From 941e961d84f0c1610134b367364a0f66b82cc9f9 Mon Sep 17 00:00:00 2001 
From: qsw333 Date: Thu, 16 Nov 2023 13:50:38 +0800 Subject: [PATCH] second --- .../base/service_haveged_enabled/rule.yml | 31 +++++++ .../service_dhcpd_disabled/rule.yml | 2 +- .../service_named_disabled/rule.yml | 2 +- .../package_httpd_removed/rule.yml | 2 +- .../package_openldap-clients_removed/rule.yml | 23 +++++ .../service_rpcbind_disabled/rule.yml | 2 +- .../service_nfs-server_disabled/rule.yml | 33 +++++++ linux_os/guide/services/rsync/group.yml | 9 ++ .../rsync/service_rsyncd_disabled/rule.yml | 20 ++++ .../service_smb_disabled/rule.yml | 2 +- .../oval/shared.xml | 25 +++++ .../rule.yml | 16 ++++ .../oval/shared.xml | 25 +++++ .../rule.yml | 19 ++++ .../oval/shared.xml | 25 +++++ .../rule.yml | 18 ++++ .../oval/shared.xml | 25 +++++ .../sshd_configure_correct_interface/rule.yml | 18 ++++ .../oval/shared.xml | 25 +++++ .../sshd_disable_AllowTcpForwardindg/rule.yml | 18 ++++ .../oval/shared.xml | 25 +++++ .../sshd_disable_x11_forwarding/rule.yml | 16 ++++ .../oval/shared.xml | 25 +++++ .../rule.yml | 18 ++++ .../uninstall_software_service/group.yml | 5 + .../network_sniffing_tools/rule.yml | 24 +++++ .../rule.yml | 2 +- .../no_forward_files/oval/shared.xml | 20 ++++ .../no_forward_files/rule.yml | 17 ++++ .../rule.yml | 27 ++++++ .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 25 +++++ .../oval/shared.xml | 25 +++++ .../audit_rule_admin_privilege/rule.yml | 27 ++++++ .../oval/shared.xml | 25 +++++ .../rule.yml | 56 +++++++++++ .../auditd_data_retention_space_left/rule.yml | 2 +- .../auditing/grub2_audit_argument/rule.yml | 2 +- .../rule.yml | 2 +- .../oval/shared.xml | 25 +++++ .../configure_dump_journald_log/rule.yml | 22 +++++ .../rule.yml | 19 ++++ .../configure_rsyslog_log_rotate/rule.yml | 45 +++++++++ .../configure_service_logging/rule.yml | 21 +++++ .../diasable_root_accessing_system/rule.yml | 35 +++++++ .../rsyslog_files_permissions/oval/shared.xml | 1 + .../oval/shared.xml | 25 +++++ .../rule.yml | 24 
+++++ .../rsyslog_remote_loghost/oval/shared.xml | 1 + .../rule.yml | 28 ++++++ .../rule.yml | 36 +++++++ .../rule.yml | 27 ++++++ .../rule.yml | 36 +++++++ .../rule.yml | 28 ++++++ .../wireless_disable_interfaces/rule.yml | 2 +- .../rule.yml | 26 ++++++ .../system/network/network_nftables/group.yml | 12 +++ .../rule.yml | 32 +++++++ .../rule.yml | 24 +++++ .../rule.yml | 21 +++++ .../rule.yml | 23 +++++ .../rule.yml | 22 +++++ .../service_nftables_enabled/rule.yml | 22 +++++ .../define_ld_lib_path_correctly/rule.yml | 25 +++++ .../files/define_path_strictly/rule.yml | 31 +++++++ .../no_files_globally_writable_files/rule.yml | 34 +++++++ .../rule.yml | 28 ++++++ .../partitions_mounted_nodev_mode/rule.yml | 48 ++++++++++ .../partitions_mounted_noexec_mode/rule.yml | 19 ++++ .../partitions_mounted_nosuid_mode/rule.yml | 27 ++++++ .../rule.yml | 28 ++++++ .../read_only_partitions_no_modified/rule.yml | 19 ++++ .../rule.yml | 29 ++++++ .../sysctl_kernel_yama_ptrace_scope/rule.yml | 2 +- .../rule.yml | 28 ++++++ .../system/software/enabled_seccomp/rule.yml | 35 +++++++ .../crypto/configure_crypto_policy/rule.yml | 2 +- .../aide/aide_build_database/oval/shared.xml | 1 + .../aide/enable_aide_detection/rule.yml | 29 ++++++ .../ima_verification/rule.yml | 47 ++++++++++ .../rule.yml | 18 ++++ .../disabled_SysRq/oval/shared.xml | 25 +++++ .../system-tools/disabled_SysRq/rule.yml | 20 ++++ .../uninstall_debugging_tools/rule.yml | 23 +++++ .../rule.yml | 26 ++++++ openeuler2203/profiles/standard.profile | 93 +++++++++++++++++++ 89 files changed, 1869 insertions(+), 16 deletions(-) create mode 100644 linux_os/guide/services/base/service_haveged_enabled/rule.yml create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml create mode 100644 linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml create mode 100644 linux_os/guide/services/rsync/group.yml create mode 100644 
linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml create mode 100644 linux_os/guide/services/uninstall_software_service/group.yml create mode 100644 linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/rule.yml create mode 100644 linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml create mode 100644 linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml create mode 100644 linux_os/guide/system/logging/configure_service_logging/rule.yml create mode 100644 linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml create mode 100644 linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml create mode 100644 linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml create mode 100644 
linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_interface_binding_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/group.yml create mode 100644 linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml create mode 100644 linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml create mode 100644 linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml create mode 100644 linux_os/guide/system/permissions/files/define_path_strictly/rule.yml create mode 100644 linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml create mode 100644 linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml create mode 100644 linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml create mode 100644 linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml create mode 100644 linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml create mode 100644 
linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml create mode 100644 linux_os/guide/system/software/enabled_seccomp/rule.yml create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml create mode 100644 linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml create mode 100644 linux_os/guide/system/software/uninstall_debugging_tools/rule.yml create mode 100644 linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml diff --git a/linux_os/guide/services/base/service_haveged_enabled/rule.yml b/linux_os/guide/services/base/service_haveged_enabled/rule.yml new file mode 100644 index 0000000..a2e373a --- /dev/null +++ b/linux_os/guide/services/base/service_haveged_enabled/rule.yml 
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Enable haveged service'
+
+description: |-
+ The haveged service provides an easy-to-use, unpredictable random number
+ generator. The generated random numbers are used to supplement the system
+ entropy pool, which can solve the problem of low system entropy in some
+ cases. It is recommended to enable this service in scenarios where encryption,
+ decryption or key generation is required (such as using openssl and gnutls).
+
+ If the haveged service is not turned on, when the process that needs to
+ generate strong pseudo-random numbers gets values from /dev/random, it will
+ be stuck in waiting because it cannot get enough values, and will not return
+ until new random bytes are obtained.
+
+severity: low
+
+rationale: |-
+ none.
+
+ocil: '{{{ ocil_service_disabled(service="haveged") }}}'
+
+platform: machine
+
+template:
+ name: service_enabled
+ vars:
+ servicename: haveged
\ No newline at end of file
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
index efe3519..4d41613 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
 title: 'Disable DHCP Service'
diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
index 62c1bf0..7add584 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
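Review bot: The `ocil` line of the new haveged rule calls `ocil_service_disabled(service="haveged")` while the template is `service_enabled`, so the manual check tells the auditor to verify the opposite of what the automated check enforces; it should read `ocil: '{{{ ocil_service_enabled(service="haveged") }}}'`. `rationale: |- none.` leaves the security justification empty, and the entropy argument currently in the description is the rationale. The /dev/random blocking claim holds for older kernels only; since Linux 5.6 /dev/random no longer blocks once the pool is initialized, so that paragraph should be hedged or dropped for a 22.03 product.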
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
 title: 'Disable named Service'
diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
index b9a6437..8156243 100644
--- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
 title: 'Uninstall httpd Package'
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
new file mode 100644
index 0000000..717c04b
--- /dev/null
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Remove LDAP Client'
+
+description: |-
+ LDAP (Lightweight Directory Access Protocol) is a lightweight directory
+ access protocol that provides access control and maintains distributed
+ directory information.
+
+rationale: |-
+ Providing an LDAP client (openldap-clients) in the system can cause
+ waste of system resources and expand the scope of attacks. If the business
+ scenario does not require the use of LDAP services, it is prohibited to
+ install the LDAP client.
+
+severity: high
+
+template:
+ name: package_removed
+ vars:
+ pkgname: openldap-clients
\ No newline at end of file
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
index 902117f..9bd2182 100644
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
 title: 'Disable rpcbind Service'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml
new file mode 100644
index 0000000..32a4889
--- /dev/null
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+prodtype: fedora,rhel6,rhel7,rhel8,openeuler2203
+
+title: 'Disable Network File System (nfs) Service'
+
+description: |-
+ Network File System (NFS) is one of the oldest and most widely distributed
+ file systems in UNIX environments. It provides the system with the ability
+ to mount other servers' file systems over the network. If the system does
+ not export NFS shares, it is recommended to disable NFS to reduce the remote
+ attack surface..
+ {{{ describe_service_disable(service="nfs-server") }}}
+
+rationale: |-
+ 'Disabling NFS affects services and applications on the system that rely on NFS,
+ as well as existing NFS mount points. Before disabling NFS, you should make sure
+ you understand the usage on your system and consider whether there are alternatives
+ to meet your file sharing and data access needs.'
+
+severity: low
+
+ocil_clause: 'it does not'
+
+ocil: '{{{ ocil_service_disabled(service="nfs") }}}'
+
+platform: machine
+
+template:
+ name: service_disabled
+ vars:
+ servicename: nfs-server
+ packagename: nfs-utils
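Review bot: `ocil: '{{{ ocil_service_disabled(service="nfs") }}}'` names a unit that differs from the template's `servicename: nfs-server`, so the manual check and the automated check refer to different services; use `nfs-server` in both. The rationale block scalar is wrapped in literal single quotes (`'Disabling NFS ... needs.'`) that will appear in the rendered text, and `attack surface..` has a doubled period. The `prodtype` line also adds fedora and rhel6-8 to a brand-new rule; if those products already carry an nfs-disable rule this creates a duplicate, so consider limiting it to openeuler2203.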
diff --git a/linux_os/guide/services/rsync/group.yml b/linux_os/guide/services/rsync/group.yml
new file mode 100644
index 0000000..0482394
--- /dev/null
+++ b/linux_os/guide/services/rsync/group.yml
@@ -0,0 +1,9 @@
+documentation_complete: true
+
+title: 'Rsync Server'
+
+description: |-
+ The rsync service can be used to synchronize data between
+ servers or between different Disk partitioning on the server,
+ but because rsync uses an unencrypted transmission protocol,
+ there is a risk of information disclosure.
\ No newline at end of file
diff --git a/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml
new file mode 100644
index 0000000..5afaa7c
--- /dev/null
+++ b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable Rsync Server Software'
+
+description: '{{{ describe_service_disable(service="rsync-daemon") }}}'
+
+rationale: |-
+ If the rsync service is enabled and data is transmitted between
+ different servers through the network, attackers can steal data
+ by listening to server ports, routers, and switch data packets.
+
+severity: high
+
+template:
+ name: service_disabled
+ vars:
+ servicename: rsyncd
+ packagename: rsync
\ No newline at end of file
diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
index aec5800..c13311f 100644
--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
 title: 'Disable Samba'
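Review bot: The group description says rsync uses an unencrypted transmission protocol without qualification; that is true of the rsync daemon protocol (`rsync://`, which is what `rsyncd` serves), while rsync over SSH is encrypted. Suggest `but because the rsync daemon protocol (rsync://) is unencrypted,` so the group text matches the rule it contains, which disables the daemon rather than rsync itself.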
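Review bot: The description calls `describe_service_disable(service="rsync-daemon")` while the template uses `servicename: rsyncd`, so the rendered guidance and the check name different units; use the unit name actually shipped by the openEuler rsync package in both places. No `ocil`/`ocil_clause` is given, so the rule has no manual-check text; `ocil: '{{{ ocil_service_disabled(service="rsyncd") }}}'` would match the other service rules in this commit.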
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml new file mode 100644 index 0000000..e6c1a0e --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml @@ -0,0 +1,25 @@ + + + + SSH concurrent unauthenticated connections should be configured correctly + + multi_platform_openeuler + + Configure the specified IP address for SSH connection. + + + + + + + + + + /etc/ssh/sshd_config + ^maxstartups\s+\d+:\d+:\d+$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml new file mode 100644 index 0000000..60d2ccd --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml @@ -0,0 +1,16 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'SSH concurrent unauthenticated connections should be configured correctly' + +description: |- + Attackers can consume system resources by establishing a large number of + concurrent connections with incomplete authentication without knowing the + password. + +rationale: |- + The MaxStartups setting specifies the maximum number of concurrent unauthenticated + connections to the SSH daemon. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml new file mode 100644 index 0000000..d30df39 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml 
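Review bot: The pattern `^maxstartups\s+\d+:\d+:\d+$` in the new OVAL check matches only a lower-case keyword, while the conventional spelling in sshd_config is `MaxStartups`; sshd treats keywords case-insensitively but the regex does not unless the test uses a case-insensitive operation, which the stripped markup here does not show. It also rejects the valid single-integer form `MaxStartups 10`, and any value passes as long as the line exists, so the check enforces presence rather than a limit. The metadata description `Configure the specified IP address for SSH connection.` is copied from the ListenAddress check and should describe MaxStartups.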
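Review bot: In the new rule.yml the `description` and `rationale` are swapped: the description explains the threat (resource exhaustion by unauthenticated connections) while the rationale explains what MaxStartups is. Move the MaxStartups explanation into the description, keep the threat as the rationale, and state the expected `start:rate:full` form so the reader knows what the OVAL check looks for. No `ocil` is given, so the rule has no manual-check text.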
@@ -0,0 +1,25 @@ + + + + The allowed number of concurrent sessions for a single SSH connection should be configured correctly + + multi_platform_openeuler + + Configure the allowed number of concurrent sessions. + + + + + + + + + + /etc/ssh/sshd_config + ^MaxSessions\s+\d+$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml new file mode 100644 index 0000000..2517850 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml @@ -0,0 +1,19 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'The allowed number of concurrent sessions for a single SSH connection should be configured correctly' + +description: |- + SSH allows clients that support multiplexing to establish multiple sessions + based on a single network connection. MaxSessions limits the number of SSH + concurrent sessions allowed for each network connection, which can prevent + system resources from being unlimited occupied by a single or a few connections, + leading to denial of service attacks. + +rationale: |- + Setting MaxSessions to 1 will disable session multiplexing, meaning that only + one session is allowed for a connection, while setting it to 0 will block all + connected sessions. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml new file mode 100644 index 0000000..fb79aff --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml 
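Review bot: `^MaxSessions\s+\d+$` passes for any integer, including the sshd default of 10 and arbitrarily large values, so the check cannot fail a system that sets MaxSessions too high; bound the value in the regex or drive it from a variable so the check matches the rationale about limiting sessions. A check that only proves the directive is present gives a false sense of coverage in the profile.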
@@ -0,0 +1,25 @@ + + + + LoginGraceTime should be configured correctly + + multi_platform_openeuler + + Configure the LoginGraceTime for SSH connection. + + + + + + + + + + /etc/ssh/sshd_config + ^LoginGraceTime\s+\d+$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml new file mode 100644 index 0000000..2c97751 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml @@ -0,0 +1,18 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'LoginGraceTime should be configured correctly' + +description: |- + LoginGraceTime is used to limit the user's login time. If the user + fails to complete the login action within the time limit specified + by LoginGraceTime, the connection will be automatically disconnected. + +rationale: |- + It is recommended to set this value to less than or equal to 60 seconds. + If the value is set too high, attackers can utilize a large number of + incomplete login actions to consume server resources, resulting in normal + administrator login failures. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml new file mode 100644 index 0000000..47510c8 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml @@ -0,0 +1,25 @@ + + + + SSH service interface should be configured correctly + + multi_platform_openeuler + + Configure the specified IP address for SSH connection. + + + + + + + + + + /etc/ssh/sshd_config + ^ListenAddress\s+((?:\d{1,3}\.){3}\d{1,3})$ + 1 + + \ No newline at end of file 
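Review bot: `^LoginGraceTime\s+\d+$` accepts any integer, so `LoginGraceTime 600` passes even though the rule.yml recommends 60 seconds or less; bound the value, e.g. `^LoginGraceTime\s+([1-9]|[1-5][0-9]|60)$` (constructed example, which also excludes `0`, meaning no limit), or express the limit through a variable. sshd also accepts time suffixes such as `1m`, which this pattern rejects.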
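Review bot: `^ListenAddress\s+((?:\d{1,3}\.){3}\d{1,3})$` matches any IPv4 ListenAddress line, so `ListenAddress 0.0.0.0` (listen on every interface) satisfies a check whose purpose is to restrict the listening interface; exclude the wildcard explicitly. The valid `addr:port`, hostname, IPv6 and `rdomain` forms of ListenAddress do not match the pattern and would be reported as failures.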
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml new file mode 100644 index 0000000..0e1cb5c --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml @@ -0,0 +1,18 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'SSH service interface should be configured correctly' + +description: |- + Generally, the server has multiple network cards and multiple + IP addresses. IP addresses should be planned for business and + management. Therefore, not every IP address needs to listen for + SSH connections. You can configure to limit SSH connections to + only specified IP addresses to reduce the attack surface. + +rationale: |- + Unconfigured IP addresses cannot connect to the server through SSH. + It is recommended to plan and configure according to the actual situation. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml new file mode 100644 index 0000000..9146f4c --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml @@ -0,0 +1,25 @@ + + + + Does not allow the use of AllowTcpForwarding + + multi_platform_openeuler + + Sshd does not allow the use of AllowTcpForwarding. + + + + + + + + + + /etc/ssh/sshd_config + ^AllowTcpForwarding\s+no$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml new file mode 100644 index 0000000..1cdfb4e --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml 
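Review bot: The directory name `sshd_disable_AllowTcpForwardindg` carries a typo (`Forwardindg`), and since the rule id is derived from the directory, the misspelled id is what profiles and the generated datastream will reference; rename it to `sshd_disable_AllowTcpForwarding` before merge (the rule.yml in the same directory is affected too). The regex `^AllowTcpForwarding\s+no$` is appropriate here, since sshd's default is `yes` and absence should fail.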
@@ -0,0 +1,18 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Does not allow the use of AllowTcpForwarding' + +description: |- + AllowTcpForwarding allows the SSH server to act as a proxy to forward TCP requests from + clients, similar to establishing an SSH tunnel between the server and the client. This + feature may cause the client to attack other servers from the external network through + the SSH channel. + +rationale: |- + If AllowTcpForwarding is configured as yes, attackers can bypass firewall monitoring on + the client through the SSH channel and send attack commands to the intranet server where + the SSH server is located, thereby attacking it. So AllowTcpForwarding must be closed. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml new file mode 100644 index 0000000..5f4d777 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml @@ -0,0 +1,25 @@ + + + + Does not allow the use of X11 Forwarding + + multi_platform_openeuler + + Sshd does not allow the use of X11 Forwarding. + + + + + + + + + + /etc/ssh/sshd_config + ^X11Forwarding\s+no$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml new file mode 100644 index 0000000..bc5f1fe --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml 
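Review bot: `^X11Forwarding\s+no$` fails when the directive is absent, yet sshd's built-in default for X11Forwarding is `no` (distribution-shipped sshd_config files often set it to `yes`, which is why presence matters), so a configuration that never enables X11 forwarding is reported non-compliant; either treat absence as a pass or have the remediation write the directive explicitly. Upstream ComplianceAsCode appears to ship a rule with this same id built on the `sshd_lineinfile` template, so check this fork is not creating a duplicate rather than adapting the existing one.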
@@ -0,0 +1,16 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Does not allow the use of X11 Forwarding' + +description: |- + The X11 Forwarding feature of SSH allows for the execution of GUI programs for remote + hosts on the local host. If not required in the business scenario, this feature must + be disabled. + +rationale: |- + Enabling the X11 Forwarding function expands the scope of attacks and poses a possibility + of being attacked by other users on the X11 server. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml new file mode 100644 index 0000000..3edae48 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml @@ -0,0 +1,25 @@ + + + + Prohibit SSH service pre setting authorized_Keys + + multi_platform_openeuler + + SSH service prohibits preset authorized_Keys. + + + + + + + + + + /etc/ssh/sshd_config + ^LoginGraceTime\s+\d+$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml new file mode 100644 index 0000000..1c139fa --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml 
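Review bot: The OVAL test for `sshd_prohibit_preset_authorized_keys` checks `/etc/ssh/sshd_config` for `^LoginGraceTime\s+\d+$`, which is the pattern from the LoginGraceTime check and has nothing to do with preset authorized keys; as written the rule passes or fails on the grace-time setting. The check needs to look for pre-populated `authorized_keys` files (under users' `.ssh` directories, `/root/.ssh`, or wherever `AuthorizedKeysFile` points) rather than an sshd_config keyword.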
@@ -0,0 +1,18 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Prohibit SSH service pre setting authorized_Keys' + +description: |- + Authorized_ Keys is the public key of the remote host, which users can + store in their home directory $HOME/. ssh/authorized_ In the keys file, + for public key authentication, you can directly log in to the system. + +rationale: |- + If authorized is preset in the system_ Keys, and the server has enabled + the login method of public and private key authentication, allowing + attackers to bypass authentication and directly log in to the specified + system to attack it. So authorized cannot be preset in the system_ Keys. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/services/uninstall_software_service/group.yml b/linux_os/guide/services/uninstall_software_service/group.yml new file mode 100644 index 0000000..0a269ba --- /dev/null +++ b/linux_os/guide/services/uninstall_software_service/group.yml @@ -0,0 +1,5 @@ +documentation_complete: true + +title: 'Do not install some software packages.' + +description: |- \ No newline at end of file diff --git a/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml new file mode 100644 index 0000000..b41c210 --- /dev/null +++ b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Uninstall network sniffing Package' + +description: |- + If the production environment contains network sniffing tools, attackers + can easily use these tools to conduct network analysis and assist network + attacks. Therefore, installation of various network sniffing and packet + capture analysis tools, such as tcpdump, ethereal, wireshark, etc., should + be prohibited in the production environment. + +
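Review bot: The description's path text is broken — `Authorized_ Keys` and `$HOME/. ssh/authorized_ In the keys file` should read `authorized_keys` and `$HOME/.ssh/authorized_keys` — and the same split token recurs in the rationale (`in the system_ Keys`). Suggest rewriting the rationale sentence as `If authorized_keys files are preset in the system and public-key authentication is enabled, anyone holding the matching private key can log in without further authentication.` The rule also ships no `ocil`, so an auditor has no manual-check instructions.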
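Review bot: `description: |-` in the new `uninstall_software_service/group.yml` is a block scalar with no content, so the group description renders empty (some YAML loaders yield null), and the title `Do not install some software packages.` does not say which packages. Give the group a real description, e.g. `Packages that are not needed on production systems and enlarge the attack surface, such as network sniffers and debugging or development tools.`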

It can not be scanned automatically,please check it manually.

+

check the network_sniffing_tools,such as wireshark,netcat,tcpdump,namp,ethereal:

+ + +rationale: |- + There is no need to install various network sniffing and packet capture + analysis tools in the production environment. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml index 84a64db..625f15d 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,rhel6,rhel7,rhel8,rhv4,openeuler2203 title: 'Remove the X Windows Package Group' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml new file mode 100644 index 0000000..eab54dd --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml @@ -0,0 +1,20 @@ + + + + Verify No forward Files Exist + {{{- oval_affected(products) }}} + If there are no related email forwarding scenarios, it is recommended to delete the .forward file. + + + + + + + + + + + /home + ^\.forward$ + + \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml new file mode 100644 index 0000000..318131a --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml 
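Review bot: The new `network_sniffing_tools` rule has no `template` and no OVAL, so scanners will report it as notchecked; the ocil text (whose markup appears lost in this view) also lists `namp`, which should be `nmap`, and `netcat`, which is a connection tool rather than a sniffer. If an automated check is intended, one `package_removed` rule per package (as `package_openldap-clients_removed` does in this commit) is the established pattern; otherwise keep it manual but set `ocil_clause` so the rendered check reads correctly.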
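Review bot: The file test anchors at `/home` with `^\.forward$`; whether it descends into each user's home directory depends on the recurse attributes, which are not visible here, so confirm it recurses at least one level (a `.forward` directly under `/home` is not the case the rule cares about). Home directories outside `/home` — `/root` and any path set in `/etc/passwd` — are not covered, so either add `/root` or derive the paths from the passwd entries.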
@@ -0,0 +1,17 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Verify No forward Files Exist' + +description: |- + The .forward file can be configured with an email address, which + will be automatically forwarded to when users receive emails. If there are + no related email forwarding scenarios, it is recommended to delete the + .forward file. + +rationale: |- + If there is a .forward file, it may cause user emails carrying + sensitive information to be automatically forwarded to high-risk mailboxes. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml new file mode 100644 index 0000000..b01dad4 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml @@ -0,0 +1,27 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure the network interface is bound to the correct area' + +description: |- + File access permission control is the basic permission management in Linux. Different users + are authorized to access different files, preventing the leakage of sensitive information + between users or the tampering of file data. It can also prevent ordinary users from + unauthorized access to high-privilege files or configurations in the system. + + It is recommended to audit and monitor system calls that modify file permissions and file + owners in the operating system. If relevant auditing is not configured, if illegal + modification occurs, it will not be conducive to traceability. + + openEuler does not configure file access control permission audit rules by default. It is + recommended that users configure corresponding rules based on actual business scenarios. + +
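Review bot: The description does not say which home directories are inspected, while the accompanying OVAL scans `/home`; the text should state that every interactive user's home directory, including `/root`, is examined. The rationale only covers mail being forwarded to an external mailbox; MTAs that honor sendmail-style `.forward` files typically also execute `|command` entries as the user on every delivery, which is the stronger reason to remove stray files and is worth a sentence here. Placing this rule under `accounts-restrictions/password_storage` also looks like the wrong group, since it has nothing to do with password storage.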
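Review bot: The title `Ensure the network interface is bound to the correct area` is copied from the network_interface_binding rule at the end of this patch and has nothing to do with a rule whose description is about auditing permission and ownership changes; it should read something like `Record Events that Modify the System's Permissions and Ownership`. The rule is flagged as not automatically scannable, yet the sibling `audit_rules_unsuccessful_file_modification_*` rules enabled for openeuler2203 in this patch are OVAL-checked, and the chmod/fchmod/fchmodat/chown/fchown/fchownat/lchown/setxattr family can be checked the same way; if it stays manual, the check text should at least give the expected rule, e.g. `-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod`. The rationale describes performance cost rather than why auditing is needed; the traceability sentence in the description belongs there.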

It can not be scanned automatically, please check it manually.

+ +rationale: |- + Configuring auditing, because audit logs need to be recorded when file permissions and owners + are modified, will have a slight impact on performance. However, since such operations should + not be performed frequently, it is actually not perceptible to users. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml index ebd52e2..2e7f907 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 title: 'Record Unsuccessful Access Attempts to Files - creat' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml index 3634935..cac6a0d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml 
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
 title: 'Record Unsuccessful Access Attempts to Files - ftruncate'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 8d813fa..425ecb7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
 title: 'Record Unsuccessful Access Attempts to Files - open'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index e8ec755..20b4d42 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
 title: 'Record Unsuccessful Access Attempts to Files - openat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml new file mode 100644 index 0000000..6cebb2c --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Make sure to remove unnecessary file system mount support' + +description: |- + Ordinary users can obtain super administrator privileges by calling privilege + escalation commands (with SUID/SGID set), so the use of privilege escalation + commands carries high risks and is often used by attackers to attack the system. + + It is recommended to audit and monitor privilege escalation commands to facilitate + traceability afterwards. + + openEuler does not configure audit rules for privilege escalation commands by + default. It is recommended that users configure corresponding rules based on actual + business scenarios. + +rationale: |- + Configuring auditing requires audit logging when using privilege escalation + commands, which has a slight impact on performance. If the user business has + a large number of scenarios where privilege escalation commands are frequently + called, there may be a cumulative effect. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml new file mode 100644 index 0000000..b70b4d9 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml 
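Review bot: The title `Make sure to remove unnecessary file system mount support` is a copy-paste error; nothing in the description concerns mounts, and it should name the control, e.g. `Ensure auditd Collects Information on the Use of Privileged Commands`. The description leaves the reader without the discovery step or the rule shape: `find / -xdev \( -perm -4000 -o -perm -2000 \) -type f` to enumerate SUID/SGID binaries and `-a always,exit -F path=<binary> -F perm=x -F auid>=1000 -F auid!=unset -k privileged` per result would make it actionable, and per-path watches of that form are checkable by OVAL rather than manual-only. The rationale again describes performance impact instead of justifying the control; the traceability sentence from the description belongs there.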
@@ -0,0 +1,25 @@ + + + + Audit rules for administrator privileged operations should be configured + + multi_platform_openeuler + + Configure audit rules for administrator privileged operations + + + + + + + + + + /etc/audit/audit.rules + ^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + \ No newline at end of file diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml new file mode 100644 index 0000000..8d548e5 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml 
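Review bot: The pattern `^\-w[\s]+sudo\.log[\s]+\-p...` requires the token after `-w` to begin with `sudo.log`, so the absolute path the rule.yml asks for, `-w /var/log/sudo.log -p wa -k <key>`, never matches and a correctly configured system fails; the path must be part of the pattern, `^\-w[\s]+/var/log/sudo\.log[\s]+\-p[\s]+...`. The object also reads only `/etc/audit/audit.rules`; where auditd assembles rules with augenrules the administrator's rule lives under `/etc/audit/rules.d/*.rules` and `audit.rules` is generated from it, so a second object over `/etc/audit/rules.d` with filename `^.*\.rules$` is needed for either layout to pass.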
@@ -0,0 +1,27 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Audit rules for administrator privileged operations should be configured' + +description: |- + + The sudo extraction command operation log in the openEuler system is recorded + in the /var/log/secure log file by default. Other authentication-related security + logs are also recorded in this file. If the user wants to audit the sudo extraction + command, it is recommended that the sudo related logs be Record separately and + output to /var/log/sudo.log, and then audit and monitor the sudo log file. Sudo + privilege escalation is a high-risk operation and is relatively common in attacks. It + is recommended to configure audit rules for later tracing. + + openEuler does not configure audit rules for administrator privileged operations + by default. It is recommended that users configure corresponding rules based on + actual business scenarios. + +rationale: |- + Configure auditing. Since audit logging is required for any sudo privilege escalation + operation, it will have a slight impact on performance. If there are a large number + of frequent sudo operations in the user's business scenario, the impact on performance + will have a cumulative effect. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml new file mode 100644 index 0000000..bf0b651 --- /dev/null +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml @@ -0,0 +1,25 @@ + + + + auditd data retention admin space left + + multi_platform_openeuler + + auditd data retention admin space left. + + + + + + + + + + /etc/audit/auditd.conf + ^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$ + 1 + + \ No newline at end of file 
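Review bot: The description tells the administrator to send sudo logs to `/var/log/sudo.log` and audit that file but never gives the configuration that does it, so the rule is not actionable and the reader cannot tell what makes the accompanying check pass; it should state `Defaults logfile=/var/log/sudo.log` (in `/etc/sudoers` or a `/etc/sudoers.d/` drop-in) followed by `-w /var/log/sudo.log -p wa -k actions` in the audit rules. `sudo extraction command` is a mistranslation of `sudo privilege-escalation command`, and `be Record separately` should read `be recorded separately`. The rationale describes performance cost rather than why the control is needed; the "high-risk operation, relatively common in attacks" sentence from the description belongs there.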
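Review bot: This check greps `/etc/audit/auditd.conf` for `admin_space_left = <number>`, but the rule.yml in the next hunk documents `admin_space_left_action` with the values `single`, `suspend` and `halt`, so the test and the documented control disagree; one of them must change, and the regex is the likelier one, e.g. `^[\s]*admin_space_left_action[\s]*=[\s]*(single|suspend|halt)[\s]*$`. As written, `[\s]+` on both sides of `=` also rejects `admin_space_left=50`, which auditd parses fine. Whatever the captured `(\d+)` is compared against is not visible in this rendering; if it is a fixed threshold it should be an XCCDF variable so profiles can tune it.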
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml new file mode 100644 index 0000000..2c9273d --- /dev/null +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml @@ -0,0 +1,56 @@ +documentation_complete: true + +title: 'Configure auditd admin_space_left on Low Disk Space' + +description: |- + The auditd service can be configured to take an action + when disk space is running low but prior to running out of space completely. + Edit the file /etc/audit/auditd.conf. Add or modify the following line, + substituting ACTION appropriately: +
admin_space_left_action = ACTION
+ Set this value to single to cause the system to switch to single user + mode for corrective action. Acceptable values also include suspend and + halt. For certain systems, the need for availability + outweighs the need to log all actions, and a different setting should be + determined. Details regarding all possible values for ACTION are described in the + auditd.conf man page. + +rationale: |- + Administrators should be made aware of an inability to record + audit records. If a separate partition or logical volume of adequate size + is used, running low on space for audit records should never occur. + +severity: medium + +identifiers: + cce@rhel6: 27239-3 + cce@rhel7: 27370-6 + cce@rhel8: 80679-4 + cce@ocp4: 82677-6 + +references: + stigid@rhel6: "000163" + srg@rhel6: SRG-OS-999999 + cis: 5.2.1.2 + cjis: 5.4.1.1 + cui: 3.3.1 + disa: 140,1343 + hipaa: 164.312(a)(2)(ii) + iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 + nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) + nist-csf: DE.AE-3,DE.AE-5,PR.DS-4,PR.PT-1,RS.AN-1,RS.AN-4 + pcidss: Req-10.7 + stigid@rhel7: "030340" + isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 7.1,SR 7.2' + isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 + cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 + +ocil_clause: 'the system is not configured to switch to single user mode for corrective action' + +ocil: |- + Inspect /etc/audit/auditd.conf and locate the following line to + determine if the system is configured to either suspend, switch to single user mode, + or halt when disk space has run low: +
admin_space_left_action single
+
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index cb1ff1d..080e1ee 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
 title: 'Configure auditd space_left on Low Disk Space'
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index 2c17ee1..0f4cdf0 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,openeuler2203
 title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
index 36f3200..34ca8aa 100644
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,openeuler2203
 title: 'Extend Audit Backlog Limit for the Audit Daemon'
diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
new file mode 100644
index 0000000..1e95b34
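Review bot: The identifiers and references blocks (`cce@rhel7: 27370-6`, `stigid@rhel7: "030340"` and the rest) belong to the `admin_space_left_action` control this text describes, while the new rule's directory is `auditd_data_retention_admin_space_left`; CCE identifiers are unique per rule, so if an existing `_action` rule already carries them they must not be reused here, and for an openeuler2203-only rule they should be dropped in favour of a `prodtype: openeuler2203` line, which is missing from this file unlike every other new rule in the patch. The ocil example `admin_space_left_action single` lacks the `=` that auditd.conf requires; it should be `admin_space_left_action = single`. The description and the OVAL in the previous hunk also name different keywords (`admin_space_left_action` versus `admin_space_left`), so the text should be aligned with whichever the check finally tests. The trailing blank `+` line at the end of the hunk adds an empty last line to the file.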
--- /dev/null +++ b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml @@ -0,0 +1,25 @@ + + + + Make sure rsyslog dump journald log is configured + + multi_platform_openeuler + + Configure rsyslog dump journald log. + + + + + + + + + + /etc/rsyslog.conf + ^[^#]*imjournal + 1 + + \ No newline at end of file diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml new file mode 100644 index 0000000..7247e27 --- /dev/null +++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml @@ -0,0 +1,22 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Make sure rsyslog dump journald log is configured' + +description: |- + + The system uses journald to collect logs. The logs may be stored on + volatile storage devices or on persistent storage devices. If there + are problems such as log loss or logs filling up the disk, the logs + must be dumped in a timely manner to ensure that the logs are more + consistent with the system. Safety. + +rationale: |- + If there is a volatile storage device for the log, failure to dump + the log in time may result in log loss. If there is a persistent + storage device, the amount of logs may be very large. If the logs + are not dumped in time, the logs may fill up the current partition, + causing the risk of other processes or system failures. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml new file mode 100644 index 0000000..16c62e7 --- /dev/null +++ b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml 
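Review bot: The pattern `^[^#]*imjournal` matches any uncommented line containing that substring, so `$imjournalRatelimitInterval 600` — a tuning directive that does not load the module — satisfies the check, while a system that loads the module from `/etc/rsyslog.d/*.conf` fails it because only `/etc/rsyslog.conf` is inspected. Anchor the pattern on the load forms, e.g. `^[\s]*(\$ModLoad[\s]+imjournal|module\(\s*load\s*=\s*"imjournal")`, and add a second object over `/etc/rsyslog.d` with filename `^.*\.conf$`. The title's `dump journald log` would be clearer as `rsyslog reads the journal via imjournal`, which is what is actually tested.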
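Review bot: The description never names the setting the check looks for, so a reader cannot make the rule pass; it should state that rsyslog must load `imjournal` (e.g. `module(load="imjournal" StateFile="imjournal.state")` in `/etc/rsyslog.conf`) so journald records are written to persistent rsyslog files. `must be dumped in a timely manner to ensure that the logs are more consistent with the system. Safety.` is a mistranslation; `so that logs are retained persistently and remain available for security analysis` conveys the intent. `dump` throughout should be `forward`/`persist`, since no log dump is involved.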
@@ -0,0 +1,19 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the account is forced to change the password when logging in for the first time' + +description: |- + Passwords that are not set by users themselves, such as passwords reset by + administrators, if not modified in a timely manner in the business environment, + can easily cause low-cost attacks. Therefore, users are required to forcibly change + their passwords when logging in to their accounts for the first time. Except for + the root password. + +

It can not be scanned automatically, please check it manually.

+ +rationale: |- + none. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml new file mode 100644 index 0000000..4257677 --- /dev/null +++ b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml @@ -0,0 +1,45 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the iptables input and output association policies configuration is correct' + +description: |- + rsyslog is responsible for collecting log records from the system into files, and logrotate + is responsible for regularly or quantitatively copying and compressing log files to ensure + that excessive hard disk resources are not occupied due to excessive log file size, or that + the log files are even unmaintainable. + + If the rotate policy is not configured, the log file will continue to grow, which may + eventually lead to the exhaustion of space on the hard disk partition where the log is + located, which may affect log recording at best, or may cause the system and business to be + unable to continue to execute normally. + + By default, openEuler has configured the rsyslog rotate policy in the /etc/logrotate.d/rsyslog + file as follows:. + + rotate log file: + /var/log/cron + + /var/log/maillog + + /var/log/messages + + /var/log/secure + + /var/log/spooler + + The maximum retention period of log files is 365 days; + + A maximum of 30 log files can be retained; + + Log files are retained in a compressed manner; + + The log file reaches 4MB, perform rotate operation. + +
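Review bot: `rationale: none.` leaves the rule without a justification although the description already contains one — a password set by an administrator is known to a second party, which is the low-cost attack the text mentions; move that sentence into the rationale. The manual-check text gives no procedure: the reviewer should be told that new or reset accounts must have their password expired (`chage -d 0 <user>` or `passwd -e <user>`), verifiable by `chage -l <user>` reporting a last-change date of `Jan 01, 1970` or by field 3 of `/etc/shadow` being `0`. The fragment `Except for the root password.` should be folded into the preceding sentence and the exception explained, since an administrator-reset root password is exactly the case the rationale warns about.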

It can not be scanned automatically, please check it manually.

+ +rationale: |- + none. + +severity: high diff --git a/linux_os/guide/system/logging/configure_service_logging/rule.yml b/linux_os/guide/system/logging/configure_service_logging/rule.yml new file mode 100644 index 0000000..c15d25b --- /dev/null +++ b/linux_os/guide/system/logging/configure_service_logging/rule.yml @@ -0,0 +1,21 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Each service logging should be configured correctly' + +description: |- + Configure logging so that important system behaviors and security-related information will + be recorded using rsyslog. The configuration files /etc/rsyslog.conf and /etc/rsyslog.d/*.conf + can specify logging rules and which files will be used to record specific types of logs. + + If logging is not configured, system behavior cannot be recorded, and problem location and + auditing cannot be performed when problems occur. + +
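Review bot: The title `Ensure that the iptables input and output association policies configuration is correct` is copied from the iptables rule later in this patch and does not describe this control; it should read `Ensure rsyslog log files are rotated by logrotate`. `rationale: none.` is empty although the description's second paragraph (unbounded growth exhausting the log partition) is the rationale. The rule is flagged as not automatically scannable, but the expected state is a concrete file, `/etc/logrotate.d/rsyslog`, whose `rotate`, `maxage`, `compress` and `size` directives can be pattern-matched by OVAL exactly like the auditd.conf checks in this patch; at minimum the manual text should name that file and the directives to inspect instead of only paraphrasing their default values.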

It can not be scanned automatically, please check it manually.

+ +rationale: |- + After logging is configured, if the logs are not cleared in time, the logs may fill up the current partition, causing the + risk of other processes or system failures. + +severity: low diff --git a/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml new file mode 100644 index 0000000..b235f0e --- /dev/null +++ b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml @@ -0,0 +1,35 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Prevent root users from accessing the system locally' + +description: |- + Root is a super-privileged user in a Linux system and has access to all + Linux system resources. If you are allowed to directly use the root account + to log in to the Linux system to operate the system, it will bring many + potential security risks. In order to avoid the risks caused by this, it + should be prohibited to directly use the root account to log in to the + operating system, and only use other technologies when necessary. Methods + (such as: sudo or su) indirectly use the root account. + + Since the root account has the highest authority, logging in directly with + root has the following risks: + + High-risk misoperations may directly cause server paralysis, such as accidentally + deleting or modifying key system files; + + If multiple people need root privileges to operate, the root password will be + kept by multiple people, which can easily lead to password leakage and increase + password maintenance costs. + + openEuler is not configured by default. If there is no need to log in locally using + the root account in actual scenarios, it is recommended to disable local login + with the root account. + +
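Review bot: The rationale and description have swapped roles: the rationale text about logs filling the partition is a consequence of enabling logging (and belongs with the logrotate rule), while the description's `If logging is not configured, system behavior cannot be recorded...` sentence is the actual rationale. The check gives no guidance on what `configured correctly` means; it should list the minimum selectors to retain — e.g. the lines that feed `/var/log/secure`, `/var/log/messages` and `/var/log/cron`, which the logrotate rule in this patch already names — so a reviewer has something to compare `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf` against.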

It can not be scanned automatically, please check it manually.

+ +rationale: |- + The root account cannot access the system locally. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml index a78cd69..3bd9887 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml @@ -9,6 +9,7 @@ multi_platform_ol multi_platform_rhel multi_platform_ubuntu + multi_platform_openeuler File permissions for all syslog log files should be set correctly. diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml new file mode 100644 index 0000000..63bce75 --- /dev/null +++ b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml @@ -0,0 +1,25 @@ + + + + Ensure that system authentication related event logs are recorded + + multi_platform_openeuler + + Configure the System to Record Authentication-related Event. + + + + + + + + + + /etc/rsyslog.conf + ^[^#]*auth + 1 + + \ No newline at end of file diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml new file mode 100644 index 0000000..1a52982 --- /dev/null +++ b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml 
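Review bot: The rationale `The root account cannot access the system locally.` restates the title and gives no reason; the `High-risk misoperations` and shared-password points from the description are the rationale and should move there. The description also never says how local root login is disabled, so the manual check has nothing to verify; on PAM-based systems this is normally done with `pam_securetty` and an empty `/etc/securetty`, and the check text should name the mechanism openEuler uses and the file to inspect. The directory name `diasable_root_accessing_system` is misspelled, and the rule sits under `system/logging` although it is an access-control rule.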
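Review bot: The pattern `^[^#]*auth` is satisfied by any uncommented line containing `auth`, including the stock `*.info;mail.none;authpriv.none;cron.none /var/log/messages` selector that explicitly discards authpriv messages — so a system recording no authentication events still passes. The check should look for a selector that actually routes them to a file, e.g. `^[\s]*auth(priv)?(,authpriv)?\.\*[\s]+-?/var/log/secure`, and inspect `/etc/rsyslog.d/*.conf` in addition to `/etc/rsyslog.conf`.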
@@ -0,0 +1,24 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that system authentication related event logs are recorded' + +description: |- + + Events related to system authentication must be recorded to help + analyze user logins, use of root privileges, and monitor suspicious + system actions. + Failure to record system authentication-related event logs will + result in the inability to analyze suspicious attack actions from + the logs, such as login actions performed by attackers trying to + guess administrator passwords. + +rationale: |- + If there is a volatile storage device for the log, failure to + dump the log in time may result in log loss. If there is a persistent + storage device, the amount of logs may be very large. If the logs + are not dumped in time, the logs may fill up the current partition, + causing the risk of other processes or system failures. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml index 22307d4..c3e2752 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml @@ -10,6 +10,7 @@ multi_platform_rhel multi_platform_ubuntu multi_platform_wrlinux + multi_platform_openeuler Syslog logs should be sent to a remote loghost diff --git a/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml new file mode 100644 index 0000000..d5d2335 --- /dev/null +++ b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml 
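Review bot: The rationale is copied from the journald rule earlier in this patch (volatile storage, dumping logs in time) and does not justify this control; the description's second paragraph about being unable to analyze password-guessing attempts is the rationale and should move there. The description should also state what the check expects — `authpriv.*` (and `auth.*`) directed to a persistent file such as `/var/log/secure` in `/etc/rsyslog.conf` or `/etc/rsyslog.d/*.conf` — so an administrator can make it pass.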
@@ -0,0 +1,28 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure Warning Banners contain reasonable information' + +description: |- + Warning Banners include warning information added to the system login + interface, which identifies the system's security warnings for all + users who log in to the system. Security warnings can include the + organization to which the system belongs, monitoring or recording of + login behaviors, and unauthorized logins based on business scenarios. Or + the legal sanctions that will be imposed upon intrusion. Inappropriate + security warning information may increase the risk of system attacks + or violate local laws and regulations. + + Warning Banners should not expose the system version, application server + type, functions, etc. to users to prevent attackers from obtaining system + information and carrying out attacks. In addition to this, file ownership + needs to be configured correctly, otherwise unauthorized users may modify + files with incorrect or misleading information. + +

It can not be scanned automatically, please check it manually.

+ +rationale: |- + none. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..278556e --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml @@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the iptables input and output association policies configuration is correct' + +description: |- + Although it is possible to configure packet policies for incoming and outgoing servers to the + Input and OUTPUT chains by configuring protocols, IP, and ports, in some cases it may be more + complex. For example, if the client accesses the server through a certain port, the server may + not necessarily return the response packet from the original port, and may use a random source + port. In this case, it is difficult to configure accurate policies through the sport parameter. + + At this point, it is necessary to consider using association links to configure the strategy. + If an outgoing message belongs to an existing network link, it will be directly released; If a + received message belongs to an existing network link, it is also directly released. Because + these existing links must have been filtered and checked by other policies, otherwise they cannot + be established. + +
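Review bot: `rationale: none.` leaves the rule unjustified although the description's last paragraph (version disclosure aids attackers; inappropriate text may violate local law) is the rationale and should move there. The manual check should name the files to inspect — `/etc/issue` for console logins, `/etc/issue.net` together with the sshd `Banner` directive for SSH, and `/etc/motd` — and state the expected ownership and mode (`root:root`, `0644`), since the text mentions ownership without saying what is correct. `unauthorized logins based on business scenarios. Or the legal sanctions...` is a broken sentence; `a prohibition on unauthorized use, and the legal consequences of intrusion` reads cleanly.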

It can not be scanned automatically, please check it manually.

+

Check if the input and output chains are configured with associated policies.

+ + +rationale: |- + If the policy is not configured through associated links, it is necessary to analyze all possible + link situations and configure corresponding policies. If the configuration is too loose, it may + cause security risks, and if the configuration is too strict, it may cause business interruption. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..0f7e91a --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml @@ -0,0 +1,27 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the iptables input policy configuration is correct' + +description: |- + The function of the Input chain is to filter packets received from external sources. Any + externally provided service requires configuring the corresponding Input policy and opening + the relevant port, so that external clients can access the service through that port. + +
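Review bot: The check gives no concrete rule to look for, so `Check if the input and output chains are configured with associated policies` cannot be verified consistently; name the expected entries, `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` and `-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (older rulesets use `-m state --state`), and tell the reviewer to read them from `iptables -S INPUT` and `iptables -S OUTPUT`. Throughout these iptables rules `message` and `link` should be `packet` and `connection`, and `association links` is `connection tracking`. The last sentence's claim that established connections `must have been filtered and checked by other policies` only holds when the chain default policy is DROP or a final REJECT rule exists, which this rule does not require; say so.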

It can not be scanned automatically, please check it manually.

+

Check if the policy configured for the input chain meets business needs.

+ + +rationale: |- + If not configured, all external attempts to access related services will be discarded due to + the default policy configuration being DROP. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..9d8bafe --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml @@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the iptables loopback policy configuration is correct' + +description: |- + The loopback address is a special address on the server, represented by 127.0.0.0/8,which is + not related to the network card and is mainly used for communication between local processes. + Messages with a source address of 127.0.0.0/8 should not be received from the network card, + and such messages should be discarded. + +
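Review bot: The rationale asserts that unmatched traffic is discarded `due to the default policy configuration being DROP`, but nothing in this rule requires or checks that `-P INPUT DROP` is set, and the kernel default policy is ACCEPT; either state the dependency on a default-drop INPUT policy (and which rule enforces it) or reword to `if the INPUT chain policy is DROP, every service without an explicit ACCEPT rule becomes unreachable`. The manual check should also say what to read — `iptables -S INPUT` — and what `meets business needs` means, e.g. only ports of services actually listening (`ss -lntu`) are accepted and source restrictions are applied where possible.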

It can not be scanned automatically, please check it manually.

+

Check if the loopback address policy has been correctly configured.

+ + +rationale: |- + If the loopback address policy is not set correctly, it may cause communication failure between + local processes or receive spoofing messages from the network card. The server needs to set + policies that allow receiving and processing loopback address messages from the lo interface, + but reject messages received from the network card. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml new file mode 100644 index 0000000..c10cd44 --- /dev/null +++ b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml @@ -0,0 +1,28 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure that the iptables output policy configuration is correct' + +description: |- + There are two main situations for server outgoing messages: one is when the host process + actively connects to an external server, such as HTTP access, or sends data to a log server, + etc.; the other is when the host process accesses the local service externally and the local + machine responds to the message. + +
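Review bot: The rationale describes the wanted state but the check text does not give the rules to verify; state them explicitly — `-A INPUT -i lo -j ACCEPT`, `-A OUTPUT -o lo -j ACCEPT` and `-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP` — and note that the same applies to `::1/128` in ip6tables, which the description does not mention. `the network card` throughout should be `a non-loopback interface`, since the distinction is the interface, not hardware. `127.0.0.0/8,which` needs a space after the comma.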

It can not be scanned automatically, please check it manually.

+

Check if the policy configured for the output chain meets business needs.

+
+
+rationale: |-
+ If the OUTPUT policy is not configured, all outgoing messages from the server will be discarded
+ due to the default policy being DROP.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index bbea345..19cc6f5 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4,openeuler2203
 title: 'Deactivate Wireless Network Interfaces'
diff --git a/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml
new file mode 100644
index 0000000..ee66dd7
--- /dev/null
+++ b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure the network interface is bound to the correct area'
+
+description: |-
+ Different firewall regions can develop different filtering strategies. If the server network
+ is complex and has multiple interfaces, and different interfaces undertake different business
+ functions, it is recommended to configure the interfaces to different regions and develop
+ different firewall strategies. For example, the external network business interface does not
+ allow SSH access, while the internal network management interface can open SSH access.
+
+

It can not be scanned automatically, please check it manually.

+

Check the interface configuration of each region:

+
+
+rationale: |-
+ If all interfaces are configured in one area, firewall policies are not conducive to configuring
+ different interfaces differently, increasing management complexity, and reducing the filtering
+ efficiency of firewall security protection. Due to configuration issues, messages that should
+ not be received may not be rejected or discarded.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/group.yml b/linux_os/guide/system/network/network_nftables/group.yml
new file mode 100644
index 0000000..68ecddd
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/group.yml
@@ -0,0 +1,12 @@
+documentation_complete: true
+
+title: 'nftables'
+
+description: |-
+ nftables is a subsystem of the Linux kernel that provides filtering
+ and classification of network packets. nftables replaces the iptables
+ part of Netfilter. Compared with iptables, nftable is easier to extend
+ to new protocols, and nftables will replace iptables in the future.
+ In addition, nftables is different from firewalld and iptables. The
+ operating system does not configure any policies by default and
+ requires manual configuration by the administrator.
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..73b0e5e
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml
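Review bot: The manual-check text `Check the interface configuration of each region:` ends in a colon with nothing after it, so the person running the check is not told what to compare the interface-to-zone assignment against; either drop the colon or add the missing step (compare against the documented interface/zone plan). In the `network_nftables/group.yml` hunk on the same line, `nftable is easier to extend` should read `nftables is easier to extend`.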
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables input strategy'
+
+description: |-
+ Although you can configure the policy of packets in and out of the server to
+ the input and output chains by configuring the protocol, IP and port, etc,
+ it is more complicated in some cases. For example, the client accesses the
+ server through a certain port, but when the server returns a response message
+ It does not necessarily return from the original port, but may use a random
+ source port. In this case, it is difficult to configure an accurate policy
+ through the sport parameter.
+
+ At this time, you need to consider using the associated link method to configure
+ the policy. If an outgoing packet belongs to an existing network link, it is
+ directly allowed; if a received packet belongs to an existing network link, it
+ is also directly allowed. Because these existing links must have been filtered
+ and checked by other policies, otherwise they cannot be established.
+
+ If you do not configure policies through associated links, you need to analyze
+ all possible link situations and configure corresponding policies. If the
+ configuration is too loose, it may lead to security risks. If the configuration
+ is too strict, it may cause business interruption.lll
+
+

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml
new file mode 100644
index 0000000..9a95f50
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables default deny policy'
+
+description: |-
+ From a security perspective, the nftables basic chain is similar to
+ iptables. (Input, output, forward) you need to configure the rejection
+ policy for all packets, and then add the allow policy to the basic
+ chain to open related services and ports.
+
+ If the basic chain is not configured, or the hook rules of the basic
+ chain are not specified, the packet will not be captured by nftables,
+ and filtering will not be possible.
+
+
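Review bot: The title `'Configure nftables input strategy'` does not describe this rule, which is about accepting packets that belong to established connections; something like `title: 'Configure nftables connection-tracking (established/related) policy'` matches the description, and the same pasted title appears on the `nftables_output_policy_configured_corrently` hunk later in this commit, where it should say output. The description ends with stray characters, `business interruption.lll`. `rationale: |- none.` is used here and in the nftables input, loopback and output rules, the LD_LIBRARY_PATH, PATH, globally-writable, partition, nodev, nosuid and sudoers rules, although in each case the description already contains the sentence that states the risk (here: a too-loose policy creates exposure, a too-strict one breaks the service), which is what the rationale field is for.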

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ If the basic chain is not configured with a DROP or REJECT policy, the
+ packets will be ACCEPT by default, which may easily lead to security
+ risks due to omission of the rejection policy.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..a1fb377
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables input strategy'
+
+description: |-
+ The function of the input chain is to filter messages received from the
+ outside. Any externally provided service needs to configure the
+ corresponding input policy and open the relevant port so that external
+ clients can access the service through the port.
+
+ If not configured, since the default policy is configured as DROP, all
+ external packets trying to access related services will be dropped.
+
+

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..c71aabe
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables loopback policy'
+
+description: |-
+ The loopback address is a special address on the server, represented by 127.0.0.0/8. It
+ has nothing to do with the network card. It is mainly used for inter-process communication
+ on this machine. Packets with the source address 127.0.0.0/8 should not be received from
+ the network card. Such messages should be discarded. If the loopback address policy is
+ set incorrectly, inter-process communication on the local machine may fail, or spoofed
+ packets may be received from the network card.
+
+ The server needs to set a policy to allow receiving and processing the loopback address
+ packets of the lo interface, but reject the packets received from the network card.
+
+

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..b3a795f
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables input strategy'
+
+description: |-
+ There are two main situations when the server sends outbound messages. One
+ is when the host process actively connects to an external server, such as
+ http access, or sends outgoing data to a log server, etc. The other is when
+ the host process externally accesses local services and the local machine
+ responds arts.
+
+ If no output policy is configured, all outgoing packets from the server will
+ be discarded because the default policy is DROP.
+
+

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
new file mode 100644
index 0000000..ddc0939
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Verify nftables Enabled'
+
+description: '{{{ describe_service_enable(service="docker") }}}'
+
+rationale: |-
+ If multiple firewall services are enabled, business
+ interruption may occur due to inconsistent policy configurations.
+
+severity: low
+
+ocil: '{{{ ocil_service_enabled(service="nftables") }}}'
+
+platform: machine
+
+template:
+ name: service_enabled
+ vars:
+ servicename: nftables
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
new file mode 100644
index 0000000..b5a1142
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
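Review bot: `describe_service_enable(service="docker")` in the `service_nftables_enabled` hunk names the wrong service; the rendered description will instruct the reader to enable docker while the title, ocil and template all refer to nftables, so it should be `description: '{{{ describe_service_enable(service="nftables") }}}'`. The rationale beneath it argues that several firewall services must not run at once rather than for enabling nftables; if the intent is "exactly one firewall service", the description should say so and the profile should not also select a firewalld- or iptables-enabling rule. In the preceding output-policy hunk the fragment `responds arts.` looks like lost text; the iptables output rule earlier in this commit has `responds to the message`, which is presumably what was meant.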
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly'
+
+description: |-
+ LD_LIBRARY_PATH is a Linux environment variable. When a program loads a
+ dynamic link library, it will first obtain it from the path specified by
+ this environment variable. Normally, this environment variable should
+ not be set. If it is maliciously set to an incorrect value, the program
+ may be linked to an incorrect dynamic library when running, resulting in
+ security risks. Note: The configuration in /etc/ld.so.conf.d will also
+ affect dynamic library loading, so you need to ensure correct configuration.
+
+ openEuler does not set this variable by default. According to the actual
+ scenario, if LD_LIBRARY_PATH must be set, you need to ensure that the
+ value is correct in all user contexts.
+
+

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
new file mode 100644
index 0000000..68adae3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly'
+
+description: |-
+ The PATH variable under Linux defines the search path for executable files
+ in the current user context. For example, if the user uses the ls command
+ in any directory, the system will search for the ls command in the directory
+ specified by the PATH variable and execute it after finding it. The PATH
+ variable in all user contexts cannot contain the current directory "." .The
+ directory must be a path that actually exists in the file system and meets
+ the design expectations of the system. The correct PATH value can effectively
+ prevent system commands from being replaced by malicious instructions and
+ ensure that system commands can be executed safely.
+
+ So the PATH variable should be defined to the correct value, and the openEuler
+ system default setting is:
+
+ /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
+
+ PATH can be modified according to the actual scenario, but be sure to make sure
+ it is correct.
+
+

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml
new file mode 100644
index 0000000..e4fa75f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disallow globally writable files'
+
+description: |-
+ Globally writable means that all users can write to the file, but usually this
+ permission is not necessary. If a file is unreasonably set with globally writable
+ permissions, it can easily be tampered with by attackers, leading to security risks.
+ Therefore, if the file must have globally writable permissions, the security risks
+ need to be analyzed based on actual scenarios to ensure that attackers cannot use
+ this file to carry out attacks.
+
+ You can search for globally writable files in the root directory. The exceptions
+ are: There are a large number of globally writable files in the two system directories
+ "/sys" and "/proc" when Linux is running, so these two should be excluded when checking
+ directory to avoid confusion.
+
+
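Review bot: The title `'Make sure the LD_LIBRARY_PATH variable is defined correctly'` in the `define_path_strictly` hunk is pasted from the preceding LD_LIBRARY_PATH rule; this rule is about PATH, so something like `title: 'Make sure the PATH variable is defined strictly'` is needed. The description's `"." .The` has the period on the wrong side of the quote. Since the check is manual, the description should also tell the checker that an empty PATH element (a leading or trailing colon, or `::`) is treated by the shell as the current directory exactly like `.`, otherwise that case will be missed.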

It can not be scanned automatically, please check it manually.

+

Check globally writable files(directories "/sys" and "/proc" have been excluded).

+
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml
new file mode 100644
index 0000000..a80fe6a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Hard drive data should be managed in partitions'
+
+description: |-
+ When installing the operating system, the operating system data and business data
+ partitions should be managed according to the characteristics of the actual scenario
+ to avoid placing all data on one hard disk or partition. Proper planning of hard disk
+ partitions can avoid or reduce the following risks:
+
+ The log file is too large, causing the business or system data disk to become full;
+ The home directory of ordinary accounts is too large, causing the system or business disk to become full;
+ The system partition is not independent, causing the basic service of the operating system to fail when the disk is full, causing a full-scale DOS attack;
+ It is not conducive to minimizing permissions and encrypting data disks;
+ It is not conducive to system or data recovery after the disk is damaged.
+
+ As a general operating system, openEuler installs separate partitions "/boot, /tmp,
+ /home, /" by default. It is recommended to determine the partition mounting and size
+ of other directories based on the actual scenario.
+
+
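Review bot: The manual check as described will report every sticky-bit temporary directory (`/tmp`, `/var/tmp`, `/dev/shm`) as a finding, because those are world-writable by design; the description should say that world-writable directories carrying the sticky bit are expected and that the concern is regular files and non-sticky directories. Excluding `/sys` and `/proc` by path is reasonable, but `/dev` and other pseudo-filesystems produce the same noise, so telling the checker to limit the search to local, persistent filesystems is more robust than a path blacklist. The first paragraph of the description is the rationale and belongs in the `rationale:` field instead of `none.`.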

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml
new file mode 100644
index 0000000..86766f1
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml
@@ -0,0 +1,48 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Partitions that do not need to be mounted are mounted in nodev mode'
+
+description: |-
+ nodev means that device files are not allowed to be mounted, which is used
+ to reduce the attack surface and increase security. When the directory is
+ mounted, if the nodev option is set, all block devices, character devices
+ and other device files in the directory will be parsed into ordinary files
+ and cannot be operated on device files. If nodev is not set when mounting,
+ it will lead to security risks. For example, an attacker creates a file system
+ on the USB flash drive and creates a block device file in it (his own USB flash
+ drive, with corresponding permissions), and this block The device actually
+ points to the server hard disk or partition such as /dev/sda. If an attacker
+ has the opportunity to insert a USB flash drive into the server and the server
+ loads the USB flash drive, the attacker can access the corresponding file through
+ this block device file. Hard drive data. If the U disk in the above case is changed
+ to another hard disk or partition, a similar problem will exist. As long as there
+ is a maliciously constructed device file on the hard disk or partition, an attack
+ can be formed.
+
+ The following directories are mounted by nodev by default in the openEuler system:
+
+ /sys、/proc、/sys/kernel/security、/dev/shm、/run、/sys/fs/cgroup、/sys/fs/cgroup/systemd、
+ /sys/fs/pstore、/sys/fs/bpf、/sys/fs/cgroup/files、/sys/fs/cgroup/net_cls,net_prio、
+ /sys/fs/cgroup/devices、/sys/fs/cgroup/freezer、/sys/fs/cgroup/cpu,cpuacct、/sys/fs/cgroup/perf_event、
+ /sys/fs/cgroup/pids、/sys/fs/cgroup/hugetlb、/sys/fs/cgroup/memory、/sys/fs/cgroup/blkio、
+ /sys/fs/cgroup/cpuset、/sys/fs/cgroup/rdma、/sys/kernel/config、/sys/kernel/debug、/dev/mqueue、
+ /tmp、/run/user/0
+
+ openEuler has the following directories (some directories vary depending on hard disk partitions
+ and deployment platforms). These directories are not mounted by nodev by default:
+
+ /dev、/dev/pts、/、/sys/fs/selinux、/proc/sys/fs/binfmt_misc、/dev/hugepages、/boot、
+ /var/lib/nfs/rpc_pipefs、/boot/efi、/home
+
+ In actual scenarios, based on business needs, the nodev method is used to mount partitions
+ that do not require device mounting.
+
+

It can not be scanned automatically, please check it manually.

+
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml
new file mode 100644
index 0000000..21a7390
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ The data disk is only used to save data during system operation. There
+ is no need to execute relevant commands on the data disk. In this case,
+ the hard disk or partition must be mounted in noexec mode to improve security
+ and reduce the attack surface.
+
+
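Review bot: The opening sentence `nodev means that device files are not allowed to be mounted` misstates the option: `nodev` has nothing to do with mounting device files, it tells the kernel not to honour character or block special files that exist on that filesystem, which the following sentence already describes correctly. Suggested replacement: `nodev means that device special files present on the mounted filesystem are not treated as devices, which reduces the attack surface.` The title `Partitions that do not need to be mounted are mounted in nodev mode` is confusing for the same reason; `Partitions that do not need device files are mounted with nodev` matches the content. The USB example in the description states the risk well enough to serve as the rationale in place of `none.`.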

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ If the hard disk or partition is mounted in noexec mode, the executable
+ file in the mount point directory cannot be run directly.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml
new file mode 100644
index 0000000..ddbe5c6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure partitions that do not require SUID/SGID are mounted in nosuid mode'
+
+description: |-
+ After the SUID bit is set on an executable file, even if the user executing the file
+ is not the owner of the file, the process will be temporarily granted the permissions
+ of the file owner during execution. For example, the ordinary user test executes a
+ program with permissions 755 and owner root. If the program does not set the SUID bit,
+ the process only has the permissions of the test user; if the SUID is set, the process
+ has root permissions during execution. . SGID has a similar function, but it only has
+ the permissions of the group to which the file belongs. For partitions that do not
+ need SUID/SGID, use the nosuid method to mount them. This can invalidate the S bit of
+ files with SUID/SGID in the partition, prevent privilege escalation through the
+ executable files of the partition, and strengthen the security of the partition.
+
+ Users need to plan each mounted hard drive and partition and set nosuid mounting items
+ based on actual scenarios.
+
+
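Review bot: The title `'Make sure to remove unnecessary file system mount support'` belongs to the `removed_unnecessary_file_mount_support` rule later in this commit and has been pasted into this `partitions_mounted_noexec_mode` hunk and into the `partitoin_mounted_noexec_or_nodev` hunk that follows; this one should be something like `title: 'Mount data partitions in noexec mode'`, and `partitoin` in that later directory name is a typo that will become the rule id. The rationale only restates what `noexec` does; the reason is the description's point that a data disk never needs to execute anything, so an attacker who can write to it gains no execution path. If this tree carries the upstream `mount_option` template, these mount-option rules can be generated per mount point and checked automatically rather than left as manual checks.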

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml b/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml
new file mode 100644
index 0000000..512d8c1
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ Removable devices themselves are uncertain, and their origin, past usage,
+ and transportation processes cannot guarantee absolute safety. Therefore,
+ removable devices are often the main host devices for virus transmission.
+ Therefore, for removable devices, it is required to mount them in noexec
+ or nodev mode to improve security and reduce the attack surface.
+
+ noexec can prevent files on removable devices from being directly executed,
+ such as virus files, attack scripts, etc.;
+
+ nodev prevents incorrect device files on removable devices from being linked
+ to real devices on the server, leading to attacks;
+
+ Common removable devices such as: CD/DVD/USB, etc.
+
+

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ If a removable device is mounted in noexec mode, the executable file
+ in the mount point directory cannot be run directly.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml b/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml
new file mode 100644
index 0000000..b54202f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Partitions that do not need to be modified are mounted read-only.'
+
+description: |-
+ Mounting file systems that do not require data modification in read-only mode can
+ avoid unintentional or malicious data tampering and reduce the attack surface.
+
+

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ Once the file system is mounted in read-only mode, files and directories cannot
+ be created, modified, or deleted. Users need to configure it according to the actual
+ scenario. This requirement can be ignored for file mounting necessary for the
+ operation of the operating system.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml
new file mode 100644
index 0000000..8c4eff8
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ The Linux system supports a variety of file systems, which are
+ loaded into the kernel through ko mode. As a general operating
+ system platform, openEuler will provide various file systems ko,
+ which are stored in the /lib/modules/(kernel version)/kernel/fs/
+ directory and can be loaded through the insmod/modprobe command.
+ Disabling mount support for unnecessary file systems can reduce
+ the attack surface and prevent attackers from attacking the system
+ by exploiting vulnerabilities in some uncommon file systems.
+
+ Users should determine which file systems do not need to be supported
+ based on actual scenarios, and prohibit these file systems from being
+ mounted through configuration. These file systems usually include:
+
+ cramfs、freevxfs、jffs2、hfs、hfsplus、squashfs、udf、vfat、fat、msdos、nfs、ceph、fuse、overlay、xfs
+
+

It can not be scanned automatically, please check it manually.

+
+
+rationale: |-
+ The removed file system is no longer supported.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index cd07fd0..ce86997 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,openeuler2203
 title: 'Restrict usage of ptrace to descendant processes'
diff --git a/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml
new file mode 100644
index 0000000..cb8f534
--- /dev/null
+++ b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml
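Review bot: The list of file systems that "usually" should be disabled includes `vfat`, `xfs`, `nfs`, `fuse` and `overlay`; on a UEFI system `/boot/efi` is vfat (the nodev hunk earlier in this commit lists `/boot/efi` as a mounted path), and xfs is a common root filesystem on this platform, so an administrator who follows the list literally can make the machine unbootable or break container and NFS use. Either drop those entries or add a sentence that file systems backing `/`, `/boot/efi`, container storage or network mounts must be kept and only the remainder blacklisted through modprobe configuration. The rationale `The removed file system is no longer supported.` states the effect rather than the risk; the attack-surface sentence in the description is the rationale.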
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Avoid using programms labeled unconfined_service_t'
+
+description: |-
+ The purpose of SELinux setting the unconfined_service_t label
+ is to enable some third-party service processes that are not
+ configured with SELinux policies to run unfettered. By default,
+ when systemd runs a third-party application with the label bin_t
+ or usr_t (generally located in /usr/bin, /opt, etc. directories),
+ the generated process label is unconfined_service_t.
+
+ The difference from other high-privilege labels (such as unconfined_t,
+ initrc_t, etc.) is that unconfined_service_t has very few domain
+ conversion rules, which means that even if the process runs applications
+ that have been configured with SELinux policies, the label of the
+ new process will still be unconfined_service_t. The SELinux policy
+ configured for the process will not take effect. If it is attacked,
+ it will have a greater impact on the system.
+
+

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ Programs labeled unconfined_service_t are restricted from running.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/software/enabled_seccomp/rule.yml b/linux_os/guide/system/software/enabled_seccomp/rule.yml
new file mode 100644
index 0000000..3e68100
--- /dev/null
+++ b/linux_os/guide/system/software/enabled_seccomp/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'seccomp should be enabled'
+
+description: |-
+ seccomp (full name: secure computing mode), when it was first introduced into the
+ Linux kernel, limited the system calls available to the process to four types: read,
+ write, _exit, sigreturn. In the original whitelisting method, in addition to the
+ four system calls allowed by the open file descriptor, if other system calls are
+ attempted, the kernel will use SIGKILL or SIGSYS to terminate the process.
+
+ The whitelist method is too restrictive and has little practical effect. In practical
+ applications, more precise restrictions are needed. In order to solve this problem,
+ BPF was introduced. The combination of seccomp and BPF rules allows users to filter
+ system calls using configurable policies. The policy is implemented using Berkeley
+ Packet Filter rules, which can filter any system calls and their parameters.
+
+ The openEuler kernel already provides seccomp function support by default, and also
+ provides the libseccomp peripheral package to help user-mode programs conveniently
+ set seccomp rules.
+
+
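Review bot: `programms` in the title should be `programs`, and the rationale `Programs labeled unconfined_service_t are restricted from running.` reads as the expected result of the check rather than the reason for it. The description's last sentences (the configured SELinux policy never takes effect for such a process, so a compromise of it has a larger blast radius) are the rationale and could simply be moved into the `rationale:` field.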

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ seccomp cannot set the opening, closing or rules globally, but is specific to each
+ process. That is, the process can set and enable seccomp by itself, which affects
+ itself and all child threads, but does not affect other processes.
+
+ If seccomp is enabled in a process, there will be a performance loss when making
+ system calls. Users need to determine whether the performance loss is acceptable
+ based on actual business scenarios.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index 787d897..6d9c09d 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,ol8,rhel8,openeuler2203
 title: 'Configure System Cryptography Policy'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
index f9835af..4fb6a78 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
@@ -7,6 +7,7 @@
 multi_platform_fedora multi_platform_ol multi_platform_rhel
+ multi_platform_openeuler
 The aide database must be initialized.
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml
new file mode 100644
index 0000000..d2e80fa
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'aide intrusion detection should be enabled'
+
+description: |-
+ aide (advanced intrusion detection environment) is an intrusion detection tool that
+ can be used to check the integrity of files and directories in the system and identify
+ files or directories that have been maliciously tampered with. The principle of the
+ integrity check is to first construct a baseline database, which contains some attributes
+ of the file or directory such as permissions, users, etc. When performing the integrity
+ check, the current system status is compared with the baseline database to obtain the
+ check results. Finally, the file or directory changes of the current system are reported,
+ that is, the inspection report.
+
+ Enabling aide intrusion detection can effectively identify malicious tampering with files
+ or directories, thereby improving system integrity and security. The files or directories
+ that need to be checked can be configured as needed, which is highly flexible. Users only
+ need to query the check report to determine whether there is malicious tampering.
+
+

It can not be scanned automatically, please check it manually.

+
+rationale: |-
+ The more files that need to be checked, the longer the checking process will take. If users
+ enable aide, they should configure the inspection strategy appropriately based on their own
+ business scenarios.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
new file mode 100644
index 0000000..426be91
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
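Review bot: `enable_aide_detection` is a manual check for a condition that the automated aide rules already in this directory cover (the `aide_build_database` OVAL is extended to openEuler on the same line of this commit), so it is unclear what a checker is supposed to verify beyond what those rules report; either select the existing rules in the profile instead, or make the description say what this rule additionally requires, for example a scheduled run and review of the report. The rationale is a caveat about check duration rather than a reason; the sentence `Enabling aide intrusion detection can effectively identify malicious tampering with files or directories` from the description is the rationale and could be moved there.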
@@ -0,0 +1,47 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'IMA metrics should be enabled' + +description: |- + IMA (Integrity Measurement Architecture) is an integrity protection function provided + by the kernel. When IMA is turned on, it can provide integrity measurements for + important files in the system based on user-defined policies. The measurement results + can be used locally and remotely. Proof of integrity. + + When the IMA measurement function is not enabled in the system, summary information + of key files cannot be recorded in real time, and tampering with file contents or + attributes cannot be identified. Functions such as local attestation and remote + attestation that protect system integrity rely on the summary value provided by IMA + metrics, so they cannot be used, or the integrity protection is incomplete. + + IMA global policy configuration is related to the specific environment. Normally, + integrity protection is only targeted at immutable files (such as executable files, + dynamic libraries, etc.). If the policy is improperly configured, it may lead to + excessive performance and memory overhead. It is recommended that users use their + own The situation determines whether to enable IMA and configure the correct policy. + + Note: Since IMA is only the measurement part of the global integrity protection + mechanism, complete use requires TPM 2.0 and remote attestation services. This + specification only explains and recommends the measurement part of IMA. If the + system does not integrate TPM 2.0 and remote attestation services, the IMA measurement + function should not be enabled. + + IMA measurement does not support container environments and virtual machine + environments, requires UEFI startup, and does not support Legacy mode. + +

It can not be scanned automatically, please check it manually.

+ +rationale: |- + Turning on IMA metrics will cause a slight increase in system startup time and file + access time. + If the policy is improperly configured (such as measuring real-time changing log files, + temporary files, etc.), the measurement log may grow too fast and occupy too much system + memory, and the memory occupied by the measurement log will not be released before the + next restart of the system. , thus affecting the normal operation of the business. In + addition, because the measured files are constantly changing, the measurement value changes, + and the remote certification baseline value cannot be updated synchronously, causing the + remote certification to fail and losing the meaning of integrity protection. + +severity: low \ No newline at end of file diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml new file mode 100644 index 0000000..788eab7 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml @@ -0,0 +1,18 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Make sure sudoers cannot configure scripts writable by low-privileged users' + +description: |- + sudo can enable the set ordinary user to execute certain specific programs with root privileges, + and the corresponding configuration file is /etc/sudoers. Administrator users can configure + corresponding rules to make certain scripts or binary files run with root permissions. Therefore, + the scripts configured by sudo should only be writable by root. Scripts that can be written by + low-privilege users cannot be configured. If low-privilege users are configured, they can be written + by root. script, the user can perform privilege escalation operations by modifying the script. + +rationale: |- + none. + +severity: high \ No newline at end of file 
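Review bot: The title `'IMA metrics should be enabled'` and the unconditional rule contradict the description's own note that IMA measurement should not be enabled on systems without TPM 2.0 and a remote attestation service, so a reader applying the profile by title gets the opposite of the stated advice; a title such as `'IMA measurement should be enabled where TPM 2.0 and remote attestation are available'` and a matching sentence at the top of the description would line the two up. Several sentences read as uncorrected machine translation ("It is recommended that users use their own The situation determines", "restart of the system. , thus affecting"), and `metrics` is used where the text elsewhere says `measurement`; tidy these before the rule reaches the rendered guide. The rationale again lists side effects (startup time, measurement-log growth) rather than the protection gained; the description's sentence about recording summary values of key files in real time is the rationale and belongs there.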
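Review bot: `rationale: |- none.` leaves the most security-relevant field of sudoers_disable_low_privileged_configure empty while the description ends in a garbled sentence ("If low-privilege users are configured, they can be written by root. script, ..."); a rationale such as `A sudo rule that runs a script writable by a non-root user as root lets that user change the script body and so run arbitrary commands as root.` plus a rewrite of that last sentence would make the rule self-explanatory. Unlike the other manual rules in this patch, the description carries no "It can not be scanned automatically, please check it manually." note, and no check content for this rule is visible in the patch, so unless a check exists elsewhere the selection in standard.profile will report notchecked; either add the note or an OVAL/SCE check that verifies the commands named in /etc/sudoers are not writable by non-root users.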
diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml new file mode 100644 index 0000000..ea4e9cf --- /dev/null +++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml @@ -0,0 +1,25 @@ + + + + Disable use of SysRq key + + multi_platform_openeuler + + Disable SysRq. + + + + + + + + + + /proc/sys/kernel/sysrq + 0 + 1 + + \ No newline at end of file diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml new file mode 100644 index 0000000..ce7e977 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml @@ -0,0 +1,20 @@ + +prodtype: openeuler2203 + +title: 'Disable use of SysRq key' + +description: |- + + SysRq allows users with physical access to access dangerous system-level commands + in the computer, and the use of SysRq functions needs to be restricted. + + If the SysRq key is not disabled, the SysRq call can be triggered through the + keyboard, which may cause commands to be sent directly to the kernel, affecting + the system. + + openEuler prohibits the use of SysRq keys by default. + +rationale: |- + SysRq related commands cannot be used in the system. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml new file mode 100644 index 0000000..c537c20 --- /dev/null +++ b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml 
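Review bot: The disabled_SysRq check, as far as its text survives here, reads only `/proc/sys/kernel/sysrq`, i.e. the live kernel value, and no sysctl configuration path appears alongside it; a system whose /etc/sysctl.conf or sysctl.d re-enables SysRq at boot would pass until the next reboot, and one fixed only in the configuration would fail until then. The other sysctl rules selected in this patch's profile hunk (sysctl_kernel_yama_ptrace_scope, for example) appear to come from the sysctl template, which checks both the running value and the persistent configuration; expressing this rule through the same template would close the gap and remove the hand-written OVAL. The tag-stripped rendering makes the exact test/object structure uncertain, so confirm against the committed XML.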
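Review bot: disabled_SysRq/rule.yml begins with a blank line and `prodtype:` and lacks the `documentation_complete: true` key that every other rule.yml in this patch starts with; if the build treats a missing key as incomplete, the rule is silently dropped from standard.profile despite being selected there, so add `documentation_complete: true` as the first line. The rationale `SysRq related commands cannot be used in the system.` states the result of the setting rather than the reason for it; `Without the key disabled, anyone with physical keyboard access can send commands directly to the kernel without authenticating.` matches what the description already explains. The stray empty line directly after `description: |-` is harmless but inconsistent with the other rules.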
@@ -0,0 +1,23 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Make sure to remove unnecessary file system mount support' + +description: |- + If the business environment contains debugging scripts and tools, they can + easily be exploited and attacked by attackers. Therefore, it is strictly + prohibited to install various debugging tools and files in the production + environment, including but not limited to: code debugging tools, privilege + escalation commands, scripts, and tools used for debugging functions, certificates, + and keys used in the debugging phase. Perf tools, point management and piling + tools for performance testing, attack scripts and tool scripts for verifying + security issues such as CVE, etc. Common open source third-party debugging tools + include: strace, gdb, readelf, perf, etc. + +

It can not be scanned automatically, please check it manually.

+ +rationale: |- + none. + +severity: high \ No newline at end of file diff --git a/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml new file mode 100644 index 0000000..f3bfd27 --- /dev/null +++ b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml @@ -0,0 +1,26 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Make sure to remove unnecessary file system mount support' + +description: |- + If the business environment contains compilation tools, they can + easily be used by attackers to edit, tamper with, and reverse analyze + key files in the environment to carry out attacks. Therefore, it is + strictly prohibited to install various compilation, decompilation, + and binary analysis tools in the production environment, including + but not limited to: compilation tools, decompilation tools, compilation + environments, etc. Common third-party development and compilation tools + include: gcc, cpp, mcpp, flex, cmake, make, rpm-build, ld, ar, etc. + + If the business environment relies on interpreters such as python, lua, + and perl during deployment or operation, the interpreter running + environment can be retained. + +
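Review bot: The title `'Make sure to remove unnecessary file system mount support'` is copied from the file-mount rule and does not describe uninstall_debugging_tools; the same wrong title is repeated in the uninstall_development_and_compliation_tools hunk that follows. Suggested replacements: `title: 'Make sure debugging tools are not installed'` here and `title: 'Make sure development and compilation tools are not installed'` there. Both rules also leave `rationale: none.`; the first sentence of each description (tools attackers can exploit / tools that ease tampering with and reverse-analysing key files) is the rationale and can move there. The directory name `uninstall_development_and_compliation_tools` carries a typo that standard.profile now repeats; rule IDs are referenced by directory name, so this is cheapest to correct before the rule lands.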

It can not be scanned automatically, please check it manually.

+ +rationale: |- + none. + +severity: high \ No newline at end of file diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile index de6890c..543712a 100644 --- a/openeuler2203/profiles/standard.profile +++ b/openeuler2203/profiles/standard.profile 
@@ -164,3 +164,96 @@ selections:
 - file_permissions_unauthorized_world_writable
 - file_permissions_unauthorized_suid
 - file_permissions_unauthorized_sgid
+ - network_sniffing_tools
+ - service_rsyncd_disabled
+ - package_openldap-clients_removed
+ - no_forward_files
+ - sshd_configure_correct_interface
+ - sshd_concurrent_unauthenticated_connections
+ - sshd_configure_concurrent_sessions
+ - sshd_disable_x11_forwarding
+ - sshd_configure_correct_LoginGraceTime
+ - sshd_disable_AllowTcpForwardindg
+ - sshd_prohibit_preset_authorized_keys
+ - network_interface_binding_corrently
+ - iptables_loopback_policy_configured_corrently
+ - iptables_input_policy_configured_corrently
+ - iptables_output_policy_configured_corrently
+ - iptables_association_policy_configured_corrently
+ - service_nftables_enabled
+ - nftables_configure_default_deny_policy
+ - nftables_loopback_policy_configured_corrently
+ - nftables_input_policy_configured_corrently
+ - nftables_output_policy_configured_corrently
+ - nftables_association_policy_configured_corrently
+ - sudoers_disable_low_privileged_configure
+ - no_files_globally_writable_files
+ - removed_unnecessary_file_mount_support
+ - read_only_partitions_no_modified
+ - partitions_mounted_nodev_mode
+ - partitions_mounted_noexec_mode
+ - partitoin_mounted_noexec_or_nodev
+ - partitions_mounted_nosuid_mode
+ - audit_privilege_escalation_command
+ - audit_rule_admin_privilege
+ - recorded_authentication_related_event
+ - rsyslog_files_permissions
+ - uninstall_debugging_tools
+ - uninstall_development_and_compliation_tools
+ - package_xorg-x11-server-common_removed
+ - package_httpd_removed
+ - service_smb_disabled
+ - service_named_disabled
+ - service_nfs-server_disabled
+ - service_rpcbind_disabled
+ - service_dhcpd_disabled
+ - configure_first_logging_change_password
+ - sshd_disable_root_login
+ - diasable_root_accessing_system
+ - wireless_disable_interfaces
+ - sshd_enable_warning_banner
+ - disabled_SysRq
+ - sysctl_kernel_yama_ptrace_scope
+ - disabled_unconfined_service_t_programs
+ - enabled_seccomp
+ - define_ld_lib_path_correctly
+ - define_path_strictly
+ - grub2_audit_argument
+ - grub2_audit_backlog_limit_argument
+ - audit_rules_immutable
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_space_left
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_admin_space_left
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_disk_error_action
+ - auditd_data_disk_full_action
+ - audit_rules_sysadmin_actions
+ - audit_rules_session_events
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - audit_rules_mac_modification
+ - audit_rules_networkconfig_modification
+ - audit_rules_successful_file_modification
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_media_export
+ - configure_service_logging
+ - configure_dump_journald_log
+ - configure_rsyslog_log_rotate
+ - rsyslog_remote_loghost
+ - rsyslog_accept_remote_messages_tcp
+ - rsyslog_accept_remote_messages_udp
+ - enable_aide_detection
+ - service_haveged_enabled
+ - configure_crypto_policy
-- 2.42.0.windows.2
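Review bot: The new selections bake in misspelled rule IDs that mirror misspelled directory names (`network_interface_binding_corrently` and the iptables/nftables `_corrently` rules, `partitoin_mounted_noexec_or_nodev`, `sshd_disable_AllowTcpForwardindg`, `diasable_root_accessing_system`, `uninstall_development_and_compliation_tools`); because a profile references a rule by its directory name, any later spelling fix has to touch the rule directory and every profile that selects it together, so correct them in this commit while only one profile does. Several of the selected rules are described in this patch as manual-only (`enable_aide_detection`, `uninstall_debugging_tools`, `uninstall_development_and_compliation_tools`), so a scan of this profile will report them as notchecked; if that is intended, a short comment above those entries saying so would save the next reader a search.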