programs with root privileges,
+ and the corresponding configuration file is /etc/sudoers. Administrator users can configure
+ corresponding rules to make certain scripts or binary files run with root permissions. Therefore,
+ the scripts configured by sudo should only be writable by root. Scripts that can be written by
+ low-privilege users cannot be configured. If low-privilege users are configured, they can be written
+ by root. script, the user can perform privilege escalation operations by modifying the script.
+
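Review bot: Several sentences in the description and rationale are garbled and will read as nonsense to the administrator who has to act on this rule: `can be used locally and remotely. Proof of integrity.` should be `can be used for local and remote integrity attestation.`, `It is recommended that users use their own The situation determines whether to enable IMA` should be `It is recommended that users decide, based on their own situation, whether to enable IMA`, and `next restart of the system. , thus affecting` has a stray `, `. The manual-check text says `Use the following command to check whether the current system has IMA measurement enabled.` but no command follows in this hunk; either the command was dropped when the file was rendered or it was never added, and in the latter case the rule cannot be checked as written. The rule also carries no OVAL in this patch, so with `documentation_complete: true` it will appear in the profile as a manual check only; that is fine if intended, but worth stating in the check text.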

It can not be scanned automatically, please check it manually.

+

Check related configuration.

+
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml
new file mode 100644
index 0000000..ea4e9cf
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml
@@ -0,0 +1,25 @@
+ + + + Disable use of SysRq key + + multi_platform_openeuler + + Disable SysRq. + + + + + + + + + + /proc/sys/kernel/sysrq + 0 + 1 + +
\ No newline at end of file
diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml
new file mode 100644
index 0000000..75f55a9
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml
@@ -0,0 +1,30 @@
+
+prodtype: openeuler2203
+
+title: 'Disable use of SysRq key'
+
+description: |-
+
+ SysRq allows users with physical access to access dangerous system-level commands
+ in the computer, and the use of SysRq functions needs to be restricted.
+
+ If the SysRq key is not disabled, the SysRq call can be triggered through the
+ keyboard, which may cause commands to be sent directly to the kernel, affecting
+ the system.
+
+ openEuler prohibits the use of SysRq keys by default.
+
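Review bot: `rationale: none.` leaves a high-severity rule without a stated reason while the description already contains it; move the privilege-escalation argument into the rationale, e.g. `A sudo rule that runs a script writable by a low-privileged user lets that user execute arbitrary commands as root by editing the script.` The same `rationale: none.` appears in the uninstall_debugging_tools and uninstall_development_and_compliation_tools rules later in this patch. The last two sentences of the description are garbled (`If low-privilege users are configured, they can be written by root. script, the user can perform ...`) and should read `Scripts writable by low-privileged users must not be configured in sudoers; if such a script is allowed to run as root, the user can escalate privileges by modifying it.` The manual check should cover the `/etc/sudoers.d` drop-in files as well as `/etc/sudoers`, and the directory containing each configured script, since a writable parent directory allows the script to be replaced even when the file itself is root-only.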
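Review bot: The only content recoverable from this OVAL is the path `/proc/sys/kernel/sysrq` and the values `0` and `1`, so the check appears to evaluate the running kernel value only; the element tags were lost in rendering, so this is inferred rather than certain. A runtime-only check passes on a system whose persistent sysctl configuration re-enables SysRq at the next boot, and fails on a system that is persistently compliant but was changed at runtime. Rather than a hand-written OVAL, the rule can use the shared `sysctl` template in rule.yml with `sysctlvar: kernel.sysrq`, `sysctlval: '0'` and `datatype: int`, which generates a check of both the live value and the sysctl configuration files, and the trailing `1` in this file should be confirmed as an attribute rather than an accepted value.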

Check whether the system prohibits the use of the SysRq key:

+
+
+rationale: |-
+ SysRq related commands cannot be used in the system.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml
new file mode 100644
index 0000000..1b92235
--- /dev/null
+++ b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'uninstall debugging tools'
+
+description: |-
+ If the business environment contains debugging scripts and tools, they can
+ easily be exploited and attacked by attackers. Therefore, it is strictly
+ prohibited to install various debugging tools and files in the production
+ environment, including but not limited to: code debugging tools, privilege
+ escalation commands, scripts, and tools used for debugging functions, certificates,
+ and keys used in the debugging phase. Perf tools, point management and piling
+ tools for performance testing, attack scripts and tool scripts for verifying
+ security issues such as CVE, etc. Common open source third-party debugging tools
+ include: strace, gdb, readelf, perf, etc.
+
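Review bot: This rule.yml is the only one in the patch that does not start with `documentation_complete: true`; the hunk opens with a blank line followed by `prodtype:`, and a rule without that key is likely to be treated as incomplete and left out of the built content, which would silently drop the `disabled_SysRq` selection the profile adds. Add `documentation_complete: true` as the first line. The rationale `SysRq related commands cannot be used in the system.` states the effect of the setting rather than the reason for it; something like `Restricting SysRq prevents anyone with keyboard access from sending commands directly to the kernel without authenticating.` is what the reader needs, and the empty first line of the description block can be dropped.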

It can not be scanned automatically, please check it manually.

+

Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.

+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml
new file mode 100644
index 0000000..69b0c59
--- /dev/null
+++ b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Uninstall development and compilation tools'
+
+description: |-
+ If the business environment contains compilation tools, they can
+ easily be used by attackers to edit, tamper with, and reverse analyze
+ key files in the environment to carry out attacks. Therefore, it is
+ strictly prohibited to install various compilation, decompilation,
+ and binary analysis tools in the production environment, including
+ but not limited to: compilation tools, decompilation tools, compilation
+ environments, etc. Common third-party development and compilation tools
+ include: gcc, cpp, mcpp, flex, cmake, make, rpm-build, ld, ar, etc.
+
+ If the business environment relies on interpreters such as python, lua,
+ and perl during deployment or operation, the interpreter running
+ environment can be retained.
+
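Review bot: The sentence `Perf tools, point management and piling tools for performance testing, attack scripts and tool scripts for verifying security issues such as CVE, etc.` is a fragment with untranslated terminology; `performance-testing tools such as perf, instrumentation and tracing tools, and proof-of-concept scripts used to verify security issues such as CVEs` says what is meant. The manual check `Use keyword scanning to determine whether debugging tools exist` does not say what to scan; the check should at least name the package inventory (`rpm -qa`) alongside a filesystem search, since the tools listed are normally installed as packages. The description's own list of examples (`strace, gdb, readelf, perf`) could also be repeated in the check text so the reviewer has concrete names to look for.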

It can not be scanned automatically, please check it manually.

+

Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.

+
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
index de6890c..1f4de10 100644
--- a/openeuler2203/profiles/standard.profile
+++ b/openeuler2203/profiles/standard.profile
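Review bot: The manual-check text of this rule, `Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.`, was copied from the uninstall_debugging_tools rule and still says "debugging tools"; for this rule it should read `... whether development and compilation tools exist ...`. The rule id and directory name `uninstall_development_and_compliation_tools` misspell "compilation"; since the id is referenced from the profile in this same patch, renaming it now is cheap, whereas after release the typo becomes part of the stable identifier. The description could also name the package inventory (`rpm -qa`) as the primary source for the check, since `gcc`, `make`, `cmake` and `rpm-build` are all packaged.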
@@ -9,158 +9,496 @@ description: |-
 selections:
 - package_telnet_removed
+ - package_telnet_removed.severity=high
 - package_tftp-server_removed
+ - package_tftp-server_removed.severity=high
 - package_tftp_removed
+ - package_tftp_removed.severity=high
 - package_net-snmp_removed
+ - package_net-snmp_removed.severity=high
 - accounts_no_uid_except_zero
+ - accounts_no_uid_except_zero.severity=high
 - file_owner_etc_passwd
+ - file_owner_etc_passwd.severity=high
 - file_groupowner_etc_passwd
+ - file_groupowner_etc_passwd.severity=high
 - file_permissions_etc_passwd
+ - file_permissions_etc_passwd.severity=high
 - file_owner_etc_shadow
+ - file_owner_etc_shadow.severity=high
 - file_groupowner_etc_shadow
+ - file_groupowner_etc_shadow.severity=high
 - file_permissions_etc_shadow
+ - file_permissions_etc_shadow.severity=high
 - file_owner_etc_group
+ - file_owner_etc_group.severity=high
 - file_groupowner_etc_group
+ - file_groupowner_etc_group.severity=high
 - file_permissions_etc_group
+ - file_permissions_etc_group.severity=high
 - file_owner_etc_gshadow
+ - file_owner_etc_gshadow.severity=high
 - file_groupowner_etc_gshadow
+ - file_groupowner_etc_gshadow.severity=high
 - file_permissions_etc_gshadow
+ - file_permissions_etc_gshadow.severity=high
 - accounts_user_interactive_home_directory_exists
+ - accounts_user_interactive_home_directory_exists.severity=high
 - gid_passwd_group_same
+ - gid_passwd_group_same.severity=high
 - var_password_pam_minlen=8
 - accounts_password_pam_minlen
+ - accounts_password_pam_minlen.severity=high
 - accounts_password_pam_minclass
+ - accounts_password_pam_minclass.severity=high
 - var_password_pam_ucredit=0
 - accounts_password_pam_ucredit
+ - accounts_password_pam_ucredit.severity=high
 - var_password_pam_lcredit=0
 - accounts_password_pam_lcredit
+ - accounts_password_pam_lcredit.severity=high
 - var_password_pam_dcredit=0
 - accounts_password_pam_dcredit
+ - accounts_password_pam_dcredit.severity=high
 - var_password_pam_ocredit=0
 - accounts_password_pam_ocredit
+ - accounts_password_pam_ocredit.severity=high
 - accounts_password_pam_retry
+ - accounts_password_pam_retry.severity=high
 - accounts_password_pam_unix_remember
+ - accounts_password_pam_unix_remember.severity=high
 - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_systemauth.severity=high
 - accounts_maximum_age_login_defs
- - var_accounts_minimum_age_login_defs=0
+ - accounts_maximum_age_login_defs.severity=high
+ - var_accounts_maximum_age_login_defs=90
 - accounts_minimum_age_login_defs
+ - accounts_minimum_age_login_defs.severity=high
+ - var_accounts_minimum_age_login_defs=0
 - accounts_password_warn_age_login_defs
+ - accounts_password_warn_age_login_defs.severity=high
 - sshd_disable_empty_passwords
+ - sshd_disable_empty_passwords.severity=high
 - grub2_uefi_password
+ - grub2_uefi_password.severity=high
 - require_singleuser_auth
+ - require_singleuser_auth.severity=high
 - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_deny.severity=high
 - accounts_passwords_pam_faillock_deny_root
+ - accounts_passwords_pam_faillock_deny_root.severity=high
 - var_accounts_passwords_pam_faillock_unlock_time=300
 - accounts_passwords_pam_faillock_unlock_time
+ - accounts_passwords_pam_faillock_unlock_time.severity=high
 - var_accounts_tmout=5_min
 - accounts_tmout
+ - accounts_tmout.severity=high
 - sshd_allow_only_protocol2
+ - sshd_allow_only_protocol2.severity=high
 - sshd_disable_rhosts
+ - sshd_disable_rhosts.severity=high
 - disable_host_auth
+ - disable_host_auth.severity=high
 - configure_ssh_crypto_policy
+ - configure_ssh_crypto_policy.severity=high
 - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_randomize_va_space.severity=high
 - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_dmesg_restrict.severity=high
 - sysctl_kernel_kptr_restrict
+ - sysctl_kernel_kptr_restrict.severity=high
 - no_files_unowned_by_user
+ - no_files_unowned_by_user.severity=high
 - file_permissions_ungroupowned
+ - file_permissions_ungroupowned.severity=high
 - dir_perms_world_writable_sticky_bits
+ - dir_perms_world_writable_sticky_bits.severity=high
 - var_accounts_user_umask=077
 - accounts_umask_etc_bashrc
+ - accounts_umask_etc_bashrc.severity=high
 - service_auditd_enabled
+ - service_auditd_enabled.severity=high
 - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_max_log_file_action.severity=high
 - auditd_data_retention_num_logs
+ - auditd_data_retention_num_logs.severity=high
 - service_rsyslog_enabled
+ - service_rsyslog_enabled.severity=high
 - package_python2_removed
+ - package_python2_removed.severity=high
 - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_never_disabled.severity=high
 - login_accounts_are_necessary
+ - login_accounts_are_necessary.severity=high
 - accounts_are_necessary
+ - accounts_are_necessary.severity=high
 - group_unique_id
+ - group_unique_id.severity=high
 - account_unique_id
+ - account_unique_id.severity=high
 - account_unique_group_id
+ - account_unique_group_id.severity=high
 - account_unique_name
+ - account_unique_name.severity=high
 - group_unique_name
+ - group_unique_name.severity=high
 - accounts_password_pam_dictcheck
+ - accounts_password_pam_dictcheck.severity=high
 - verify_owner_password
+ - verify_owner_password.severity=high
 - no_name_contained_in_password
+ - no_name_contained_in_password.severity=high
 - sshd_strong_kex=standard_openeuler2203
 - sshd_use_strong_kex
+ - sshd_use_strong_kex.severity=high
 - sshd_use_strong_pubkey
+ - sshd_use_strong_pubkey.severity=high
 - sshd_enable_pam
+ - sshd_enable_pam.severity=high
 - sshd_use_strong_macs
+ - sshd_use_strong_macs.severity=high
 - sshd_use_strong_ciphers
+ - sshd_use_strong_ciphers.severity=high
 - grub2_nosmap_argument_absent
+ - grub2_nosmap_argument_absent.severity=high
 - grub2_nosmep_argument_absent
+ - grub2_nosmep_argument_absent.severity=high
 - package_ftp_removed
+ - package_ftp_removed.severity=high
 - no_empty_symlink_files
+ - no_empty_symlink_files.severity=high
 - no_hide_exec_files
+ - no_hide_exec_files.severity=high
 - no_lowprivilege_users_writeable_cmds_in_crontab_file
+ - no_lowprivilege_users_writeable_cmds_in_crontab_file.severity=high
 - service_debug-shell_disabled
+ - service_debug-shell_disabled.severity=high
 - service_avahi-daemon_disabled
+ - service_avahi-daemon_disabled.severity=high
 - package_openldap-servers_removed
+ - package_openldap-servers_removed.severity=high
 - service_cups_disabled
+ - service_cups_disabled.severity=high
 - package_ypserv_removed
+ - package_ypserv_removed.severity=high
 - package_ypbind_removed
+ - package_ypbind_removed.severity=high
 - account_temp_expire_date
+ - account_temp_expire_date.severity=low
 - no_netrc_files
+ - no_netrc_files.severity=low
 - service_chronyd_or_ntpd_enabled
+ - service_chronyd_or_ntpd_enabled.severity=low
 - chronyd_or_ntpd_specify_remote_server
+ - chronyd_or_ntpd_specify_remote_server.severity=low
 - kernel_module_sctp_disabled
+ - kernel_module_sctp_disabled.severity=low
 - kernel_module_tipc_disabled
+ - kernel_module_tipc_disabled.severity=low
 - sshd_set_loglevel_verbose
+ - sshd_set_loglevel_verbose.severity=low
 - sshd_set_max_auth_tries
+ - sshd_set_max_auth_tries.severity=low
 - sshd_max_auth_tries_value=3
 - sshd_do_not_permit_user_env
+ - sshd_do_not_permit_user_env.severity=high
 - sshd_disable_user_known_hosts_ex
+ - sshd_disable_user_known_hosts_ex.severity=high
 - sshd_disable_rhosts_rsa
+ - sshd_disable_rhosts_rsa.severity=high
 - service_firewalld_enabled
+ - service_firewalld_enabled.severity=low
 - set_firewalld_default_zone
+ - set_firewalld_default_zone.severity=low
 - disable_unnecessary_service_and_ports
+ - disable_unnecessary_service_and_ports.severity=low
 - service_iptables_enabled
+ - service_iptables_enabled.severity=low
 - service_ip6tables_enabled
+ - service_ip6tables_enabled.severity=low
 - set_iptables_default_rule
+ - set_iptables_default_rule.severity=low
 - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high
 - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects.severity=high
 - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects.severity=high
 - sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_all_secure_redirects.severity=high
 - sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects.severity=high
 - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_all_send_redirects.severity=high
 - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects.severity=high
 - sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_all_rp_filter.severity=high
 - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv4_ip_forward.severity=high
 - sysctl_net_ipv6_conf_all_forwarding
+ - sysctl_net_ipv6_conf_all_forwarding.severity=high
 - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_all_accept_source_route.severity=high
 - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route.severity=high
 - sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_tcp_syncookies.severity=high
 - sysctl_net_ipv4_conf_all_log_martians
+ - sysctl_net_ipv4_conf_all_log_martians.severity=low
 - sysctl_net_ipv4_conf_default_log_martians
+ - sysctl_net_ipv4_conf_default_log_martians.severity=low
 - sysctl_fs_suid_dumpable
+ - sysctl_fs_suid_dumpable.severity=high
 - selinux_state
+ - selinux_state.severity=low
 - selinux_policytype
+ - selinux_policytype.severity=low
 - sysctl_fs_protected_symlinks
+ - sysctl_fs_protected_symlinks.severity=high
 - sysctl_fs_protected_hardlinks
+ - sysctl_fs_protected_hardlinks.severity=high
 - kernel_module_usb-storage_disabled
+ - kernel_module_usb-storage_disabled.severity=low
 - service_crond_enabled
+ - service_crond_enabled.severity=high
 - cron_and_at_config
+ - cron_and_at_config.severity=high
 - audit_rules_login_events
+ - audit_rules_login_events.severity=low
 - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_group.severity=low
 - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_gshadow.severity=low
 - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_opasswd.severity=low
 - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_passwd.severity=low
 - audit_rules_usergroup_modification_shadow
+ - audit_rules_usergroup_modification_shadow.severity=low
 - audit_rules_kernel_module_install_and_remove
+ - audit_rules_kernel_module_install_and_remove.severity=low
 - rsyslog_cron_logging
+ - rsyslog_cron_logging.severity=high
 - ensure_minimum_permission
+ - ensure_minimum_permission.severity=high
 - opened_files_count_limited
+ - opened_files_count_limited.severity=high
 - sysctl_net_ipv4_tcp_timestamps
+ - sysctl_net_ipv4_tcp_timestamps.severity=low
 - sysctl_net_ipv4_tcp_fin_timeout
+ - sysctl_net_ipv4_tcp_fin_timeout.severity=high
 - sysctl_net_ipv4_tcp_max_syn_backlog
+ - sysctl_net_ipv4_tcp_max_syn_backlog.severity=low
 - sysctl_net_ipv4_disable_arp_proxy
+ - sysctl_net_ipv4_disable_arp_proxy.severity=high
 - sysctl_net_ipv4_icmp_echo_ignore_all
+ - sysctl_net_ipv4_icmp_echo_ignore_all.severity=low
 - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses.severity=high
 - su_only_for_wheel
+ - su_only_for_wheel.severity=high
 - sudo_not_for_all_users
+ - sudo_not_for_all_users.severity=high
 - only_root_can_run_pkexec
+ - only_root_can_run_pkexec.severity=high
 - su_always_set_path
+ - su_always_set_path.severity=high
 - file_permissions_unauthorized_world_writable
+ - file_permissions_unauthorized_world_writable.severity=low
 - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_suid.severity=high
 - file_permissions_unauthorized_sgid
+ - file_permissions_unauthorized_sgid.severity=high
+ - network_sniffing_tools
+ - network_sniffing_tools.severity=high
+ - service_rsyncd_disabled
+ - service_rsyncd_disabled.severity=high
+ - package_openldap-clients_removed
+ - package_openldap-clients_removed.severity=high
+ - no_forward_files
+ - no_forward_files.severity=low
+ - sshd_configure_correct_interface
+ - sshd_configure_correct_interface.severity=low
+ - sshd_concurrent_unauthenticated_connections
+ - sshd_concurrent_unauthenticated_connections.severity=low
+ - sshd_configure_concurrent_sessions
+ - sshd_configure_concurrent_sessions.severity=low
+ - sshd_disable_x11_forwarding
+ - sshd_disable_x11_forwarding.severity=high
+ - sshd_configure_correct_LoginGraceTime
+ - sshd_configure_correct_LoginGraceTime.severity=low
+ - sshd_disable_AllowTcpForwardindg
+ - sshd_disable_AllowTcpForwardindg.severity=high
+ - sshd_prohibit_preset_authorized_keys
+ - sshd_prohibit_preset_authorized_keys.severity=high
+ - network_interface_binding_corrently
+ - network_interface_binding_corrently.severity=low
+ - iptables_loopback_policy_configured_corrently
+ - iptables_loopback_policy_configured_corrently.severity=low
+ - iptables_input_policy_configured_corrently
+ - iptables_input_policy_configured_corrently.severity=low
+ - iptables_output_policy_configured_corrently
+ - iptables_output_policy_configured_corrently.severity=low
+ - iptables_association_policy_configured_corrently
+ - iptables_association_policy_configured_corrently.severity=low
+ - service_nftables_enabled
+ - service_nftables_enabled.severity=low
+ - nftables_configure_default_deny_policy
+ - nftables_configure_default_deny_policy.severity=low
+ - nftables_loopback_policy_configured_corrently
+ - nftables_loopback_policy_configured_corrently.severity=low
+ - nftables_input_policy_configured_corrently
+ - nftables_input_policy_configured_corrently.severity=low
+ - nftables_output_policy_configured_corrently
+ - nftables_output_policy_configured_corrently.severity=low
+ - nftables_association_policy_configured_corrently
+ - nftables_association_policy_configured_corrently.severity=low
+ - sudoers_disable_low_privileged_configure
+ - sudoers_disable_low_privileged_configure.severity=high
+ - no_files_globally_writable_files
+ - no_files_globally_writable_files.severity=high
+ - removed_unnecessary_file_mount_support
+ - removed_unnecessary_file_mount_support.severity=high
+ - read_only_partitions_no_modified
+ - read_only_partitions_no_modified.severity=high
+ - partitions_mounted_nodev_mode
+ - partitions_mounted_nodev_mode.severity=high
+ - partitions_mounted_noexec_mode
+ - partitions_mounted_noexec_mode.severity=high
+ - partitoin_mounted_noexec_or_nodev
+ - partitoin_mounted_noexec_or_nodev.severity=high
+ - partitions_mounted_nosuid_mode
+ - partitions_mounted_nosuid_mode.severity=high
+ - audit_privilege_escalation_command
+ - audit_privilege_escalation_command.severity=low
+ - audit_rules_admin_privilege
+ - audit_rules_admin_privilege.severity=low
+ - recorded_authentication_related_event
+ - recorded_authentication_related_event.severity=high
+ - rsyslog_files_permissions
+ - rsyslog_files_permissions.severity=low
+ - partitions_manage_hard_drive_data
+ - partitions_manage_hard_drive_data.severity=low
+ - uninstall_debugging_tools
+ - uninstall_debugging_tools.severity=high
+ - uninstall_development_and_compliation_tools
+ - uninstall_development_and_compliation_tools.severity=high
+ - package_xorg-x11-server-common_removed
+ - package_xorg-x11-server-common_removed.severity=high
+ - package_httpd_removed
+ - package_httpd_removed.severity=low
+ - service_smb_disabled
+ - service_smb_disabled.severity=low
+ - service_named_disabled
+ - service_named_disabled.severity=high
+ - service_nfs-server_disabled
+ - service_nfs-server_disabled.severity=low
+ - service_rpcbind_disabled
+ - service_rpcbind_disabled.severity=low
+ - service_dhcpd_disabled
+ - service_dhcpd_disabled.severity=low
+ - configure_first_logging_change_password
+ - configure_first_logging_change_password.severity=high
+ - sshd_disable_root_login
+ - sshd_disable_root_login.severity=high
+ - warning_banners_contain_reasonable_information
+ - warning_banners_contain_reasonable_information.severity=high
+ - diasable_root_accessing_system
+ - diasable_root_accessing_system.severity=low
+ - wireless_disable_interfaces
+ - wireless_disable_interfaces.severity=low
+ - sshd_enable_warning_banner
+ - sshd_enable_warning_banner.severity=low
+ - disabled_SysRq
+ - disabled_SysRq.severity=high
+ - sysctl_kernel_yama_ptrace_scope
+ - sysctl_kernel_yama_ptrace_scope.severity=low
+ - disabled_unconfined_service_t_programs
+ - disabled_unconfined_service_t_programs.severity=low
+ - enabled_seccomp
+ - enabled_seccomp.severity=low
+ - define_ld_lib_path_correctly
+ - define_ld_lib_path_correctly.severity=high
+ - define_path_strictly
+ - define_path_strictly.severity=low
+ - grub2_audit_argument
+ - grub2_audit_argument.severity=low
+ - grub2_audit_backlog_limit_argument
+ - grub2_audit_backlog_limit_argument.severity=low
+ - audit_rules_immutable
+ - audit_rules_immutable.severity=low
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file.severity=high
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_max_log_file_action.severity=high
+ - auditd_data_retention_space_left
+ - auditd_data_retention_space_left.severity=low
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_space_left_action.severity=low
+ - auditd_data_retention_admin_space_left
+ - auditd_data_retention_admin_space_left.severity=low
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_admin_space_left_action.severity=low
+ - auditd_data_disk_error_action
+ - auditd_data_disk_error_action.severity=low
+ - auditd_data_disk_full_action
+ - auditd_data_disk_full_action.severity=low
+ - audit_rules_sysadmin_actions
+ - audit_rules_sysadmin_actions.severity=low
+ - audit_rules_session_events
+ - audit_rules_session_events.severity=low
+ - audit_rules_time_adjtimex
+ - audit_rules_time_adjtimex.severity=low
+ - audit_rules_time_clock_settime
+ - audit_rules_time_clock_settime.severity=low
+ - audit_rules_time_settimeofday
+ - audit_rules_time_settimeofday.severity=low
+ - audit_rules_time_stime
+ - audit_rules_time_stime.severity=low
+ - audit_rules_time_watch_localtime
+ - audit_rules_time_watch_localtime.severity=low
+ - audit_rules_mac_modification
+ - audit_rules_mac_modification.severity=low
+ - audit_rules_networkconfig_modification
+ - audit_rules_networkconfig_modification.severity=low
+ - audit_rules_successful_file_modification
+ - audit_rules_successful_file_modification.severity=low
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open.severity=low
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_ftruncate.severity=low
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_creat.severity=low
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_openat.severity=low
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_rename.severity=low
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat.severity=low
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlink.severity=low
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_file_deletion_events_unlinkat.severity=low
+ - audit_rules_media_export
+ - audit_rules_media_export.severity=low
+ - configure_service_logging
+ - configure_service_logging.severity=low
+ - configure_dump_journald_log
+ - configure_dump_journald_log.severity=high
+ - configure_rsyslog_log_rotate
+ - configure_rsyslog_log_rotate.severity=high
+ - rsyslog_remote_loghost
+ - rsyslog_remote_loghost.severity=low
+ - rsyslog_accept_remote_messages_tcp
+ - rsyslog_accept_remote_messages_tcp.severity=low
+ - rsyslog_accept_remote_messages_udp
+ - rsyslog_accept_remote_messages_udp.severity=low
+ - ima_verification
+ - ima_verification.severity=low
+ - enable_aide_detection
+ - enable_aide_detection.severity=low
+ - service_haveged_enabled
+ - service_haveged_enabled.severity=low
+ - configure_crypto_policy
+ - configure_crypto_policy.severity=low
-- 
2.42.0.windows.2
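Review bot: `auditd_data_retention_max_log_file_action` and its `auditd_data_retention_max_log_file_action.severity=high` refinement are added near the end of the selections although the same rule is already selected (with the same refinement) in the unchanged part of the list a few dozen lines above; the added pair should be dropped so the profile does not carry a duplicate selection. Several newly selected rule ids embed typos that will become permanent once this profile ships — `sshd_disable_AllowTcpForwardindg`, the `*_configured_corrently` family, `partitoin_mounted_noexec_or_nodev`, `diasable_root_accessing_system` and `uninstall_development_and_compliation_tools` — and fixing them later means touching the rule directories, this profile and any existing scan results at once, so renaming before merge is far cheaper. Since the `.severity=` refinements are applied to every selection, it would help reviewers to state in the profile description (outside this hunk) that the profile overrides rule severities rather than inheriting them from the rules.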