scap-security-guide/add-80-rules-for-openeuler.patch
2023-11-17 17:29:27 +08:00



From 941e961d84f0c1610134b367364a0f66b82cc9f9 Mon Sep 17 00:00:00 2001
From: qsw333 <wangqingsan@huawei.com>
Date: Thu, 16 Nov 2023 13:50:38 +0800
Subject: [PATCH] second
---
.../base/service_haveged_enabled/rule.yml | 31 +++++++
.../service_dhcpd_disabled/rule.yml | 2 +-
.../service_named_disabled/rule.yml | 2 +-
.../package_httpd_removed/rule.yml | 2 +-
.../package_openldap-clients_removed/rule.yml | 23 +++++
.../service_rpcbind_disabled/rule.yml | 2 +-
.../service_nfs-server_disabled/rule.yml | 33 +++++++
linux_os/guide/services/rsync/group.yml | 9 ++
.../rsync/service_rsyncd_disabled/rule.yml | 20 ++++
.../service_smb_disabled/rule.yml | 2 +-
.../oval/shared.xml | 25 +++++
.../rule.yml | 16 ++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 19 ++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 18 ++++
.../oval/shared.xml | 25 +++++
.../sshd_configure_correct_interface/rule.yml | 18 ++++
.../oval/shared.xml | 25 +++++
.../sshd_disable_AllowTcpForwardindg/rule.yml | 18 ++++
.../oval/shared.xml | 25 +++++
.../sshd_disable_x11_forwarding/rule.yml | 16 ++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 18 ++++
.../uninstall_software_service/group.yml | 5 +
.../network_sniffing_tools/rule.yml | 24 +++++
.../rule.yml | 2 +-
.../no_forward_files/oval/shared.xml | 20 ++++
.../no_forward_files/rule.yml | 17 ++++
.../rule.yml | 27 ++++++
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 25 +++++
.../oval/shared.xml | 25 +++++
.../audit_rule_admin_privilege/rule.yml | 27 ++++++
.../oval/shared.xml | 25 +++++
.../rule.yml | 56 +++++++++++
.../auditd_data_retention_space_left/rule.yml | 2 +-
.../auditing/grub2_audit_argument/rule.yml | 2 +-
.../rule.yml | 2 +-
.../oval/shared.xml | 25 +++++
.../configure_dump_journald_log/rule.yml | 22 +++++
.../rule.yml | 19 ++++
.../configure_rsyslog_log_rotate/rule.yml | 45 +++++++++
.../configure_service_logging/rule.yml | 21 +++++
.../diasable_root_accessing_system/rule.yml | 35 +++++++
.../rsyslog_files_permissions/oval/shared.xml | 1 +
.../oval/shared.xml | 25 +++++
.../rule.yml | 24 +++++
.../rsyslog_remote_loghost/oval/shared.xml | 1 +
.../rule.yml | 28 ++++++
.../rule.yml | 36 +++++++
.../rule.yml | 27 ++++++
.../rule.yml | 36 +++++++
.../rule.yml | 28 ++++++
.../wireless_disable_interfaces/rule.yml | 2 +-
.../rule.yml | 26 ++++++
.../system/network/network_nftables/group.yml | 12 +++
.../rule.yml | 32 +++++++
.../rule.yml | 24 +++++
.../rule.yml | 21 +++++
.../rule.yml | 23 +++++
.../rule.yml | 22 +++++
.../service_nftables_enabled/rule.yml | 22 +++++
.../define_ld_lib_path_correctly/rule.yml | 25 +++++
.../files/define_path_strictly/rule.yml | 31 +++++++
.../no_files_globally_writable_files/rule.yml | 34 +++++++
.../rule.yml | 28 ++++++
.../partitions_mounted_nodev_mode/rule.yml | 48 ++++++++++
.../partitions_mounted_noexec_mode/rule.yml | 19 ++++
.../partitions_mounted_nosuid_mode/rule.yml | 27 ++++++
.../rule.yml | 28 ++++++
.../read_only_partitions_no_modified/rule.yml | 19 ++++
.../rule.yml | 29 ++++++
.../sysctl_kernel_yama_ptrace_scope/rule.yml | 2 +-
.../rule.yml | 28 ++++++
.../system/software/enabled_seccomp/rule.yml | 35 +++++++
.../crypto/configure_crypto_policy/rule.yml | 2 +-
.../aide/aide_build_database/oval/shared.xml | 1 +
.../aide/enable_aide_detection/rule.yml | 29 ++++++
.../ima_verification/rule.yml | 47 ++++++++++
.../rule.yml | 18 ++++
.../disabled_SysRq/oval/shared.xml | 25 +++++
.../system-tools/disabled_SysRq/rule.yml | 20 ++++
.../uninstall_debugging_tools/rule.yml | 23 +++++
.../rule.yml | 26 ++++++
openeuler2203/profiles/standard.profile | 93 +++++++++++++++++++
89 files changed, 1869 insertions(+), 16 deletions(-)
create mode 100644 linux_os/guide/services/base/service_haveged_enabled/rule.yml
create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
create mode 100644 linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml
create mode 100644 linux_os/guide/services/rsync/group.yml
create mode 100644 linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml
create mode 100644 linux_os/guide/services/uninstall_software_service/group.yml
create mode 100644 linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml
create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml
create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
create mode 100644 linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml
create mode 100644 linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
create mode 100644 linux_os/guide/system/logging/configure_service_logging/rule.yml
create mode 100644 linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml
create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml
create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml
create mode 100644 linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml
create mode 100644 linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_interface_binding_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/group.yml
create mode 100644 linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml
create mode 100644 linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml
create mode 100644 linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml
create mode 100644 linux_os/guide/system/software/enabled_seccomp/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml
create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml
create mode 100644 linux_os/guide/system/software/uninstall_debugging_tools/rule.yml
create mode 100644 linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml
diff --git a/linux_os/guide/services/base/service_haveged_enabled/rule.yml b/linux_os/guide/services/base/service_haveged_enabled/rule.yml
new file mode 100644
index 0000000..a2e373a
--- /dev/null
+++ b/linux_os/guide/services/base/service_haveged_enabled/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Enable haveged service'
+
+description: |-
+ The haveged service provides an easy-to-use, unpredictable random number
+ generator. The generated random numbers are used to supplement the system
+ entropy pool, which can solve the problem of low system entropy in some
+ cases. It is recommended to enable this service in scenarios where encryption,
+ decryption or key generation is required (such as using openssl and gnutls).
+
+ If the haveged service is not turned on, when the process that needs to
+ generate strong pseudo-random numbers gets values from /dev/random, it will
+ be stuck in waiting because it cannot get enough values, and will not return
+ until new random bytes are obtained.
+
+severity: low
+
+rationale: |-
+ none.
+
+ocil: '{{{ ocil_service_disabled(service="haveged") }}}'
+
+platform: machine
+
+template:
+ name: service_enabled
+ vars:
+ servicename: haveged
\ No newline at end of file
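Review bot: The `ocil` line calls `ocil_service_disabled` for a rule whose template is `service_enabled`, so the manual-check text will instruct auditors to verify that haveged is disabled while the automated check requires it to be running; it should read `ocil: '{{{ ocil_service_enabled(service="haveged") }}}'`. `rationale: none.` leaves the rule without a justification even though the description already contains one — the paragraph about processes blocking on `/dev/random` belongs under `rationale`, with `description` limited to what the service does. The file is also missing its trailing newline.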
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
index efe3519..4d41613 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
title: 'Disable DHCP Service'
diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
index 62c1bf0..7add584 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
title: 'Disable named Service'
diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
index b9a6437..8156243 100644
--- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
title: 'Uninstall httpd Package'
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
new file mode 100644
index 0000000..717c04b
--- /dev/null
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Remove LDAP Client'
+
+description: |-
+ LDAP (Lightweight Directory Access Protocol) is a lightweight directory
+ access protocol that provides access control and maintains distributed
+ directory information.
+
+rationale: |-
+ Providing an LDAP client (<tt>openldap-clients</tt>) in the system can cause
+ waste of system resources and expand the scope of attacks. If the business
+ scenario does not require the use of LDAP services, it is prohibited to
+ install the LDAP client.
+
+severity: high
+
+template:
+ name: package_removed
+ vars:
+ pkgname: openldap-clients
\ No newline at end of file
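Review bot: The rule defines no `ocil` or `ocil_clause`, unlike the nfs-server rule later in this patch, so the rendered guide has no manual-check text for this package; adding `ocil_clause: 'the package is installed'` and `ocil: '{{{ ocil_package(package="openldap-clients") }}}'` would match the pattern used by other package_removed rules. The rationale's "it is prohibited to install the LDAP client" reads as a policy statement rather than a reason; "the LDAP client should not be installed" is closer to the register of the surrounding rules. Whether `severity: high` is appropriate for an unused client library is worth a second look, given that the haveged and nfs-server rules in the same patch are `low`.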
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
index 902117f..9bd2182 100644
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
title: 'Disable rpcbind Service'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml
new file mode 100644
index 0000000..32a4889
--- /dev/null
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+prodtype: fedora,rhel6,rhel7,rhel8,openeuler2203
+
+title: 'Disable Network File System (nfs) Service'
+
+description: |-
+ Network File System (NFS) is one of the oldest and most widely distributed
+ file systems in UNIX environments. It provides the system with the ability
+ to mount other servers' file systems over the network. If the system does
+ not export NFS shares, it is recommended to disable NFS to reduce the remote
+ attack surface..
+ {{{ describe_service_disable(service="nfs-server") }}}
+
+rationale: |-
+ 'Disabling NFS affects services and applications on the system that rely on NFS,
+ as well as existing NFS mount points. Before disabling NFS, you should make sure
+ you understand the usage on your system and consider whether there are alternatives
+ to meet your file sharing and data access needs.'
+
+severity: low
+
+ocil_clause: 'it does not'
+
+ocil: '{{{ ocil_service_disabled(service="nfs") }}}'
+
+platform: machine
+
+template:
+ name: service_disabled
+ vars:
+ servicename: nfs-server
+ packagename: nfs-utils
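Review bot: `ocil` names the service `nfs` while the template's `servicename` is `nfs-server`, so the manual-check text and the automated check refer to different units; use `ocil: '{{{ ocil_service_disabled(service="nfs-server") }}}'`. The `rationale` block scalar is wrapped in single quotes, which in a `|-` literal block become part of the rendered text rather than YAML quoting — drop them — and `attack surface..` has a doubled period. The rationale as written describes the impact of disabling NFS rather than the reason to disable it; the remote-attack-surface sentence currently in the description is the actual rationale and could move there.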
diff --git a/linux_os/guide/services/rsync/group.yml b/linux_os/guide/services/rsync/group.yml
new file mode 100644
index 0000000..0482394
--- /dev/null
+++ b/linux_os/guide/services/rsync/group.yml
@@ -0,0 +1,9 @@
+documentation_complete: true
+
+title: 'Rsync Server'
+
+description: |-
+ The rsync service can be used to synchronize data between
+ servers or between different Disk partitioning on the server,
+ but because rsync uses an unencrypted transmission protocol,
+ there is a risk of information disclosure.
\ No newline at end of file
diff --git a/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml
new file mode 100644
index 0000000..5afaa7c
--- /dev/null
+++ b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable Rsync Server Software'
+
+description: '{{{ describe_service_disable(service="rsync-daemon") }}}'
+
+rationale: |-
+ If the rsync service is enabled and data is transmitted between
+ different servers through the network, attackers can steal data
+ by listening to server ports, routers, and switch data packets.
+
+severity: high
+
+template:
+ name: service_disabled
+ vars:
+ servicename: rsyncd
+ packagename: rsync
\ No newline at end of file
diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
index aec5800..c13311f 100644
--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7,rhel8,openeuler2203
title: 'Disable Samba'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
new file mode 100644
index 0000000..e6c1a0e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_concurrent_unauthenticated_connections" version="1">
+ <metadata>
+ <title>SSH concurrent unauthenticated connections should be configured correctly</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure the specified IP address for SSH connection.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH configure correctly concurrent unauthenticated connections"
+ test_ref="test_sshd_configure_concurrent_unauthenticated_connections" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH configure correctly concurrent unauthenticated connections"
+ id="test_sshd_configure_concurrent_unauthenticated_connections" version="1">
+ <ind:object object_ref="obj_test_sshd_configure_concurrent_unauthenticated_connections" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_configure_concurrent_unauthenticated_connections" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^maxstartups\s+\d+:\d+:\d+$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml
new file mode 100644
index 0000000..60d2ccd
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'SSH concurrent unauthenticated connections should be configured correctly'
+
+description: |-
+ Attackers can consume system resources by establishing a large number of
+ concurrent connections with incomplete authentication without knowing the
+ password.
+
+rationale: |-
+ The MaxStartups setting specifies the maximum number of concurrent unauthenticated
+ connections to the SSH daemon.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml
new file mode 100644
index 0000000..d30df39
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_configure_correct_sessions" version="1">
+ <metadata>
+ <title>The allowed number of concurrent sessions for a single SSH connection should be configured correctly</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure the allowed number of concurrent sessions.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH configure the allowed number of concurrent sessions"
+ test_ref="test_sshd_configure_concurrent_sessions" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH configure the allowed number of concurrent sessions"
+ id="test_sshd_configure_concurrent_sessions" version="1">
+ <ind:object object_ref="obj_test_sshd_configure_concurrent_sessions" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_configure_concurrent_sessions" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^MaxSessions\s+\d+$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml
new file mode 100644
index 0000000..2517850
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'The allowed number of concurrent sessions for a single SSH connection should be configured correctly'
+
+description: |-
+ SSH allows clients that support multiplexing to establish multiple sessions
+ based on a single network connection. MaxSessions limits the number of SSH
+ concurrent sessions allowed for each network connection, which can prevent
+ system resources from being unlimited occupied by a single or a few connections,
+ leading to denial of service attacks.
+
+rationale: |-
+ Setting MaxSessions to 1 will disable session multiplexing, meaning that only
+ one session is allowed for a connection, while setting it to 0 will block all
+ connected sessions.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
new file mode 100644
index 0000000..fb79aff
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_configure_correct_LoginGraceTime" version="1">
+ <metadata>
+ <title>LoginGraceTime should be configured correctly</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure the LoginGraceTime for SSH connection.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH configure correctly LoginGraceTime"
+ test_ref="test_sshd_configure_correct_LoginGraceTime" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH configure correctly LoginGraceTime"
+ id="test_sshd_configure_correct_LoginGraceTime" version="1">
+ <ind:object object_ref="obj_test_sshd_configure_correct_LoginGraceTime" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_configure_correct_LoginGraceTime" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^LoginGraceTime\s+\d+$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml
new file mode 100644
index 0000000..2c97751
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'LoginGraceTime should be configured correctly'
+
+description: |-
+ LoginGraceTime is used to limit the user's login time. If the user
+ fails to complete the login action within the time limit specified
+ by LoginGraceTime, the connection will be automatically disconnected.
+
+rationale: |-
+ It is recommended to set this value to less than or equal to 60 seconds.
+ If the value is set too high, attackers can utilize a large number of
+ incomplete login actions to consume server resources, resulting in normal
+ administrator login failures.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml
new file mode 100644
index 0000000..47510c8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_configure_correct_interface" version="1">
+ <metadata>
+ <title>SSH service interface should be configured correctly</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure the specified IP address for SSH connection.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH configure correctly interface"
+ test_ref="test_sshd_configure_interface" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH configure correctly interface"
+ id="test_sshd_configure_interface" version="1">
+ <ind:object object_ref="obj_test_sshd_configure_interface" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_configure_interface" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^ListenAddress\s+((?:\d{1,3}\.){3}\d{1,3})$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml
new file mode 100644
index 0000000..0e1cb5c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'SSH service interface should be configured correctly'
+
+description: |-
+ Generally, the server has multiple network cards and multiple
+ IP addresses. IP addresses should be planned for business and
+ management. Therefore, not every IP address needs to listen for
+ SSH connections. You can configure to limit SSH connections to
+ only specified IP addresses to reduce the attack surface.
+
+rationale: |-
+ Unconfigured IP addresses cannot connect to the server through SSH.
+ It is recommended to plan and configure according to the actual situation.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml
new file mode 100644
index 0000000..9146f4c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_disable_AllowTcpForwardindg" version="1">
+ <metadata>
+ <title>Does not allow the use of AllowTcpForwarding</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Sshd does not allow the use of AllowTcpForwarding.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH prohibits the use of AllowTcpForwarding"
+ test_ref="test_sshd_disable_AllowTcpForwarding" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH prohibits the use of AllowTcpForwarding"
+ id="test_sshd_disable_AllowTcpForwarding" version="1">
+ <ind:object object_ref="obj_test_sshd_disable_AllowTcpForwarding" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_disable_AllowTcpForwarding" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^AllowTcpForwarding\s+no$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml
new file mode 100644
index 0000000..1cdfb4e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Does not allow the use of AllowTcpForwarding'
+
+description: |-
+ AllowTcpForwarding allows the SSH server to act as a proxy to forward TCP requests from
+ clients, similar to establishing an SSH tunnel between the server and the client. This
+ feature may cause the client to attack other servers from the external network through
+ the SSH channel.
+
+rationale: |-
+ If AllowTcpForwarding is configured as yes, attackers can bypass firewall monitoring on
+ the client through the SSH channel and send attack commands to the intranet server where
+ the SSH server is located, thereby attacking it. So AllowTcpForwarding must be closed.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
new file mode 100644
index 0000000..5f4d777
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_disable_x11_forwarding" version="1">
+ <metadata>
+ <title>Does not allow the use of X11 Forwarding</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Sshd does not allow the use of X11 Forwarding.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH prohibits the use of X11 Forwarding"
+ test_ref="test_sshd_disable_X11_forwarding" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH prohibits the use of X11 Forwarding"
+ id="test_sshd_disable_X11_forwarding" version="1">
+ <ind:object object_ref="obj_test_sshd_disable_X11_forwarding" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_disable_X11_forwarding" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^X11Forwarding\s+no$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
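Review bot: The pattern `^X11Forwarding\s+no$` on the object only matches a directive at column 0, in exact case, with nothing after `no`, so an indented line, `x11forwarding no`, a trailing space or comment, or a value kept in a drop-in under `/etc/ssh/sshd_config.d/` (if the shipped OpenSSH honours `Include`) all fail the check although sshd accepts them; conversely, an `X11Forwarding yes` line earlier in the file, which sshd uses because the first obtained value wins, does not fail it as long as a `no` line exists anywhere. A more forgiving anchor such as `^[\s]*X11Forwarding[\s]+no[\s]*$` would reduce the false failures, and the "first value wins" case needs either a negated test for `^[\s]*X11Forwarding[\s]+yes` or the project's sshd lineinfile template. The same applies to the AllowTcpForwarding object in the previous file, whose pattern is built the same way.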
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
new file mode 100644
index 0000000..bc5f1fe
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Does not allow the use of X11 Forwarding'
+
+description: |-
+ The X11 Forwarding feature of SSH allows for the execution of GUI programs for remote
+ hosts on the local host. If not required in the business scenario, this feature must
+ be disabled.
+
+rationale: |-
+ Enabling the X11 Forwarding function expands the scope of attacks and poses a possibility
+ of being attacked by other users on the X11 server.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
new file mode 100644
index 0000000..3edae48
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="sshd_prohibit_preset_authorized_keys" version="1">
+ <metadata>
+ <title>Prohibit SSH service pre setting authorized_Keys</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>SSH service prohibits preset authorized_Keys.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SSH service prohibits preset authorized_Keys"
+ test_ref="test_sshd_prohibit_preset_authorized_keys" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSH service prohibits preset authorized_Keys"
+ id="test_sshd_prohibit_preset_authorized_keys" version="1">
+ <ind:object object_ref="obj_test_sshd_prohibit_preset_authorized_keys" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_sshd_prohibit_preset_authorized_keys" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^LoginGraceTime\s+\d+$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
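Review bot: The object pattern `^LoginGraceTime\s+\d+$` at the end of this file has nothing to do with preset `authorized_keys` files; as written the definition reports compliant whenever any `LoginGraceTime <n>` line exists in `/etc/ssh/sshd_config`, which looks like a copy-paste from a grace-time check. Whether a key file was "preset" by the image or legitimately provisioned cannot be told from its presence on disk, so either drop this OVAL and mark the rule manual as the other new rules in this patch do (`It can not be scanned automatically, please check it manually.`), or state the concrete condition being tested (for example no `authorized_keys` under `/root/.ssh` or `/home/*/.ssh` on a freshly installed image) and build a `unix:file_object` for it in the style of the `no_forward_files` check later in this patch.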
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml
new file mode 100644
index 0000000..1c139fa
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Prohibit SSH service pre setting authorized_Keys'
+
+description: |-
+ Authorized_ Keys is the public key of the remote host, which users can
+ store in their home directory $HOME/. ssh/authorized_ In the keys file,
+ for public key authentication, you can directly log in to the system.
+
+rationale: |-
+ If authorized is preset in the system_ Keys, and the server has enabled
+ the login method of public and private key authentication, allowing
+ attackers to bypass authentication and directly log in to the specified
+ system to attack it. So authorized cannot be preset in the system_ Keys.
+
+severity: high
\ No newline at end of file
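Review bot: The description and rationale text is garbled, apparently by a translation that split `authorized_keys` into words (`Authorized_ Keys`, `$HOME/. ssh/authorized_ In the keys file`, `authorized is preset in the system_ Keys`), and the file path as printed is not the real one. Suggested description: `The <tt>authorized_keys</tt> file lists the public keys permitted to log in to an account; sshd reads it from <tt>$HOME/.ssh/authorized_keys</tt> when public key authentication is enabled.` Suggested rationale: `If an <tt>authorized_keys</tt> file is shipped preset in the system and public key authentication is enabled, the holder of the matching private key can log in without any further authentication, so no preset <tt>authorized_keys</tt> may be present.` The title could read `Ensure No Preset authorized_keys Files Are Present`.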
diff --git a/linux_os/guide/services/uninstall_software_service/group.yml b/linux_os/guide/services/uninstall_software_service/group.yml
new file mode 100644
index 0000000..0a269ba
--- /dev/null
+++ b/linux_os/guide/services/uninstall_software_service/group.yml
@@ -0,0 +1,5 @@
+documentation_complete: true
+
+title: 'Do not install some software packages.'
+
+description: |-
\ No newline at end of file
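Review bot: `description: |-` at the end of the new group.yml has no content and the file ends without a newline, so the group is published with an empty description (and, depending on the YAML loader, may fail validation). One sentence is enough, e.g. `description: |-` followed by `    Rules in this group check that software which is not needed in a production environment is not installed.`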
diff --git a/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml
new file mode 100644
index 0000000..b41c210
--- /dev/null
+++ b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Uninstall network sniffing Package'
+
+description: |-
+ If the production environment contains network sniffing tools, attackers
+ can easily use these tools to conduct network analysis and assist network
+ attacks. Therefore, installation of various network sniffing and packet
+ capture analysis tools, such as tcpdump, ethereal, wireshark, etc., should
+ be prohibited in the production environment.
+
+ <p><tt>It can not be scanned automatically,please check it manually.</tt></p>
+ <p>check the network_sniffing_tools,such as wireshark,netcat,tcpdump,namp,ethereal:</p>
+ <ul>
+ <pre> rpm -qa | grep -iE "^(wireshark-|netcat-|tcpdump-|nmap-|ethereal-)"</pre>
+ </ul>
+
+rationale: |-
+ There is no need to install various network sniffing and packet capture
+ analysis tools in the production environment.
+
+severity: low
\ No newline at end of file
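Review bot: The description says the rule cannot be scanned automatically, yet the patch itself applies the package-removed pattern to other packages (see the `package_*_removed` rules touched in this patch), so the same mechanism could check each listed package instead of asking the auditor to run rpm by hand. The manual text has `namp` where `nmap` is meant, and `<ul>` directly containing `<pre>` is invalid HTML; keep the `<pre>` and drop the `<ul>`. If the manual check is kept, move the `rpm -qa` line into an `ocil` block with an `ocil_clause` such as `'a network sniffing package is installed'`, which is where the project expects it.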
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index 84a64db..625f15d 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhel6,rhel7,rhel8,rhv4
+prodtype: fedora,rhel6,rhel7,rhel8,rhv4,openeuler2203
title: 'Remove the X Windows Package Group'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml
new file mode 100644
index 0000000..eab54dd
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml
@@ -0,0 +1,20 @@
+<def-group>
+ <definition class="compliance" id="no_forward_files" version="1">
+ <metadata>
+ <title>Verify No forward Files Exist</title>
+ {{{- oval_affected(products) }}}
+ <description>If there are no related email forwarding scenarios, it is recommended to delete the .forward file.</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_no_forward_files_home" negate="true" />
+ </criteria>
+ </definition>
+ <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .forward in /home" id="test_no_forward_files_home" version="1">
+ <unix:object object_ref="object_no_forward_files_home" />
+ </unix:file_test>
+ <unix:file_object comment="look for .forward in /home" id="object_no_forward_files_home" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all" />
+ <unix:path operation="equals">/home</unix:path>
+ <unix:filename operation="pattern match">^\.forward$</unix:filename>
+ </unix:file_object>
+</def-group>
\ No newline at end of file
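Review bot: The file object only looks one level below `/home`, so a `/root/.forward` or a `.forward` in a home directory located elsewhere (as recorded in `/etc/passwd`) is never seen. Adding a second `unix:file_object` with `<unix:path operation="equals">/root</unix:path>` and the same filename pattern, OR-ed into the criteria with its own negated criterion, covers the root account cheaply; a passwd-driven object would cover the rest. This file uses the `oval_affected(products)` macro while the other new OVAL files in this patch hard-code `<platform>multi_platform_openeuler</platform>`; the macro form is the one to keep across all of them.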
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
new file mode 100644
index 0000000..318131a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Verify No forward Files Exist'
+
+description: |-
+ The <tt>.forward</tt> file can be configured with an email address, which
+ will be automatically forwarded to when users receive emails. If there are
+ no related email forwarding scenarios, it is recommended to delete the
+ <tt>.forward</tt> file.
+
+rationale: |-
+ If there is a <tt>.forward</tt> file, it may cause user emails carrying
+ sensitive information to be automatically forwarded to high-risk mailboxes.
+
+severity: low
\ No newline at end of file
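Review bot: The rule is placed under `accounts-restrictions/password_storage`, but `.forward` files concern mail forwarding, not password storage, so it will be listed under a misleading heading in the generated guide; a group under `services` (mail) or directly under `accounts-restrictions` fits better. In the rationale, `forwarded to high-risk mailboxes` is vague; `forwarded outside the system to mailboxes that are not under the organisation's control` says what the risk is. Since the OVAL in the previous file only checks `/home`, the description should say so or the check should be widened, otherwise the rule text promises more than the scan verifies.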
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml
new file mode 100644
index 0000000..b01dad4
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure the network interface is bound to the correct area'
+
+description: |-
+ File access permission control is the basic permission management in Linux. Different users
+ are authorized to access different files, preventing the leakage of sensitive information
+ between users or the tampering of file data. It can also prevent ordinary users from
+ unauthorized access to high-privilege files or configurations in the system.
+
+ It is recommended to audit and monitor system calls that modify file permissions and file
+ owners in the operating system. If relevant auditing is not configured, if illegal
+ modification occurs, it will not be conducive to traceability.
+
+ openEuler does not configure file access control permission audit rules by default. It is
+ recommended that users configure corresponding rules based on actual business scenarios.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ Configuring auditing, because audit logs need to be recorded when file permissions and owners
+ are modified, will have a slight impact on performance. However, since such operations should
+ not be performed frequently, it is actually not perceptible to users.
+
+severity: low
\ No newline at end of file
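Review bot: The title `'Ensure the network interface is bound to the correct area'` does not describe this rule, whose text is about auditing changes to file permissions and ownership; the same copy-paste problem appears in audit_privilege_escalation_command (`'Make sure to remove unnecessary file system mount support'`) and configure_rsyslog_log_rotate (`'Ensure that the iptables input and output association policies configuration is correct'`). Suggested here: `title: 'Record Events that Modify File Permissions and Ownership'`. The `rationale` field states the performance cost of the rule rather than why it should be applied; that text belongs in a `warnings:` entry of kind `performance:`, with the rationale carrying the traceability argument already present in the description — this applies equally to audit_privilege_escalation_command, audit_rule_admin_privilege and configure_service_logging. Because the rule is manual, an `ocil`/`ocil_clause` telling the auditor what to look for in `auditctl -l` output (watches or syscall rules covering chmod/chown-type calls) would make the check actionable.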
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index ebd52e2..2e7f907 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
title: 'Record Unsuccessful Access Attempts to Files - creat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index 3634935..cac6a0d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
title: 'Record Unsuccessful Access Attempts to Files - ftruncate'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 8d813fa..425ecb7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
title: 'Record Unsuccessful Access Attempts to Files - open'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index e8ec755..20b4d42 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
title: 'Record Unsuccessful Access Attempts to Files - openat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
new file mode 100644
index 0000000..6cebb2c
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ Ordinary users can obtain super administrator privileges by calling privilege
+ escalation commands (with SUID/SGID set), so the use of privilege escalation
+ commands carries high risks and is often used by attackers to attack the system.
+
+ It is recommended to audit and monitor privilege escalation commands to facilitate
+ traceability afterwards.
+
+ openEuler does not configure audit rules for privilege escalation commands by
+ default. It is recommended that users configure corresponding rules based on actual
+ business scenarios.
+
+rationale: |-
+ Configuring auditing requires audit logging when using privilege escalation
+ commands, which has a slight impact on performance. If the user business has
+ a large number of scenarios where privilege escalation commands are frequently
+ called, there may be a cumulative effect.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml
new file mode 100644
index 0000000..b70b4d9
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="audit_rule_admin_privilege" version="1">
+ <metadata>
+ <title>Audit rules for administrator privileged operations should be configured</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure audit rules for administrator privileged operations</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Configure audit rules for administrator privileged operations"
+ test_ref="test_audit_rule_admin_privilege" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="recorded authentication-related event"
+ id="test_audit_rule_admin_privilege" version="1">
+ <ind:object object_ref="obj_test_audit_rule_admin_privilege" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_audit_rule_admin_privilege" version="1">
+ <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
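Review bot: The object pattern starts with `^\-w[\s]+sudo\.log`, but an audit watch takes an absolute path, so a correctly written rule `-w /var/log/sudo.log -p wa -k <key>` (the file the accompanying rule.yml names) never matches and the definition always fails. Change the prefix to `^\-w[\s]+/var/log/sudo\.log[\s]+\-p[\s]+` and keep the rest of the expression. The check only reads `/etc/audit/audit.rules`; when rules are maintained in `/etc/audit/rules.d/*.rules` and merged by augenrules this still works after the merge, but a rule present only in rules.d before the service restarts will be reported missing, so a second object over `/etc/audit/rules.d/` is worth adding.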
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
new file mode 100644
index 0000000..8d548e5
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rule_admin_privilege/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Audit rules for administrator privileged operations should be configured'
+
+description: |-
+
+ The sudo extraction command operation log in the openEuler system is recorded
+ in the /var/log/secure log file by default. Other authentication-related security
+ logs are also recorded in this file. If the user wants to audit the sudo extraction
+ command, it is recommended that the sudo related logs be Record separately and
+ output to /var/log/sudo.log, and then audit and monitor the sudo log file. Sudo
+ privilege escalation is a high-risk operation and is relatively common in attacks. It
+ is recommended to configure audit rules for later tracing.
+
+ openEuler does not configure audit rules for administrator privileged operations
+ by default. It is recommended that users configure corresponding rules based on
+ actual business scenarios.
+
+rationale: |-
+ Configure auditing. Since audit logging is required for any sudo privilege escalation
+ operation, it will have a slight impact on performance. If there are a large number
+ of frequent sudo operations in the user's business scenario, the impact on performance
+ will have a cumulative effect.
+
+severity: high
\ No newline at end of file
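Review bot: The check in the previous file only makes sense if sudo actually writes to `/var/log/sudo.log`, which requires a sudoers setting such as `Defaults logfile=/var/log/sudo.log`; the description mentions the file but never tells the reader to configure that, and no rule in this patch checks it, so a system can satisfy the audit watch while the watched file is never written. The wording `sudo extraction command` and `be Record separately` is garbled; `sudo privilege escalation command` and `be recorded separately` are what is meant, and the description block starts with an empty line that should go. As with the other audit rules, the rationale describes the performance cost rather than the reason for the rule.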
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml
new file mode 100644
index 0000000..bf0b651
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="auditd_data_retention_admin_space_left" version="1">
+ <metadata>
+ <title>auditd data retention admin space left</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>auditd data retention admin space left.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="auditd data retention admin space left"
+ test_ref="test_auditd_data_retention_admin_space_left" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="auditd data retention admin space left"
+ id="test_auditd_data_retention_admin_space_left" version="1">
+ <ind:object object_ref="obj_test_auditd_data_retention_admin_space_left" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_auditd_data_retention_admin_space_left" version="1">
+ <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
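Review bot: The object pattern `^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$` tests the numeric `admin_space_left` threshold and accepts any integer, while the rule.yml that follows is entirely about `admin_space_left_action` and its acceptable values, so the scan and the prose check different things. Either the pattern becomes `^[\s]*admin_space_left_action[\s]+=[\s]+(single|suspend|halt)[\s]*$` to match the rule text, or the rule text is rewritten to describe the threshold and the accepted range for it. The definition title and comment (`auditd data retention admin space left`) should then say which of the two is meant.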
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml
new file mode 100644
index 0000000..2c9273d
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml
@@ -0,0 +1,56 @@
+documentation_complete: true
+
+title: 'Configure auditd admin_space_left on Low Disk Space'
+
+description: |-
+ The <tt>auditd</tt> service can be configured to take an action
+ when disk space is running low but prior to running out of space completely.
+ Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line,
+ substituting <i>ACTION</i> appropriately:
+ <pre>admin_space_left_action = <i>ACTION</i></pre>
+ Set this value to <tt>single</tt> to cause the system to switch to single user
+ mode for corrective action. Acceptable values also include <tt>suspend</tt> and
+ <tt>halt</tt>. For certain systems, the need for availability
+ outweighs the need to log all actions, and a different setting should be
+ determined. Details regarding all possible values for <i>ACTION</i> are described in the
+ <tt>auditd.conf</tt> man page.
+
+rationale: |-
+ Administrators should be made aware of an inability to record
+ audit records. If a separate partition or logical volume of adequate size
+ is used, running low on space for audit records should never occur.
+
+severity: medium
+
+identifiers:
+ cce@rhel6: 27239-3
+ cce@rhel7: 27370-6
+ cce@rhel8: 80679-4
+ cce@ocp4: 82677-6
+
+references:
+ stigid@rhel6: "000163"
+ srg@rhel6: SRG-OS-999999
+ cis: 5.2.1.2
+ cjis: 5.4.1.1
+ cui: 3.3.1
+ disa: 140,1343
+ hipaa: 164.312(a)(2)(ii)
+ iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1
+ nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
+ nist-csf: DE.AE-3,DE.AE-5,PR.DS-4,PR.PT-1,RS.AN-1,RS.AN-4
+ pcidss: Req-10.7
+ stigid@rhel7: "030340"
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 7.1,SR 7.2'
+ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
+ cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
+
+ocil_clause: 'the system is not configured to switch to single user mode for corrective action'
+
+ocil: |-
+ Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to
+ determine if the system is configured to either suspend, switch to single user mode,
+ or halt when disk space has run low:
+ <pre>admin_space_left_action single</pre>
+
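Review bot: This rule.yml has no `prodtype` line, unlike every other new rule in this patch, so it will be built for all products rather than only openeuler2203. The `identifiers`/`references` block (rhel CCEs, stigids, SRG) reads as copied from an existing admin_space_left_action rule; if those CCE numbers are already assigned elsewhere in the content the build's identifier uniqueness check is likely to reject the duplicate, and in any case they do not belong to a new openEuler-only rule. The `ocil` shows `admin_space_left_action single` without the `=` that the description (`admin_space_left_action = ACTION`) and `/etc/audit/auditd.conf` use; write `<pre>admin_space_left_action = single</pre>`. Note also that the OVAL in the previous file checks `admin_space_left`, not the action this text describes.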
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index cb1ff1d..080e1ee 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203
title: 'Configure auditd space_left on Low Disk Space'
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index 2c17ee1..0f4cdf0 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,openeuler2203
title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
index 36f3200..34ca8aa 100644
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,openeuler2203
title: 'Extend Audit Backlog Limit for the Audit Daemon'
diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
new file mode 100644
index 0000000..1e95b34
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="configure_dump_journald_log" version="1">
+ <metadata>
+ <title>Make sure rsyslog dump journald log is configured</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure rsyslog dump journald log.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="configure dump journald log"
+ test_ref="test_configure_dump_journald_log" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="configure dump journald log"
+ id="test_configure_dump_journald_log" version="1">
+ <ind:object object_ref="obj_test_configure_dump_journald_log" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_configure_dump_journald_log" version="1">
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[^#]*imjournal</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
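Review bot: The pattern `^[^#]*imjournal` matches any uncommented line that contains the string, including tuning directives such as `$imjournalRatelimitInterval` on a host that never loads the module, and it ignores `/etc/rsyslog.d/*.conf` where the module may be loaded instead. Anchoring on the load statement, `^[^#]*(\$ModLoad[\s]+imjournal|module\(load="imjournal")`, tests what the rule actually wants, and a second object over `/etc/rsyslog.d/` with the same pattern covers the drop-in case.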
diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
new file mode 100644
index 0000000..7247e27
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure rsyslog dump journald log is configured'
+
+description: |-
+
+ The system uses journald to collect logs. The logs may be stored on
+ volatile storage devices or on persistent storage devices. If there
+ are problems such as log loss or logs filling up the disk, the logs
+ must be dumped in a timely manner to ensure that the logs are more
+ consistent with the system. Safety.
+
+rationale: |-
+ If there is a volatile storage device for the log, failure to dump
+ the log in time may result in log loss. If there is a persistent
+ storage device, the amount of logs may be very large. If the logs
+ are not dumped in time, the logs may fill up the current partition,
+ causing the risk of other processes or system failures.
+
+severity: high
\ No newline at end of file
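Review bot: The description never names what the OVAL in the previous file checks, namely that rsyslog loads the `imjournal` module so that journald messages are persisted to rsyslog's files; add a sentence such as `Configure rsyslog to read the journal by loading the <tt>imjournal</tt> module in <tt>/etc/rsyslog.conf</tt> or a file under <tt>/etc/rsyslog.d/</tt>.` The closing `consistent with the system. Safety.` is a broken sentence; `so that the log record stays consistent with the state of the system and available for security review` is closer to the apparent intent. The description block also opens with an empty line that should be removed.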
diff --git a/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml
new file mode 100644
index 0000000..16c62e7
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the account is forced to change the password when logging in for the first time'
+
+description: |-
+ Passwords that are not set by users themselves, such as passwords reset by
+ administrators, if not modified in a timely manner in the business environment,
+ can easily cause low-cost attacks. Therefore, users are required to forcibly change
+ their passwords when logging in to their accounts for the first time. Except for
+ the root password.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
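Review bot: `rationale: |-` followed by `none.` leaves the field empty; the reasoning is already in the description and belongs here, e.g. `A password set by an administrator is known to at least one other person; forcing a change on first login ensures that only the account owner knows the password in use.` The same empty rationale appears in configure_rsyslog_log_rotate. The rule sits under `system/logging`, but it concerns account password policy and would be found under the accounts groups by anyone looking for it; the sentence `Except for the root password.` also needs to say why root is exempt, or be dropped.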
diff --git a/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
new file mode 100644
index 0000000..4257677
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml
@@ -0,0 +1,45 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the iptables input and output association policies configuration is correct'
+
+description: |-
+ rsyslog is responsible for collecting log records from the system into files, and logrotate
+ is responsible for regularly or quantitatively copying and compressing log files to ensure
+ that excessive hard disk resources are not occupied due to excessive log file size, or that
+ the log files are even unmaintainable.
+
+ If the rotate policy is not configured, the log file will continue to grow, which may
+ eventually lead to the exhaustion of space on the hard disk partition where the log is
+ located, which may affect log recording at best, or may cause the system and business to be
+ unable to continue to execute normally.
+
+ By default, openEuler has configured the rsyslog rotate policy in the /etc/logrotate.d/rsyslog
+ file as follows:.
+
+ rotate log file:
+ /var/log/cron
+
+ /var/log/maillog
+
+ /var/log/messages
+
+ /var/log/secure
+
+ /var/log/spooler
+
+ The maximum retention period of log files is 365 days;
+
+ A maximum of 30 log files can be retained;
+
+ Log files are retained in a compressed manner;
+
+ The log file reaches 4MB, perform rotate operation.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
diff --git a/linux_os/guide/system/logging/configure_service_logging/rule.yml b/linux_os/guide/system/logging/configure_service_logging/rule.yml
new file mode 100644
index 0000000..c15d25b
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_service_logging/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Each service logging should be configured correctly'
+
+description: |-
+ Configure logging so that important system behaviors and security-related information will
+ be recorded using rsyslog. The configuration files /etc/rsyslog.conf and /etc/rsyslog.d/*.conf
+ can specify logging rules and which files will be used to record specific types of logs.
+
+ If logging is not configured, system behavior cannot be recorded, and problem location and
+ auditing cannot be performed when problems occur.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ After logging is configured, if the logs are not cleared in time, the logs may fill up the current partition, causing the
+ risk of other processes or system failures.
+
+severity: low
diff --git a/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml
new file mode 100644
index 0000000..b235f0e
--- /dev/null
+++ b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Prevent root users from accessing the system locally'
+
+description: |-
+ Root is a super-privileged user in a Linux system and has access to all
+ Linux system resources. If you are allowed to directly use the root account
+ to log in to the Linux system to operate the system, it will bring many
+ potential security risks. In order to avoid the risks caused by this, it
+ should be prohibited to directly use the root account to log in to the
+ operating system, and only use other technologies when necessary. Methods
+ (such as: sudo or su) indirectly use the root account.
+
+ Since the root account has the highest authority, logging in directly with
+ root has the following risks:
+
+ High-risk misoperations may directly cause server paralysis, such as accidentally
+ deleting or modifying key system files;
+
+ If multiple people need root privileges to operate, the root password will be
+ kept by multiple people, which can easily lead to password leakage and increase
+ password maintenance costs.
+
+ openEuler is not configured by default. If there is no need to log in locally using
+ the root account in actual scenarios, it is recommended to disable local login
+ with the root account.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ The root account cannot access the system locally.
+
+severity: low
\ No newline at end of file
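Review bot: The rule gives the auditor nothing to inspect: it is a manual check with no `ocil:` and a rationale that merely restates the title (`The root account cannot access the system locally.`). Local root login is normally governed by `pam_securetty` in `/etc/pam.d/login` together with the tty list in `/etc/securetty` (and by getty/display-manager configuration), so the description should name these, and the shared-root-password / no-accountability argument now in the description should move under `rationale:`. The directory name `diasable_root_accessing_system` is misspelled and the rule sits under `system/logging` although it is an access-control rule; both are hard to change once the rule id is referenced by profiles.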
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index a78cd69..3bd9887 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -9,6 +9,7 @@
<platform>multi_platform_ol</platform>
<platform>multi_platform_rhel</platform>
<platform>multi_platform_ubuntu</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>File permissions for all syslog log files should be set correctly.</description>
</metadata>
diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml
new file mode 100644
index 0000000..63bce75
--- /dev/null
+++ b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="recorded_authentication_related_event" version="1">
+ <metadata>
+ <title>Ensure that system authentication related event logs are recorded</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Configure the System to Record Authentication-related Event.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="recorded authentication-related event"
+ test_ref="test_recorded_authentication_related_event" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="recorded authentication-related event"
+ id="test_recorded_authentication_related_event" version="1">
+ <ind:object object_ref="obj_test_recorded_authentication_related_event" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_recorded_authentication_related_event" version="1">
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[^#]*auth</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
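Review bot: The pattern `^[^#]*auth` on `/etc/rsyslog.conf` matches any non-comment line containing the substring `auth`, including the stock selector `*.info;mail.none;authpriv.none;cron.none`, which specifically excludes authentication messages, so the check passes on a host that never writes auth logs. It also inspects only `/etc/rsyslog.conf`, while the rule text allows rules in `/etc/rsyslog.d/*.conf`. Tighten the selector to require a facility with a real priority and a target, e.g. `^[^#]*\bauth(?:priv)?\.(?!none)\S+\s+\S+`, and consider a second object over `/etc/rsyslog.d` using `<ind:path>` plus `<ind:filename operation="pattern match">^.*\.conf$</ind:filename>` with `check_existence="at_least_one_exists"`, joined to the first test in a `<criteria operator="OR">`.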
diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml
new file mode 100644
index 0000000..1a52982
--- /dev/null
+++ b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that system authentication related event logs are recorded'
+
+description: |-
+
+ Events related to system authentication must be recorded to help
+ analyze user logins, use of root privileges, and monitor suspicious
+ system actions.
+ Failure to record system authentication-related event logs will
+ result in the inability to analyze suspicious attack actions from
+ the logs, such as login actions performed by attackers trying to
+ guess administrator passwords.
+
+rationale: |-
+ If there is a volatile storage device for the log, failure to
+ dump the log in time may result in log loss. If there is a persistent
+ storage device, the amount of logs may be very large. If the logs
+ are not dumped in time, the logs may fill up the current partition,
+ causing the risk of other processes or system failures.
+
+severity: high
\ No newline at end of file
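Review bot: The `rationale:` text is about volatile storage and logs filling the partition — it reads as copied from a retention rule and does not justify recording authentication events, while the real rationale (password-guessing attempts go unnoticed) is in the description. Move the `Failure to record system authentication-related event logs…` sentence under `rationale:` and drop the partition-filling paragraph, otherwise a `severity: high` rule appears to be about disk space. An `ocil:` stanza telling the auditor to look for `auth`/`authpriv` selectors with a non-`none` priority in `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf` would also let the automated result be reproduced by hand.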
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
index 22307d4..c3e2752 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
@@ -10,6 +10,7 @@
<platform>multi_platform_rhel</platform>
<platform>multi_platform_ubuntu</platform>
<platform>multi_platform_wrlinux</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>Syslog logs should be sent to a remote loghost</description>
</metadata>
diff --git a/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml
new file mode 100644
index 0000000..d5d2335
--- /dev/null
+++ b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure Warning Banners contain reasonable information'
+
+description: |-
+ Warning Banners include warning information added to the system login
+ interface, which identifies the system's security warnings for all
+ users who log in to the system. Security warnings can include the
+ organization to which the system belongs, monitoring or recording of
+ login behaviors, and unauthorized logins based on business scenarios. Or
+ the legal sanctions that will be imposed upon intrusion. Inappropriate
+ security warning information may increase the risk of system attacks
+ or violate local laws and regulations.
+
+ Warning Banners should not expose the system version, application server
+ type, functions, etc. to users to prevent attackers from obtaining system
+ information and carrying out attacks. In addition to this, file ownership
+ needs to be configured correctly, otherwise unauthorized users may modify
+ files with incorrect or misleading information.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
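Review bot: The description says file ownership of the banner files must be correct but never names the files, so the manual check cannot be performed. Name the files the banners are read from — on a typical Linux host `/etc/issue` (local login), `/etc/issue.net` (sshd `Banner`, if configured) and `/etc/motd` (post-login); confirm which ones openEuler uses — and give the expected state, e.g. `ls -l /etc/issue /etc/issue.net /etc/motd` showing `root:root` and mode `0644`. The `rationale:` is `none.` although the second paragraph (version disclosure helps attackers) is exactly the rationale and should be moved there.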
diff --git a/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..278556e
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the iptables input and output association policies configuration is correct'
+
+description: |-
+ Although it is possible to configure packet policies for incoming and outgoing servers to the
+ Input and OUTPUT chains by configuring protocols, IP, and ports, in some cases it may be more
+ complex. For example, if the client accesses the server through a certain port, the server may
+ not necessarily return the response packet from the original port, and may use a random source
+ port. In this case, it is difficult to configure accurate policies through the sport parameter.
+
+ At this point, it is necessary to consider using association links to configure the strategy.
+ If an outgoing message belongs to an existing network link, it will be directly released; If a
+ received message belongs to an existing network link, it is also directly released. Because
+ these existing links must have been filtered and checked by other policies, otherwise they cannot
+ be established.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check if the input and output chains are configured with associated policies.</p>
+ <ul>
+ <li>You can use below cli command to check if the input and output chains of IPv4 are configured with associated policies:
+ <pre># iptables -L</pre>
+ </li>
+ <li>You can use below cli command to check if the input and output chains of IPv6 are configured with associated policies:
+ <pre># ip6tables -L</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ If the policy is not configured through associated links, it is necessary to analyze all possible
+ link situations and configure corresponding policies. If the configuration is too loose, it may
+ cause security risks, and if the configuration is too strict, it may cause business interruption.
+
+severity: low
\ No newline at end of file
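Review bot: The check commands `iptables -L` / `ip6tables -L` neither say what the auditor should look for nor use `-n -v`, unlike the sibling input/output rules, so they will also trigger slow reverse-DNS lookups while listing. Name the expected rule — one matching `ctstate RELATED,ESTABLISHED -j ACCEPT` (the older `state` match prints as `state RELATED,ESTABLISHED`) near the top of INPUT and OUTPUT, usually with a `--ctstate INVALID -j DROP` companion — and use `# iptables -L INPUT -v -n` / `# ip6tables -L INPUT -v -n`. Without a stated pass criterion the manual check cannot be applied consistently.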
diff --git a/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..0f7e91a
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the iptables input policy configuration is correct'
+
+description: |-
+ The function of the Input chain is to filter packets received from external sources. Any
+ externally provided service requires configuring the corresponding Input policy and opening
+ the relevant port, so that external clients can access the service through that port.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check if the policy configured for the input chain meets business needs.</p>
+ <ul>
+ <li>You can use below cli command to check the input chain of IPv4:
+ <pre># iptables -L INPUT -v -n</pre>
+ </li>
+ <li>Or check the input chain of IPv6:
+ <pre># ip6tables -L INPUT -v -n</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ If not configured, all external attempts to access related services will be discarded due to
+ the default policy configuration being DROP.
+
+severity: low
\ No newline at end of file
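Review bot: The rationale states that unconfigured services are dropped "due to the default policy configuration being DROP", but the kernel's built-in chain policy is ACCEPT; packets are only dropped if a default-deny rule has run `iptables -P INPUT DROP`. Make that dependency explicit, e.g. `…once the INPUT chain policy has been set to DROP as required by the default-deny rule`, since on a host where that policy was not applied the risk is the opposite one (everything accepted). The `Chain INPUT (policy …)` header printed by the suggested `iptables -L INPUT -v -n` is where the auditor should confirm the policy as part of this check.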
diff --git a/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..9d8bafe
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the iptables loopback policy configuration is correct'
+
+description: |-
+ The loopback address is a special address on the server, represented by 127.0.0.0/8,which is
+ not related to the network card and is mainly used for communication between local processes.
+ Messages with a source address of 127.0.0.0/8 should not be received from the network card,
+ and such messages should be discarded.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check if the loopback address policy has been correctly configured.</p>
+ <ul>
+ <li>You can use below cli command to check the input chain of IPv4:
+ <pre># iptables -L INPUT -v -n</pre>
+ </li>
+ <li>Or check the output chain of IPv4:
+ <pre># iptables -L OUTPUT -v -n</pre>
+ </li>
+ <li>Or check the input chain of IPv6:
+ <pre># ip6tables -L INPUT -v -n</pre>
+ </li>
+ <li>Or check the output chain of IPv6:
+ <pre># ip6tables -L OUTPUT -v -n</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ If the loopback address policy is not set correctly, it may cause communication failure between
+ local processes or receive spoofing messages from the network card. The server needs to set
+ policies that allow receiving and processing loopback address messages from the lo interface,
+ but reject messages received from the network card.
+
+severity: low
\ No newline at end of file
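Review bot: The four listing commands do not say which rules must be present, so the auditor cannot decide pass or fail. State the expected set: `-A INPUT -i lo -j ACCEPT` and `-A OUTPUT -o lo -j ACCEPT`, plus `-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP`, and for `ip6tables` the equivalents with `-s ::1/128`, since the description mentions only the IPv4 loopback range while recommending an IPv6 check. Also note that order matters: the accept on `lo` has to precede the anti-spoofing drop.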
diff --git a/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..c10cd44
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure that the iptables output policy configuration is correct'
+
+description: |-
+ There are two main situations for server outgoing messages: one is when the host process
+ actively connects to an external server, such as HTTP access, or sends data to a log server,
+ etc.; the other is when the host process accesses the local service externally and the local
+ machine responds to the message.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check if the policy configured for the output chain meets business needs.</p>
+ <ul>
+ <li>You can use below cli command to check the output chain of IPv4:
+ <pre># iptables -L OUTPUT -v -n</pre>
+ </li>
+ <li>Or check the input chain of IPv6:
+ <pre># ip6tables -L OUTPUT -v -n</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ If the OUTPUT policy is not configured, all outgoing messages from the server will be discarded
+ due to the default policy being DROP.
+
+severity: low
\ No newline at end of file
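Review bot: The second list item is labelled "Or check the input chain of IPv6" but runs `ip6tables -L OUTPUT -v -n`; change the label to `Or check the output chain of IPv6:`. As in the input rule, the rationale's "default policy being DROP" is true only after `iptables -P OUTPUT DROP` has been applied by the default-deny rule — the kernel default is ACCEPT — so the text should say so rather than present it as a given.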
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index bbea345..19cc6f5 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4,openeuler2203
title: 'Deactivate Wireless Network Interfaces'
diff --git a/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml
new file mode 100644
index 0000000..ee66dd7
--- /dev/null
+++ b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure the network interface is bound to the correct area'
+
+description: |-
+ Different firewall regions can develop different filtering strategies. If the server network
+ is complex and has multiple interfaces, and different interfaces undertake different business
+ functions, it is recommended to configure the interfaces to different regions and develop
+ different firewall strategies. For example, the external network business interface does not
+ allow SSH access, while the internal network management interface can open SSH access.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check the interface configuration of each region:</p>
+ <ul>
+ <pre># find ./ -type l -follow</pre>
+ </ul>
+
+rationale: |-
+ If all interfaces are configured in one area, firewall policies are not conducive to configuring
+ different interfaces differently, increasing management complexity, and reducing the filtering
+ efficiency of firewall security protection. Due to configuration issues, messages that should
+ not be received may not be rejected or discarded.
+
+severity: low
\ No newline at end of file
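Review bot: The check command `find ./ -type l -follow` lists symlinks below the current directory and has nothing to do with firewall zones, so it cannot verify interface-to-zone binding. If the "regions" are firewalld zones, as the wording suggests, the check should be `firewall-cmd --get-active-zones` (each zone with its bound interfaces) and `firewall-cmd --list-all-zones` for the per-zone policy; for NetworkManager-managed interfaces the binding is also visible via `nmcli -f connection.zone connection show <name>`. The directory name `network_interface_binding_corrently` (and the `*_corrently` suffix on the sibling iptables/nftables rules) is misspelled and should be fixed before the rule ids are referenced by profiles.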
diff --git a/linux_os/guide/system/network/network_nftables/group.yml b/linux_os/guide/system/network/network_nftables/group.yml
new file mode 100644
index 0000000..68ecddd
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/group.yml
@@ -0,0 +1,12 @@
+documentation_complete: true
+
+title: 'nftables'
+
+description: |-
+ nftables is a subsystem of the Linux kernel that provides filtering
+ and classification of network packets. nftables replaces the iptables
+ part of Netfilter. Compared with iptables, nftable is easier to extend
+ to new protocols, and nftables will replace iptables in the future.
+ In addition, nftables is different from firewalld and iptables. The
+ operating system does not configure any policies by default and
+ requires manual configuration by the administrator.
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..73b0e5e
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables input strategy'
+
+description: |-
+ Although you can configure the policy of packets in and out of the server to
+ the input and output chains by configuring the protocol, IP and port, etc,
+ it is more complicated in some cases. For example, the client accesses the
+ server through a certain port, but when the server returns a response message
+ It does not necessarily return from the original port, but may use a random
+ source port. In this case, it is difficult to configure an accurate policy
+ through the sport parameter.
+
+ At this time, you need to consider using the associated link method to configure
+ the policy. If an outgoing packet belongs to an existing network link, it is
+ directly allowed; if a received packet belongs to an existing network link, it
+ is also directly allowed. Because these existing links must have been filtered
+ and checked by other policies, otherwise they cannot be established.
+
+ If you do not configure policies through associated links, you need to analyze
+ all possible link situations and configure corresponding policies. If the
+ configuration is too loose, it may lead to security risks. If the configuration
+ is too strict, it may cause business interruption.lll
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
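Review bot: The title `Configure nftables input strategy` is copied from the input rule; this rule is about connection-tracking (associated-link) policy and should read something like `Configure nftables connection tracking (established/related) policy`. The description's last paragraph ends with a stray `lll` and is actually the rationale, which is currently `none.` — move it under `rationale:`. A concrete expectation for the manual check would help: in `nft list ruleset` the input and output base chains should contain `ct state established,related accept` (typically with `ct state invalid drop`).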
diff --git a/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml
new file mode 100644
index 0000000..9a95f50
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables default deny policy'
+
+description: |-
+ From a security perspective, the nftables basic chain is similar to
+ iptables. (Input, output, forward) you need to configure the rejection
+ policy for all packets, and then add the allow policy to the basic
+ chain to open related services and ports.
+
+ If the basic chain is not configured, or the hook rules of the basic
+ chain are not specified, the packet will not be captured by nftables,
+ and filtering will not be possible.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ If the basic chain is not configured with a DROP or REJECT policy, the
+ packets will be ACCEPT by default, which may easily lead to security
+ risks due to omission of the rejection policy.
+
+severity: low
\ No newline at end of file
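Review bot: The manual check gives the auditor no command or pass criterion. Suggest an `ocil:` telling them to run `nft list ruleset` and confirm that every base chain with `type filter hook input`, `hook forward` and `hook output` declares `policy drop` (or a final `reject`/`drop` rule), and that a ruleset is loaded at all — the second paragraph correctly notes that without base chains nothing is filtered, which is a silent-fail condition the check must cover. The sentence "(Input, output, forward) you need to configure the rejection policy for all packets" is also hard to parse; `the input, output and forward base chains need a default drop/reject policy, after which accept rules are added for the required services and ports` states it plainly.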
diff --git a/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..a1fb377
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables input strategy'
+
+description: |-
+ The function of the input chain is to filter messages received from the
+ outside. Any externally provided service needs to configure the
+ corresponding input policy and open the relevant port so that external
+ clients can access the service through the port.
+
+ If not configured, since the default policy is configured as DROP, all
+ external packets trying to access related services will be dropped.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..c71aabe
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables loopback policy'
+
+description: |-
+ The loopback address is a special address on the server, represented by 127.0.0.0/8. It
+ has nothing to do with the network card. It is mainly used for inter-process communication
+ on this machine. Packets with the source address 127.0.0.0/8 should not be received from
+ the network card. Such messages should be discarded. If the loopback address policy is
+ set incorrectly, inter-process communication on the local machine may fail, or spoofed
+ packets may be received from the network card.
+
+ The server needs to set a policy to allow receiving and processing the loopback address
+ packets of the lo interface, but reject the packets received from the network card.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
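Review bot: The rule ends with `rationale: none.` although its second paragraph is the rationale, and the manual check names no command or expected rules. Suggest `ocil:` text telling the auditor to run `nft list ruleset` and confirm the input base chain has `iif "lo" accept` followed by `ip saddr 127.0.0.0/8 drop` and `ip6 saddr ::1 drop` (the accept on `lo` must come first); the description mentions only 127.0.0.0/8, so the IPv6 loopback address should be added to the text as well.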
diff --git a/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml
new file mode 100644
index 0000000..b3a795f
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Configure nftables input strategy'
+
+description: |-
+ There are two main situations when the server sends outbound messages. One
+ is when the host process actively connects to an external server, such as
+ http access, or sends outgoing data to a log server, etc. The other is when
+ the host process externally accesses local services and the local machine
+ responds arts.
+
+ If no output policy is configured, all outgoing packets from the server will
+ be discarded because the default policy is DROP.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
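Review bot: The title `Configure nftables input strategy` is wrong for this rule; it should be `Configure nftables output strategy`. The first paragraph ends with the garbled phrase "the local machine responds arts" — presumably "the local machine responds to the request" — and the claim that outgoing packets are discarded because "the default policy is DROP" only holds once the default-deny rule has set `policy drop` on the output base chain (the group description itself says nftables ships with no policy). The second paragraph is the rationale and should replace `none.`.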
diff --git a/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
new file mode 100644
index 0000000..ddc0939
--- /dev/null
+++ b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Verify nftables Enabled'
+
+description: '{{{ describe_service_enable(service="docker") }}}'
+
+rationale: |-
+ If multiple firewall services are enabled, business
+ interruption may occur due to inconsistent policy configurations.
+
+severity: low
+
+ocil: '{{{ ocil_service_enabled(service="nftables") }}}'
+
+platform: machine
+
+template:
+ name: service_enabled
+ vars:
+ servicename: nftables
\ No newline at end of file
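Review bot: The description macro is called with the wrong service: `describe_service_enable(service="docker")` will render text about enabling docker in a rule whose template and OCIL are about nftables; change it to `describe_service_enable(service="nftables")`. The rationale warns that several firewall services running at once cause conflicting policy, yet nothing in this rule says that `firewalld`/`iptables` services must be disabled when nftables is selected — either state that the rule is intended only for an nftables-based profile or reference a companion rule that disables the other firewall services. A `\ No newline at end of file` on a YAML rule is harmless but inconsistent with the rest of the tree.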
diff --git a/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
new file mode 100644
index 0000000..b5a1142
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly'
+
+description: |-
+ LD_LIBRARY_PATH is a Linux environment variable. When a program loads a
+ dynamic link library, it will first obtain it from the path specified by
+ this environment variable. Normally, this environment variable should
+ not be set. If it is maliciously set to an incorrect value, the program
+ may be linked to an incorrect dynamic library when running, resulting in
+ security risks. Note: The configuration in /etc/ld.so.conf.d will also
+ affect dynamic library loading, so you need to ensure correct configuration.
+
+ openEuler does not set this variable by default. According to the actual
+ scenario, if LD_LIBRARY_PATH must be set, you need to ensure that the
+ value is correct in all user contexts.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
new file mode 100644
index 0000000..68adae3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly'
+
+description: |-
+ The PATH variable under Linux defines the search path for executable files
+ in the current user context. For example, if the user uses the ls command
+ in any directory, the system will search for the ls command in the directory
+ specified by the PATH variable and execute it after finding it. The PATH
+ variable in all user contexts cannot contain the current directory "." .The
+ directory must be a path that actually exists in the file system and meets
+ the design expectations of the system. The correct PATH value can effectively
+ prevent system commands from being replaced by malicious instructions and
+ ensure that system commands can be executed safely.
+
+ So the PATH variable should be defined to the correct value, and the openEuler
+ system default setting is:
+
+ /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
+
+ PATH can be modified according to the actual scenario, but be sure to make sure
+ it is correct.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
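Review bot: The title `Make sure the LD_LIBRARY_PATH variable is defined correctly` is copied from the previous rule; this one is about `PATH`, so use `Make sure the PATH variable is defined correctly`. The description forbids `.` in PATH but not its equivalents — an empty element (`::`, or a leading/trailing `:`) is also searched as the current directory — so say `must not contain the current directory "." or empty elements`. A concrete check would help the auditor: inspect `PATH=` assignments in `/etc/profile`, `/etc/profile.d/*.sh`, `/etc/bashrc` and users' shell rc files, and verify each entry exists and is not world-writable.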
diff --git a/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml
new file mode 100644
index 0000000..e4fa75f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disallow globally writable files'
+
+description: |-
+ Globally writable means that all users can write to the file, but usually this
+ permission is not necessary. If a file is unreasonably set with globally writable
+ permissions, it can easily be tampered with by attackers, leading to security risks.
+ Therefore, if the file must have globally writable permissions, the security risks
+ need to be analyzed based on actual scenarios to ensure that attackers cannot use
+ this file to carry out attacks.
+
+ You can search for globally writable files in the root directory. The exceptions
+ are: There are a large number of globally writable files in the two system directories
+ "/sys" and "/proc" when Linux is running, so these two should be excluded when checking
+ directory to avoid confusion.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Check globally writable filesdirectories "/sys" and "/proc" have been excluded.</p>
+ <ul>
+ <li>You can use below command to check :
+ <pre>find / -path /proc -prune -o -path /sys -prune -o -type f -perm -0002 -exec ls -lg {} \;</pre>
+ </li>
+ <li>or:
+ <pre>find / -xdev -type f -perm -0002 -exec ls -lg {} \</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
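Review bot: The second check command `find / -xdev -type f -perm -0002 -exec ls -lg {} \` is broken — `-exec` needs a terminating `\;`, i.e. `find / -xdev -type f -perm -0002 -exec ls -lg {} \;` — and as written find aborts with a missing-argument error. The sentence "Check globally writable filesdirectories "/sys" and "/proc" have been excluded" is missing words; suggest `Check for globally writable files; the directories "/sys" and "/proc" are excluded.` Note also that `-xdev` skips every other filesystem, so it hides world-writable files on separately mounted `/home`, `/var`, etc., which the first command does not — the two commands are not equivalent and the text should say when each is appropriate.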
diff --git a/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml
new file mode 100644
index 0000000..a80fe6a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_manage_hard_drive_data/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Hard drive data should be managed in partitions'
+
+description: |-
+ When installing the operating system, the operating system data and business data
+ partitions should be managed according to the characteristics of the actual scenario
+ to avoid placing all data on one hard disk or partition. Proper planning of hard disk
+ partitions can avoid or reduce the following risks:
+
+ The log file is too large, causing the business or system data disk to become full;
+ The home directory of ordinary accounts is too large, causing the system or business disk to become full;
+ The system partition is not independent, causing the basic service of the operating system to fail when the disk is full, causing a full-scale DOS attack;
+ It is not conducive to minimizing permissions and encrypting data disks;
+ It is not conducive to system or data recovery after the disk is damaged.
+
+ As a general operating system, openEuler installs separate partitions "/boot, /tmp,
+ /home, /" by default. It is recommended to determine the partition mounting and size
+ of other directories based on the actual scenario.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: low
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml
new file mode 100644
index 0000000..86766f1
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_mounted_nodev_mode/rule.yml
@@ -0,0 +1,48 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Partitions that do not need to be mounted are mounted in nodev mode'
+
+description: |-
+ nodev means that device files are not allowed to be mounted, which is used
+ to reduce the attack surface and increase security. When the directory is
+ mounted, if the nodev option is set, all block devices, character devices
+ and other device files in the directory will be parsed into ordinary files
+ and cannot be operated on device files. If nodev is not set when mounting,
+ it will lead to security risks. For example, an attacker creates a file system
+ on the USB flash drive and creates a block device file in it (his own USB flash
+ drive, with corresponding permissions), and this block The device actually
+ points to the server hard disk or partition such as /dev/sda. If an attacker
+ has the opportunity to insert a USB flash drive into the server and the server
+ loads the USB flash drive, the attacker can access the corresponding file through
+ this block device file. Hard drive data. If the U disk in the above case is changed
+ to another hard disk or partition, a similar problem will exist. As long as there
+ is a maliciously constructed device file on the hard disk or partition, an attack
+ can be formed.
+
+ The following directories are mounted by nodev by default in the openEuler system:
+
+ /sys、/proc、/sys/kernel/security、/dev/shm、/run、/sys/fs/cgroup、/sys/fs/cgroup/systemd、
+ /sys/fs/pstore、/sys/fs/bpf、/sys/fs/cgroup/files、/sys/fs/cgroup/net_cls,net_prio、
+ /sys/fs/cgroup/devices、/sys/fs/cgroup/freezer、/sys/fs/cgroup/cpu,cpuacct、/sys/fs/cgroup/perf_event、
+ /sys/fs/cgroup/pids、/sys/fs/cgroup/hugetlb、/sys/fs/cgroup/memory、/sys/fs/cgroup/blkio、
+ /sys/fs/cgroup/cpuset、/sys/fs/cgroup/rdma、/sys/kernel/config、/sys/kernel/debug、/dev/mqueue、
+ /tmp、/run/user/0
+
+ openEuler has the following directories (some directories vary depending on hard disk partitions
+ and deployment platforms). These directories are not mounted by nodev by default:
+
+ /dev、/dev/pts、/、/sys/fs/selinux、/proc/sys/fs/binfmt_misc、/dev/hugepages、/boot、
+ /var/lib/nfs/rpc_pipefs、/boot/efi、/home
+
+ In actual scenarios, based on business needs, the nodev method is used to mount partitions
+ that do not require device mounting.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
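Review bot: The description's claim that device files on a `nodev` mount "will be parsed into ordinary files" is not what the option does: the kernel refuses to interpret block and character special files on that file system, so an open of the node fails — the attack path is closed because the open is refused, not because the node turns into a regular file. The title "Partitions that do not need to be mounted are mounted in nodev mode" reads as a contradiction; suggest `title: 'Mount partitions that do not need device nodes with the nodev option'`. `rationale: none.` should carry the USB/crafted-device-node scenario that currently sits in the description. The two lists of "mounted by nodev by default" paths cannot be verified from this patch and will drift between images and kernels, so present them as examples rather than a definitive inventory, and replace the full-width `、` separators with ", " so the English guide renders cleanly.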
diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml
new file mode 100644
index 0000000..21a7390
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_mounted_noexec_mode/rule.yml
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ The data disk is only used to save data during system operation. There
+ is no need to execute relevant commands on the data disk. In this case,
+ the hard disk or partition must be mounted in noexec mode to improve security
+ and reduce the attack surface.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ If the hard disk or partition is mounted in noexec mode, the executable
+ file in the mount point directory cannot be run directly.
+
+severity: high
\ No newline at end of file
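Review bot: The title "Make sure to remove unnecessary file system mount support" is copied from a different rule and does not describe this one; suggest `title: 'Mount data partitions with the noexec option'`. The description should carry the caveat a practitioner needs: `noexec` only blocks direct execution, and a script on such a mount can still be run by handing it to an interpreter (`bash /data/x.sh`), so it is a hardening layer against accidental or drive-by execution rather than a control against a user who already has shell access. The `rationale` text states the effect of the option; the attack-surface argument in the description is the actual rationale and should move there.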
diff --git a/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml b/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml
new file mode 100644
index 0000000..ddbe5c6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitions_mounted_nosuid_mode/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure partitions that do not require SUID/SGID are mounted in nosuid mode'
+
+description: |-
+ After the SUID bit is set on an executable file, even if the user executing the file
+ is not the owner of the file, the process will be temporarily granted the permissions
+ of the file owner during execution. For example, the ordinary user test executes a
+ program with permissions 755 and owner root. If the program does not set the SUID bit,
+ the process only has the permissions of the test user; if the SUID is set, the process
+ has root permissions during execution. . SGID has a similar function, but it only has
+ the permissions of the group to which the file belongs. For partitions that do not
+ need SUID/SGID, use the nosuid method to mount them. This can invalidate the S bit of
+ files with SUID/SGID in the partition, prevent privilege escalation through the
+ executable files of the partition, and strengthen the security of the partition.
+
+ Users need to plan each mounted hard drive and partition and set nosuid mounting items
+ based on actual scenarios.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
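Review bot: `rationale: none.` — the privilege-escalation argument in the description is the rationale and should be moved into that field. Worth adding that on Linux `nosuid` also stops file capabilities from being honoured on that mount (mount(8) documents both), which closes the same escalation path for binaries that carry `cap_*+ep` instead of a SUID bit — confirm this against the openEuler kernel in use. A concrete verification hint would make "check it manually" actionable, e.g. `findmnt -o TARGET,OPTIONS | grep -v nosuid` to list mounts that lack the option.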
diff --git a/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml b/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml
new file mode 100644
index 0000000..512d8c1
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/partitoin_mounted_noexec_or_nodev/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ Removable devices themselves are uncertain, and their origin, past usage,
+ and transportation processes cannot guarantee absolute safety. Therefore,
+ removable devices are often the main host devices for virus transmission.
+ Therefore, for removable devices, it is required to mount them in noexec
+ or nodev mode to improve security and reduce the attack surface.
+
+ noexec can prevent files on removable devices from being directly executed,
+ such as virus files, attack scripts, etc.;
+
+ nodev prevents incorrect device files on removable devices from being linked
+ to real devices on the server, leading to attacks;
+
+ Common removable devices such as: CD/DVD/USB, etc.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ If a removable device is mounted in noexec mode, the executable file
+ in the mount point directory cannot be run directly.
+
+severity: high
\ No newline at end of file
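Review bot: The requirement should be "noexec and nodev" (ideally nosuid as well), not "noexec or nodev": the two options stop different attacks, so nodev alone leaves scripts on the media runnable while noexec alone leaves a crafted device node usable, and the description's own two bullet points show they are not substitutes. The title is copied from the file-system-module rule and does not match this one; suggest `title: 'Mount removable media with the noexec and nodev options'`. The directory name `partitoin_mounted_noexec_or_nodev` is misspelled, and because the rule id becomes a permanent identifier once a profile ships, renaming it now (for example `partition_removable_media_mount_options`) is far cheaper than later. The rationale restates only the noexec effect; it should name both options.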
diff --git a/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml b/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml
new file mode 100644
index 0000000..b54202f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/read_only_partitions_no_modified/rule.yml
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Partitions that do not need to be modified are mounted read-only.'
+
+description: |-
+ Mounting file systems that do not require data modification in read-only mode can
+ avoid unintentional or malicious data tampering and reduce the attack surface.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ Once the file system is mounted in read-only mode, files and directories cannot
+ be created, modified, or deleted. Users need to configure it according to the actual
+ scenario. This requirement can be ignored for file mounting necessary for the
+ operation of the operating system.
+
+severity: high
\ No newline at end of file
diff --git a/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml
new file mode 100644
index 0000000..8c4eff8
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/removed_unnecessary_file_mount_support/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ The Linux system supports a variety of file systems, which are
+ loaded into the kernel through ko mode. As a general operating
+ system platform, openEuler will provide various file systems ko,
+ which are stored in the /lib/modules/(kernel version)/kernel/fs/
+ directory and can be loaded through the insmod/modprobe command.
+ Disabling mount support for unnecessary file systems can reduce
+ the attack surface and prevent attackers from attacking the system
+ by exploiting vulnerabilities in some uncommon file systems.
+
+ Users should determine which file systems do not need to be supported
+ based on actual scenarios, and prohibit these file systems from being
+ mounted through configuration. These file systems usually include:
+
+ cramfs、freevxfs、jffs2、hfs、hfsplus、squashfs、udf、vfat、fat、msdos、nfs、ceph、fuse、overlay、xfs
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+
+rationale: |-
+ The removed file system is no longer supported.
+
+severity: high
\ No newline at end of file
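Review bot: The "usually unnecessary" list includes vfat, xfs, overlay, fuse and nfs, which are load-bearing on common deployments — vfat backs the EFI system partition (`/boot/efi` appears as a mount point elsewhere in this patch), overlay is required by container runtimes, and xfs may be the root file system — so following the rule as written can make a host unbootable or break workloads; suggest splitting into the usual candidates (cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf) and a "confirm before disabling" group. The description says to "prohibit these file systems from being mounted through configuration" without saying how; the standard mechanism is a `/etc/modprobe.d/*.conf` entry such as `install cramfs /bin/false` plus `blacklist cramfs`, verified with `modprobe -n -v cramfs`. `rationale: The removed file system is no longer supported.` is circular; the attack-surface argument from the description is the rationale. The `、` separators in the list should be ", " for the English rendering.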
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index cd07fd0..ce86997 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,openeuler2203
title: 'Restrict usage of ptrace to descendant processes'
diff --git a/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml
new file mode 100644
index 0000000..cb8f534
--- /dev/null
+++ b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Avoid using programms labeled unconfined_service_t'
+
+description: |-
+ The purpose of SELinux setting the unconfined_service_t label
+ is to enable some third-party service processes that are not
+ configured with SELinux policies to run unfettered. By default,
+ when systemd runs a third-party application with the label bin_t
+ or usr_t (generally located in /usr/bin, /opt, etc. directories),
+ the generated process label is unconfined_service_t.
+
+ The difference from other high-privilege labels (such as unconfined_t,
+ initrc_t, etc.) is that unconfined_service_t has very few domain
+ conversion rules, which means that even if the process runs applications
+ that have been configured with SELinux policies, the label of the
+ new process will still be unconfined_service_t. The SELinux policy
+ configured for the process will not take effect. If it is attacked,
+ it will have a greater impact on the system.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ Programs labeled unconfined_service_t are restricted from running.
+
+severity: low
\ No newline at end of file
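Review bot: The rationale "Programs labeled unconfined_service_t are restricted from running." states a consequence rather than a reason, and the title has a typo (`programms`). The account of domain transitions in the description is plausible but gives an auditor nothing to verify; a concrete manual check is `ps -eZ | grep unconfined_service_t` to list processes running in that domain, with the remediation being a policy module (or a file label that transitions into a confined domain) for each such service. The description should also state the prerequisite that this rule only matters with SELinux enabled and enforcing, since the label has no effect otherwise.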
diff --git a/linux_os/guide/system/software/enabled_seccomp/rule.yml b/linux_os/guide/system/software/enabled_seccomp/rule.yml
new file mode 100644
index 0000000..3e68100
--- /dev/null
+++ b/linux_os/guide/system/software/enabled_seccomp/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'seccomp should be enabled'
+
+description: |-
+ seccomp (full name: secure computing mode), when it was first introduced into the
+ Linux kernel, limited the system calls available to the process to four types: read,
+ write, _exit, sigreturn. In the original whitelisting method, in addition to the
+ four system calls allowed by the open file descriptor, if other system calls are
+ attempted, the kernel will use SIGKILL or SIGSYS to terminate the process.
+
+ The whitelist method is too restrictive and has little practical effect. In practical
+ applications, more precise restrictions are needed. In order to solve this problem,
+ BPF was introduced. The combination of seccomp and BPF rules allows users to filter
+ system calls using configurable policies. The policy is implemented using Berkeley
+ Packet Filter rules, which can filter any system calls and their parameters.
+
+ The openEuler kernel already provides seccomp function support by default, and also
+ provides the libseccomp peripheral package to help user-mode programs conveniently
+ set seccomp rules.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ seccomp cannot set the opening, closing or rules globally, but is specific to each
+ process. That is, the process can set and enable seccomp by itself, which affects
+ itself and all child threads, but does not affect other processes.
+
+ If seccomp is enabled in a process, there will be a performance loss when making
+ system calls. Users need to determine whether the performance loss is acceptable
+ based on actual business scenarios.
+
+severity: low
\ No newline at end of file
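Review bot: The rule says it cannot be scanned automatically, yet the rationale itself explains that seccomp is per-process and cannot be switched on globally, so as written an auditor has nothing system-level to check; the rule should say what is expected (kernel support present, and the site's services started with a filter). Concrete checks worth naming: `grep CONFIG_SECCOMP= /boot/config-$(uname -r)` for kernel support, and the `Seccomp:` line in `/proc/<pid>/status` (2 = filter mode) for a given service; with systemd, `SystemCallFilter=` in the unit applies a filter without code changes. The sentence "In the original whitelisting method, in addition to the four system calls allowed by the open file descriptor, if other system calls are attempted..." is garbled; strict mode allows read/write/_exit/sigreturn on already-open descriptors and kills the process on anything else.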
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index 787d897..6d9c09d 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,ol8,rhel8,openeuler2203
title: 'Configure System Cryptography Policy'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
index f9835af..4fb6a78 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
@@ -7,6 +7,7 @@
<platform>multi_platform_fedora</platform>
<platform>multi_platform_ol</platform>
<platform>multi_platform_rhel</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>The aide database must be initialized.</description>
</metadata>
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml
new file mode 100644
index 0000000..d2e80fa
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'aide intrusion detection should be enabled'
+
+description: |-
+ aide (advanced intrusion detection environment) is an intrusion detection tool that
+ can be used to check the integrity of files and directories in the system and identify
+ files or directories that have been maliciously tampered with. The principle of the
+ integrity check is to first construct a baseline database, which contains some attributes
+ of the file or directory such as permissions, users, etc. When performing the integrity
+ check, the current system status is compared with the baseline database to obtain the
+ check results. Finally, the file or directory changes of the current system are reported,
+ that is, the inspection report.
+
+ Enabling aide intrusion detection can effectively identify malicious tampering with files
+ or directories, thereby improving system integrity and security. The files or directories
+ that need to be checked can be configured as needed, which is highly flexible. Users only
+ need to query the check report to determine whether there is malicious tampering.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ The more files that need to be checked, the longer the checking process will take. If users
+ enable aide, they should configure the inspection strategy appropriately based on their own
+ business scenarios.
+
+severity: low
\ No newline at end of file
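Review bot: The "can not be scanned automatically" note is at odds with the rest of this patch, which extends `aide_build_database` to openEuler in an earlier hunk; the package-installed, database-built and periodic-check rules are machine-checkable, so this would be better expressed as a group selecting those automated rules than as a manual rule. A caveat the rationale is missing: the baseline database and `aide.conf` must be protected (read-only, or a copy kept off-host or signed), because an attacker who can tamper with files can equally re-run `aide --init` and replace the baseline, which silently defeats the check. The description should also say the database must be re-initialised after legitimate package updates, otherwise the report fills with expected changes and real tampering is missed.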
diff --git a/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
new file mode 100644
index 0000000..426be91
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml
@@ -0,0 +1,47 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'IMA metrics should be enabled'
+
+description: |-
+ IMA (Integrity Measurement Architecture) is an integrity protection function provided
+ by the kernel. When IMA is turned on, it can provide integrity measurements for
+ important files in the system based on user-defined policies. The measurement results
+ can be used locally and remotely. Proof of integrity.
+
+ When the IMA measurement function is not enabled in the system, summary information
+ of key files cannot be recorded in real time, and tampering with file contents or
+ attributes cannot be identified. Functions such as local attestation and remote
+ attestation that protect system integrity rely on the summary value provided by IMA
+ metrics, so they cannot be used, or the integrity protection is incomplete.
+
+ IMA global policy configuration is related to the specific environment. Normally,
+ integrity protection is only targeted at immutable files (such as executable files,
+ dynamic libraries, etc.). If the policy is improperly configured, it may lead to
+ excessive performance and memory overhead. It is recommended that users use their
+ own The situation determines whether to enable IMA and configure the correct policy.
+
+ Note: Since IMA is only the measurement part of the global integrity protection
+ mechanism, complete use requires TPM 2.0 and remote attestation services. This
+ specification only explains and recommends the measurement part of IMA. If the
+ system does not integrate TPM 2.0 and remote attestation services, the IMA measurement
+ function should not be enabled.
+
+ IMA measurement does not support container environments and virtual machine
+ environments, requires UEFI startup, and does not support Legacy mode.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ Turning on IMA metrics will cause a slight increase in system startup time and file
+ access time.
+ If the policy is improperly configured (such as measuring real-time changing log files,
+ temporary files, etc.), the measurement log may grow too fast and occupy too much system
+ memory, and the memory occupied by the measurement log will not be released before the
+ next restart of the system. , thus affecting the normal operation of the business. In
+ addition, because the measured files are constantly changing, the measurement value changes,
+ and the remote certification baseline value cannot be updated synchronously, causing the
+ remote certification to fail and losing the meaning of integrity protection.
+
+severity: low
\ No newline at end of file
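Review bot: The statement that IMA measurement "does not support container environments and virtual machine environments, requires UEFI startup, and does not support Legacy mode" is not true of mainline IMA — measurement works on legacy BIOS and in VMs (a vTPM is needed only for attestation) — so if this is a limitation of openEuler's implementation it should be stated as such with a reference, otherwise dropped. "If the system does not integrate TPM 2.0 and remote attestation services, the IMA measurement function should not be enabled" is also too strong: without a TPM the measurement list is unattested but still usable locally, and the real reason for caution is the unbounded memory growth the rationale already describes. Title and text should say "measurement" rather than "metrics". A manual-check hint would help: the active policy is readable at `/sys/kernel/security/ima/policy` and the measurement list at `/sys/kernel/security/ima/ascii_runtime_measurements`.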
diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
new file mode 100644
index 0000000..788eab7
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure sudoers cannot configure scripts writable by low-privileged users'
+
+description: |-
+ sudo can enable the set ordinary user to execute certain specific programs with root privileges,
+ and the corresponding configuration file is /etc/sudoers. Administrator users can configure
+ corresponding rules to make certain scripts or binary files run with root permissions. Therefore,
+ the scripts configured by sudo should only be writable by root. Scripts that can be written by
+ low-privilege users cannot be configured. If low-privilege users are configured, they can be written
+ by root. script, the user can perform privilege escalation operations by modifying the script.
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
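Review bot: This rule has neither an OVAL check nor the "check it manually" marker the other new rules carry, yet it is selected in the standard profile, so it ships with nothing to evaluate; at minimum add the marker, and better a check: for every command path in `/etc/sudoers` and `/etc/sudoers.d/*`, verify it is owned by root and not group- or world-writable (`find <path> -perm /022`), and that its parent directory is not writable by the sudoer either, since a writable directory lets the file be replaced wholesale. The last two sentences of the description ("Scripts that can be written by low-privilege users cannot be configured. If low-privilege users are configured, they can be written by root. script...") are garbled and should read: "Scripts writable by low-privileged users must not be configured in sudoers; otherwise the user can escalate privileges by editing the script." `rationale: none.` should state exactly that escalation path.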
diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml
new file mode 100644
index 0000000..ea4e9cf
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="disabled_SysRq" version="1">
+ <metadata>
+ <title>Disable use of SysRq key</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Disable SysRq.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="disable sysrq"
+ test_ref="test_disabled_SysRq" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="disable sysrq"
+ id="test_disabled_SysRq" version="1">
+ <ind:object object_ref="obj_test_disabled_SysRq" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_test_disabled_SysRq" version="1">
+ <ind:filepath>/proc/sys/kernel/sysrq</ind:filepath>
+ <ind:pattern operation="pattern match">0</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
\ No newline at end of file
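Review bot: `<ind:pattern operation="pattern match">0</ind:pattern>` is unanchored, so any `/proc/sys/kernel/sysrq` value containing a zero — 10, 100, 160, 208 — passes the check although SysRq is enabled; the pattern should be `^0$`. The test also only inspects the live value, and a reboot restores whatever `/etc/sysctl.conf` or `/etc/sysctl.d/*.conf` sets, so the persistent configuration needs checking too; the project's sysctl rules (for example `sysctl_kernel_yama_ptrace_scope`, extended to openEuler earlier in this patch) already check both, and `kernel.sysrq = 0` would fit that template instead of hand-written OVAL. Because common defaults such as 16 or 176 contain no zero, the current pattern behaves correctly on a typical test box and the bug only shows on hosts with values like 10 or 100.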
diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml
new file mode 100644
index 0000000..ce7e977
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml
@@ -0,0 +1,20 @@
+
+prodtype: openeuler2203
+
+title: 'Disable use of SysRq key'
+
+description: |-
+
+ SysRq allows users with physical access to access dangerous system-level commands
+ in the computer, and the use of SysRq functions needs to be restricted.
+
+ If the SysRq key is not disabled, the SysRq call can be triggered through the
+ keyboard, which may cause commands to be sent directly to the kernel, affecting
+ the system.
+
+ openEuler prohibits the use of SysRq keys by default.
+
+rationale: |-
+ SysRq related commands cannot be used in the system.
+
+severity: high
\ No newline at end of file
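Review bot: `documentation_complete: true` is missing — the file opens with a blank line where every other rule in this patch has that key — and I believe the build tooling uses that flag to decide whether a rule is included, so confirm this rule is not silently dropped from the openEuler datastream. The rationale "SysRq related commands cannot be used in the system." is the effect, not the reason; the reason is that anyone at the console (including a serial or BMC console) can otherwise reboot, crash or dump the memory of the host without authenticating. "openEuler prohibits the use of SysRq keys by default" is unverifiable here; if it holds, cite the sysctl file that sets it.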
diff --git a/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml
new file mode 100644
index 0000000..c537c20
--- /dev/null
+++ b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ If the business environment contains debugging scripts and tools, they can
+ easily be exploited and attacked by attackers. Therefore, it is strictly
+ prohibited to install various debugging tools and files in the production
+ environment, including but not limited to: code debugging tools, privilege
+ escalation commands, scripts, and tools used for debugging functions, certificates,
+ and keys used in the debugging phase. Perf tools, point management and piling
+ tools for performance testing, attack scripts and tool scripts for verifying
+ security issues such as CVE, etc. Common open source third-party debugging tools
+ include: strace, gdb, readelf, perf, etc.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
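Review bot: The title "Make sure to remove unnecessary file system mount support" is copied from the file-system rule and does not describe this one; suggest `title: 'Remove debugging tools from production systems'`. The scope mixes items an auditor can enumerate with ones they cannot: strace, gdb and perf are packages and could use the `package_*_removed` template the profile already relies on (as with `package_httpd_removed`), leaving "certificates and keys used in the debugging phase" and "attack scripts" to the manual check. readelf is part of binutils, which is commonly pulled in as a dependency of other packages, so listing it as removable may not be realisable — confirm on openEuler. `rationale: none.` should carry the "easily exploited by attackers" argument from the description.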
diff --git a/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml
new file mode 100644
index 0000000..f3bfd27
--- /dev/null
+++ b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Make sure to remove unnecessary file system mount support'
+
+description: |-
+ If the business environment contains compilation tools, they can
+ easily be used by attackers to edit, tamper with, and reverse analyze
+ key files in the environment to carry out attacks. Therefore, it is
+ strictly prohibited to install various compilation, decompilation,
+ and binary analysis tools in the production environment, including
+ but not limited to: compilation tools, decompilation tools, compilation
+ environments, etc. Common third-party development and compilation tools
+ include: gcc, cpp, mcpp, flex, cmake, make, rpm-build, ld, ar, etc.
+
+ If the business environment relies on interpreters such as python, lua,
+ and perl during deployment or operation, the interpreter running
+ environment can be retained.
+
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+rationale: |-
+ none.
+
+severity: high
\ No newline at end of file
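Review bot: The title is copied from the file-system rule and does not describe this one; suggest `title: 'Remove development and compilation tools from production systems'`, and the directory name `compliation` is misspelled — rule ids are permanent once a profile ships, so rename before the first release. `ld` and `ar` come from binutils, which the package manager is likely to keep as a dependency of other packages, so the list should separate tools that can actually be removed (gcc, cpp, make, cmake, rpm-build, flex) from those that may not; the removable ones could use the `package_*_removed` template as the profile already does for `package_httpd_removed`. `rationale: none.` should carry the "attackers can build, tamper with or reverse key files" argument from the description.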
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
index de6890c..543712a 100644
--- a/openeuler2203/profiles/standard.profile
+++ b/openeuler2203/profiles/standard.profile
@@ -164,3 +164,96 @@ selections:
- file_permissions_unauthorized_world_writable
- file_permissions_unauthorized_suid
- file_permissions_unauthorized_sgid
+ - network_sniffing_tools
+ - service_rsyncd_disabled
+ - package_openldap-clients_removed
+ - no_forward_files
+ - sshd_configure_correct_interface
+ - sshd_concurrent_unauthenticated_connections
+ - sshd_configure_concurrent_sessions
+ - sshd_disable_x11_forwarding
+ - sshd_configure_correct_LoginGraceTime
+ - sshd_disable_AllowTcpForwardindg
+ - sshd_prohibit_preset_authorized_keys
+ - network_interface_binding_corrently
+ - iptables_loopback_policy_configured_corrently
+ - iptables_input_policy_configured_corrently
+ - iptables_output_policy_configured_corrently
+ - iptables_association_policy_configured_corrently
+ - service_nftables_enabled
+ - nftables_configure_default_deny_policy
+ - nftables_loopback_policy_configured_corrently
+ - nftables_input_policy_configured_corrently
+ - nftables_output_policy_configured_corrently
+ - nftables_association_policy_configured_corrently
+ - sudoers_disable_low_privileged_configure
+ - no_files_globally_writable_files
+ - removed_unnecessary_file_mount_support
+ - read_only_partitions_no_modified
+ - partitions_mounted_nodev_mode
+ - partitions_mounted_noexec_mode
+ - partitoin_mounted_noexec_or_nodev
+ - partitions_mounted_nosuid_mode
+ - audit_privilege_escalation_command
+ - audit_rule_admin_privilege
+ - recorded_authentication_related_event
+ - rsyslog_files_permissions
+ - uninstall_debugging_tools
+ - uninstall_development_and_compliation_tools
+ - package_xorg-x11-server-common_removed
+ - package_httpd_removed
+ - service_smb_disabled
+ - service_named_disabled
+ - service_nfs-server_disabled
+ - service_rpcbind_disabled
+ - service_dhcpd_disabled
+ - configure_first_logging_change_password
+ - sshd_disable_root_login
+ - diasable_root_accessing_system
+ - wireless_disable_interfaces
+ - sshd_enable_warning_banner
+ - disabled_SysRq
+ - sysctl_kernel_yama_ptrace_scope
+ - disabled_unconfined_service_t_programs
+ - enabled_seccomp
+ - define_ld_lib_path_correctly
+ - define_path_strictly
+ - grub2_audit_argument
+ - grub2_audit_backlog_limit_argument
+ - audit_rules_immutable
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_space_left
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_admin_space_left
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_disk_error_action
+ - auditd_data_disk_full_action
+ - audit_rules_sysadmin_actions
+ - audit_rules_session_events
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - audit_rules_mac_modification
+ - audit_rules_networkconfig_modification
+ - audit_rules_successful_file_modification
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_media_export
+ - configure_service_logging
+ - configure_dump_journald_log
+ - configure_rsyslog_log_rotate
+ - rsyslog_remote_loghost
+ - rsyslog_accept_remote_messages_tcp
+ - rsyslog_accept_remote_messages_udp
+ - enable_aide_detection
+ - service_haveged_enabled
+ - configure_crypto_policy
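Review bot: Several rule ids selected here are misspelled — `corrently` (nine selections), `diasable_root_accessing_system`, `partitoin_mounted_noexec_or_nodev`, `uninstall_development_and_compliation_tools`, `sshd_disable_AllowTcpForwardindg` — and since a selection must match the rule directory exactly, these spellings get frozen into shipped identifiers; fixing them before the first release avoids a rename later. The profile also selects the iptables policy rules alongside `service_nftables_enabled` and the nftables policy rules; if those are implemented as checks on their respective firewall, a host can satisfy only one set, so they should be offered as alternatives or one set dropped. `rsyslog_accept_remote_messages_tcp` and `_udp` make every host listen for syslog from the network, which is a log-server setting rather than a baseline and widens the attack surface of a "standard" profile; leave them to a dedicated log-server profile.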
--
2.42.0.windows.2