scap-security-guide/add-openeuler-control-rules.patch


From 3fbea982617efca9b39a12724d7bad94ca8d849c Mon Sep 17 00:00:00 2001
From: "steven.y.gui" <steven_ygui@163.com>
Date: Mon, 19 Feb 2024 16:22:48 +0800
Subject: [PATCH] add openeuler control rules
---
controls/std_openeuler.yml | 1786 ++++++++++++++++-
.../service_avahi-daemon_disabled/rule.yml | 2 +-
.../file_groupowner_cron_d/rule.yml | 2 +-
.../file_groupowner_cron_daily/rule.yml | 2 +-
.../file_groupowner_cron_hourly/rule.yml | 2 +-
.../file_groupowner_cron_monthly/rule.yml | 2 +-
.../file_groupowner_cron_weekly/rule.yml | 2 +-
.../file_groupowner_crontab/rule.yml | 2 +-
.../cron_and_at/file_owner_cron_d/rule.yml | 2 +-
.../file_owner_cron_daily/rule.yml | 2 +-
.../file_owner_cron_hourly/rule.yml | 2 +-
.../file_owner_cron_monthly/rule.yml | 2 +-
.../file_owner_cron_weekly/rule.yml | 2 +-
.../cron_and_at/file_owner_crontab/rule.yml | 2 +-
.../file_permissions_cron_d/rule.yml | 2 +-
.../file_permissions_cron_daily/rule.yml | 2 +-
.../file_permissions_cron_hourly/rule.yml | 2 +-
.../file_permissions_cron_monthly/rule.yml | 2 +-
.../file_permissions_cron_weekly/rule.yml | 2 +-
.../file_permissions_crontab/rule.yml | 2 +-
.../file_at_deny_not_exist/rule.yml | 2 +-
.../file_cron_deny_not_exist/rule.yml | 2 +-
.../file_groupowner_at_allow/rule.yml | 2 +-
.../file_groupowner_cron_allow/rule.yml | 2 +-
.../file_owner_at_allow/rule.yml | 2 +-
.../file_owner_cron_allow/rule.yml | 2 +-
.../file_permissions_at_allow/rule.yml | 2 +-
.../file_permissions_cron_allow/rule.yml | 2 +-
.../service_crond_enabled/rule.yml | 2 +-
.../service_dhcpd_disabled/rule.yml | 2 +-
.../service_named_disabled/rule.yml | 2 +-
.../package_httpd_removed/rule.yml | 2 +-
.../package_openldap-clients_removed/rule.yml | 2 +-
.../package_openldap-servers_removed/rule.yml | 2 +-
.../service_rpcbind_disabled/rule.yml | 2 +-
.../service_nfs_disabled/rule.yml | 2 +-
.../rule.yml | 2 +-
.../ntp/ntpd_configure_restrictions/rule.yml | 2 +-
.../nis/package_ypbind_removed/rule.yml | 2 +-
.../nis/package_ypserv_removed/rule.yml | 2 +-
.../obsolete/service_rsyncd_disabled/rule.yml | 4 +-
.../printing/package_cups_removed/rule.yml | 2 +-
.../package_samba_removed/rule.yml | 2 +-
.../package_net-snmp_removed/rule.yml | 2 +-
.../sshd_use_strong_ciphers/rule.yml | 2 +-
.../ssh_server/sshd_use_strong_kex/rule.yml | 2 +-
.../ssh_server/sshd_use_strong_macs/rule.yml | 2 +-
.../guide/services/ssh/sshd_strong_kex.var | 1 +
.../rule.yml | 2 +-
.../xwindows_remove_packages/rule.yml | 2 +-
.../file_groupowner_etc_issue/rule.yml | 2 +-
.../file_groupowner_etc_issue_net/rule.yml | 2 +-
.../file_groupowner_etc_motd/rule.yml | 2 +-
.../file_owner_etc_issue/rule.yml | 2 +-
.../file_owner_etc_issue_net/rule.yml | 2 +-
.../file_owner_etc_motd/rule.yml | 2 +-
.../file_permissions_etc_issue/rule.yml | 2 +-
.../file_permissions_etc_issue_net/rule.yml | 2 +-
.../file_permissions_etc_motd/rule.yml | 2 +-
.../accounts-banners/warning_banners/rule.yml | 24 +
.../rule.yml | 2 +-
.../oval/openeuler.xml | 291 +++
.../rule.yml | 2 +-
.../oval/openeuler.xml | 285 +++
.../rule.yml | 2 +-
...nts_passwords_pam_faillock_unlock_time.var | 1 +
.../accounts_password_pam_dcredit/rule.yml | 2 +-
.../accounts_password_pam_dictcheck/rule.yml | 2 +-
.../rule.yml | 2 +-
.../accounts_password_pam_lcredit/rule.yml | 2 +-
.../accounts_password_pam_minclass/rule.yml | 2 +-
.../accounts_password_pam_minlen/rule.yml | 2 +-
.../accounts_password_pam_ocredit/rule.yml | 2 +-
.../accounts_password_pam_retry/rule.yml | 2 +-
.../accounts_password_pam_ucredit/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../oval/shared.xml | 2 +-
.../require_emergency_target_auth/rule.yml | 4 +-
.../service_debug-shell_disabled/rule.yml | 2 +-
.../account_temp_expire_date/rule.yml | 2 +-
.../account_unique_id/rule.yml | 2 +-
.../group_unique_id/rule.yml | 2 +-
.../group_unique_name/rule.yml | 2 +-
.../accounts_maximum_age_login_defs/rule.yml | 1 -
.../accounts_minimum_age_login_defs/rule.yml | 1 -
.../no_forward_files/rule.yml | 2 +-
.../root_logins/use_pam_wheel_for_su/rule.yml | 2 +-
.../accounts-session/accounts_tmout/rule.yml | 2 +-
.../rule.yml | 2 +-
.../accounts_umask_etc_bashrc/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../audit_rules_login_events_lastlog/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../audit_rules_sudoers/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../auditd_audispd_disk_full_action/rule.yml | 2 +-
.../rule.yml | 2 +-
.../auditd_data_retention_space_left/rule.yml | 2 +-
.../auditing/grub2_audit_argument/rule.yml | 2 +-
.../rule.yml | 2 +-
.../non-uefi/grub2_password/rule.yml | 2 +-
.../uefi/grub2_uefi_password/rule.yml | 2 +-
.../rsyslog_cron_logging/rule.yml | 2 +-
.../rsyslog_logging_configured/rule.yml | 2 +-
.../rsyslog_remote_access_monitoring/rule.yml | 2 +-
.../logging/rsyslog_filecreatemode/rule.yml | 2 +-
.../service_firewalld_enabled/rule.yml | 2 +-
.../set_firewalld_appropriate_zone/rule.yml | 2 +-
.../rule.yml | 2 +-
.../set_ipv6_loopback_traffic/rule.yml | 4 +
.../set_loopback_traffic/rule.yml | 4 +
.../set_iptables_default_rule/rule.yml | 4 +
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 5 +-
.../rule.yml | 5 +-
.../rule.yml | 5 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../sysctl_net_ipv4_tcp_syncookies/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../sysctl_net_ipv4_ip_forward/rule.yml | 2 +-
.../rule.yml | 2 +-
.../service_nftables_enabled/rule.yml | 2 +-
.../set_nftables_loopback_traffic/rule.yml | 2 +-
.../set_nftables_new_connections/rule.yml | 2 +-
.../kernel_module_sctp_disabled/rule.yml | 2 +-
.../wireless_disable_interfaces/rule.yml | 6 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../file_permissions_ungroupowned/rule.yml | 2 +-
.../files/no_files_unowned_by_user/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../sysctl_kernel_randomize_va_space/rule.yml | 3 +
.../sysctl_kernel_dmesg_restrict/rule.yml | 2 +-
.../restrictions/sysctl_kernel_sysrq/rule.yml | 2 +-
.../sysctl_kernel_yama_ptrace_scope/rule.yml | 2 +-
.../selinux_confinement_of_daemons/rule.yml | 2 +-
.../selinux/selinux_policytype/rule.yml | 2 +-
.../crypto/configure_crypto_policy/rule.yml | 2 +-
.../aide/aide_build_database/rule.yml | 2 +-
.../aide/package_aide_installed/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../ensure_gpgcheck_never_disabled/rule.yml | 2 +-
products/openeuler2203/product.yml | 1 +
products/openeuler2403/product.yml | 1 +
shared/applicability/package.yml | 2 +-
195 files changed, 2599 insertions(+), 187 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml
diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
index 5599b04..eb66293 100644
--- a/controls/std_openeuler.yml
+++ b/controls/std_openeuler.yml
@@ -7,28 +7,1808 @@ levels:
- id: base
controls:
+ - id: 1.1.1_no_unowner_ungroup_files
+ title: Ensure All Files Have Owner And Group
+ levels:
+ - base
+ status: automated
+ rules:
+ - no_files_unowned_by_user
+ - no_files_unowned_by_user.severity=high
+ - file_permissions_ungroupowned
+ - file_permissions_ungroupowned.severity=high
+
+ - id: 1.1.2_no_empty_symlink
+ title: Ensure No Empty Symlink
+ levels:
+ - base
+ status: planned
+
+ - id: 1.1.3_no_hidden_exec_files
+ title: Ensure No Hidden Executable Files
+ levels:
+ - base
+ status: planned
+
+ - id: 1.1.4_global_writable_dir_sticky_set
+ title: Ensure Sticky Set On Global Writable Folder
+ levels:
+ - base
+ status: automated
+ rules:
+ - dir_perms_world_writable_sticky_bits
+ - dir_perms_world_writable_sticky_bits.severity=high
+
+ - id: 1.1.5_umask_set_correct
+ title: Ensure UMASK Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_bashrc.severity=high
+ - var_accounts_user_umask=077
+
+ - id: 1.1.6_no_global_writable_file
+ title: Ensure No Global Writable File
+ levels:
+ - base
+ status: automated
+ rules:
+ - file_permissions_unauthorized_world_writable
+ - file_permissions_unauthorized_world_writable.severity=high
+
+ - id: 1.1.7_umount_unnecessary_file_system
+ title: Umount Unnecessary File System
+ levels:
+ - base
+ status: planned
+
+ - id: 1.1.8_mount_as_readonly
+ title: Ensure Mount As Readonly If No Need To Write
+ levels:
+ - base
+ status: planned
+
+ - id: 1.1.9_mount_as_nodev
+ title: Ensure Mount As Nodev
+ levels:
+ - base
+ status: planned
+
+ - id: 1.1.10_mount_as_noexec
+ title: Ensure Mount As Noexec
+ levels:
+ - base
+ status: planned
+
+ - id: 1.1.11_mount_as_noexec_nodev_for_removable
+ title: Ensure Mount As Noexec And Nodev For Removable Device
+ levels:
+ - base
+ status: automated
+ rules:
+ - mount_option_noexec_removable_partitions
+ - mount_option_noexec_removable_partitions.severity=high
+ - mount_option_nodev_removable_partitions
+ - mount_option_nodev_removable_partitions.severity=high
+
+ - id: 1.1.12_mount_as_nosuid
+ title: Ensure Mount As Nosuid
+ levels:
+ - base
+ status: planned
+
+ - id: 1.1.13_remove_unnecessary_suid_sgid
+ title: Ensure Remove Unnecessary SUID And SGID
+ levels:
+ - base
+ status: automated
+ rules:
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_suid.severity=high
+ - file_permissions_unauthorized_sgid
+ - file_permissions_unauthorized_sgid.severity=high
+
+ - id: 1.1.14_file_permission_minimize
+ title: Ensure File Permission Minimize
+ levels:
+ - base
+ status: planned
+
+ - id: 1.1.15_ulimit_correctly
+ title: Ensure Ulinmit Correctly
+ levels:
+ - base
+ status: planned
+
+ - id: 1.1.16_symlinks_hardlinks_protected
+ title: Ensure Symlinks And Hardlinks Protected
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_fs_protected_symlinks
+ - sysctl_fs_protected_symlinks.severity=high
+ - sysctl_fs_protected_hardlinks
+ - sysctl_fs_protected_hardlinks.severity=high
+
+ - id: 1.1.17_usb_disabled
+ title: Ensure USB Disabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - kernel_module_usb-storage_disabled
+ - kernel_module_usb-storage_disabled.severity=low
+
+ - id: 1.1.18_partitions_management
+ title: Ensure Different Data Store In Different Partitions
+ levels:
+ - base
+ status: planned
+
+ - id: 1.1.19_library_path_correct
+ title: Ensure LD_LIBRARY_PATH Correct
+ levels:
+ - base
+ status: planned
+
+ - id: 1.1.20_user_path_correct
+ title: Ensure User PATH Correct
+ levels:
+ - base
+ status: planned
+
- id: 1.2.1_ftp_not_installed
- title: Ensure FTP is not installed
+ title: Ensure FTP Not Installed
levels:
- base
status: automated
rules:
- package_ftp_removed
+ - package_ftp_removed.severity=high
- id: 1.2.2_tftp_server_not_installed
- title: Ensure TFTP Server is not installed
+ title: Ensure TFTP Server Not Installed
levels:
- base
status: automated
rules:
- package_tftp_removed
+ - package_tftp_removed.severity=high
- package_tftp-server_removed
+ - package_tftp-server_removed.severity=high
- id: 1.2.3_telnet_server_not_installed
- title: Ensure Telnet Server is not installed
+ title: Ensure Telnet Server Not Installed
levels:
- base
status: automated
rules:
- package_telnet_removed
+ - package_telnet_removed.severity=high
- package_telnet-server_removed
+ - package_telnet-server_removed.severity=high
+
+ - id: 1.2.4_snmp_not_installed
+ title: Ensure SNMP Not Installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_net-snmp_removed
+ - package_net-snmp_removed.severity=high
+
+ - id: 1.2.5_python2_not_installed
+ title: Ensure Python2 Not Installed
+ levels:
+ - base
+ status: planned
+
+ - id: 1.2.6_gpg_check_configured
+ title: Ensure GPG Check Configured
+ levels:
+ - base
+ status: automated
+ rules:
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_globally_activated.severity=high
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_never_disabled.severity=high
+
+ - id: 1.2.7_debug-shell_disabled
+ title: Ensure Debug-Shell Disabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_debug-shell_disabled
+ - service_debug-shell_disabled.severity=high
+
+ - id: 1.2.8_rsync_not_installed
+ title: Ensure Rsync Not Installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_rsyncd_disabled
+ - service_rsyncd_disabled.severity=high
+
+ - id: 1.2.9_avahi_not_installed
+ title: Ensure Avahi Not Installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_avahi-daemon_disabled
+ - service_avahi-daemon_disabled.severity=high
+
+ - id: 1.2.10_ldap_server_not_installed
+ title: Ensure LDAP Server Not Installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_openldap-servers_removed
+ - package_openldap-servers_removed.severity=high
+
+ - id: 1.2.11_cups_not_installed
+ title: Ensure CUPS Not Installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_cups_removed
+ - package_cups_removed.severity=high
+
+ - id: 1.2.12_nis_server_not_installed
+ title: Ensure NIS Server Not Installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_ypserv_removed
+ - package_ypserv_removed.severity=high
+
+ - id: 1.2.13_nis_client_not_installed
+ title: Ensure NIS Client Not Installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_ypbind_removed
+ - package_ypbind_removed.severity=high
+
+ - id: 1.2.14_ldap_client_not_installed
+ title: Ensure LDAP Client Not Installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_openldap-clients_removed
+ - package_openldap-clients_removed.severity=high
+
+ - id: 1.2.15_no_network_sniffing_software
+ title: Ensure Network Sniffing Software Removed
+ levels:
+ - base
+ status: planned
+
+ - id: 1.2.16_no_debug_tools
+ title: Ensure Debug Tools Removed
+ levels:
+ - base
+ status: planned
+
+ - id: 1.2.17_no_compiler_tools
+ title: Ensure Compiler Tools Removed
+ levels:
+ - base
+ status: planned
+
+ - id: 1.2.18_xwindow_not_installed
+ title: Ensure X Window Not Installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - xwindows_remove_packages
+ - xwindows_remove_packages.severity=low
+
+ - id: 1.2.19_http_not_installed
+ title: Ensure Http Service Not Installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_httpd_removed
+ - package_httpd_removed.severity=low
+
+ - id: 1.2.20_samba_not_installed
+ title: Ensure Samba Service Not Installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_samba_removed
+ - package_samba_removed.severity=low
+
+ - id: 1.2.21_dns_disabled
+ title: Ensure DNS Service Disabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_named_disabled
+ - service_named_disabled.severity=low
+
+ - id: 1.2.22_nfs_disabled
+ title: Ensure NFS Service Disabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_nfs_disabled
+ - service_nfs_disabled.severity=low
+
+ - id: 1.2.23_rpc_disabled
+ title: Ensure RPC Service Disabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_rpcbind_disabled
+ - service_rpcbind_disabled.severity=low
+
+ - id: 1.2.24_DHCP_disabled
+ title: Ensure DHCP Service Disabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_dhcpd_disabled
+ - service_dhcpd_disabled.severity=low
+
+
+ - id: 2.1.1_login_accounts_are_necessary
+ title: Ensure All Login Accounts Are Necessary
+ levels:
+ - base
+ status: planned
+
+ - id: 2.1.2_no_unused_accounts
+ title: Ensure No Unused Accounts
+ levels:
+ - base
+ status: planned
+
+ - id: 2.1.3_different_accounts_have_different_groupid
+ title: Ensure Different Accounts Have Different GroupID
+ levels:
+ - base
+ status: planned
+
+ - id: 2.1.4_no_uid_0_except_root
+ title: Ensure Only Root's UID Is 0
+ levels:
+ - base
+ status: automated
+ rules:
+ - accounts_no_uid_except_zero
+ - accounts_no_uid_except_zero.severity=high
+
+ - id: 2.1.5_account_related_files_permission
+ title: Ensure Account Related Files Have Correct Permission
+ levels:
+ - base
+ status: automated
+ rules:
+ - file_owner_etc_passwd
+ - file_owner_etc_passwd.severity=high
+ - file_groupowner_etc_passwd
+ - file_groupowner_etc_passwd.severity=high
+ - file_owner_etc_shadow
+ - file_owner_etc_shadow.severity=high
+ - file_groupowner_etc_shadow
+ - file_groupowner_etc_shadow.severity=high
+ - file_owner_etc_group
+ - file_owner_etc_group.severity=high
+ - file_groupowner_etc_group
+ - file_groupowner_etc_group.severity=high
+ - file_owner_etc_gshadow
+ - file_owner_etc_gshadow.severity=high
+ - file_groupowner_etc_gshadow
+ - file_groupowner_etc_gshadow.severity=high
+ - file_owner_backup_etc_passwd
+ - file_owner_backup_etc_passwd.severity=high
+ - file_groupowner_backup_etc_passwd
+ - file_groupowner_backup_etc_passwd.severity=high
+ - file_owner_backup_etc_shadow
+ - file_owner_backup_etc_shadow.severity=high
+ - file_groupowner_backup_etc_shadow
+ - file_groupowner_backup_etc_shadow.severity=high
+ - file_owner_backup_etc_group
+ - file_owner_backup_etc_group.severity=high
+ - file_groupowner_backup_etc_group
+ - file_groupowner_backup_etc_group.severity=high
+ - file_owner_backup_etc_gshadow
+ - file_owner_backup_etc_gshadow.severity=high
+ - file_groupowner_backup_etc_gshadow
+ - file_groupowner_backup_etc_gshadow.severity=high
+ - file_permissions_etc_passwd
+ - file_permissions_etc_passwd.severity=high
+ - file_permissions_etc_shadow
+ - file_permissions_etc_shadow.severity=high
+ - file_permissions_etc_group
+ - file_permissions_etc_group.severity=high
+ - file_permissions_etc_gshadow
+ - file_permissions_etc_gshadow.severity=high
+ - file_permissions_backup_etc_passwd
+ - file_permissions_backup_etc_passwd.severity=high
+ - file_permissions_backup_etc_shadow
+ - file_permissions_backup_etc_shadow.severity=high
+ - file_permissions_backup_etc_group
+ - file_permissions_backup_etc_group.severity=high
+ - file_permissions_backup_etc_gshadow
+ - file_permissions_backup_etc_gshadow.severity=high
+
+ - id: 2.1.6_account_has_home_dir
+ title: Ensure All Accounts Have Own Home Folder
+ levels:
+ - base
+ status: automated
+ rules:
+ - accounts_user_interactive_home_directory_exists
+ - accounts_user_interactive_home_directory_exists.severity=high
+
+ - id: 2.1.7_all_groups_existed
+ title: Ensure All Groups Existed
+ levels:
+ - base
+ status: automated
+ rules:
+ - gid_passwd_group_same
+ - gid_passwd_group_same.severity=high
+
+ - id: 2.1.8_unique_uid
+ title: Ensure UID Unique
+ levels:
+ - base
+ status: automated
+ rules:
+ - account_unique_id
+ - account_unique_id.severity=high
+
+ - id: 2.1.9_account_unique_name
+ title: Ensure Account Name Unique
+ levels:
+ - base
+ status: automated
+ rules:
+ - account_unique_name
+ - account_unique_name.severity=high
+
+ - id: 2.1.10_group_unique_id
+ title: Ensure Group Unique ID
+ levels:
+ - base
+ status: automated
+ rules:
+ - group_unique_id
+ - group_unique_id.severity=high
+
+ - id: 2.1.11_group_unique_name
+ title: Ensure Group Unique Name
+ levels:
+ - base
+ status: automated
+ rules:
+ - group_unique_name
+ - group_unique_name.severity=high
+
+ - id: 2.1.12_account_expire
+ title: Ensure Account Expire Date Correct
+ levels:
+ - base
+ status: manual
+ rules:
+ - account_temp_expire_date
+ - account_temp_expire_date.severity=low
+
+ - id: 2.1.13_no_forward_in_home
+ title: Ensure No .forward Files In Home Folder
+ levels:
+ - base
+ status: automated
+ rules:
+ - no_forward_files
+ - no_forward_files.severity=low
+
+ - id: 2.1.14_no_netrc_in_home
+ title: Ensure No .netrc Files In Home Folder
+ levels:
+ - base
+ status: automated
+ rules:
+ - no_netrc_files
+ - no_netrc_files.severity=low
+
+ - id: 2.2.1_password_complexity_correct
+ title: Ensure Set Correct Password Complexity
+ levels:
+ - base
+ status: automated
+ rules:
+ - accounts_password_pam_minlen
+ - accounts_password_pam_minlen.severity=high
+ - var_password_pam_minlen=8
+ - accounts_password_pam_minclass
+ - accounts_password_pam_minclass.severity=high
+ - var_password_pam_minclass=3
+ - accounts_password_pam_retry
+ - accounts_password_pam_retry.severity=high
+ - var_password_pam_retry=3
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_dcredit.severity=high
+ - var_password_pam_dcredit=0
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_ucredit.severity=high
+ - var_password_pam_ucredit=0
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_lcredit.severity=high
+ - var_password_pam_lcredit=0
+ - accounts_password_pam_ocredit
+ - accounts_password_pam_ocredit.severity=high
+ - var_password_pam_ocredit=0
+ - accounts_password_pam_enforce_root
+ - accounts_password_pam_enforce_root.severity=high
+
+ - id: 2.2.2_history_password_not_used
+ title: Ensure No History Password Used
+ levels:
+ - base
+ status: automated
+ rules:
+ - accounts_password_pam_unix_remember
+ - accounts_password_pam_unix_remember.severity=high
+ - var_password_pam_unix_remember=5
+
+ - id: 2.2.3_verify_old_password
+ title: Ensure Old Password Verified
+ levels:
+ - base
+ status: planned
+
+ - id: 2.2.4_no_username_in_password
+ title: Ensure Password Not Contain User Name
+ levels:
+ - base
+ status: planned
+
+ - id: 2.2.5_strong_hash_algorithm_for_password
+ title: Ensure Using Strong Hash Algorithm To Encipher Password
+ levels:
+ - base
+ status: automated
+ rules:
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_systemauth.severity=high
+ - set_password_hashing_algorithm_passwordauth
+ - set_password_hashing_algorithm_passwordauth.severity=high
+
+ - id: 2.2.6_password_dictionary_correct
+ title: Ensure Password Dictionary Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - accounts_password_pam_dictcheck
+ - accounts_password_pam_dictcheck.severity=high
+
+ - id: 2.2.7_password_expire_correct
+ title: Ensure Password Expire Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - accounts_maximum_age_login_defs
+ - accounts_maximum_age_login_defs.severity=high
+ - var_accounts_maximum_age_login_defs=90
+ - accounts_password_warn_age_login_defs
+ - accounts_password_warn_age_login_defs.severity=high
+ - var_accounts_password_warn_age_login_defs=7
+ - accounts_minimum_age_login_defs
+ - accounts_minimum_age_login_defs.severity=high
+ - var_accounts_minimum_age_login_defs=0
+
+ - id: 2.2.8_forbid_empty_password
+ title: Ensure No Empty Password
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_disable_empty_passwords
+ - sshd_disable_empty_passwords.severity=high
+
+ - id: 2.2.9_grub_password_set
+ title: Ensure Grub Password Set
+ levels:
+ - base
+ status: automated
+ rules:
+ - grub2_password
+ - grub2_password.severity=high
+ - grub2_uefi_password
+ - grub2_uefi_password.severity=high
+
+ - id: 2.2.10_single_user_password_set
+ title: Ensure Password Set In Single User Mode
+ levels:
+ - base
+ status: automated
+ rules:
+ - require_emergency_target_auth
+ - require_emergency_target_auth.severity=high
+
+ - id: 2.2.11_chpwd_at_first_login
+ title: Ensure Password Changed At First Login
+ levels:
+ - base
+ status: planned
+
+ - id: 2.3.1_account_lock_after_accessing_fail
+ title: Ensure Account Locked After Accessing Fail
+ levels:
+ - base
+ status: automated
+ rules:
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_deny.severity=high
+ - var_accounts_passwords_pam_faillock_deny=3
+ - accounts_passwords_pam_faillock_unlock_time
+ - accounts_passwords_pam_faillock_unlock_time.severity=high
+ - var_accounts_passwords_pam_faillock_unlock_time=300
+
+ - id: 2.3.2_session_timeout_set_correct
+ title: Ensure TIMOUT Set Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - accounts_tmout
+ - accounts_tmout.severity=high
+ - var_accounts_tmout=5_min
+
+ - id: 2.3.3_banners_correct
+ title: Ensure Warning Banners Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - warning_banners
+ - warning_banners.severity=high
+ - file_groupowner_etc_issue
+ - file_groupowner_etc_issue.severity=high
+ - file_groupowner_etc_issue_net
+ - file_groupowner_etc_issue_net.severity=high
+ - file_groupowner_etc_motd
+ - file_groupowner_etc_motd.severity=high
+ - file_owner_etc_issue
+ - file_owner_etc_issue.severity=high
+ - file_owner_etc_issue_net
+ - file_owner_etc_issue_net.severity=high
+ - file_owner_etc_motd
+ - file_owner_etc_motd.severity=high
+ - file_permissions_etc_issue
+ - file_permissions_etc_issue.severity=high
+ - file_permissions_etc_issue_net
+ - file_permissions_etc_issue_net.severity=high
+ - file_permissions_etc_motd
+ - file_permissions_etc_motd.severity=high
+
+ - id: 2.3.4_banners_path_correct
+ title: Ensure Warning Path Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_enable_warning_banner_net
+ - sshd_enable_warning_banner_net.severity=high
+
+ - id: 2.4.1_histsize_limited
+ title: Ensure HISTSIZE Limited
+ levels:
+ - base
+ status: planned
+
+ - id: 2.4.2_selinux_enforce
+ title: Ensure SELinux Enforce
+ levels:
+ - base
+ status: automated
+ rules:
+ - selinux_state
+ - selinux_state.severity=low
+
+ - id: 2.4.3_selinux_config
+ title: Ensure SELinux Configurate Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - selinux_policytype
+ - selinux_policytype.severity=low
+
+ - id: 2.4.4_su_usage_limited
+ title: Ensure SU Usage Limited
+ levels:
+ - base
+ status: automated
+ rules:
+ - use_pam_wheel_for_su
+ - use_pam_wheel_for_su.severity=high
+
+ - id: 2.4.5_use_sudo_to_run
+ title: Ensure Use Sudo To Run
+ levels:
+ - base
+ status: automated
+ rules:
+ - sudo_restrict_privilege_elevation_to_authorized
+ - sudo_restrict_privilege_elevation_to_authorized.severity=high
+
+ - id: 2.4.6_no_low-privilege_user_writable_files_with_sudo
+ title: Ensure No Files In /etc/sudoers Can Be Write By Low-privilege User
+ levels:
+ - base
+ status: planned
+
+ - id: 2.4.7_cannot_use_pkexec_escalate
+ title: Ensure Low-privilege User Cannot Escalate By Pkexec
+ levels:
+ - base
+ status: planned
+
+ - id: 2.4.8_always_set_path_config
+ title: Ensure ALWAYS_SET_PATH Configurated
+ levels:
+ - base
+ status: planned
+
+ - id: 2.4.9_root_can_not_login_local
+ title: Ensure Root Can Not Login Local
+ levels:
+ - base
+ status: planned
+
+ - id: 2.4.10_not_use_unconfined_service_t
+ title: Ensure Not Run Files wiht unconfined_service_t Flag
+ levels:
+ - base
+ status: automated
+ rules:
+ - selinux_confinement_of_daemons
+ - selinux_confinement_of_daemons.severity=low
+
+ - id: 2.4.11_all_daemons_run_with_mini_permission
+ title: Ensure All Daemons Run With Minimum Permission
+ levels:
+ - base
+ status: planned
+
+ - id: 2.5.1_ima_enabled
+ title: Ensure IMA Enabled
+ levels:
+ - base
+ status: planned
+
+ - id: 2.5.2_aide_enabled
+ title: Ensure AIDE Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_aide_installed
+ - package_aide_installed.severity=low
+ - aide_build_database
+ - aide_build_database.severity=low
+
+ - id: 2.6.1_haveged_enabled
+ title: Ensure Haveged Enabled
+ levels:
+ - base
+ status: planned
+
+ - id: 2.6.2_global_crypto_setting
+ title: Global Crypto Setting Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - configure_crypto_policy
+ - configure_crypto_policy.severity=low
+
+
+ - id: 3.1.1_unusual_network_service_not_used
+ title: Ensure No Unusual Network Service
+ levels:
+ - base
+ status: automated
+ rules:
+ - kernel_module_sctp_disabled
+ - kernel_module_sctp_disabled.severity=low
+ - kernel_module_tipc_disabled
+ - kernel_module_tipc_disabled.severity=low
+
+ - id: 3.1.2_wireless_disabled
+ title: Ensure No WIFI
+ levels:
+ - base
+ status: automated
+ rules:
+ - wireless_disable_interfaces
+ - wireless_disable_interfaces.severity=low
+
+ - id: 3.2.1_firewalld_enabled
+ title: Ensure Firewalld Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_firewalld_enabled
+ - service_firewalld_enabled.severity=low
+
+ - id: 3.2.2_firewalld_default_zone_correct
+ title: Ensure Firewalld Set Default Zone Correctly
+ levels:
+ - base
+ status: planned
+
+ - id: 3.2.3_firewalld_interface_set_to_correct_zone
+ title: Ensure Firewalld Set Correct Interface Zone
+ levels:
+ - base
+ status: manual
+ rules:
+ - set_firewalld_appropriate_zone
+ - set_firewalld_appropriate_zone.severity=low
+
+ - id: 3.2.4_firewalld_disable_unnecessary_service_and_port
+ title: Ensure Unnecessary Service And Port Disabled
+ levels:
+ - base
+ status: manual
+ rules:
+ - unnecessary_firewalld_services_ports_disabled
+ - unnecessary_firewalld_services_ports_disabled.severity=low
+
+ - id: 3.2.5_iptables_enabled
+ title: Ensure Iptables Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_iptables_enabled
+ - service_iptables_enabled.severity=low
+ - service_ip6tables_enabled
+ - service_ip6tables_enabled.severity=low
+
+ - id: 3.2.6_iptables_default_refuse_rules
+ title: Ensure Iptables Default Refuse Rules Set
+ levels:
+ - base
+ status: manual
+ rules:
+ - set_iptables_default_rule
+ - set_iptables_default_rule.severity=low
+
+ - id: 3.2.7_iptables_loopback_rules
+ title: Ensure Iptables Loopback Rules Set
+ levels:
+ - base
+ status: automated
+ rules:
+ - set_loopback_traffic
+ - set_loopback_traffic.severity=low
+ - set_ipv6_loopback_traffic
+ - set_ipv6_loopback_traffic.severity=low
+
+ - id: 3.2.8_iptables_input_rules
+ title: Ensure Iptables Input Rules Set
+ levels:
+ - base
+ status: planned
+
+ - id: 3.2.9_iptables_output_rules
+ title: Ensure Iptables Output Rules Set
+ levels:
+ - base
+ status: planned
+
+ - id: 3.2.10_iptables_input_output_connection_rules
+ title: Ensure Iptables Input Output Connection Rules Set
+ levels:
+ - base
+ status: manual
+ rules:
+ - set_iptables_outbound_n_established
+ - set_iptables_outbound_n_established.severity=low
+
+ - id: 3.2.11_nftables_enabled
+ title: Ensure Nftables Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_nftables_enabled
+ - service_nftables_enabled.severity=low
+
+ - id: 3.2.12_nftables_default_refuse_rules
+ title: Ensure Nftables Default Refuse Rules Set
+ levels:
+ - base
+ status: manual
+ rules:
+ - nftables_ensure_default_deny_policy
+ - nftables_ensure_default_deny_policy.severity=low
+
+ - id: 3.2.13_nftables_loopback_rules
+ title: Ensure Nftables Loopback Rules Set
+ levels:
+ - base
+ status: manual
+ rules:
+ - set_nftables_loopback_traffic
+ - set_nftables_loopback_traffic.severity=low
+
+ - id: 3.2.14_nftables_input_rules
+ title: Ensure Nftables Input Rules Set
+ levels:
+ - base
+ status: planned
+
+ - id: 3.2.15_nftables_output_rules
+ title: Ensure Nftables Output Rules Set
+ levels:
+ - base
+ status: planned
+
+ - id: 3.2.16_nftables_input_output_connection_rules
+ title: Ensure Nftables Input Output Connection Rules Set
+ levels:
+ - base
+ status: manual
+ rules:
+ - set_nftables_new_connections
+ - set_nftables_new_connections.severity=low
+
+ - id: 3.3.1_sshd_protocol_is_2
+ title: Ensure SSHd Protocol Version Is 2
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_allow_only_protocol2
+ - sshd_allow_only_protocol2.severity=high
+
+ - id: 3.3.2_sshd_authentication_setting_correct
+ title: Ensure SSHd Authentication Setting Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_disable_rhosts
+ - sshd_disable_rhosts.severity=high
+ - disable_host_auth
+ - disable_host_auth.severity=high
+
+ - id: 3.3.3_sshd_keyexchange_correct
+ title: Ensure SSHd Key Exchange Algorithm Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_use_strong_kex
+ - sshd_use_strong_kex.severity=high
+ - sshd_strong_kex=std_openeuler
+
+ - id: 3.3.4_sshd_pubkey_correct
+ title: Ensure SSHd Pubkey Algorithm Correct
+ levels:
+ - base
+ status: planned
+
+ - id: 3.3.5_sshd_pam_enabled
+ title: Ensure SSHd PAM Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_enable_pam
+ - sshd_enable_pam.severity=high
+
+ - id: 3.3.6_sshd_mac_correct
+ title: Ensure SSHd MACs Algorithm Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_use_strong_macs
+ - sshd_use_strong_macs.severity=high
+
+ - id: 3.3.7_sshd_ciphers_correct
+ title: Ensure SSHd Ciphers Algorithm Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_use_strong_ciphers
+ - sshd_use_strong_ciphers.severity=high
+
+ - id: 3.3.8_sshd_ciphers_not_overwritten
+ title: Ensure SSHd Ciphers Algorithm Not Overwritten
+ levels:
+ - base
+ status: planned
+
+ - id: 3.3.9_sshd_forbid_root_login
+ title: Ensure SSHd Forbid Root Login From Remote
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_disable_root_login
+ - sshd_disable_root_login.severity=low
+
+ - id: 3.3.10_sshd_log_level_correct
+ title: Ensure SSHd Log Level Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_set_loglevel_verbose
+ - sshd_set_loglevel_verbose.severity=low
+
+ - id: 3.3.11_sshd_listen_addr
+ title: Ensure SSHd Listen Address Set Correct
+ levels:
+ - base
+ status: planned
+
+ - id: 3.3.12_sshd_maxstartups_correct
+ title: Ensure SSHd MaxStartups Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_set_maxstartups
+ - sshd_set_maxstartups.severity=low
+ - var_sshd_set_maxstartups=10:30:60
+
+ - id: 3.3.13_sshd_maxsessions_correct
+ title: Ensure SSHd Maxsessions Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_set_max_sessions
+ - sshd_set_max_sessions.severity=low
+ - var_sshd_max_sessions=10
+
+ - id: 3.3.14_sshd_forbid_x11_forwarding
+ title: Ensure SSHd X11 Forwarding Forbidden
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_disable_x11_forwarding
+ - sshd_disable_x11_forwarding.severity=high
+
+ - id: 3.3.15_sshd_maxauthtries_correct
+ title: Ensure SSHd MaxAuthTries Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_set_max_auth_tries
+ - sshd_set_max_auth_tries.severity=low
+ - sshd_max_auth_tries_value=3
+
+ - id: 3.3.16_sshd_forbid_permituserenvironment
+ title: Ensure SSHd PermitUserEnvironment Forbidden
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_do_not_permit_user_env
+ - sshd_do_not_permit_user_env.severity=high
+
+ - id: 3.3.17_sshd_logingracetime_correct
+ title: Ensure SSHd LoginGraceTime Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_set_login_grace_time
+ - sshd_set_login_grace_time.severity=low
+ - var_sshd_set_login_grace_time=60
+
+ - id: 3.3.18_sshd_authorized_keys_forbidden
+ title: Ensure SSHd Authorized Keys Not Set
+ levels:
+ - base
+ status: planned
+
+ - id: 3.3.19_sshd_known_hosts_forbidden
+ title: Ensure SSHd Known Hosts Not Set
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_disable_user_known_hosts
+ - sshd_disable_user_known_hosts.severity=high
+
+ - id: 3.3.20_sshd_no_obsolete_config
+ title: Ensure SSHd Has No Obsolete Configurations
+ levels:
+ - base
+ status: planned
+
+ - id: 3.3.21_ssh_tcp_forward_disabled
+ title: Ensure SSHd TCP Forward Disabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - sshd_disable_tcp_forwarding
+ - sshd_disable_tcp_forwarding.severity=high
+
+ - id: 3.4.1_crontab_not_run_low_privilege_user_writable_bash
+ title: Ensure Cron Not Run Low Privilege User Writable Bash
+ levels:
+ - base
+ status: planned
+
+ - id: 3.4.2_cron_enabled
+ title: Ensure Cron Deamon Running
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_crond_enabled
+ - service_crond_enabled.severity=high
+
+ - id: 3.4.3_at_cron_set_correct
+ title: Ensure AT And Cron Set Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - file_groupowner_cron_d
+ - file_groupowner_cron_d.severity=high
+ - file_groupowner_cron_daily
+ - file_groupowner_cron_daily.severity=high
+ - file_groupowner_cron_hourly
+ - file_groupowner_cron_hourly.severity=high
+ - file_groupowner_cron_monthly
+ - file_groupowner_cron_monthly.severity=high
+ - file_groupowner_cron_weekly
+ - file_groupowner_cron_weekly.severity=high
+ - file_groupowner_crontab
+ - file_groupowner_crontab.severity=high
+ - file_owner_cron_d
+ - file_owner_cron_d.severity=high
+ - file_owner_cron_daily
+ - file_owner_cron_daily.severity=high
+ - file_owner_cron_hourly
+ - file_owner_cron_hourly.severity=high
+ - file_owner_cron_monthly
+ - file_owner_cron_monthly.severity=high
+ - file_owner_cron_weekly
+ - file_owner_cron_weekly.severity=high
+ - file_owner_crontab
+ - file_owner_crontab.severity=high
+ - file_permissions_cron_d
+ - file_permissions_cron_d.severity=high
+ - file_permissions_cron_daily
+ - file_permissions_cron_daily.severity=high
+ - file_permissions_cron_hourly
+ - file_permissions_cron_hourly.severity=high
+ - file_permissions_cron_monthly
+ - file_permissions_cron_monthly.severity=high
+ - file_permissions_cron_weekly
+ - file_permissions_cron_weekly.severity=high
+ - file_permissions_crontab
+ - file_permissions_crontab.severity=high
+ - file_at_deny_not_exist
+ - file_at_deny_not_exist.severity=high
+ - file_cron_deny_not_exist
+ - file_cron_deny_not_exist.severity=high
+ - file_groupowner_at_allow
+ - file_groupowner_at_allow.severity=high
+ - file_groupowner_cron_allow
+ - file_groupowner_cron_allow.severity=high
+ - file_owner_at_allow
+ - file_owner_at_allow.severity=high
+ - file_owner_cron_allow
+ - file_owner_cron_allow.severity=high
+ - file_permissions_at_allow
+ - file_permissions_at_allow.severity=high
+ - file_permissions_cron_allow
+ - file_permissions_cron_allow.severity=high
+
+ - id: 3.5.1_kaslr_enabled
+ title: Ensure KASLR Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_randomize_va_space.severity=high
+
+ - id: 3.5.2_dmesg_access_permission_correct
+ title: Ensure Dmesg Access Permission Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_dmesg_restrict.severity=high
+
+ - id: 3.5.3_kptr_restrict_correct
+ title: Ensure Kptr_restrict Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_kernel_kptr_restrict
+ - sysctl_kernel_kptr_restrict.severity=high
+ - sysctl_kernel_kptr_restrict_value=1
+
+ - id: 3.5.4_smap_enabled
+ title: Ensure Kernel SMAP Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - grub2_nosmap_argument_absent
+ - grub2_nosmap_argument_absent.severity=high
+
+ - id: 3.5.5_smep_enabled
+ title: Ensure Kernel SMEP Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - grub2_nosmep_argument_absent
+ - grub2_nosmep_argument_absent.severity=high
+
+ - id: 3.5.6_not_response_icmp_broadcast
+ title: Ensure ICMP Broadcast Package Not Responsed
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high
+
+ - id: 3.5.7_not_receive_icmp_redirect
+ title: Ensure ICMP Redirect Package Not Received
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects.severity=high
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_all_secure_redirects.severity=high
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects.severity=high
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects.severity=high
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+
+ - id: 3.5.8_forbid_forward_icmp_redirect_package
+ title: Ensure No ICMP Redirect Package Forwarded
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_all_send_redirects.severity=high
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects.severity=high
+
+ - id: 3.5.9_ignore_all_icmp_request
+ title: Ensure Ignore All ICMP Request
+ levels:
+ - base
+ status: planned
+
+ - id: 3.5.10_ignore_bogus_error_icmp_package
+ title: Ensure Ignore Bogus Error ICMP Package
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses.severity=high
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+
+ - id: 3.5.11_rp_filter_enabled
+ title: Ensure Reverse Proxy Filter Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_all_rp_filter.severity=high
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_default_rp_filter
+ - sysctl_net_ipv4_conf_default_rp_filter.severity=high
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+
+ - id: 3.5.12_forbid_ip_forwarding
+ title: Ensure IP Forwarding Disabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv4_ip_forward.severity=high
+ - sysctl_net_ipv6_conf_all_forwarding
+ - sysctl_net_ipv6_conf_all_forwarding.severity=high
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+
+ - id: 3.5.13_source_route_disabled
+ title: Ensure Source Route Disabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_all_accept_source_route.severity=high
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route.severity=high
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route.severity=high
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route.severity=high
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+
+ - id: 3.5.14_tcp-syn_cookie_enabled
+ title: Ensure TCP-SYN Cookie Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_tcp_syncookies.severity=high
+
+ - id: 3.5.15_log_martians
+ title: Ensure Source Route And Redirectly Logged
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_net_ipv4_conf_all_log_martians
+ - sysctl_net_ipv4_conf_all_log_martians.severity=high
+ - sysctl_net_ipv4_conf_default_log_martians
+ - sysctl_net_ipv4_conf_default_log_martians.severity=high
+
+ - id: 3.5.16_tcp_timestamps_disabled
+ title: Ensure tcp_timestamps Disabled
+ levels:
+ - base
+ status: planned
+
+ - id: 3.5.17_tcp_time_wait_config
+ title: Ensure TCP Time Wait Correct
+ levels:
+ - base
+ status: planned
+
+ - id: 3.5.18_syn_recv_set_correct
+ title: Ensure SYN Recv Set Correct
+ levels:
+ - base
+ status: planned
+
+ - id: 3.5.19_arp_proxy_disabled
+ title: Ensure No ARP Proxy
+ levels:
+ - base
+ status: planned
+
+ - id: 3.5.20_core_dump_set_correct
+ title: Ensure Core Dump Set Correct
+ levels:
+ - base
+ status: planned
+
+ - id: 3.5.21_sysrq_disabled
+ title: Ensure SysRq Key Disabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_kernel_sysrq
+ - sysctl_kernel_sysrq.severity=high
+
+ - id: 3.5.22_ptrace_scope_correct
+ title: Ensure ptrace_scope Set Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - sysctl_kernel_yama_ptrace_scope
+ - sysctl_kernel_yama_ptrace_scope.severity=low
+
+ - id: 3.5.23_seccomp_enabled
+ title: Ensure Seccomp Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - kernel_config_seccomp
+ - kernel_config_seccomp.severity=low
+
+ - id: 3.6.1_ntpd_configuration_correct
+ title: Ensure Ntpd Configuration Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_ntpd_enabled
+ - service_ntpd_enabled.severity=low
+ - ntpd_configure_restrictions
+ - ntpd_configure_restrictions.severity=low
+ - ntpd_specify_remote_server
+ - ntpd_specify_remote_server.severity=low
+
+ - id: 3.6.2_chrony_configuration_correct
+ title: Ensure Chrony Configuration Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_chronyd_enabled
+ - service_chronyd_enabled.severity=low
+ - chronyd_specify_remote_server
+ - chronyd_specify_remote_server.severity=low
+
+
+ - id: 4.1.1_auditd_enabled
+ title: Ensure Auditd Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_auditd_enabled
+ - service_auditd_enabled.severity=high
+
+ - id: 4.1.2_auditd_rotate_enabled
+ title: Ensure Auditd Rotate Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_max_log_file_action.severity=high
+ - var_auditd_max_log_file_action=rotate
+ - auditd_data_retention_num_logs
+ - auditd_data_retention_num_logs.severity=high
+ - var_auditd_num_logs=5
+
+ - id: 4.1.3_lastlog_config
+ title: Ensure Lastlog Recorded
+ levels:
+ - base
+ status: automated
+ rules:
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_lastlog.severity=low
+
+ - id: 4.1.4_audit_account_change
+ title: Ensure Account Info Changing Audited
+ levels:
+ - base
+ status: automated
+ rules:
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_group.severity=low
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_gshadow.severity=low
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_opasswd.severity=low
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_passwd.severity=low
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_usergroup_modification_shadow.severity=low
+
+ - id: 4.1.5_audit_escalation
+ title: Ensure Escalation Audited
+ levels:
+ - base
+ status: planned
+
+ - id: 4.1.6_audit_module
+ title: Ensure Module Changes Audited
+ levels:
+ - base
+ status: automated
+ rules:
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_modprobe.severity=low
+ - audit_rules_privileged_commands_insmod
+ - audit_rules_privileged_commands_insmod.severity=low
+ - audit_rules_privileged_commands_rmmod
+ - audit_rules_privileged_commands_rmmod.severity=low
+ - audit_rules_kernel_module_loading
+ - audit_rules_kernel_module_loading.severity=low
+
+ - id: 4.1.7_audit_sudo
+ title: Ensure Sudo Operation Audited
+ levels:
+ - base
+ status: automated
+ rules:
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudo.severity=low
+
+ - id: 4.1.8_enable_audit_during_boot
+ title: Ensure Auditd Enabled During Boot
+ levels:
+ - base
+ status: automated
+ rules:
+ - grub2_audit_argument
+ - grub2_audit_argument.severity=low
+
+ - id: 4.1.9_audit_backlog_limit_correct
+ title: Ensure Audit Backlog Limit Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - grub2_audit_backlog_limit_argument
+ - grub2_audit_backlog_limit_argument.severity=low
+
+ - id: 4.1.10_audit_not_use_auditctl
+ title: Ensure Auditctl Not Used
+ levels:
+ - base
+ status: automated
+ rules:
+ - audit_rules_immutable
+ - audit_rules_immutable.severity=low
+
+ - id: 4.1.11_audit_logsize_correct
+ title: Ensure Audit Log Size Set Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file.severity=high
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_max_log_file_action.severity=high
+
+ - id: 4.1.12_audit_disk_space_config
+ title: Ensure Audit Disk Space Set Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - auditd_data_retention_space_left
+ - auditd_data_retention_space_left.severity=low
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_space_left_action.severity=low
+ - var_auditd_space_left_action=syslog
+ - auditd_data_retention_admin_space_left_percentage
+ - auditd_data_retention_admin_space_left_percentage.severity=low
+ - var_auditd_admin_space_left_percentage=50pc
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_admin_space_left_action.severity=low
+ - var_auditd_admin_space_left_action=suspend
+ - auditd_audispd_disk_full_action
+ - auditd_audispd_disk_full_action.severity=low
+ - auditd_data_disk_full_action
+ - auditd_data_disk_full_action.severity=low
+ - var_auditd_disk_full_action=suspend
+ - auditd_data_disk_error_action
+ - auditd_data_disk_error_action.severity=low
+ - var_auditd_disk_error_action=suspend
+
+ - id: 4.1.13_audit_sudoers
+ title: Ensure Sudoers Audited
+ levels:
+ - base
+ status: automated
+ rules:
+ - audit_rules_sudoers
+ - audit_rules_sudoers.severity=low
+
+ - id: 4.1.14_audit_session
+ title: Ensure Session Audited
+ levels:
+ - base
+ status: automated
+ rules:
+ - audit_rules_session_events
+ - audit_rules_session_events.severity=low
+
+ - id: 4.1.15_audit_time_changing
+ title: Ensure Time Changing Audited
+ levels:
+ - base
+ status: automated
+ rules:
+ - audit_rules_time_adjtimex
+ - audit_rules_time_adjtimex.severity=low
+ - audit_rules_time_settimeofday
+ - audit_rules_time_settimeofday.severity=low
+ - audit_rules_time_clock_settime
+ - audit_rules_time_clock_settime.severity=low
+
+ - id: 4.1.16_audit_selinux
+ title: Ensure SELinux Audited
+ levels:
+ - base
+ status: automated
+ rules:
+ - audit_rules_mac_modification
+ - audit_rules_mac_modification.severity=low
+ - audit_rules_mac_modification_usr_share
+ - audit_rules_mac_modification_usr_share.severity=low
+
+ - id: 4.1.17_audit_network
+ title: Ensure Network Audited
+ levels:
+ - base
+ status: automated
+ rules:
+ - audit_rules_networkconfig_modification
+ - audit_rules_networkconfig_modification.severity=low
+
+ - id: 4.1.18_audit_successful_file_access
+ title: Ensure Successful File Access Audited
+ levels:
+ - base
+ status: manual
+ rules:
+ - audit_rules_successful_file_modification_chmod
+ - audit_rules_successful_file_modification_chmod.severity=low
+ - audit_rules_successful_file_modification_fchmod
+ - audit_rules_successful_file_modification_fchmod.severity=low
+ - audit_rules_successful_file_modification_fchmodat
+ - audit_rules_successful_file_modification_fchmodat.severity=low
+ - audit_rules_successful_file_modification_chown
+ - audit_rules_successful_file_modification_chown.severity=low
+ - audit_rules_successful_file_modification_fchown
+ - audit_rules_successful_file_modification_fchown.severity=low
+ - audit_rules_successful_file_modification_fchownat
+ - audit_rules_successful_file_modification_fchownat.severity=low
+ - audit_rules_successful_file_modification_setxattr
+ - audit_rules_successful_file_modification_setxattr.severity=low
+ - audit_rules_successful_file_modification_lsetxattr
+ - audit_rules_successful_file_modification_lsetxattr.severity=low
+ - audit_rules_successful_file_modification_fsetxattr
+ - audit_rules_successful_file_modification_fsetxattr.severity=low
+ - audit_rules_successful_file_modification_removexattr
+ - audit_rules_successful_file_modification_removexattr.severity=low
+ - audit_rules_successful_file_modification_lremovexattr
+ - audit_rules_successful_file_modification_lremovexattr.severity=low
+ - audit_rules_successful_file_modification_fremovexattr
+ - audit_rules_successful_file_modification_fremovexattr.severity=low
+
+ - id: 4.1.19_audit_unsuccessful_file_access
+ title: Ensure Unsuccessful File Access Audited
+ levels:
+ - base
+ status: automated
+ rules:
+ - audit_rules_unsuccessful_file_modification
+ - audit_rules_unsuccessful_file_modification.severity=low
+
+ - id: 4.1.20_audit_file_delete
+ title: Ensure File Delete Audited
+ levels:
+ - base
+ status: manual
+ rules:
+ - audit_rules_successful_file_modification_rename
+ - audit_rules_successful_file_modification_rename.severity=low
+ - audit_rules_successful_file_modification_renameat
+ - audit_rules_successful_file_modification_renameat.severity=low
+ - audit_rules_successful_file_modification_unlink
+ - audit_rules_successful_file_modification_unlink.severity=low
+ - audit_rules_successful_file_modification_unlinkat
+ - audit_rules_successful_file_modification_unlinkat.severity=low
+
+ - id: 4.1.21_audit_mount
+ title: Ensure Mount Audited
+ levels:
+ - base
+ status: planned
+
+ - id: 4.2.1_rsyslog_enabled
+ title: Ensure Rsyslog Enabled
+ levels:
+ - base
+ status: automated
+ rules:
+ - service_rsyslog_enabled
+ - service_rsyslog_enabled.severity=high
+
+ - id: 4.2.2_rsyslog_auth
+ title: Ensure Authentication Logged
+ levels:
+ - base
+ status: automated
+ rules:
+ - rsyslog_remote_access_monitoring
+ - rsyslog_remote_access_monitoring.severity=high
+
+ - id: 4.2.3_rsyslog_cron
+ title: Ensure Cron Logged
+ levels:
+ - base
+ status: automated
+ rules:
+ - rsyslog_cron_logging
+ - rsyslog_cron_logging.severity=high
+
+ - id: 4.2.4_rsyslog_file_permission
+ title: Ensure Rsyslog's Files Permission Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - rsyslog_filecreatemode
+ - rsyslog_filecreatemode.severity=low
+
+ - id: 4.2.5_rsyslog_for_services
+ title: Ensure Important Services Logged
+ levels:
+ - base
+ status: automated
+ rules:
+ - rsyslog_logging_configured
+ - rsyslog_logging_configured.severity=low
+
+ - id: 4.2.6_rsyslog_journald_transfer
+ title: Ensure Journald Transfer Set Correct
+ levels:
+ - base
+ status: planned
+
+ - id: 4.2.7_rsyslog_rotate
+ title: Ensure Rotate Setting In Rsyslog
+ levels:
+ - base
+ status: planned
+
+ - id: 4.2.8_rsyslog_remote_server_config
+ title: Ensure Remote Log Server Correct
+ levels:
+ - base
+ status: planned
+
+ - id: 4.2.9_rsyslog_only_specified_server_receive_logs
+ title: Ensure Only Specified Server Can Receive Logs
+ levels:
+ - base
+ status: automated
+ rules:
+ - rsyslog_accept_remote_messages_tcp
+ - rsyslog_accept_remote_messages_tcp.severity=low
+ - rsyslog_accept_remote_messages_udp
+ - rsyslog_accept_remote_messages_udp.severity=low
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
index 2b0e53a..e799bae 100644
--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Avahi Server Software'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
index 4ce4b1e..e63cf34 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Group Who Owns cron.d'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
index 032b15e..226d9c8 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Group Who Owns cron.daily'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
index 2d4f1f9..9065a84 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Group Who Owns cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
index d47730c..35a16a3 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Group Who Owns cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
index c63c3de..7eadb97 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Group Who Owns cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
index 3f43b81..6e39d76 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Group Who Owns Crontab'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
index 49b2e3a..1cc18db 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Owner on cron.d'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
index 74210b6..0a448d8 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Owner on cron.daily'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
index 9e4ab04..f9130b7 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Owner on cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
index 78dadcc..05ace52 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Owner on cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
index 69001b6..51f3d9b 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Owner on cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
index 2636571..e5e1357 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Owner on crontab'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
index 8d5e6dd..4dcd062 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Permissions on cron.d'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
index 175ba80..f2a3301 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Permissions on cron.daily'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
index 7578b5d..48b5bcc 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Permissions on cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
index 4694a91..3da1b9e 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Permissions on cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
index 5409311..b382c42 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Permissions on cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
index 009a233..777a0f1 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Permissions on crontab'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
index 81e089f..18a9520 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204
title: 'Ensure that /etc/at.deny does not exist'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
index a164bf3..9eed643 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204
title: 'Ensure that /etc/cron.deny does not exist'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
index c060951..c0821cd 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Group Who Owns /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
index a62e314..1fb33f6 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Group Who Owns /etc/cron.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
index dafb8d4..20b64ab 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify User Who Owns /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
index 4e59001..0eae2e6 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify User Who Owns /etc/cron.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
index aaa429e..30b6553 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Permissions on /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
index c2710c4..1961b9a 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Permissions on /etc/cron.allow file'
diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
index ec390e3..3a3c6d1 100644
--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Enable cron Service'
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
index 356f236..b8324bf 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
title: 'Disable DHCP Service'
diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
index ce858b1..1387845 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
title: 'Disable named Service'
diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
index 044177b..07543b0 100644
--- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Uninstall httpd Package'
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
index 2ec31a2..6644f7d 100644
--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -8,7 +8,7 @@
documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
title: 'Ensure LDAP client is not installed'
diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
index bf75fff..828d36d 100644
--- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
@@ -11,7 +11,7 @@
documentation_complete: true
-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
title: 'Uninstall openldap-servers Package'
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
index 9071b7e..fd41721 100644
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
title: 'Disable rpcbind Service'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
index 91f73ab..8cdd594 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
title: 'Disable Network File System (nfs)'
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
index c74221c..6a2919f 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4
+prodtype: alinux2,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhv4
title: 'Specify a Remote NTP Server'
diff --git a/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml b/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml
index de51899..e4a62cb 100644
--- a/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml
+++ b/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,fedora,rhel7,sle12,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,ubuntu2004,ubuntu2204
title: 'Configure server restrictions for ntpd'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index c5f90c4..5f79ef7 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Remove NIS Client'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
index b057fc5..359340e 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Uninstall ypserv Package'
diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
index de1f832..1653ad3 100644
--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Ensure rsyncd service is disabled'
@@ -47,3 +47,5 @@ template:
packagename@ol7: rsync
packagename@sle12: rsync
packagename@sle15: rsync
+ packagename@openeuler2203: rsync
+ packagename@openeuler2403: rsync
diff --git a/linux_os/guide/services/printing/package_cups_removed/rule.yml b/linux_os/guide/services/printing/package_cups_removed/rule.yml
index df44086..e6e13cf 100644
--- a/linux_os/guide/services/printing/package_cups_removed/rule.yml
+++ b/linux_os/guide/services/printing/package_cups_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Uninstall CUPS Package'
diff --git a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
index 1b633c6..2b8ef03 100644
--- a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Uninstall Samba Package'
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
index 3763480..aaf1c94 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: debian10,debian11,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: debian10,debian11,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Uninstall net-snmp Package'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
index 91e0556..3e32b5e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,rhel7,sle12,sle15,ubuntu2204
+prodtype: ol7,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2204
title: 'Use Only Strong Ciphers'
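Review bot: Adding openeuler2203/openeuler2403 to the prodtype of sshd_use_strong_ciphers here — and likewise to sshd_use_strong_macs in the hunk a few files further down — enables rules whose allowed-algorithm list comes from a per-product variable option, yet this chunk only shows a `std_openeuler` option being added for the key-exchange variable, not for ciphers or MACs. If the sibling ciphers and MACs `.var` files do not gain a matching option elsewhere in this patch, the openEuler profile would build these two rules against a value chosen for another product (or fail the build if the control file selects an option that does not exist). Worth confirming before merge that all three SSH algorithm variable files carry an openEuler option that the std_openeuler control file actually selects.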
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
index 0a0b3a9..a928355 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Use Only Strong Key Exchange algorithms'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
index b6fea18..c9e4f13 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,rhel7,sle12,sle15,ubuntu2204
+prodtype: ol7,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2204
title: 'Use Only Strong MACs'
diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var
index 9becb4b..c0519e2 100644
--- a/linux_os/guide/services/ssh/sshd_strong_kex.var
+++ b/linux_os/guide/services/ssh/sshd_strong_kex.var
@@ -17,3 +17,4 @@ options:
cis_sle12: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
cis_sle15: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
cis_ubuntu2004: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+ std_openeuler: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
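Review bot: The new `std_openeuler` option on the last line of the hunk admits `diffie-hellman-group-exchange-sha256` as its only non-curve25519 key exchange, and the effective strength of group exchange is decided at runtime by the moduli the server offers from its moduli file, whereas the neighbouring cis_* options also pin fixed large groups (`diffie-hellman-group14-sha256`, `diffie-hellman-group16-sha512`, `diffie-hellman-group18-sha512`). If a fixed-group fallback is acceptable for openEuler, consider `std_openeuler: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256`; otherwise a short comment above the entry saying that GEX is relied on and that the moduli file must be kept pruned of small groups would let the next maintainer understand the choice. The option name also departs from the `cis_<product>` naming used by every other entry, which is fine only if the std_openeuler control file selects exactly this name — worth a cross-check.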
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index 170f89f..5af9d26 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Remove the X Windows Package Group'
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
index 607ed94..eb84592 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
title: 'Disable graphical user interface'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
index 5e6d02f..ce9a463 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Group Ownership of System Login Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml
index 76b10f4..be54b97 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Group Ownership of System Login Banner for Remote Connections'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
index 2e796ee..90ef7e1 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify Group Ownership of Message of the Day Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
index 70b4f39..0f8b6e1 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify ownership of System Login Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml
index cff8e39..8efa940 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify ownership of System Login Banner for Remote Connections'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
index 16011b1..954946b 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify ownership of Message of the Day Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
index 9968c5c..a7b4364 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify permissions on System Login Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml
index cb8d9db..02b69cb 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify permissions on System Login Banner for Remote Connections'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
index 339274b..0038c14 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Verify permissions on Message of the Day Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml b/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml
new file mode 100644
index 0000000..548b47b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: openeuler2203,openeuler2403
+
+title: 'Check Warning Banners Correctly'
+
+description: |-
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ Warning banners contain warning information added on the system login page and are marked by all users who log in to the system.
+ <br />
+ Proper security warning information may increase the risk of system attacks or violate local laws and regulations.
+ <br />
+ openEuler security warning banners must be formulated by security department personnel and comply with local laws and regulations.
+ <br />
+ In addition, don't expose the system version, application server type, functions through warning banners, to prevent attackers from obtaining system information and launching attacks.
+ <br />
+ Run the <tt>cat</tt> command to check the warning banners in the <tt>/etc/motd</tt>, <tt>/etc/issue</tt>, and <tt>/etc/issue.net</tt> files. Check whether the information is reasonable.
+
+rationale: |-
+ None
+
+severity: high
+
+platform: machine
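Review bot: The new description's sentence `Proper security warning information may increase the risk of system attacks or violate local laws and regulations.` contradicts the sentence that follows it; from context the intended word is `Improper`, and `marked by all users who log in` presumably means `seen by all users who log in`. The `rationale: |-` block holds only `None`, which leaves the assessor with no justification for a rule marked `severity: high`; the description's own argument could be lifted into it, e.g. `Banner text that reveals the OS version, application server type or system functions helps an attacker profile the host before an attempt, and legally required notice text must be present for the organisation's protection.` The description also states the rule can only be verified manually; making that explicit in the title or rationale would help anyone reading scan results, since no OVAL check is attached to it in this hunk.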
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
index f3e6931..2118833 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Limit Password Reuse'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
new file mode 100644
index 0000000..0abb80d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
@@ -0,0 +1,291 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="5">
+ {{{ oval_metadata("Lockout account after failed login attempts") }}}
+ <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
+ <criteria operator="AND" comment="Check if pam_faillock.so is properly enabled">
+ <!-- pam_unix.so is a control module present in all realistic scenarios and also used
+ as reference for the correct position of pam_faillock.so in auth section. If the
+ system is properly configured, it must appear only once in auth section. -->
+ <criteria operator="AND"
+ comment="Count occurrences of pam_unix.so in system-auth and password-auth">
+ <criterion test_ref="test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"
+ comment="pam_unix.so appears only once in auth section of system-auth"/>
+ <criterion test_ref="test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"
+ comment="pam_unix.so appears only once in auth section of password-auth"/>
+ </criteria>
+
+ <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
+ versions, in /etc/security/faillock.conf. The last is the recommended option when
+ available. Also, is the option used by auselect tool. However, regardless the
+ approach, a minimal declaration is common in pam files. -->
+ <criteria operator="AND" comment="Check common definition of pam_faillock.so">
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"
+ comment="pam_faillock.so is properly defined in auth section of system-auth"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"
+ comment="pam_faillock.so is properly defined in account section of system-auth"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"
+ comment="pam_faillock.so is properly defined in auth section of password-auth"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"
+ comment="pam_faillock.so is properly defined in account section of password-auth"/>
+ </criteria>
+ </criteria>
+
+ <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
+ possible. But due to backwards compatibility, they are also allowed in pam files
+ directly. In case they are defined in both places, pam files have precedence and this
+ may confuse the assessment. The following tests ensure only one option is used. Note
+ that if faillock.conf is available, authselect tool only manage parameters on it -->
+ <criteria operator="OR" comment="Check expected value for pam_faillock.so deny parameter">
+ <criteria operator="AND"
+ comment="Check expected pam_faillock.so deny parameter in pam files">
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_deny_parameter_pamd_system"
+ comment="Check the deny parameter in auth section of system-auth file"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_deny_parameter_pamd_password"
+ comment="Check the deny parameter in auth section of password-auth file"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf"
+ comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
+ </criteria>
+ <criteria operator="AND"
+ comment="Check expected pam_faillock.so deny parameter in faillock.conf">
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system"
+ comment="Check the deny parameter is not present system-auth file"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password"
+ comment="Check the deny parameter is not present password-auth file"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"
+ comment="Ensure the deny parameter is present in /etc/security/faillock.conf"/>
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+
+ <!-- The following tests demand complex regex which are necessary more than once.
+ These variables make simpler the usage of regex patterns. -->
+ <constant_variable id="var_accounts_passwords_pam_faillock_deny_pam_unix_regex"
+ datatype="string" version="1"
+ comment="regex to identify pam_unix.so in auth section of pam files">
+ <value>^[\s]*auth\N+pam_unix\.so</value>
+ </constant_variable>
+
+ <constant_variable id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_regex"
+ datatype="string" version="1"
+ comment="regex to identify pam_faillock.so entries in auth section of pam files">
+ <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
+ </constant_variable>
+
+ <constant_variable id="var_accounts_passwords_pam_faillock_deny_pam_faillock_account_regex"
+ datatype="string" version="1"
+ comment="regex to identify pam_faillock.so entry in account section of pam files">
+ <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so</value>
+ </constant_variable>
+
+ <constant_variable
+ id="var_accounts_passwords_pam_faillock_deny_pam_faillock_deny_parameter_regex"
+ datatype="string" version="1"
+ comment="regex to identify pam_faillock.so deny entry in auth section of pam files">
+ <value>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)</value>
+ </constant_variable>
+
+ <constant_variable
+ id="var_accounts_passwords_pam_faillock_deny_faillock_conf_deny_parameter_regex"
+ datatype="string" version="1"
+ comment="regex to identify deny entry in /etc/security/faillock.conf">
+ <value>^[\s]*deny[\s]*=[\s]*([0-9]+)</value>
+ </constant_variable>
+
+ <!-- Check occurrences of pam_unix.so in auth section of system-auth file -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"
+ comment="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_deny_pam_unix_regex"/>
+ <!-- It is not expected to find a second instance of this pattern -->
+ <ind:instance datatype="int" operation="greater than">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"
+ comment="No more than one pam_unix.so is expected in auth section of system-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"/>
+ </ind:textfilecontent54_test>
+
+ <!-- Check occurrences of pam_unix.so in auth section in password-auth -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"
+ comment="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_deny_pam_unix_regex"/>
+ <ind:instance datatype="int" operation="greater than">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"
+ comment="No more than one pam_unix.so is expected in auth section of password-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"/>
+ </ind:textfilecontent54_test>
+
+ <!-- Check common definition of pam_faillock.so in system-auth -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"
+ comment="Check common definition of pam_faillock.so in auth section of system-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"
+ comment="One and only one occurrence is expected in auth section of system-auth">
+ <ind:object
+ object_ref="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"
+ comment="Check common definition of pam_faillock.so in account section of system-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_account_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"
+ comment="One and only one occurrence is expected in auth section of system-auth">
+ <ind:object
+ object_ref="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"/>
+ </ind:textfilecontent54_test>
+
+ <!-- Check common definition of pam_faillock.so in password-auth -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"
+ comment="Check common definition of pam_faillock.so in auth section of password-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"
+ comment="One and only one occurrence is expected in auth section of password-auth">
+ <ind:object
+ object_ref="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"
+ comment="Check common definition of pam_faillock.so in account section of password-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_account_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"
+ comment="One and only one occurrence is expected in auth section of password-auth">
+ <ind:object
+ object_ref="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"/>
+ </ind:textfilecontent54_test>
+
+ <!-- boundaries to test the parameter value -->
+ <!-- Specify the required external variable & create corresponding state from it -->
+ <external_variable id="var_accounts_passwords_pam_faillock_deny" datatype="int"
+ comment="number of failed login attempts allowed" version="1"/>
+
+ <ind:textfilecontent54_state version="1"
+ id="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound">
+ <ind:subexpression datatype="int" operation="less than or equal"
+ var_ref="var_accounts_passwords_pam_faillock_deny"/>
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_state version="1"
+ id="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound">
+ <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
+ </ind:textfilecontent54_state>
+
+ <!-- Check the pam_faillock.so deny parameter in system-auth -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_deny_parameter_pamd_system"
+ comment="Get the pam_faillock.so deny parameter from system-auth file">
+ <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_deny_parameter_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_parameter_pamd_system"
+ comment="Check the expected deny value in system-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_system"/>
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound"/>
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system"
+ comment="Check the absence of deny parameter in system-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_system"/>
+ </ind:textfilecontent54_test>
+
+ <!-- Check the pam_faillock.so deny parameter in password-auth -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_deny_parameter_pamd_password"
+ comment="Get the pam_faillock.so deny parameter from password-auth file">
+ <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_deny_parameter_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_parameter_pamd_password"
+ comment="Check the expected deny value in password-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_password"/>
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound"/>
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password"
+ comment="Check the absence of deny parameter in password-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_password"/>
+ </ind:textfilecontent54_test>
+
+ <!-- Check pam_faillock.so deny parameter in /etc/security/faillock.conf -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"
+ comment="Check the expected pam_faillock.so deny parameter in /etc/security/faillock.conf">
+ <ind:filepath operation="pattern match">^/etc/security/faillock.conf$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_deny_faillock_conf_deny_parameter_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"
+ comment="Check the expected deny value in in /etc/security/faillock.conf">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"/>
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound"/>
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf"
+ comment="Check the absence of deny parameter in /etc/security/faillock.conf">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"/>
+ </ind:textfilecontent54_test>
+</def-group>
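Review bot: The test comments at the two account-section tests are copy-paste leftovers: `test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account` says `One and only one occurrence is expected in auth section of system-auth` and the matching password-auth test says `... in auth section of password-auth`, while both objects match the account-section regex; they should read `account section`. In the same file the comment `the option used by auselect tool` should be `authselect`, and the test comment `Check the expected deny value in in /etc/security/faillock.conf` doubles `in`. For consistency with the other variables, the deny-parameter regex `^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)` would escape the dot as `pam_faillock\.so`, since an unescaped `.` matches any character. Note that this regex only inspects instance 1, so if a system sets different `deny=` values on the preauth and authfail lines only the first is validated — probably acceptable, but worth a comment if that mirrors the shared OVAL intentionally.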
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index 3f7bbd8..d1d77f0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2204
title: 'Lock Accounts After Failed Password Attempts'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml
new file mode 100644
index 0000000..94c1eca
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml
@@ -0,0 +1,285 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="3">
+ {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}}
+ <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
+ <criteria operator="AND" comment="Check if pam_faillock.so is properly enabled">
+ <!-- pam_unix.so is a control module present in all realistic scenarios and also used
+ as reference for the correct position of pam_faillock.so in auth section. If the
+ system is properly configured, it must appear only once in auth section. -->
+ <criteria operator="AND"
+ comment="Count occurrences of pam_unix.so in system-auth and password-auth">
+ <criterion test_ref="test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"
+ comment="pam_unix.so appears only once in auth section of system-auth"/>
+ <criterion test_ref="test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"
+ comment="pam_unix.so appears only once in auth section of password-auth"/>
+ </criteria>
+
+ <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
+ versions, in /etc/security/faillock.conf. The last is the recommended option when
+ available. Also, is the option used by auselect tool. However, regardless the
+ approach, a minimal declaration is common in pam files. -->
+ <criteria operator="AND" comment="Check common definition of pam_faillock.so">
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"
+ comment="pam_faillock.so is properly defined in auth section of system-auth"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"
+ comment="pam_faillock.so is properly defined in account section of system-auth"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"
+ comment="pam_faillock.so is properly defined in auth section of password-auth"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"
+ comment="pam_faillock.so is properly defined in account section of password-auth"/>
+ </criteria>
+ </criteria>
+
+ <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
+ possible. But due to backwards compatibility, they are also allowed in pam files
+ directly. In case they are defined in both places, pam files have precedence and this
+ may confuse the assessment. The following tests ensure only one option is used. Note
+ that if faillock.conf is available, authselect tool only manage parameters on this file
+ -->
+ <criteria operator="OR"
+ comment="Check expected value for pam_faillock.so unlock_time parameter">
+ <criteria operator="AND"
+ comment="Check expected pam_faillock.so unlock_time parameter in pam files">
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"
+ comment="Check the unlock_time parameter in auth section of system-auth file"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"
+ comment="Check the unlock_time parameter in auth section of password-auth file"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf"
+ comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
+ </criteria>
+ <criteria operator="AND"
+ comment="Check expected pam_faillock.so unlock_time parameter in faillock.conf">
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system"
+ comment="Check the unlock_time parameter is not present system-auth file"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password"
+ comment="Check the unlock_time parameter is not present password-auth file"/>
+ <criterion
+ test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"
+ comment="Ensure the unlock_time parameter is present in /etc/security/faillock.conf"/>
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+
+ <!-- The following tests demand complex regex which are necessary more than once.
+ These variables make simpler the usage of regex patterns. -->
+ <constant_variable id="var_accounts_passwords_pam_faillock_unlock_time_pam_unix_regex"
+ datatype="string" version="1"
+ comment="regex to identify pam_unix.so in auth section of pam files">
+ <value>^[\s]*auth\N+pam_unix\.so</value>
+ </constant_variable>
+
+ <constant_variable id="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_auth_regex"
+ datatype="string" version="1"
+ comment="regex to identify pam_faillock.so entries in auth section of pam files">
+ <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
+ </constant_variable>
+
+ <constant_variable id="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_account_regex"
+ datatype="string" version="1"
+ comment="regex to identify pam_faillock.so entry in account section of pam files">
+ <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so</value>
+ </constant_variable>
+
+ <constant_variable
+ id="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_unlock_time_parameter_regex"
+ datatype="string" version="1"
+ comment="regex to identify pam_faillock.so unlock_time entry in auth section of pam files">
+ <value>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</value>
+ </constant_variable>
+
+ <constant_variable
+ id="var_accounts_passwords_pam_faillock_unlock_time_faillock_conf_unlock_time_parameter_regex"
+ datatype="string" version="1"
+ comment="regex to identify unlock_time entry in /etc/security/faillock.conf">
+ <value>^[\s]*unlock_time[\s]*=[\s]*([0-9]+)</value>
+ </constant_variable>
+
+ <!-- Check occurrences of pam_unix.so in auth section of system-auth file -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"
+ comment="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_unix_regex"/>
+ <!-- It is not expected to find a second instance of this pattern -->
+ <ind:instance datatype="int" operation="greater than">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"
+ comment="No more than one pam_unix.so is expected in auth section of system-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"/>
+ </ind:textfilecontent54_test>
+
+ <!-- Check occurrences of pam_unix.so in auth section in password-auth -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"
+ comment="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_unix_regex"/>
+ <ind:instance datatype="int" operation="greater than">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"
+ comment="No more than one pam_unix.so is expected in auth section of password-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"/>
+ </ind:textfilecontent54_test>
+
+ <!-- Check common definition of pam_faillock.so in system-auth -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"
+ comment="Check common definition of pam_faillock.so in auth section of system-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_auth_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"
+ comment="One and only one occurrence is expected in auth section of system-auth">
+ <ind:object
+ object_ref="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"
+ comment="Check common definition of pam_faillock.so in account section of system-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_account_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"
+ comment="One and only one occurrence is expected in auth section of system-auth">
+ <ind:object
+ object_ref="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"/>
+ </ind:textfilecontent54_test>
+
+ <!-- Check common definition of pam_faillock.so in password-auth -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"
+ comment="Check common definition of pam_faillock.so in auth section of password-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_auth_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"
+ comment="One and only one occurrence is expected in auth section of password-auth">
+ <ind:object
+ object_ref="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"
+ comment="Check common definition of pam_faillock.so in account section of password-auth">
+ <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_account_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"
+ comment="One and only one occurrence is expected in auth section of password-auth">
+ <ind:object
+ object_ref="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"/>
+ </ind:textfilecontent54_test>
+
+ <!-- boundaries to test the parameter value -->
+ <!-- Specify the required external variable & create corresponding state from it -->
+ <external_variable id="var_accounts_passwords_pam_faillock_unlock_time" datatype="int"
+ comment="number of failed login attempts allowed" version="1"/>
+
+ <ind:textfilecontent54_state version="1"
+ id="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound">
+ <ind:subexpression datatype="int" operation="greater than or equal"
+ var_ref="var_accounts_passwords_pam_faillock_unlock_time"/>
+ </ind:textfilecontent54_state>
+
+ <!-- Check the pam_faillock.so unlock_time parameter in system-auth -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"
+ comment="Get the pam_faillock.so unlock_time parameter from system-auth file">
+ <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_unlock_time_parameter_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"
+ comment="Check the expected unlock_time value in system-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"/>
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system"
+ comment="Check the absence of unlock_time parameter in system-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"/>
+ </ind:textfilecontent54_test>
+
+ <!-- Check the pam_faillock.so unlock_time parameter in password-auth -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"
+ comment="Get the pam_faillock.so unlock_time parameter from password-auth file">
+ <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_unlock_time_parameter_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"
+ comment="Check the expected unlock_time value in password-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"/>
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password"
+ comment="Check the absence of unlock_time parameter in password-auth">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"/>
+ </ind:textfilecontent54_test>
+
+ <!-- Check pam_faillock.so unlock_time parameter in /etc/security/faillock.conf -->
+ <ind:textfilecontent54_object version="1"
+ id="object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"
+ comment="Check the expected pam_faillock.so unlock_time parameter in /etc/security/faillock.conf">
+ <ind:filepath operation="pattern match">^/etc/security/faillock.conf$</ind:filepath>
+ <ind:pattern operation="pattern match"
+ var_ref="var_accounts_passwords_pam_faillock_unlock_time_faillock_conf_unlock_time_parameter_regex"/>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"
+ comment="Check the expected unlock_time value in in /etc/security/faillock.conf">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"/>
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+ id="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf"
+ comment="Check the absence of unlock_time parameter in /etc/security/faillock.conf">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"/>
+ </ind:textfilecontent54_test>
+</def-group>
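Review bot: The lower-bound state at line 3364 compares the captured unlock_time value with `var_accounts_passwords_pam_faillock_unlock_time` using greater-than-or-equal only, so when the variable is set to the `never` option (value 0, visible in the .var hunk below) any configured value, including a very short unlock_time, satisfies the rule even though pam_faillock treats 0 as a permanent lock; if that is the intended semantics the definition needs a separate equals-0 branch rather than the bound alone. The external_variable comment at line 3360 is copied from the deny rule and describes the wrong quantity; it should read `comment="number of seconds an account stays locked after the allowed failed attempts"`. The test comments at lines 3319 and 3352 say "auth section" but those tests cover the account section, and the comment at line 3426 has a doubled "in". The unlock_time regex at line 3248 uses an unescaped dot in `pam_faillock.so` while every other pattern in the file writes `pam_faillock\.so`.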
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
index 7157b51..6022dcd 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2204
title: 'Set Lockout Time for Failed Password Attempts'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var
index 46c73e4..206b03e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var
@@ -17,5 +17,6 @@ options:
604800: 604800
86400: 86400
900: 900
+ 300: 300
default: 0
never: 0
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
index e67cd88..5843fd2 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
title: 'Ensure PAM Enforces Password Requirements - Minimum Digit Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
index d41ca6c..6ec6fba 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol8,ol9,rhel8,rhel9,ubuntu2004
+prodtype: fedora,ol8,ol9,openeuler2203,openeuler2403,rhel8,rhel9,ubuntu2004
title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
index 198475c..15f4617 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol9,rhel8,rhel9
+prodtype: fedora,ol9,openeuler2203,openeuler2403,rhel8,rhel9
title: 'Ensure PAM Enforces Password Requirements - Enforce for root User'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
index 5799a7b..4de04a1 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
title: 'Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
index 45a8dfa..d0c33ab 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
title: 'Ensure PAM Enforces Password Requirements - Minimum Different Categories'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
index f05b6e0..6a9b551 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
title: 'Ensure PAM Enforces Password Requirements - Minimum Length'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
index 632aa24..89fd371 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
title: 'Ensure PAM Enforces Password Requirements - Minimum Special Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
index df2272b..c3052a0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204
title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
index 6c631ea..5b4041c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
title: 'Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
index bf87c9c..786e396 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: "Set PAM''s Password Hashing Algorithm - password-auth"
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index 5375365..803ad40 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: "Set PAM''s Password Hashing Algorithm"
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
index fadfa30..7cc8b57 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
@@ -36,7 +36,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_require_emergency_service" version="1">
<ind:filepath>/usr/lib/systemd/system/emergency.service</ind:filepath>
- {{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}}
+ {{%- if product in ["fedora", "ol8", "ol9", "openeuler2203", "openeuler2403", "rhel8", "rhel9", "sle12", "sle15"] -%}}
<ind:pattern operation="pattern match">^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency</ind:pattern>
{{%- else -%}}
<ind:pattern operation="pattern match">^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\"</ind:pattern>
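Review bot: The product list extended at line 3614 is duplicated verbatim in the fixtext of the rule.yml hunk at line 3637, so the two will drift the next time a product is added; consider driving both from one shared condition (a single variable or macro holding the list of products that use systemd-sulogin-shell) instead of two hand-maintained lists. Whether openEuler's emergency.service actually ships the `systemd-sulogin-shell emergency` ExecStart form is not visible from the hunk and is worth confirming against the shipped unit file, since a mismatch would make the check fail on a correctly hardened system.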
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index e3b3c18..53bea43 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Require Authentication for Emergency Systemd Target'
@@ -86,7 +86,7 @@ fixtext: |-
Configure {{{ full_name }}} to require authentication for system emergency mode.
Add or edit the following line in "/usr/lib/systemd/system/emergency.service":
- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}}
+ {{% if product in ["fedora", "ol8", "ol9", "openeuler2203", "openeuler2403", "rhel8", "rhel9", "sle12", "sle15"] -%}}
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
{{%- else -%}}
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
index f232eb7..7f9c4dc 100644
--- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
title: 'Disable debug-shell SystemD Service'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
index d4b7117..0493d9e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
title: 'Assign Expiration Date to Temporary Accounts'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
index 3cda626..aca9ef5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure All Accounts on the System Have Unique User IDs'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
index aa5a69c..0cb8d6e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure All Groups on the System Have Unique Group ID'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
index 55b2c5e..e1da489 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure All Groups on the System Have Unique Group Names'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
index 3591fba..41489ff 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -84,4 +84,3 @@ srg_requirement: |-
{{{ full_name }}} user account passwords for new users or password changes must have a 60 day maximum password lifetime restriction in /etc/login.defs.
platform: package[shadow-utils]
-
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
index 3cbb4d9..7eaac40 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
@@ -84,4 +84,3 @@ srg_requirement: |-
{{{ full_name }}} passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.
platform: package[shadow-utils]
-
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
index c101f11..fc64d11 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
+prodtype: alinux2,alinux3,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
title: 'Verify No .forward Files Exist'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index d0ed1f4..3f33979 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Enforce usage of pam_wheel for su authentication'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index a660109..1b6a66f 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Set Interactive Session Timeout'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index e58fb7d..a4f4432 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'All Interactive Users Home Directories Must Exist'
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 1795fac..1148bf9 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure the Default Bash Umask is Set Correctly'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
index d3b0186..1dbd420 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle15
title: 'Record Successful Permission Changes to Files - chmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
index 241d1d6..7996a8f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Ownership Changes to Files - chown'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
index ce7070e..c62a171 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Permission Changes to Files - fchmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
index 4b6cee0..c839def 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Permission Changes to Files - fchmodat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
index 6bc0b95..f4eb579 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Ownership Changes to Files - fchown'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
index e882a57..545979e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Ownership Changes to Files - fchownat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
index ee4ff3a..090ecb1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Permission Changes to Files - fremovexattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
index d40bfde..be1e1fa 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Permission Changes to Files - fsetxattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
index 90873b1..d313b57 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Ownership Changes to Files - lchown'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
index acbfbc0..b424556 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Permission Changes to Files - lremovexattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
index b669f75..c72f4ad 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Permission Changes to Files - lsetxattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
index 7d7e3eb..14ed330 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Permission Changes to Files - removexattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
index 82d103e..5f29767 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Delete Attempts to Files - rename'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
index 1736c97..44bf9e0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Delete Attempts to Files - renameat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
index 75809f4..b167733 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Permission Changes to Files - setxattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
index 91e8f67..cb411e5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Delete Attempts to Files - unlink'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
index a11b195..86bab31 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Record Successful Delete Attempts to Files - unlinkat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
index fe9f1d9..cc33a91 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index 1b476f4..b873f49 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Unsuccessful Access Attempts to Files - creat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index 398110d..50b9592 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Unsuccessful Access Attempts to Files - ftruncate'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 8893d52..083feb4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Unsuccessful Access Attempts to Files - open'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
index cb615dc..cb62dd9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index 1126705..aad0d0f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Unsuccessful Access Attempts to Files - openat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
index 2884c9d..8f68d62 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Unsuccessful Access Attempts to Files - truncate'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
index 90a7173..368747c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
index f8ab574..47b8db1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
index d63a995..7c0230d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
index a1d7d2c..dc25542 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
index 34e160a..006e96e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Attempts to Alter Logon and Logout Events - lastlog'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
index 1086361..0b0e0bc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - insmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
index 19e74ab..b4d6fb5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - modprobe'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
index bb5b567..8849eb0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - rmmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index 3d76a1a..e8da204 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -4,7 +4,7 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sudo'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
index 628dc4f..6a1e04e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol8,ol9,rhel8,rhel9
+prodtype: fedora,ol8,ol9,openeuler2203,openeuler2403,rhel8,rhel9
title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index 46128d8..b2d42c5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Events that Modify User/Group Information - /etc/group'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
index 5cfe91d..f502455 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Events that Modify User/Group Information - /etc/gshadow'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index d58af4c..c35d421 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Events that Modify User/Group Information - /etc/security/opasswd'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
index d67693e..cf91038 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Events that Modify User/Group Information - /etc/passwd'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index 68a975a..b5e3762 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Record Events that Modify User/Group Information - /etc/shadow'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
index 8ccde19..10032fa 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Configure audispd''s Plugin disk_full_action When Disk Is Full'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml
index 01c5df5..91c9cb9 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol8,ol9,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204
+prodtype: fedora,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204
title: 'Configure auditd admin_space_left on Low Disk Space'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index d9b97fb..a8fe5c7 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Configure auditd space_left on Low Disk Space'
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index e81a90b..1b9abe0 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
index 65132d8..6e3aeb6 100644
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Extend Audit Backlog Limit for the Audit Daemon'
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 9acb58b..21f343b 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Set Boot Loader Password in grub2'
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 18d5b92..d749483 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Set the UEFI Boot Loader Password'
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
index 8a7b722..6755b6a 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
title: 'Ensure cron Is Logging To Rsyslog'
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
index 76f0e4b..47aeef5 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7,rhel8,rhel9,sle12,sle15
+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
title: 'Ensure logging is configured'
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml
index bea5ed4..1588359 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol8,ol9,rhel8,rhel9,ubuntu2004,ubuntu2204
+prodtype: fedora,ol8,ol9,openeuler2203,openeuler2403,rhel8,rhel9,ubuntu2004,ubuntu2204
title: 'Ensure remote access methods are monitored in Rsyslog'
diff --git a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml
index f37af58..b79c97c 100644
--- a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204
+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204
title: 'Ensure rsyslog Default File Permissions Configured'
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
index cd22594..18b3db5 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Verify firewalld Enabled'
diff --git a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml
index ae73778..6a5355a 100644
--- a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7,rhel8,sle15
+prodtype: rhel7,rhel8,openeuler2203,openeuler2403,sle15
title: 'Ensure network interfaces are assigned to appropriate zone'
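Review bot: The new `prodtype` line in set_firewalld_appropriate_zone breaks the alphabetical order that every other prodtype edit in this patch keeps — `openeuler2203,openeuler2403` is inserted after `rhel8` instead of before `rhel7`. Sorted product lists keep later merges and coverage greps predictable, so the line should read `prodtype: openeuler2203,openeuler2403,rhel7,rhel8,sle15`.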
diff --git a/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml b/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml
index 05f7144..1f93b40 100644
--- a/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle15
+prodtype: openeuler2203,openeuler2403,sle15
title: 'Ensure Unnecessary Services and Ports Are Not Accepted'
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
index 73e27ed..9b9db6f 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
@@ -16,7 +16,11 @@ rationale: |-
severity: medium
+{{% if product in ['openeuler2203','openeuler2403'] %}}
+platform: machine
+{{% else %}}
platform: not package[nftables] and not package[ufw]
+{{% endif %}}
identifiers:
cce@sle12: CCE-92215-3
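Review bot: Replacing the platform guard with `platform: machine` for openEuler drops the `not package[nftables] and not package[ufw]` condition that every other product keeps, so this iptables loopback rule is now selected on openEuler even when nftables or ufw is installed; nothing in the hunk says why openEuler is exempt from the backend check, and if nftables is the active firewall on those products the check will report failures (and the remediation will write rules) against a backend that is not in use — I cannot confirm the openEuler default from here. The same unconditional platform is introduced in the set_loopback_traffic and set_iptables_default_rule hunks below. A YAML comment above the new branch, such as `# openEuler: applied regardless of nftables/ufw presence — TODO confirm iptables is the active backend on openeuler2203/2403`, would record the assumption. The product test also differs from the `{{% if "openeuler" in product %}}` form used later in this patch for sysctl_net_ipv6_conf_all_accept_source_route; one idiom should be used throughout. The enclosing rule file continues outside the hunk.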
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
index 6ab31a4..ef09802 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
@@ -16,7 +16,11 @@ rationale: |-
severity: medium
+{{% if product in ['openeuler2203','openeuler2403'] %}}
+platform: machine
+{{% else %}}
platform: not package[nftables] and not package[ufw]
+{{% endif %}}
identifiers:
cce@sle12: CCE-92214-6
diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
index c7ea1c0..100a1ec 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml
@@ -18,7 +18,11 @@ rationale: |-
severity: medium
+{{% if product in ['openeuler2203','openeuler2403'] %}}
+platform: machine
+{{% else %}}
platform: not package[nftables] and not package[ufw]
+{{% endif %}}
identifiers:
cce@rhel7: CCE-86719-2
diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml
index 88b1b36..34663ba 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle12,sle15
+prodtype: openeuler2203,openeuler2403,sle12,sle15
title: 'Ensure Outbound and Established Connections are Configured'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index 9a69794..f05d2c9 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index c1f0dc4..10100f3 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
@@ -69,3 +69,6 @@ template:
vars:
sysctlvar: net.ipv6.conf.all.accept_source_route
datatype: int
+{{% if "openeuler" in product %}}
+ missing_parameter_pass: 'true'
+{{% endif %}}
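Review bot: `missing_parameter_pass: 'true'` makes the check pass when net.ipv6.conf.all.accept_source_route is absent from the sysctl configuration files, so on openEuler the rule now relies on the kernel default being the compliant value rather than on an explicit setting, and nothing in the rule records why that is acceptable for this product. A comment above the branch, e.g. `# openEuler: an absent config entry is accepted because the kernel default is already compliant`, would stop the next maintainer from tightening or loosening it by accident. The same unexplained switch appears in the sysctl_net_ipv6_conf_all_forwarding, sysctl_net_ipv6_conf_default_accept_source_route and sysctl_kernel_randomize_va_space hunks. Passing on an absent config entry does not by itself establish the live value; confirm the template still evaluates the runtime sysctl when the parameter is missing. The `template:` block starts outside the hunk.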
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
index c02cdc4..d155c12 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Kernel Parameter for IPv6 Forwarding'
@@ -63,3 +63,6 @@ template:
vars:
sysctlvar: net.ipv6.conf.all.forwarding
datatype: int
+{{% if "openeuler" in product %}}
+ missing_parameter_pass: 'true'
+{{% endif %}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
index e985040..2a54324 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default'
@@ -68,3 +68,6 @@ template:
vars:
sysctlvar: net.ipv6.conf.default.accept_source_route
datatype: int
+{{% if "openeuler" in product %}}
+ missing_parameter_pass: 'true'
+{{% endif %}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
index 8756e21..efd7d4a 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 2ccc278..af51919 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
index dfcd0b6..0de28f3 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index e3b2b18..95bf511 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
index 849ae47..a0aa7cf 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index 9a54bbc..d7dcd8a 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
index 9ff43ba..7e7e254 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
index b688a15..ac4ed33 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
index 90ef90f..c41f654 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
index 5b12a1b..bccfe90 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
index a5fb5f4..1b1b6a0 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
index 31e76dd..274288f 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
index e6b948b..ab99ff1 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index fc30851..f73277a 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index a485053..1c6493e 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
index 7d989f7..f9f161a 100644
--- a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle15,ubuntu2004,ubuntu2204
+prodtype: openeuler2203,openeuler2403,sle15,ubuntu2004,ubuntu2204
title: 'Ensure nftables Default Deny Firewall Policy'
diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
index 5be921e..56204f9 100644
--- a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7,rhel8,sle15,ubuntu2004,ubuntu2204
+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,sle15,ubuntu2004,ubuntu2204
title: 'Verify nftables Service is Enabled'
diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
index 043c11b..6f9d562 100644
--- a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle15,ubuntu2004,ubuntu2204
+prodtype: openeuler2203,openeuler2403,sle15,ubuntu2004,ubuntu2204
title: 'Set nftables Configuration for Loopback Traffic'
diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
index ae1a369..5adafb8 100644
--- a/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle15
+prodtype: openeuler2203,openeuler2403,sle15
title: 'Ensure all outbound and established connections are configured for nftables'
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
index 20eeb3e..f03402b 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable SCTP Support'
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index 02cb56f..17157d4 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Deactivate Wireless Network Interfaces'
@@ -117,4 +117,8 @@ fixtext: |-
srg_requirement: '{{{ full_name }}} wireless network adapters must be disabled.'
+{{% if product in ['openeuler2203','openeuler2403'] %}}
+platform: machine
+{{% else %}}
platform: wifi-iface
+{{% endif %}}
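Review bot: Switching the platform from `wifi-iface` to `machine` for openEuler means wireless_disable_interfaces is evaluated on every non-container host, including ones with no wireless adapter at all; whether such hosts then pass or fail depends on how the rule's check treats an empty interface set, which this hunk does not show, so confirm that before shipping the profile. If the reason is that openEuler lacks the `wifi-iface` CPE platform, record it above the branch, e.g. `# openEuler: no wifi-iface CPE is defined, evaluate on every machine`, so the gate is not mistaken for a policy decision. The fixtext block this hunk ends in starts outside the hunk.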
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
index 5683f30..a85c072 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
title: 'Ensure All SGID Executables Are Authorized'
-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,uos20
description: |-
The SGID (set group id) bit should be set only on files that were
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index 249f971..58dc69a 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
title: 'Ensure All SUID Executables Are Authorized'
-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20
+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,uos20
description: |-
The SUID (set user id) bit should be set only on files that were
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
index 11060d0..936873d 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure All Files Are Owned by a Group'
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index 13650fc..f9af42a 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure All Files Are Owned by a User'
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index 8cbcf66..ed7412f 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Disable Modprobe Loading of USB Storage Driver'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
index d06852d..327c297 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
title: 'Add nodev Option to Removable Media Partitions'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
index 75934b9..d47a355 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
title: 'Add noexec Option to Removable Media Partitions'
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
index ed025e4..024eceb 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
@@ -60,6 +60,9 @@ template:
sysctlvar: kernel.randomize_va_space
sysctlval: '2'
datatype: int
+{{% if "openeuler" in product %}}
+ missing_parameter_pass: 'true'
+{{% endif %}}
fixtext: |-
Configure {{{ full_name }}} to implement virtual address space randomization.
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
index b73d219..e122550 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
2024-02-19 19:22:35 +08:00
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
2023-10-09 21:11:46 +08:00
title: 'Restrict Access to Kernel Message Buffer'
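--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Disallow magic SysRq key'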
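--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Restrict usage of ptrace to descendant processes'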
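--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
 title: 'Ensure No Daemons are Unconfined by SELinux'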
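--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Configure SELinux Policy'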
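--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
 title: 'Configure System Cryptography Policy'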
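--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Build and Test AIDE Database'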
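--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Install AIDE'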
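--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 title: 'The operating system must restrict privilege elevation to authorized personnel'
-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
 description: |-
 The sudo command allows a user to execute programs with elevated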
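--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
 title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'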
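--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Ensure gpgcheck Enabled for All {{{ pkg_manager }}} Package Repositories'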
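--- a/products/openeuler2203/product.yml
+++ b/products/openeuler2203/product.yml
@@ -8,6 +8,7 @@ benchmark_root: "../../linux_os/guide"
 profiles_root: "./profiles"
 pkg_manager: "dnf"
+pkg_manager_config_file: "/etc/yum.conf"
 init_system: "systemd"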
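Review bot: `pkg_manager_config_file: "/etc/yum.conf"` is paired here with `pkg_manager: "dnf"`, and on dnf-based systems the configuration dnf actually reads is `/etc/dnf/dnf.conf`, with `/etc/yum.conf` at most a compatibility symlink. If openEuler ships only the symlink (or no `/etc/yum.conf` at all), the `ensure_gpgcheck_globally_activated` check and its remediation, which this same patch enables for openEuler, would be evaluated or written against a path dnf reads only indirectly, or fail outright when the file is absent; please confirm which file openEuler installs and, if it is the dnf one, use `pkg_manager_config_file: "/etc/dnf/dnf.conf"`. The same value appears in the openeuler2403 product.yml hunk below.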
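--- a/products/openeuler2403/product.yml
+++ b/products/openeuler2403/product.yml
@@ -8,6 +8,7 @@ benchmark_root: "../../linux_os/guide"
 profiles_root: "./profiles"
 pkg_manager: "dnf"
+pkg_manager_config_file: "/etc/yum.conf"
 init_system: "systemd"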
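--- a/shared/applicability/package.yml
+++ b/shared/applicability/package.yml
@@ -49,7 +49,7 @@ args:
 pkgname: postfix
 shadow-utils:
 {{% if pkg_system == "rpm" %}}
- {{% if product in ["sle12", "sle15"] %}}
+ {{% if product in ["openeuler2203", "openeuler2403", "sle12", "sle15"] %}}
 pkgname: shadow
 {{% else %}}
 pkgname: shadow-utils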
--
2.21.0.windows.1