diff --git a/SPECS/scap-security-guide/2000-add-support-for-openRuyi.patch b/SPECS/scap-security-guide/2000-add-support-for-openRuyi.patch
index 26e7e8f9dd..4bfa0fa5ae 100644
--- a/SPECS/scap-security-guide/2000-add-support-for-openRuyi.patch
+++ b/SPECS/scap-security-guide/2000-add-support-for-openRuyi.patch
@@ -1,4 +1,4 @@
-From d77d9775046e62946ad84f7995243b9c1ce8c8e3 Mon Sep 17 00:00:00 2001
+From 053c6a433d38cd1e1176fb5aca27de98f12c290a Mon Sep 17 00:00:00 2001
 From: Yafen Fang
 Date: Wed, 1 Apr 2026 18:16:22 +0800
 Subject: [PATCH] add support for openRuyi
@@ -7,41 +7,61 @@ Add openRuyi Product to provide security configuration baseline scanning capabil 1. Build the openRuyi-related support framework 2. Add common openRuyi check items --- - CMakeLists.txt | 5 + - build_product | 1 + - controls/std_openruyi.yml | 1799 +++++++++++++++++ - .../obsolete/service_rsyncd_disabled/rule.yml | 1 + - .../guide/services/ssh/sshd_strong_kex.var | 1 + - .../oval/shared.xml | 2 +- - .../require_emergency_target_auth/rule.yml | 2 +- - .../tests/invalid_username.fail.sh | 2 +- - .../oval/shared.xml | 32 + - product_properties/10-grub.yml | 5 + - products/openruyi/CMakeLists.txt | 6 + - products/openruyi/product.yml | 24 + - products/openruyi/profiles/standard.profile | 14 + - shared/applicability/bootc.yml | 2 + - shared/applicability/oval/bootc.xml | 2 + - .../oval/installed_env_has_grub2_package.xml | 4 +- - ...proc_sys_kernel_osrelease_arch_riscv64.xml | 1 + - .../applicability/oval/system_with_kernel.xml | 2 + - shared/applicability/package.yml | 4 +- - shared/applicability/riscv64_arch.yml | 5 + - shared/applicability/system_with_kernel.yml | 4 + - shared/checks/oval/bootc.xml | 2 + - .../checks/oval/installed_OS_is_openruyi.xml | 25 + - .../oval/sysctl_kernel_ipv6_disable.xml | 1 + - .../oval/system_info_architecture_64bit.xml | 2 + - .../system_info_architecture_riscv_64.xml | 29 + - shared/macros/01-general.jinja | 2 + - shared/macros/10-ansible.jinja | 6 + - ssg/constants.py | 6 +- - tests/shared/grub2.sh | 4 +- - 30 files changed, 1987 insertions(+), 8 deletions(-) + CMakeLists.txt | 5 + + build_product | 1 + + components/filesystem.yml | 2 + + controls/std_openruyi.yml | 415 ++++++++++++++++++ + .../obsolete/service_rsyncd_disabled/rule.yml | 1 + + .../guide/services/ssh/sshd_strong_kex.var | 1 + + .../oval/shared.xml | 2 +- + .../require_emergency_target_auth/rule.yml | 2 +- + .../tests/invalid_username.fail.sh | 2 +- + .../oval/shared.xml | 34 +- + .../files/file_empty_link_prohibit/rule.yml | 26 ++ + 
.../file_empty_link_prohibit/sce/shared.sh | 11 + + .../file_hidden_executable_prohibit/rule.yml | 25 ++ + .../sce/shared.sh | 13 + + product_properties/10-grub.yml | 5 + + products/openruyi/CMakeLists.txt | 6 + + products/openruyi/product.yml | 24 + + products/openruyi/profiles/standard.profile | 14 + + shared/applicability/bootc.yml | 2 + + shared/applicability/oval/bootc.xml | 2 + + .../oval/installed_OS_is_openruyi_riscv.xml | 25 ++ + .../oval/installed_env_has_grub2_package.xml | 4 +- + ...proc_sys_kernel_osrelease_arch_riscv64.xml | 1 + + .../applicability/oval/system_with_kernel.xml | 2 + + shared/applicability/package.yml | 4 +- + shared/applicability/riscv64_arch.yml | 5 + + shared/applicability/system_with_kernel.yml | 4 + + shared/checks/oval/bootc.xml | 2 + + .../checks/oval/installed_OS_is_openruyi.xml | 24 + + .../oval/sysctl_kernel_ipv6_disable.xml | 1 + + .../oval/system_info_architecture_64bit.xml | 2 + + .../system_info_architecture_riscv_64.xml | 29 ++ + shared/macros/01-general.jinja | 2 + + shared/macros/10-ansible.jinja | 6 + + shared/macros/10-bash.jinja | 10 +- + shared/macros/10-oval.jinja | 2 +- + .../templates/accounts_password/bash.template | 4 +- + .../templates/accounts_password/oval.template | 6 +- + .../grub2_bootloader_argument/bash.template | 2 +- + .../bash.template | 2 +- + .../templates/service_disabled/bash.template | 2 +- + .../templates/service_enabled/bash.template | 2 +- + shared/templates/sysctl/bash.template | 2 +- + ssg/constants.py | 6 +- + tests/shared/grub2.sh | 4 +- + 45 files changed, 721 insertions(+), 25 deletions(-) create mode 100644 controls/std_openruyi.yml + create mode 100644 linux_os/guide/system/permissions/files/file_empty_link_prohibit/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/file_empty_link_prohibit/sce/shared.sh + create mode 100644 linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/rule.yml + create mode 100644 
linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/sce/shared.sh create mode 100644 products/openruyi/CMakeLists.txt create mode 100644 products/openruyi/product.yml create mode 100644 products/openruyi/profiles/standard.profile + create mode 100644 shared/applicability/oval/installed_OS_is_openruyi_riscv.xml create mode 100644 shared/applicability/oval/proc_sys_kernel_osrelease_arch_riscv64.xml create mode 100644 shared/applicability/riscv64_arch.yml create mode 100644 shared/checks/oval/installed_OS_is_openruyi.xml @@ -89,1811 +109,440 @@ index 76e3d3a698..49b1a9fd4f 100755 OPENSUSE RHCOS4 RHEL8 +diff --git a/components/filesystem.yml b/components/filesystem.yml +index bae7bd640e..ca95148629 100644 +--- a/components/filesystem.yml ++++ b/components/filesystem.yml +@@ -197,6 +197,8 @@ rules: + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_regular + - sysctl_fs_protected_symlinks ++- file_empty_link_prohibit ++- file_hidden_executable_prohibit + templates: + - mount + - mount_option diff --git a/controls/std_openruyi.yml b/controls/std_openruyi.yml new file mode 100644 -index 0000000000..e138af4593 +index 0000000000..ac707d41ec --- /dev/null 
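Review bot: The new `create mode` entries for `file_empty_link_prohibit` and `file_hidden_executable_prohibit` list only a `rule.yml` and an `sce/shared.sh` per rule, and the updated diffstat shows no `tests/` scenarios for either (the existing `.../tests/invalid_username.fail.sh` entry is the only test file touched), so the two new SCE shell checks appear to land without pass/fail coverage. SCE scripts are easy to get subtly wrong (traversal scope, exit-code mapping), so at least one `.pass.sh` and one `.fail.sh` scenario per rule would be worth adding before the `std_openruyi` baseline depends on them. The diffstat also shows this product-addition patch now modifying shared remediation infrastructure — `shared/macros/10-bash.jinja`, `shared/macros/10-oval.jinja`, and the `accounts_password`, `service_disabled`, `service_enabled`, `sysctl` and `grub2_bootloader_argument` templates — which affects every product's generated fixes; the embedded commit message should state why those shared files need to change, or the changes should be split into their own patch. The next hunk begins on this same line and continues past the end of this view.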
+++ b/controls/std_openruyi.yml -@@ -0,0 +1,1799 @@ +@@ -0,0 +1,415 @@ +--- +policy: 'Standard Benchmark for openRuyi' +title: 'Standard Benchmark for openRuyi' +id: std_openruyi +version: '1.0' -+source: https://gitee.com/openeuler/security-committee/blob/master/sub-projects/secure-configuration-benchmark/release/ -+ +levels: -+ - id: l1_server -+ - id: l2_server -+ inherits_from: -+ - l1_server ++ - id: base + +controls: -+ - id: 1.1.1 -+ title: Ensure All Files Have Owner And Group -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - no_files_unowned_by_user -+ - no_files_unowned_by_user.severity=high -+ - file_permissions_ungroupowned -+ - file_permissions_ungroupowned.severity=high -+ -+ - id: 1.1.2 -+ title: Ensure No Empty Symlink -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.1.3 -+ title: Ensure No Hidden Executable Files -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.1.4 -+ title: Ensure Sticky Set On Global Writable Folder -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - dir_perms_world_writable_sticky_bits -+ - dir_perms_world_writable_sticky_bits.severity=high -+ -+ - id: 1.1.5 -+ title: Ensure UMASK Correct -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - accounts_umask_etc_bashrc -+ - accounts_umask_etc_bashrc.severity=high -+ - var_accounts_user_umask=077 -+ -+ - id: 1.1.6 -+ title: Ensure No Global Writable File -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - file_permissions_unauthorized_world_writable -+ - file_permissions_unauthorized_world_writable.severity=high -+ -+ - id: 1.1.7 -+ title: Umount Unnecessary File System -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.1.8 -+ title: Ensure Mount As Readonly If No Need To Write -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.1.9 -+ title: Ensure Mount As Nodev -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.1.10 -+ title: Ensure Mount As Noexec -+ levels: -+ - l1_server -+ status: planned -+ 
-+ - id: 1.1.11 -+ title: Ensure Mount As Noexec And Nodev For Removable Device -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - mount_option_noexec_removable_partitions -+ - mount_option_noexec_removable_partitions.severity=high -+ - mount_option_nodev_removable_partitions -+ - mount_option_nodev_removable_partitions.severity=high -+ -+ - id: 1.1.12 -+ title: Ensure Mount As Nosuid -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.1.13 -+ title: Ensure Remove Unnecessary SUID And SGID -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - file_permissions_unauthorized_suid -+ - file_permissions_unauthorized_suid.severity=high -+ - file_permissions_unauthorized_sgid -+ - file_permissions_unauthorized_sgid.severity=high -+ -+ - id: 1.1.14 -+ title: Ensure File Permission Minimize -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.1.15 -+ title: Ensure Ulinmit Correctly -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.1.16 -+ title: Ensure Symlinks And Hardlinks Protected -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sysctl_fs_protected_symlinks -+ - sysctl_fs_protected_symlinks.severity=high -+ - sysctl_fs_protected_hardlinks -+ - sysctl_fs_protected_hardlinks.severity=high -+ -+ - id: 1.1.17 -+ title: Ensure Different Data Store In Different Partitions -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 1.1.18 -+ title: Ensure LD_LIBRARY_PATH Correct -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.1.19 -+ title: Ensure User PATH Correct -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.2.1 -+ title: Ensure FTP Not Installed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - package_ftp_removed -+ - package_ftp_removed.severity=high -+ -+ - id: 1.2.2 -+ title: Ensure TFTP Server Not Installed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - package_tftp_removed -+ - package_tftp_removed.severity=high -+ - package_tftp-server_removed -+ - 
package_tftp-server_removed.severity=high -+ -+ - id: 1.2.3 -+ title: Ensure Telnet Server Not Installed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - package_telnet_removed -+ - package_telnet_removed.severity=high -+ - package_telnet-server_removed -+ - package_telnet-server_removed.severity=high -+ -+ - id: 1.2.4 -+ title: Ensure SNMP Not Installed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - package_net-snmp_removed -+ - package_net-snmp_removed.severity=high -+ -+ - id: 1.2.5 -+ title: Ensure Python2 Not Installed -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.2.6 -+ title: Ensure GPG Check Configured -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - ensure_gpgcheck_globally_activated -+ - ensure_gpgcheck_globally_activated.severity=high -+ - ensure_gpgcheck_never_disabled -+ - ensure_gpgcheck_never_disabled.severity=high -+ -+ - id: 1.2.7 -+ title: Ensure Debug-Shell Disabled -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - service_debug-shell_disabled -+ - service_debug-shell_disabled.severity=high -+ -+ - id: 1.2.8 -+ title: Ensure Rsync Not Installed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - service_rsyncd_disabled -+ - service_rsyncd_disabled.severity=high -+ -+ - id: 1.2.9 -+ title: Ensure Avahi Not Installed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - service_avahi-daemon_disabled -+ - service_avahi-daemon_disabled.severity=high -+ -+ - id: 1.2.10 -+ title: Ensure LDAP Server Not Installed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - package_openldap-servers_removed -+ - package_openldap-servers_removed.severity=high -+ -+ - id: 1.2.11 -+ title: Ensure CUPS Not Installed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - package_cups_removed -+ - package_cups_removed.severity=high -+ -+ - id: 1.2.12 -+ title: Ensure NIS Server Not Installed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - 
package_ypserv_removed -+ - package_ypserv_removed.severity=high -+ -+ - id: 1.2.13 -+ title: Ensure NIS Client Not Installed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - package_ypbind_removed -+ - package_ypbind_removed.severity=high -+ -+ - id: 1.2.14 -+ title: Ensure LDAP Client Not Installed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - package_openldap-clients_removed -+ - package_openldap-clients_removed.severity=high -+ -+ - id: 1.2.15 -+ title: Ensure Network Sniffing Software Removed -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.2.16 -+ title: Ensure Debug Tools Removed -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.2.17 -+ title: Ensure Compiler Tools Removed -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 1.2.18 -+ title: Ensure X Window Not Installed -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - xwindows_remove_packages -+ - xwindows_remove_packages.severity=low -+ -+ - id: 1.2.19 -+ title: Ensure Http Service Not Installed -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - package_httpd_removed -+ - package_httpd_removed.severity=low -+ -+ - id: 1.2.20 -+ title: Ensure Samba Service Not Installed -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - package_samba_removed -+ - package_samba_removed.severity=low -+ -+ - id: 1.2.21 -+ title: Ensure DNS Service Disabled -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - service_named_disabled -+ - service_named_disabled.severity=low -+ -+ - id: 1.2.22 -+ title: Ensure NFS Service Disabled -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - service_nfs_disabled -+ - service_nfs_disabled.severity=low -+ -+ - id: 1.2.23 -+ title: Ensure RPC Service Disabled -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - service_rpcbind_disabled -+ - service_rpcbind_disabled.severity=low -+ -+ - id: 1.2.24 -+ title: Ensure DHCP Service Disabled -+ levels: -+ - l2_server -+ status: automated 
-+ rules: -+ - service_dhcpd_disabled -+ - service_dhcpd_disabled.severity=low -+ -+ - id: 2.1.1 -+ title: Ensure All Login Accounts Are Necessary -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 2.1.2 -+ title: Ensure No Unused Accounts -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 2.1.3 -+ title: Ensure Different Accounts Have Different GroupID -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 2.1.4 -+ title: Ensure Only Root's UID Is 0 -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - accounts_no_uid_except_zero -+ - accounts_no_uid_except_zero.severity=high -+ -+ - id: 2.1.5 -+ title: Ensure Account Related Files Have Correct Permission -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - file_owner_etc_passwd -+ - file_owner_etc_passwd.severity=high -+ - file_groupowner_etc_passwd -+ - file_groupowner_etc_passwd.severity=high -+ - file_owner_etc_shadow -+ - file_owner_etc_shadow.severity=high -+ - file_groupowner_etc_shadow -+ - file_groupowner_etc_shadow.severity=high -+ - file_owner_etc_group -+ - file_owner_etc_group.severity=high -+ - file_groupowner_etc_group -+ - file_groupowner_etc_group.severity=high -+ - file_owner_etc_gshadow -+ - file_owner_etc_gshadow.severity=high -+ - file_groupowner_etc_gshadow -+ - file_groupowner_etc_gshadow.severity=high -+ - file_owner_backup_etc_passwd -+ - file_owner_backup_etc_passwd.severity=high -+ - file_groupowner_backup_etc_passwd -+ - file_groupowner_backup_etc_passwd.severity=high -+ - file_owner_backup_etc_shadow -+ - file_owner_backup_etc_shadow.severity=high -+ - file_groupowner_backup_etc_shadow -+ - file_groupowner_backup_etc_shadow.severity=high -+ - file_owner_backup_etc_group -+ - file_owner_backup_etc_group.severity=high -+ - file_groupowner_backup_etc_group -+ - file_groupowner_backup_etc_group.severity=high -+ - file_owner_backup_etc_gshadow -+ - file_owner_backup_etc_gshadow.severity=high -+ - file_groupowner_backup_etc_gshadow -+ - 
file_groupowner_backup_etc_gshadow.severity=high -+ - file_permissions_etc_passwd -+ - file_permissions_etc_passwd.severity=high -+ - file_permissions_etc_shadow -+ - file_permissions_etc_shadow.severity=high -+ - file_permissions_etc_group -+ - file_permissions_etc_group.severity=high -+ - file_permissions_etc_gshadow -+ - file_permissions_etc_gshadow.severity=high -+ - file_permissions_backup_etc_passwd -+ - file_permissions_backup_etc_passwd.severity=high -+ - file_permissions_backup_etc_shadow -+ - file_permissions_backup_etc_shadow.severity=high -+ - file_permissions_backup_etc_group -+ - file_permissions_backup_etc_group.severity=high -+ - file_permissions_backup_etc_gshadow -+ - file_permissions_backup_etc_gshadow.severity=high -+ -+ - id: 2.1.6 -+ title: Ensure All Accounts Have Own Home Folder -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - accounts_user_interactive_home_directory_exists -+ - accounts_user_interactive_home_directory_exists.severity=high -+ -+ - id: 2.1.7 -+ title: Ensure All Groups Existed -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - gid_passwd_group_same -+ - gid_passwd_group_same.severity=high -+ -+ - id: 2.1.8 -+ title: Ensure UID Unique -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - account_unique_id -+ - account_unique_id.severity=high -+ -+ - id: 2.1.9 -+ title: Ensure Account Name Unique -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - account_unique_name -+ - account_unique_name.severity=high -+ -+ - id: 2.1.10 -+ title: Ensure Group Unique ID -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - group_unique_id -+ - group_unique_id.severity=high -+ -+ - id: 2.1.11 -+ title: Ensure Group Unique Name -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - group_unique_name -+ - group_unique_name.severity=high -+ -+ - id: 2.1.12 -+ title: Ensure Account Expire Date Correct -+ levels: -+ - l2_server -+ status: manual -+ rules: -+ - account_temp_expire_date -+ - 
account_temp_expire_date.severity=low -+ -+ - id: 2.1.13 -+ title: Ensure No .forward Files In Home Folder -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - no_forward_files -+ - no_forward_files.severity=low -+ -+ - id: 2.1.14 -+ title: Ensure No .netrc Files In Home Folder -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - no_netrc_files -+ - no_netrc_files.severity=low -+ -+ - id: 2.2.1 -+ title: Ensure Set Correct Password Complexity -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - accounts_password_pam_minlen -+ - accounts_password_pam_minlen.severity=high -+ - var_password_pam_minlen=8 -+ - accounts_password_pam_minclass -+ - accounts_password_pam_minclass.severity=high -+ - var_password_pam_minclass=3 -+ - accounts_password_pam_retry -+ - accounts_password_pam_retry.severity=high -+ - var_password_pam_retry=3 -+ - accounts_password_pam_dcredit -+ - accounts_password_pam_dcredit.severity=high -+ - var_password_pam_dcredit=0 -+ - accounts_password_pam_ucredit -+ - accounts_password_pam_ucredit.severity=high -+ - var_password_pam_ucredit=0 -+ - accounts_password_pam_lcredit -+ - accounts_password_pam_lcredit.severity=high -+ - var_password_pam_lcredit=0 -+ - accounts_password_pam_ocredit -+ - accounts_password_pam_ocredit.severity=high -+ - var_password_pam_ocredit=0 -+ - accounts_password_pam_enforce_root -+ - accounts_password_pam_enforce_root.severity=high -+ -+ - id: 2.2.2 -+ title: Ensure No History Password Used -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - accounts_password_pam_unix_remember -+ - accounts_password_pam_unix_remember.severity=high -+ - var_password_pam_unix_remember=5 -+ -+ - id: 2.2.3 -+ title: Ensure Old Password Verified -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 2.2.4 -+ title: Ensure Password Not Contain User Name -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 2.2.5 -+ title: Ensure Using Strong Hash Algorithm To Encipher Password -+ levels: -+ - l1_server -+ 
status: automated -+ rules: -+ - set_password_hashing_algorithm_systemauth -+ - set_password_hashing_algorithm_systemauth.severity=high -+ - set_password_hashing_algorithm_passwordauth -+ - set_password_hashing_algorithm_passwordauth.severity=high -+ - var_password_hashing_algorithm_pam=sha512 -+ -+ - id: 2.2.6 -+ title: Ensure Password Dictionary Correct -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - accounts_password_pam_dictcheck -+ - accounts_password_pam_dictcheck.severity=high -+ -+ - id: 2.2.7 -+ title: Ensure Password Expire Correct -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - accounts_maximum_age_login_defs -+ - accounts_maximum_age_login_defs.severity=high -+ - var_accounts_maximum_age_login_defs=90 -+ - accounts_password_warn_age_login_defs -+ - accounts_password_warn_age_login_defs.severity=high -+ - var_accounts_password_warn_age_login_defs=7 -+ - accounts_minimum_age_login_defs -+ - accounts_minimum_age_login_defs.severity=high -+ - var_accounts_minimum_age_login_defs=0 -+ -+ - id: 2.2.8 -+ title: Ensure No Empty Password -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_disable_empty_passwords -+ - sshd_disable_empty_passwords.severity=high -+ -+ - id: 2.2.9 -+ title: Ensure Grub Password Set -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - grub2_password -+ - grub2_password.severity=high -+ - grub2_uefi_password -+ - grub2_uefi_password.severity=high -+ -+ - id: 2.2.10 -+ title: Ensure Password Set In Single User Mode -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - require_emergency_target_auth -+ - require_emergency_target_auth.severity=high -+ -+ - id: 2.2.11 -+ title: Ensure Password Changed At First Login -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 2.3.1 -+ title: Ensure Account Locked After Accessing Fail -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - accounts_passwords_pam_faillock_deny -+ - accounts_passwords_pam_faillock_deny.severity=high 
-+ - var_accounts_passwords_pam_faillock_deny=3 -+ - accounts_passwords_pam_faillock_unlock_time -+ - accounts_passwords_pam_faillock_unlock_time.severity=high -+ - var_accounts_passwords_pam_faillock_unlock_time=300 -+ -+ - id: 2.3.2 -+ title: Ensure TIMOUT Set Correct -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - accounts_tmout -+ - accounts_tmout.severity=high -+ - var_accounts_tmout=5_min -+ -+ - id: 2.3.3 -+ title: Ensure Warning Banners Correct -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - file_groupowner_etc_issue -+ - file_groupowner_etc_issue.severity=high -+ - file_groupowner_etc_issue_net -+ - file_groupowner_etc_issue_net.severity=high -+ - file_groupowner_etc_motd -+ - file_groupowner_etc_motd.severity=high -+ - file_owner_etc_issue -+ - file_owner_etc_issue.severity=high -+ - file_owner_etc_issue_net -+ - file_owner_etc_issue_net.severity=high -+ - file_owner_etc_motd -+ - file_owner_etc_motd.severity=high -+ - file_permissions_etc_issue -+ - file_permissions_etc_issue.severity=high -+ - file_permissions_etc_issue_net -+ - file_permissions_etc_issue_net.severity=high -+ - file_permissions_etc_motd -+ - file_permissions_etc_motd.severity=high -+ -+ - id: 2.3.4 -+ title: Ensure Warning Path Correct -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_enable_warning_banner_net -+ - sshd_enable_warning_banner_net.severity=high -+ -+ - id: 2.4.1 -+ title: Ensure HISTSIZE Limited -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 2.4.2 -+ title: Ensure SELinux Enforce -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - selinux_state -+ - selinux_state.severity=low -+ -+ - id: 2.4.3 -+ title: Ensure SELinux Configurate Correct -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - selinux_policytype -+ - selinux_policytype.severity=low -+ -+ - id: 2.4.4 -+ title: Ensure SU Usage Limited -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - use_pam_wheel_for_su -+ - 
use_pam_wheel_for_su.severity=high -+ -+ - id: 2.4.5 -+ title: Ensure Use Sudo To Run -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sudo_restrict_privilege_elevation_to_authorized -+ - sudo_restrict_privilege_elevation_to_authorized.severity=high -+ -+ - id: 2.4.6 -+ title: Ensure No Files In /etc/sudoers Can Be Write By Low-privilege User -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 2.4.7 -+ title: Ensure Low-privilege User Cannot Escalate By Pkexec -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 2.4.8 -+ title: Ensure ALWAYS_SET_PATH Configurated -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 2.4.9 -+ title: Ensure Root Can Not Login Local -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 2.4.10 -+ title: Ensure Not Run Files wiht unconfined_service_t Flag -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - selinux_confinement_of_daemons -+ - selinux_confinement_of_daemons.severity=low -+ -+ - id: 2.5.1 -+ title: Ensure IMA Enabled -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 2.5.2 -+ title: Ensure AIDE Enabled -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - package_aide_installed -+ - package_aide_installed.severity=low -+ - aide_build_database -+ - aide_build_database.severity=low -+ -+ - id: 2.6.1 -+ title: Ensure Haveged Enabled -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 3.1.1 -+ title: Ensure No Unusual Network Service -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - kernel_module_sctp_disabled -+ - kernel_module_sctp_disabled.severity=low -+ - kernel_module_tipc_disabled -+ - kernel_module_tipc_disabled.severity=low -+ -+ - id: 3.1.2 -+ title: Ensure No WIFI -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - wireless_disable_interfaces -+ - wireless_disable_interfaces.severity=low -+ -+ - id: 3.2.1 -+ title: Ensure Firewalld Enabled -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - service_firewalld_enabled -+ - 
service_firewalld_enabled.severity=low -+ -+ - id: 3.2.2 -+ title: Ensure Firewalld Set Default Zone Correctly -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 3.2.3 -+ title: Ensure Firewalld Set Correct Interface Zone -+ levels: -+ - l2_server -+ status: manual -+ rules: -+ - set_firewalld_appropriate_zone -+ - set_firewalld_appropriate_zone.severity=low -+ -+ - id: 3.2.4 -+ title: Ensure Unnecessary Service And Port Disabled -+ levels: -+ - l2_server -+ status: manual -+ rules: -+ - unnecessary_firewalld_services_ports_disabled -+ - unnecessary_firewalld_services_ports_disabled.severity=low -+ -+ - id: 3.2.5 -+ title: Ensure Iptables Enabled -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - service_iptables_enabled -+ - service_iptables_enabled.severity=low -+ - service_ip6tables_enabled -+ - service_ip6tables_enabled.severity=low -+ -+ - id: 3.2.6 -+ title: Ensure Iptables Default Refuse Rules Set -+ levels: -+ - l2_server -+ status: manual -+ rules: -+ - set_iptables_default_rule -+ - set_iptables_default_rule.severity=low -+ -+ - id: 3.2.7 -+ title: Ensure Iptables Loopback Rules Set -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - set_loopback_traffic -+ - set_loopback_traffic.severity=low -+ - set_ipv6_loopback_traffic -+ - set_ipv6_loopback_traffic.severity=low -+ -+ - id: 3.2.8 -+ title: Ensure Iptables Input Rules Set -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 3.2.9 -+ title: Ensure Iptables Output Rules Set -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 3.2.10 -+ title: Ensure Iptables Input Output Connection Rules Set -+ levels: -+ - l2_server -+ status: manual -+ rules: -+ - set_iptables_outbound_n_established -+ - set_iptables_outbound_n_established.severity=low -+ -+ - id: 3.2.11 -+ title: Ensure Nftables Enabled -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - service_nftables_enabled -+ - service_nftables_enabled.severity=low -+ -+ - id: 3.2.12 -+ title: Ensure Nftables Default 
Refuse Rules Set -+ levels: -+ - l2_server -+ status: manual -+ rules: -+ - nftables_ensure_default_deny_policy -+ - nftables_ensure_default_deny_policy.severity=low -+ -+ - id: 3.2.13 -+ title: Ensure Nftables Loopback Rules Set -+ levels: -+ - l2_server -+ status: manual -+ rules: -+ - set_nftables_loopback_traffic -+ - set_nftables_loopback_traffic.severity=low -+ -+ - id: 3.2.14 -+ title: Ensure Nftables Input Rules Set -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 3.2.15 -+ title: Ensure Nftables Output Rules Set -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 3.2.16 -+ title: Ensure Nftables Input Output Connection Rules Set -+ levels: -+ - l2_server -+ status: manual -+ rules: -+ - set_nftables_new_connections -+ - set_nftables_new_connections.severity=low -+ -+ - id: 3.3.1 -+ title: Ensure SSHd Protocol Version Is 2 -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_allow_only_protocol2 -+ - sshd_allow_only_protocol2.severity=high -+ -+ - id: 3.3.2 -+ title: Ensure SSHd Authentication Setting Correct -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_disable_rhosts -+ - sshd_disable_rhosts.severity=high -+ - disable_host_auth -+ - disable_host_auth.severity=high -+ -+ - id: 3.3.3 -+ title: Ensure SSHd Key Exchange Algorithm Correct -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_use_strong_kex -+ - sshd_use_strong_kex.severity=high -+ - sshd_strong_kex=std_openruyi -+ -+ - id: 3.3.4 -+ title: Ensure SSHd Pubkey Algorithm Correct -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 3.3.5 -+ title: Ensure SSHd PAM Enabled -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_enable_pam -+ - sshd_enable_pam.severity=high -+ -+ - id: 3.3.6 -+ title: Ensure SSHd MACs Algorithm Correct -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_use_strong_macs -+ - sshd_use_strong_macs.severity=high -+ -+ - id: 3.3.7 -+ title: Ensure SSHd Ciphers Algorithm Correct -+ 
levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_use_strong_ciphers -+ - sshd_use_strong_ciphers.severity=high -+ -+ - id: 3.3.8 -+ title: Ensure SSHd Ciphers Algorithm Not Overwritten -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 3.3.9 -+ title: Ensure SSHd Forbid Root Login From Remote -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_disable_root_login -+ - sshd_disable_root_login.severity=low -+ -+ - id: 3.3.10 -+ title: Ensure SSHd Log Level Correct -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - sshd_set_loglevel_verbose -+ - sshd_set_loglevel_verbose.severity=low -+ -+ - id: 3.3.11 -+ title: Ensure SSHd Listen Address Set Correct -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 3.3.12 -+ title: Ensure SSHd MaxStartups Correct -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - sshd_set_maxstartups -+ - sshd_set_maxstartups.severity=low -+ - var_sshd_set_maxstartups=10:30:60 -+ -+ - id: 3.3.13 -+ title: Ensure SSHd Maxsessions Correct -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - sshd_set_max_sessions -+ - sshd_set_max_sessions.severity=low -+ - var_sshd_max_sessions=10 -+ -+ - id: 3.3.14 -+ title: Ensure SSHd X11 Forwarding Forbidden -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_disable_x11_forwarding -+ - sshd_disable_x11_forwarding.severity=high -+ -+ - id: 3.3.15 -+ title: Ensure SSHd MaxAuthTries Correct -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - sshd_set_max_auth_tries -+ - sshd_set_max_auth_tries.severity=low -+ - sshd_max_auth_tries_value=3 -+ -+ - id: 3.3.16 -+ title: Ensure SSHd PermitUserEnvironment Forbidden -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_do_not_permit_user_env -+ - sshd_do_not_permit_user_env.severity=high -+ -+ - id: 3.3.17 -+ title: Ensure SSHd LoginGraceTime Correct -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - sshd_set_login_grace_time -+ - 
sshd_set_login_grace_time.severity=low -+ - var_sshd_set_login_grace_time=60 -+ -+ - id: 3.3.18 -+ title: Ensure SSHd Authorized Keys Not Set -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 3.3.19 -+ title: Ensure SSHd Known Hosts Not Set -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_disable_user_known_hosts -+ - sshd_disable_user_known_hosts.severity=high -+ -+ - id: 3.3.20 -+ title: Ensure SSHd Has No Obsolete Configurations -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 3.3.21 -+ title: Ensure SSHd TCP Forward Disabled -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - sshd_disable_tcp_forwarding -+ - sshd_disable_tcp_forwarding.severity=high -+ -+ - id: 3.3.22 -+ title: Ensure SSHd Has Correct White and Black Access List -+ levels: -+ - l2_server -+ status: planned -+ -+ - id: 3.4.1 -+ title: Ensure Cron Not Run Low Privilege User Writable Bash -+ levels: -+ - l1_server -+ status: planned -+ -+ - id: 3.4.2 -+ title: Ensure Cron Deamon Running -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - service_crond_enabled -+ - service_crond_enabled.severity=high -+ -+ - id: 3.4.3 -+ title: Ensure AT And Cron Set Correct -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - file_groupowner_cron_d -+ - file_groupowner_cron_d.severity=high -+ - file_groupowner_cron_daily -+ - file_groupowner_cron_daily.severity=high -+ - file_groupowner_cron_hourly -+ - file_groupowner_cron_hourly.severity=high -+ - file_groupowner_cron_monthly -+ - file_groupowner_cron_monthly.severity=high -+ - file_groupowner_cron_weekly -+ - file_groupowner_cron_weekly.severity=high -+ - file_groupowner_crontab -+ - file_groupowner_crontab.severity=high -+ - file_owner_cron_d -+ - file_owner_cron_d.severity=high -+ - file_owner_cron_daily -+ - file_owner_cron_daily.severity=high -+ - file_owner_cron_hourly -+ - file_owner_cron_hourly.severity=high -+ - file_owner_cron_monthly -+ - file_owner_cron_monthly.severity=high -+ - 
file_owner_cron_weekly
-+ - file_owner_cron_weekly.severity=high
-+ - file_owner_crontab
-+ - file_owner_crontab.severity=high
-+ - file_permissions_cron_d
-+ - file_permissions_cron_d.severity=high
-+ - file_permissions_cron_daily
-+ - file_permissions_cron_daily.severity=high
-+ - file_permissions_cron_hourly
-+ - file_permissions_cron_hourly.severity=high
-+ - file_permissions_cron_monthly
-+ - file_permissions_cron_monthly.severity=high
-+ - file_permissions_cron_weekly
-+ - file_permissions_cron_weekly.severity=high
-+ - file_permissions_crontab
-+ - file_permissions_crontab.severity=high
-+ - file_at_deny_not_exist
-+ - file_at_deny_not_exist.severity=high
-+ - file_cron_deny_not_exist
-+ - file_cron_deny_not_exist.severity=high
-+ - file_groupowner_at_allow
-+ - file_groupowner_at_allow.severity=high
-+ - file_groupowner_cron_allow
-+ - file_groupowner_cron_allow.severity=high
-+ - file_owner_at_allow
-+ - file_owner_at_allow.severity=high
-+ - file_owner_cron_allow
-+ - file_owner_cron_allow.severity=high
-+ - file_permissions_at_allow
-+ - file_permissions_at_allow.severity=high
-+ - file_permissions_cron_allow
-+ - file_permissions_cron_allow.severity=high
-+
-+ - id: 3.5.1
-+ title: Ensure KASLR Enabled
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_kernel_randomize_va_space
-+ - sysctl_kernel_randomize_va_space.severity=high
-+
-+ - id: 3.5.2
-+ title: Ensure Dmesg Access Permission Correct
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_kernel_dmesg_restrict
-+ - sysctl_kernel_dmesg_restrict.severity=high
-+
-+ - id: 3.5.3
-+ title: Ensure Kptr_restrict Correct
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_kernel_kptr_restrict
-+ - sysctl_kernel_kptr_restrict.severity=high
-+ - sysctl_kernel_kptr_restrict_value=1
-+
-+ - id: 3.5.4
-+ title: Ensure Kernel SMAP Enabled
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - grub2_nosmap_argument_absent
-+ -
grub2_nosmap_argument_absent.severity=high
-+
-+ - id: 3.5.5
-+ title: Ensure Kernel SMEP Enabled
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - grub2_nosmep_argument_absent
-+ - grub2_nosmep_argument_absent.severity=high
-+
-+ - id: 3.5.6
-+ title: Ensure ICMP Broadcast Package Not Responsed
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high
-+
-+ - id: 3.5.7
-+ title: Ensure ICMP Redirect Package Not Received
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_conf_all_accept_redirects
-+ - sysctl_net_ipv4_conf_all_accept_redirects.severity=high
-+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_all_secure_redirects
-+ - sysctl_net_ipv4_conf_all_secure_redirects.severity=high
-+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_default_secure_redirects
-+ - sysctl_net_ipv4_conf_default_secure_redirects.severity=high
-+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
-+ - sysctl_net_ipv6_conf_all_accept_redirects
-+ - sysctl_net_ipv6_conf_all_accept_redirects.severity=high
-+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
-+
-+ - id: 3.5.8
-+ title: Ensure No ICMP Redirect Package Forwarded
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_conf_all_send_redirects
-+ - sysctl_net_ipv4_conf_all_send_redirects.severity=high
-+ - sysctl_net_ipv4_conf_default_send_redirects
-+ - sysctl_net_ipv4_conf_default_send_redirects.severity=high
-+
-+ - id: 3.5.9
-+ title: Ensure Ignore All ICMP Request
-+ levels:
-+ - l2_server
-+ status: planned
-+
-+ - id: 3.5.10
-+ title: Ensure Ignore Bogus Error ICMP Package
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses.severity=high
-+ -
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-+
-+ - id: 3.5.11
-+ title: Ensure Reverse Proxy Filter Enabled
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_conf_all_rp_filter
-+ - sysctl_net_ipv4_conf_all_rp_filter.severity=high
-+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-+ - sysctl_net_ipv4_conf_default_rp_filter
-+ - sysctl_net_ipv4_conf_default_rp_filter.severity=high
-+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-+
-+ - id: 3.5.12
-+ title: Ensure IP Forwarding Disabled
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_ip_forward
-+ - sysctl_net_ipv4_ip_forward.severity=high
-+ - sysctl_net_ipv6_conf_all_forwarding
-+ - sysctl_net_ipv6_conf_all_forwarding.severity=high
-+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-+
-+ - id: 3.5.13
-+ title: Ensure Source Route Disabled
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_conf_all_accept_source_route
-+ - sysctl_net_ipv4_conf_all_accept_source_route.severity=high
-+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-+ - sysctl_net_ipv4_conf_default_accept_source_route
-+ - sysctl_net_ipv4_conf_default_accept_source_route.severity=high
-+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-+ - sysctl_net_ipv6_conf_all_accept_source_route
-+ - sysctl_net_ipv6_conf_all_accept_source_route.severity=high
-+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-+ - sysctl_net_ipv6_conf_default_accept_source_route
-+ - sysctl_net_ipv6_conf_default_accept_source_route.severity=high
-+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
-+
-+ - id: 3.5.14
-+ title: Ensure TCP-SYN Cookie Enabled
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_net_ipv4_tcp_syncookies
-+ - sysctl_net_ipv4_tcp_syncookies.severity=high
-+
-+ - id: 3.5.15
-+ title: Ensure Source Route And Redirectly Logged
-+ levels:
-+ - l1_server
-+
status: automated
-+ rules:
-+ - sysctl_net_ipv4_conf_all_log_martians
-+ - sysctl_net_ipv4_conf_all_log_martians.severity=high
-+ - sysctl_net_ipv4_conf_default_log_martians
-+ - sysctl_net_ipv4_conf_default_log_martians.severity=high
-+
-+ - id: 3.5.16
-+ title: Ensure tcp_timestamps Disabled
-+ levels:
-+ - l1_server
-+ status: planned
-+
-+ - id: 3.5.17
-+ title: Ensure TCP Time Wait Correct
-+ levels:
-+ - l1_server
-+ status: planned
-+
-+ - id: 3.5.18
-+ title: Ensure SYN Recv Set Correct
-+ levels:
-+ - l1_server
-+ status: planned
-+
-+ - id: 3.5.19
-+ title: Ensure No ARP Proxy
-+ levels:
-+ - l1_server
-+ status: planned
-+
-+ - id: 3.5.20
-+ title: Ensure Core Dump Set Correct
-+ levels:
-+ - l1_server
-+ status: planned
-+
-+ - id: 3.5.21
-+ title: Ensure SysRq Key Disabled
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - sysctl_kernel_sysrq
-+ - sysctl_kernel_sysrq.severity=high
-+
-+ - id: 3.5.22
-+ title: Ensure ptrace_scope Set Correct
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - sysctl_kernel_yama_ptrace_scope
-+ - sysctl_kernel_yama_ptrace_scope.severity=low
-+
-+ - id: 3.5.23
-+ title: Ensure Seccomp Enabled
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - kernel_config_seccomp
-+ - kernel_config_seccomp.severity=low
-+
-+ - id: 3.6.1
-+ title: Ensure a single time synchronization daemon is in use (Automated)
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - var_timesync_service=systemd-timesyncd
-+ - package_timesyncd_installed
-+ - service_timesyncd_enabled
-+ - service_chronyd_disabled
-+ notes: |
-+ To select which timesync daemon to install and configure, use the
-+ profile variable var_timesync_service.
-+
-+ - id: 3.6.2
-+ title: Ensure Chrony Configuration Correct
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - service_chronyd_enabled
-+ - service_chronyd_enabled.severity=low
-+ - chronyd_specify_remote_server
-+ - chronyd_specify_remote_server.severity=low
-+
-+ - id: 4.1.1
-+ title: Ensure Auditd Enabled
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - service_auditd_enabled
-+ - service_auditd_enabled.severity=high
-+
-+ - id: 4.1.2
-+ title: Ensure Auditd Rotate Enabled
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - auditd_data_retention_max_log_file_action
-+ - auditd_data_retention_max_log_file_action.severity=high
-+ - var_auditd_max_log_file_action=rotate
-+ - auditd_data_retention_num_logs
-+ - auditd_data_retention_num_logs.severity=high
-+ - var_auditd_num_logs=5
-+
-+ - id: 4.1.3
-+ title: Ensure Lastlog Recorded
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - audit_rules_login_events_lastlog
-+ - audit_rules_login_events_lastlog.severity=low
-+
-+ - id: 4.1.4
-+ title: Ensure Account Info Changing Audited
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - audit_rules_usergroup_modification_group
-+ - audit_rules_usergroup_modification_group.severity=low
-+ - audit_rules_usergroup_modification_gshadow
-+ - audit_rules_usergroup_modification_gshadow.severity=low
-+ - audit_rules_usergroup_modification_opasswd
-+ - audit_rules_usergroup_modification_opasswd.severity=low
-+ - audit_rules_usergroup_modification_passwd
-+ - audit_rules_usergroup_modification_passwd.severity=low
-+ - audit_rules_usergroup_modification_shadow
-+ - audit_rules_usergroup_modification_shadow.severity=low
-+
-+ - id: 4.1.5
-+ title: Ensure Escalation Audited
-+ levels:
-+ - l2_server
-+ status: planned
-+
-+ - id: 4.1.6
-+ title: Ensure Module Changes Audited
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - audit_rules_privileged_commands_modprobe
-+ -
audit_rules_privileged_commands_modprobe.severity=low
-+ - audit_rules_privileged_commands_insmod
-+ - audit_rules_privileged_commands_insmod.severity=low
-+ - audit_rules_privileged_commands_rmmod
-+ - audit_rules_privileged_commands_rmmod.severity=low
-+ - audit_rules_kernel_module_loading
-+ - audit_rules_kernel_module_loading.severity=low
-+
-+ - id: 4.1.7
-+ title: Ensure Sudo Operation Audited
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - audit_rules_privileged_commands_sudo
-+ - audit_rules_privileged_commands_sudo.severity=low
-+
-+ - id: 4.1.8
-+ title: Ensure Auditd Enabled During Boot
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - grub2_audit_argument
-+ - grub2_audit_argument.severity=low
-+
-+ - id: 4.1.9
-+ title: Ensure Audit Backlog Limit Correct
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - grub2_audit_backlog_limit_argument
-+ - var_audit_backlog_limit=8192
-+ - grub2_audit_backlog_limit_argument.severity=low
-+
-+ - id: 4.1.10
-+ title: Ensure Auditctl Not Used
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - audit_rules_immutable
-+ - audit_rules_immutable.severity=low
-+
-+ - id: 4.1.11
-+ title: Ensure Audit Log Size Set Correct
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - auditd_data_retention_max_log_file
-+ - auditd_data_retention_max_log_file.severity=high
-+ - auditd_data_retention_max_log_file_action
-+ - auditd_data_retention_max_log_file_action.severity=high
-+
-+ - id: 4.1.12
-+ title: Ensure Audit Disk Space Set Correct
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - auditd_data_retention_space_left
-+ - auditd_data_retention_space_left.severity=low
-+ - auditd_data_retention_space_left_action
-+ - auditd_data_retention_space_left_action.severity=low
-+ - var_auditd_space_left_action=syslog
-+ - auditd_data_retention_admin_space_left_percentage
-+ - auditd_data_retention_admin_space_left_percentage.severity=low
-+ -
var_auditd_admin_space_left_percentage=50pc
-+ - auditd_data_retention_admin_space_left_action
-+ - auditd_data_retention_admin_space_left_action.severity=low
-+ - var_auditd_admin_space_left_action=suspend
-+ - auditd_audispd_disk_full_action
-+ - auditd_audispd_disk_full_action.severity=low
-+ - auditd_data_disk_full_action
-+ - auditd_data_disk_full_action.severity=low
-+ - var_auditd_disk_full_action=suspend
-+ - auditd_data_disk_error_action
-+ - auditd_data_disk_error_action.severity=low
-+ - var_auditd_disk_error_action=suspend
-+
-+ - id: 4.1.13
-+ title: Ensure Sudoers Audited
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - audit_rules_sudoers
-+ - audit_rules_sudoers.severity=low
-+
-+ - id: 4.1.14
-+ title: Ensure Session Audited
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - audit_rules_session_events
-+ - audit_rules_session_events.severity=low
-+
-+ - id: 4.1.15
-+ title: Ensure Time Changing Audited
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - audit_rules_time_adjtimex
-+ - audit_rules_time_adjtimex.severity=low
-+ - audit_rules_time_settimeofday
-+ - audit_rules_time_settimeofday.severity=low
-+ - audit_rules_time_clock_settime
-+ - audit_rules_time_clock_settime.severity=low
-+
-+ - id: 4.1.16
-+ title: Ensure SELinux Audited
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - audit_rules_mac_modification
-+ - audit_rules_mac_modification.severity=low
-+ - audit_rules_mac_modification_usr_share
-+ - audit_rules_mac_modification_usr_share.severity=low
-+
-+ - id: 4.1.17
-+ title: Ensure Network Audited
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - audit_rules_networkconfig_modification
-+ - audit_rules_networkconfig_modification.severity=low
-+
-+ - id: 4.1.18
-+ title: Ensure Successful File Access Audited
-+ levels:
-+ - l2_server
-+ status: manual
-+ rules:
-+ - audit_rules_successful_file_modification_chmod
-+ - audit_rules_successful_file_modification_chmod.severity=low
-+
- audit_rules_successful_file_modification_fchmod
-+ - audit_rules_successful_file_modification_fchmod.severity=low
-+ - audit_rules_successful_file_modification_fchmodat
-+ - audit_rules_successful_file_modification_fchmodat.severity=low
-+ - audit_rules_successful_file_modification_chown
-+ - audit_rules_successful_file_modification_chown.severity=low
-+ - audit_rules_successful_file_modification_fchown
-+ - audit_rules_successful_file_modification_fchown.severity=low
-+ - audit_rules_successful_file_modification_fchownat
-+ - audit_rules_successful_file_modification_fchownat.severity=low
-+ - audit_rules_successful_file_modification_setxattr
-+ - audit_rules_successful_file_modification_setxattr.severity=low
-+ - audit_rules_successful_file_modification_lsetxattr
-+ - audit_rules_successful_file_modification_lsetxattr.severity=low
-+ - audit_rules_successful_file_modification_fsetxattr
-+ - audit_rules_successful_file_modification_fsetxattr.severity=low
-+ - audit_rules_successful_file_modification_removexattr
-+ - audit_rules_successful_file_modification_removexattr.severity=low
-+ - audit_rules_successful_file_modification_lremovexattr
-+ - audit_rules_successful_file_modification_lremovexattr.severity=low
-+ - audit_rules_successful_file_modification_fremovexattr
-+ - audit_rules_successful_file_modification_fremovexattr.severity=low
-+
-+ - id: 4.1.19
-+ title: Ensure Unsuccessful File Access Audited
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - audit_rules_unsuccessful_file_modification
-+ - audit_rules_unsuccessful_file_modification.severity=low
-+
-+ - id: 4.1.20
-+ title: Ensure File Delete Audited
-+ levels:
-+ - l2_server
-+ status: manual
-+ rules:
-+ - audit_rules_successful_file_modification_rename
-+ - audit_rules_successful_file_modification_rename.severity=low
-+ - audit_rules_successful_file_modification_renameat
-+ - audit_rules_successful_file_modification_renameat.severity=low
-+ -
audit_rules_successful_file_modification_unlink
-+ - audit_rules_successful_file_modification_unlink.severity=low
-+ - audit_rules_successful_file_modification_unlinkat
-+ - audit_rules_successful_file_modification_unlinkat.severity=low
-+
-+ - id: 4.1.21
-+ title: Ensure Mount Audited
-+ levels:
-+ - l2_server
-+ status: planned
-+
-+ - id: 4.2.1
-+ title: Ensure Rsyslog Enabled
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - service_rsyslog_enabled
-+ - service_rsyslog_enabled.severity=high
-+
-+ - id: 4.2.2
-+ title: Ensure Authentication Logged
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - rsyslog_remote_access_monitoring
-+ - rsyslog_remote_access_monitoring.severity=high
-+
-+ - id: 4.2.3
-+ title: Ensure Cron Logged
-+ levels:
-+ - l1_server
-+ status: automated
-+ rules:
-+ - rsyslog_cron_logging
-+ - rsyslog_cron_logging.severity=high
-+
-+ - id: 4.2.4
-+ title: Ensure Rsyslog's Files Permission Correct
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - rsyslog_filecreatemode
-+ - rsyslog_filecreatemode.severity=low
-+
-+ - id: 4.2.5
-+ title: Ensure Important Services Logged
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - rsyslog_logging_configured
-+ - rsyslog_logging_configured.severity=low
-+
-+ - id: 4.2.6
-+ title: Ensure Journald Transfer Set Correct
-+ levels:
-+ - l1_server
-+ status: planned
-+
-+ - id: 4.2.7
-+ title: Ensure Rotate Setting In Rsyslog
-+ levels:
-+ - l1_server
-+ status: planned
-+
-+ - id: 4.2.8
-+ title: Ensure Remote Log Server Correct
-+ levels:
-+ - l2_server
-+ status: planned
-+
-+ - id: 4.2.9
-+ title: Ensure Only Specified Server Can Receive Logs
-+ levels:
-+ - l2_server
-+ status: automated
-+ rules:
-+ - rsyslog_accept_remote_messages_tcp
-+ - rsyslog_accept_remote_messages_tcp.severity=low
-+ - rsyslog_accept_remote_messages_udp
-+ - rsyslog_accept_remote_messages_udp.severity=low
++ - id: 1.1_bootloader_password
++ title: Ensure Bootloader Password is Set
++
levels:
++ - base
++ status: automated
++ rules:
++ - grub2_password
++ - grub2_password.severity=high
++ - grub2_uefi_password
++ - grub2_uefi_password.severity=high
++
++ - id: 1.2_single_user_mode_password
++ title: Ensure Single User Mode Requires Authentication
++ levels:
++ - base
++ status: automated
++ rules:
++ - require_singleuser_auth
++ - require_singleuser_auth.severity=high
++ - require_emergency_target_auth
++ - require_emergency_target_auth.severity=high
++
++ - id: 1.3_umask_configured
++ title: Ensure Umask is Configured Correctly
++ levels:
++ - base
++ status: automated
++ rules:
++ - accounts_umask_etc_bashrc
++ - accounts_umask_etc_bashrc.severity=high
++ - accounts_umask_etc_login_defs
++ - accounts_umask_etc_login_defs.severity=high
++ - accounts_umask_etc_profile
++ - accounts_umask_etc_profile.severity=high
++ - var_accounts_user_umask=027
++
++ - id: 1.4_filesystem_permissions
++ title: Ensure Filesystem Permissions are Secure
++ levels:
++ - base
++ status: automated
++ rules:
++ - dir_perms_world_writable_sticky_bits
++ - dir_perms_world_writable_sticky_bits.severity=high
++ - file_permissions_unauthorized_world_writable
++ - file_permissions_unauthorized_world_writable.severity=high
++ - no_files_unowned_by_user
++ - no_files_unowned_by_user.severity=high
++ - file_permissions_ungroupowned
++ - file_permissions_ungroupowned.severity=high
++ - file_empty_link_prohibit
++ - file_empty_link_prohibit.severity=high
++ - file_hidden_executable_prohibit
++ - file_hidden_executable_prohibit.severity=high
++
++ - id: 1.5_critical_files_ownership
++ title: Ensure Critical Files Ownership is Correct
++ levels:
++ - base
++ status: automated
++ rules:
++ - file_owner_etc_passwd
++ - file_owner_etc_passwd.severity=high
++ - file_groupowner_etc_passwd
++ - file_groupowner_etc_passwd.severity=high
++ - file_permissions_etc_passwd
++ - file_permissions_etc_passwd.severity=high
++ - file_owner_etc_shadow
++ - file_owner_etc_shadow.severity=high
++ -
file_groupowner_etc_shadow
++ - file_groupowner_etc_shadow.severity=high
++ - file_permissions_etc_shadow
++ - file_permissions_etc_shadow.severity=high
++ - file_owner_etc_group
++ - file_owner_etc_group.severity=high
++ - file_groupowner_etc_group
++ - file_groupowner_etc_group.severity=high
++ - file_permissions_etc_group
++ - file_permissions_etc_group.severity=high
++ - file_owner_etc_gshadow
++ - file_owner_etc_gshadow.severity=high
++ - file_groupowner_etc_gshadow
++ - file_groupowner_etc_gshadow.severity=high
++ - file_permissions_etc_gshadow
++ - file_permissions_etc_gshadow.severity=high
++
++ - id: 1.6_crypto_policy_configured
++ title: Ensure System Crypto Policy is Configured
++ levels:
++ - base
++ status: automated
++ rules:
++ - configure_crypto_policy
++ - configure_crypto_policy.severity=high
++ - var_system_crypto_policy=default_policy
++
++ - id: 2.1_auditd_configured
++ title: Ensure Auditd is Configured
++ levels:
++ - base
++ status: automated
++ rules:
++ - package_audit_installed
++ - package_audit_installed.severity=high
++ - service_auditd_enabled
++ - service_auditd_enabled.severity=high
++ - grub2_audit_argument
++ - grub2_audit_argument.severity=low
++ - grub2_audit_backlog_limit_argument
++ - grub2_audit_backlog_limit_argument.severity=low
++ - var_auditd_max_log_file=6
++ - var_auditd_max_log_file_action=rotate
++ - var_audit_backlog_limit=8192
++
++ - id: 2.2_audit_rules_configured
++ title: Ensure Critical Audit Rules are Loaded
++ levels:
++ - base
++ status: automated
++ rules:
++ - audit_rules_immutable
++ - audit_rules_immutable.severity=high
++ - audit_rules_sysadmin_actions
++ - audit_rules_sysadmin_actions.severity=high
++ - audit_rules_suid_privilege_function
++ - audit_rules_suid_privilege_function.severity=high
++ - audit_sudo_log_events
++ - audit_sudo_log_events.severity=high
++ - audit_rules_time_adjtimex
++ - audit_rules_time_adjtimex.severity=high
++ - audit_rules_time_settimeofday
++ -
audit_rules_time_settimeofday.severity=high
++ - audit_rules_time_clock_settime
++ - audit_rules_time_clock_settime.severity=high
++ - audit_rules_networkconfig_modification
++ - audit_rules_networkconfig_modification.severity=high
++ - audit_rules_privileged_commands
++ - audit_rules_privileged_commands.severity=high
++ - audit_rules_usergroup_modification_group
++ - audit_rules_usergroup_modification_group.severity=high
++ - audit_rules_usergroup_modification_passwd
++ - audit_rules_usergroup_modification_passwd.severity=high
++ - audit_rules_usergroup_modification_shadow
++ - audit_rules_usergroup_modification_shadow.severity=high
++ - audit_rules_dac_modification_chmod
++ - audit_rules_dac_modification_chmod.severity=high
++ - audit_rules_dac_modification_chown
++ - audit_rules_dac_modification_chown.severity=high
++ - audit_rules_file_deletion_events_unlink
++ - audit_rules_file_deletion_events_unlink.severity=high
++ - audit_rules_file_deletion_events_rename
++ - audit_rules_file_deletion_events_rename.severity=high
++ - audit_rules_mac_modification
++ - audit_rules_mac_modification.severity=high
++ - audit_rules_execution_chcon
++ - audit_rules_execution_chcon.severity=high
++ - audit_rules_kernel_module_loading_init
++ - audit_rules_kernel_module_loading_init.severity=high
++
++ - id: 2.3_journald_configured
++ title: Ensure Journald is Configured
++ levels:
++ - base
++ status: automated
++ rules:
++ - service_systemd-journald_enabled
++ - service_systemd-journald_enabled.severity=high
++ - journald_compress
++ - journald_compress.severity=low
++ - journald_storage
++ - journald_storage.severity=low
++
++ - id: 2.4_memory_protection_enabled
++ title: Ensure Memory Protection is Enabled
++ levels:
++ - base
++ status: automated
++ rules:
++ - sysctl_kernel_randomize_va_space
++ - sysctl_kernel_randomize_va_space.severity=high
++ - sysctl_kernel_exec_shield
++ - sysctl_kernel_exec_shield.severity=high
++ - sysctl_kernel_kptr_restrict
++ -
sysctl_kernel_kptr_restrict.severity=high
++
++ - id: 2.5_cron_permissions_configured
++ title: Ensure Cron Permissions are Configured
++ levels:
++ - base
++ status: automated
++ rules:
++ - file_owner_crontab
++ - file_owner_crontab.severity=high
++ - file_groupowner_crontab
++ - file_groupowner_crontab.severity=high
++ - file_permissions_crontab
++ - file_permissions_crontab.severity=high
++ - file_owner_cron_allow
++ - file_owner_cron_allow.severity=high
++ - file_groupowner_cron_allow
++ - file_groupowner_cron_allow.severity=high
++ - file_permissions_cron_allow
++ - file_permissions_cron_allow.severity=high
++
++ - id: 2.6_ensure_a_single_time_synchronization_daemon_used
++ title: Ensure a single time synchronization daemon is in use (Automated)
++ levels:
++ - base
++ status: automated
++ rules:
++ - var_timesync_service=systemd-timesyncd
++ - package_timesyncd_installed
++ - service_timesyncd_enabled
++ - service_chronyd_disabled
++ notes: |
++ To select which timesync daemon to install and configure, use the
++ profile variable var_timesync_service.
++
++ - id: 2.7_service_minimization
++ title: Ensure Unnecessary Services are Removed
++ levels:
++ - base
++ status: automated
++ rules:
++ - package_xinetd_removed
++ - package_xinetd_removed.severity=low
++ - package_dhcp_removed
++ - package_dhcp_removed.severity=low
++ - package_bind_removed
++ - package_bind_removed.severity=low
++ - package_vsftpd_removed
++ - package_vsftpd_removed.severity=low
++ - package_tftp-server_removed
++ - package_tftp-server_removed.severity=low
++ - package_httpd_removed
++ - package_httpd_removed.severity=low
++ - package_nginx_removed
++ - package_nginx_removed.severity=low
++ - package_cyrus-imapd_removed
++ - package_cyrus-imapd_removed.severity=low
++ - package_dovecot_removed
++ - package_dovecot_removed.severity=low
++ - package_samba_removed
++ - package_samba_removed.severity=low
++ - package_squid_removed
++ - package_squid_removed.severity=low
++ - package_net-snmp_removed
++ - package_net-snmp_removed.severity=low
++ - package_ypserv_removed
++ - package_ypserv_removed.severity=low
++ - package_telnet_removed
++ - package_telnet_removed.severity=low
++ - package_telnet-server_removed
++ - package_telnet-server_removed.severity=low
++ - package_rsync_removed
++ - package_rsync_removed.severity=low
++ - package_rsh_removed
++ - package_rsh_removed.severity=low
++ - package_rsh-server_removed
++ - package_rsh-server_removed.severity=low
++ - package_sendmail_removed
++ - package_sendmail_removed.severity=low
++ - package_ypbind_removed
++ - package_ypbind_removed.severity=low
++ - package_talk-server_removed
++ - package_talk-server_removed.severity=low
++ - package_talk_removed
++ - package_talk_removed.severity=low
++ - service_nfs_disabled
++ - service_nfs_disabled.severity=low
++ - service_rpcbind_disabled
++ - service_rpcbind_disabled.severity=low
++
++ - id: 3.1_sshd_hardening
++ title: Ensure SSHD is Hardened
++ levels:
++ - base
++ status: automated
++ rules:
++ - file_owner_sshd_config
++ -
file_owner_sshd_config.severity=high
++ - file_groupowner_sshd_config
++ - file_groupowner_sshd_config.severity=high
++ - file_permissions_sshd_config
++ - file_permissions_sshd_config.severity=high
++ - sshd_set_loglevel_verbose
++ - sshd_set_loglevel_verbose.severity=high
++ - sshd_enable_pam
++ - sshd_enable_pam.severity=high
++ - sshd_disable_root_login
++ - sshd_disable_root_login.severity=high
++ - disable_host_auth
++ - disable_host_auth.severity=high
++ - sshd_disable_empty_passwords
++ - sshd_disable_empty_passwords.severity=high
++ - sshd_do_not_permit_user_env
++ - sshd_do_not_permit_user_env.severity=high
++ - sshd_disable_rhosts
++ - sshd_disable_rhosts.severity=high
++ - sshd_disable_x11_forwarding
++ - sshd_disable_x11_forwarding.severity=high
++ - sshd_disable_tcp_forwarding
++ - sshd_disable_tcp_forwarding.severity=high
++ - sshd_set_max_auth_tries
++ - sshd_set_max_auth_tries.severity=high
++ - var_sshd_set_maxstartups=10:30:60
++ - var_sshd_max_sessions=10
++ - var_sshd_set_login_grace_time=60
++ - sshd_set_idle_timeout
++ - sshd_set_idle_timeout.severity=high
++ - sshd_set_keepalive
++ - sshd_set_keepalive.severity=high
++ - var_rekey_limit_size=1G
++ - var_rekey_limit_time=1hour
++ - sshd_use_strong_rng
++ - sshd_use_strong_rng.severity=high
++
++ - id: 4.1_network_hardening
++ title: Ensure Network is Hardened
++ levels:
++ - base
++ status: automated
++ rules:
++ - kernel_module_sctp_disabled
++ - kernel_module_sctp_disabled.severity=low
++ - kernel_module_dccp_disabled
++ - kernel_module_dccp_disabled.severity=low
++ - sysctl_net_ipv4_conf_all_send_redirects
++ - sysctl_net_ipv4_conf_all_send_redirects.severity=high
++ - sysctl_net_ipv4_conf_default_send_redirects
++ - sysctl_net_ipv4_conf_default_send_redirects.severity=high
++ - sysctl_net_ipv4_conf_all_accept_source_route
++ - sysctl_net_ipv4_conf_all_accept_source_route.severity=high
++ - sysctl_net_ipv4_conf_default_accept_source_route
++ -
sysctl_net_ipv4_conf_default_accept_source_route.severity=high
++ - sysctl_net_ipv6_conf_all_accept_source_route
++ - sysctl_net_ipv6_conf_all_accept_source_route.severity=high
++ - sysctl_net_ipv6_conf_default_accept_source_route
++ - sysctl_net_ipv6_conf_default_accept_source_route.severity=high
++ - sysctl_net_ipv4_conf_all_accept_redirects
++ - sysctl_net_ipv4_conf_all_accept_redirects.severity=high
++ - sysctl_net_ipv4_conf_default_accept_redirects
++ - sysctl_net_ipv4_conf_default_accept_redirects.severity=high
++ - sysctl_net_ipv6_conf_all_accept_redirects
++ - sysctl_net_ipv6_conf_all_accept_redirects.severity=high
++ - sysctl_net_ipv6_conf_default_accept_redirects
++ - sysctl_net_ipv6_conf_default_accept_redirects.severity=high
++ - sysctl_net_ipv4_conf_all_secure_redirects
++ - sysctl_net_ipv4_conf_all_secure_redirects.severity=high
++ - sysctl_net_ipv4_conf_default_secure_redirects
++ - sysctl_net_ipv4_conf_default_secure_redirects.severity=high
++ - sysctl_net_ipv4_conf_all_log_martians
++ - sysctl_net_ipv4_conf_all_log_martians.severity=high
++ - sysctl_net_ipv4_conf_default_log_martians
++ - sysctl_net_ipv4_conf_default_log_martians.severity=high
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses.severity=high
++ - sysctl_net_ipv4_conf_all_rp_filter
++ - sysctl_net_ipv4_conf_all_rp_filter.severity=high
++ - sysctl_net_ipv4_conf_default_rp_filter
++ - sysctl_net_ipv4_conf_default_rp_filter.severity=high
++ - sysctl_net_ipv4_tcp_syncookies
++ - sysctl_net_ipv4_tcp_syncookies.severity=high
++
++ - id: 4.2_firewalld_configured
++ title: Ensure Firewalld is Configured
++ levels:
++ - base
++ status: automated
++ rules:
++ - package_firewalld_installed
++ - package_firewalld_installed.severity=high
++ - service_firewalld_enabled
++ - service_firewalld_enabled.severity=high
++ -
service_nftables_disabled
++ - service_nftables_disabled.severity=high
++
++ - id: 5.1_selinux_enforcing
++ title: Ensure SELinux is Enforcing
++ levels:
++ - base
++ status: automated
++ rules:
++ - package_libselinux_installed
++ - package_libselinux_installed.severity=high
++ - grub2_enable_selinux
++ - grub2_enable_selinux.severity=high
++ - selinux_policytype
++ - selinux_policytype.severity=high
++ - var_selinux_policy_name=targeted
++ - selinux_state
++ - selinux_state.severity=high
++ - package_mcstrans_removed
++ - package_mcstrans_removed.severity=high
++ - sysctl_fs_protected_hardlinks
++ - sysctl_fs_protected_hardlinks.severity=high
++ - sysctl_fs_protected_symlinks
++ - sysctl_fs_protected_symlinks.severity=high
++
++ - id: 5.2_periodic_compliance_scans
++ title: Ensure Periodic Compliance Scans are Performed
++ levels:
++ - base
++ status: manual
 diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
 index 1db77bb04a..d2bc832377 100644
 --- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
@@ -1955,9 +604,18 @@ index 663a3282cf..b6f05c2bc1 100644
 {{% else %}} test -n "$GRUB_CFG_ROOT" || GRUB_CFG_ROOT=/boot/grub2
 diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/oval/shared.xml b/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/oval/shared.xml
-index 7f2f865631..475fdd2893 100644
+index 7f2f865631..577cd8a84e 100644
 --- a/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/oval/shared.xml
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/oval/shared.xml +@@ -1,7 +1,7 @@ + + +- {{{ oval_metadata("The kernel config CONFIG_DEFAULT_MMAP_MIN_ADDR should have value 65536 on x86_64 and 32768 on aarch64", affected_platforms=["multi_platform_all"], rule_title=rule_title) }}} ++ {{{ oval_metadata("The kernel config CONFIG_DEFAULT_MMAP_MIN_ADDR should have value 65536 on x86_64 and 32768 on aarch64 or riscv64", affected_platforms=["multi_platform_all"], rule_title=rule_title) }}} + + + @@ -16,6 +16,12 @@ @@ -2018,6 +676,105 @@ index 7f2f865631..475fdd2893 100644 It can not be scanned automatically, please check it manually.

++

If any symlink files have no camonical path, it should be removed.

++
    ++
  • To find broken symlinks in the current directory: ++
    # find ./ -xtype l
    ++
  • ++
  • To find system-wide broken symlinks (excluding virtual filesystems): ++
    # find / \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /var \) -prune -o -xtype l -print
    ++
  • ++
  • To find broken symlinks only on the same disk partition: ++
    # find / -xdev -xtype l
    ++
  • ++
++
++rationale: |-
++ Broken symlinks clutter the system, complicate maintenance, and can cause application
++ errors or unexpected behavior. Removing them ensures a cleaner, more predictable, and
++ maintainable environment.
++
++severity: high
+diff --git a/linux_os/guide/system/permissions/files/file_empty_link_prohibit/sce/shared.sh b/linux_os/guide/system/permissions/files/file_empty_link_prohibit/sce/shared.sh
+new file mode 100644
+index 0000000000..05a047f37b
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_empty_link_prohibit/sce/shared.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++# platform = multi_platform_openruyi
++# check-import = stdout
++
++temp=$(find / \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /var \) -prune -o -xtype l -print 2>/dev/null)
++
++if [ -z "$temp" ]; then
++ exit "$XCCDF_RESULT_PASS"
++fi
++
++exit "$XCCDF_RESULT_FAIL"
+diff --git a/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/rule.yml b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/rule.yml
+new file mode 100644
+index 0000000000..e43a9ba3ae
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/rule.yml
+@@ -0,0 +1,25 @@
++documentation_complete: true
++
++
++title: 'Disallow hidden executable files'
++
++description: |-
++ In the Linux system, files prefixed with "." are hidden files (except for "." and ".." in the
++ current directory and upper directory), and executable hidden files are not allowed in the system.
++
++ The three files .bashrc, .bash_profile, and .bash_logout are the script files used when the system
++ logs in/out of the shell after creating a user account. They are in line with industry practice
++ and do not need to be deleted. Other hidden executable files must have their execute permissions
++ removed or be deleted.
++
++ To find hidden files with execute permissions:
++
# find / \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /var \) -prune -o -type f -name ".*" -perm /111 ! -name ".bashrc" ! -name ".bash_profile" ! -name ".bash_logout" -print
++
++rationale: |-
++ Hidden files (prefixed with a dot) are not visible in standard directory listings, making them
++ ideal for hiding malware or backdoors. Allowing execute permissions on them increases the risk
++ of undetected malicious code execution. Prohibiting executable hidden files (with standard
++ exceptions like shell configs) reduces the attack surface and enforces least privilege.
++
++severity: high
++
+diff --git a/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/sce/shared.sh b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/sce/shared.sh
+new file mode 100644
+index 0000000000..26a0969e09
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_hidden_executable_prohibit/sce/shared.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++# platform = multi_platform_openruyi
++# check-import = stdout
++
++exit "$XCCDF_RESULT_FAIL"
++
++temp=$(find / \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /var \) -prune -o -type f -name ".*" -perm /111 ! -name ".bashrc" ! -name ".bash_profile" ! -name ".bash_logout" -print 2>/dev/null)
++
++if [ -z "$temp" ]; then
++ exit "$XCCDF_RESULT_PASS"
++fi
++
++exit "$XCCDF_RESULT_FAIL"
diff --git a/product_properties/10-grub.yml b/product_properties/10-grub.yml
index b2c17c2335..f406274e58 100644
--- a/product_properties/10-grub.yml
@@ -2045,7 +802,7 @@ index 0000000000..bb9c6b7b62
+ssg_build_product("openruyi")
diff --git a/products/openruyi/product.yml b/products/openruyi/product.yml
new file mode 100644
-index 0000000000..670940419c
+index 0000000000..c9791cfa55
--- /dev/null
+++ b/products/openruyi/product.yml
@@ -0,0 +1,24 @@
@@ -2069,14 +826,14 @@ index 0000000000..670940419c
+ - openruyi:
+ name: "cpe:/o:openruyi:openruyi:creek"
+ title: "openRuyi Creek"
-+ check_id: installed_OS_is_openruyi
++ check_id: installed_OS_is_openruyi_riscv
+
+reference_uris:
+ cis: 'https://workbench.cisecurity.org/communities/101'
\ No newline at end of file
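Review bot: The new `file_hidden_executable_prohibit/sce/shared.sh` runs `exit "$XCCDF_RESULT_FAIL"` as its first statement, before the `find` is ever executed, so the pass branch is unreachable and every scanned host reports this rule as failed; that line should be deleted so the script mirrors its sibling `file_empty_link_prohibit/sce/shared.sh`. Both scripts also prune `/var` wholesale, which skips `/var/tmp` — a world-writable directory that the hidden-executable rationale ("hiding malware or backdoors") is precisely about — so prune narrower paths such as `/var/lib` and `/var/cache`, or not at all. Neither `find` uses `-xdev`, so the scan descends into network and removable mounts and can stall a compliance run, even though the symlink rule's own description lists `find / -xdev -xtype l` as the bounded form. In the `file_empty_link_prohibit` description, "camonical" should read "canonical", and `severity: high` for dangling symlinks looks overstated against a rationale that only cites clutter and maintainability.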
diff --git a/products/openruyi/profiles/standard.profile b/products/openruyi/profiles/standard.profile new file mode 100644 -index 0000000000..5cc01a4388 +index 0000000000..740ab7c66a --- /dev/null +++ b/products/openruyi/profiles/standard.profile @@ -0,0 +1,14 @@ @@ -2093,7 +850,7 @@ index 0000000000..5cc01a4388 + all of these checks should pass. + +selections: -+ - std_openruyi:all:l2_server ++ - std_openruyi:all:base \ No newline at end of file diff --git a/shared/applicability/bootc.yml b/shared/applicability/bootc.yml index 1b7cabf533..38969bc682 100644 @@ -2121,6 +878,37 @@ index 4eaf3009bf..4de544308c 100644 {{% else %}} {{% set kernel_package = "kernel" %}} {{% endif %}} +diff --git a/shared/applicability/oval/installed_OS_is_openruyi_riscv.xml b/shared/applicability/oval/installed_OS_is_openruyi_riscv.xml +new file mode 100644 +index 0000000000..4383ce6d59 +--- /dev/null ++++ b/shared/applicability/oval/installed_OS_is_openruyi_riscv.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Installed operating system is openRuyi (RISCV64) ++ ++ multi_platform_all ++ ++ ++ The operating system installed on the system is openRuyi (RISCV64) ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ open[rR]uyi-release.* ++ ++ ++ diff --git a/shared/applicability/oval/installed_env_has_grub2_package.xml b/shared/applicability/oval/installed_env_has_grub2_package.xml index 827ea9f193..1845b99354 100644 --- a/shared/applicability/oval/installed_env_has_grub2_package.xml @@ -2240,10 +1028,10 @@ index 4eaf3009bf..4de544308c 100644 {{% endif %}} diff --git a/shared/checks/oval/installed_OS_is_openruyi.xml b/shared/checks/oval/installed_OS_is_openruyi.xml new file mode 100644 -index 0000000000..1e60088c71 +index 0000000000..dd87dddf9c --- /dev/null +++ b/shared/checks/oval/installed_OS_is_openruyi.xml -@@ -0,0 +1,25 @@ +@@ -0,0 +1,24 @@ + + + @@ -2257,7 +1045,6 @@ index 0000000000..1e60088c71 + + + -+ + + + 
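Review bot: Binding the product's only CPE platform to `installed_OS_is_openruyi_riscv` makes the whole benchmark evaluate as notapplicable on any openRuyi host that is not RISC-V, while the architecture-neutral `installed_OS_is_openruyi` check is kept in the tree alongside it. If that restriction is intended, reflect it in the platform entry so reports are not misleading, e.g. `title: "openRuyi Creek (riscv64)"`, and say in the commit message why the neutral check is retained; if it is not, keep `check_id: installed_OS_is_openruyi` here and apply the RISC-V check only to the rules that need it.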
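Review bot: The package name pattern `open[rR]uyi-release.*` in the new `installed_OS_is_openruyi_riscv.xml` is unanchored and, if it is evaluated as a pattern match, will also accept any package whose name starts with that prefix (a `-notes` or `-logos` sibling, for instance), so the platform could be marked applicable on an image where the release package itself is absent; anchoring it, e.g. `^open[rR]uyi-release$`, avoids that unless the broader match is deliberate. The XML tags were stripped in this view, so I cannot confirm that the definition combines the rpm test with an architecture criterion — the title promises RISCV64 but the only visible criterion text is the package name; if the arch test is missing, this file is just a duplicate of `installed_OS_is_openruyi` under a more specific name.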
@@ -2366,6 +1153,152 @@ index 33417159b0..12a5053c9c 100644 {{% elif 'debian' in product %}} - name: Update grub defaults and the bootloader menu ansible.builtin.command: /usr/sbin/update-grub +diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja +index 7ad8a71c02..c4d57cb573 100644 +--- a/shared/macros/10-bash.jinja ++++ b/shared/macros/10-bash.jinja +@@ -1973,7 +1973,7 @@ Part of the grub2_bootloader_argument template. + + #}} + {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}} +-{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15', 'sle16', 'slmicro5'] %}} ++{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15', 'sle16', 'slmicro5', 'openruyi'] %}} + {{{ update_etc_default_grub_manually(arg_name, arg_name_value) }}} + {{% endif -%}} + {{{ grub_command("add", arg_name_value) }}} +@@ -1989,9 +1989,9 @@ Part of the grub2_bootloader_argument template. + #}} + {{%- macro update_etc_default_grub_manually_absent(arg_name) -%}} + # Correct the form of default kernel command line in GRUB +-if grep -q -E '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=?.*"' '/etc/default/grub' ; then +- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ arg_name }}}=\?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' +-fi ++while grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' '/etc/default/grub' ; do ++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*[[:space:]]\?\){{{ arg_name }}}=\?[^[:space:]]*[[:space:]]\?\(.*"\)/\1\2/' '/etc/default/grub' ++done + {{%- endmacro %}} + + +@@ -2004,7 +2004,7 @@ Part of the grub2_bootloader_argument_absent template. 
+ + #}} + {{% macro grub2_bootloader_argument_absent_remediation(arg_name) %}} +-{{% if 'ubuntu' in product or product in ['ol7', 'sle12', 'sle15', 'sle16', 'slmicro5'] %}} ++{{% if 'ubuntu' in product or product in ['ol7', 'sle12', 'sle15', 'sle16', 'slmicro5', 'openruyi'] %}} + {{{ update_etc_default_grub_manually_absent(arg_name) }}} + {{% endif -%}} + {{{ grub_command("remove", arg_name) }}} +diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja +index 6466728189..8d3f2aa4e4 100644 +--- a/shared/macros/10-oval.jinja ++++ b/shared/macros/10-oval.jinja +@@ -1796,7 +1796,7 @@ The macros generates the OVAL test including the dependent OVAL object and OVAL + {{# + Macro for checking the system architecture in /proc/sys/kernel/{osrelease,arch} + +- :param arch: system architecture (x86_64, aarch64, s90x, ppc64le, ...) ++ :param arch: system architecture (x86_64, aarch64, s90x, ppc64le, riscv64 ...) + :type arch: str + #}} + {{%- macro oval_check_proc_sys_kernel_osrelease_arch(arch) -%}} +diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template +index 75420036ed..38cd2a7ac3 100644 +--- a/shared/templates/accounts_password/bash.template ++++ b/shared/templates/accounts_password/bash.template +@@ -6,13 +6,13 @@ + + {{{ bash_instantiate_variables("var_password_pam_" ~ VARIABLE) }}} + +-{{% if 'ol' in families or 'rhel' in product %}} ++{{% if 'ol' in families or 'rhel' in product or product == 'openruyi' %}} + if grep -sq {{{ VARIABLE }}} /etc/security/pwquality.conf.d/*.conf ; then + sed -i "/{{{ VARIABLE }}}/d" /etc/security/pwquality.conf.d/*.conf + fi + {{% endif %}} + +-{{% if "ol" in families %}} ++{{% if "ol" in families or product == "openruyi" %}} + {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth', + 'password', + '', +diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template +index bf4b86b19b..bddde19d20 100644 
+--- a/shared/templates/accounts_password/oval.template ++++ b/shared/templates/accounts_password/oval.template +@@ -1,4 +1,4 @@ +-{{% if 'ol' in families or 'rhel' in product %}} ++{{% if 'ol' in families or 'rhel' in product or product == 'openruyi' %}} + {{% set filepath_regex="^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$" %}} + {{% else %}} + {{% set filepath_regex="^" + pwquality_path + "$" %}} +@@ -11,7 +11,7 @@ + + + +- {{% if "ol" in families %}} ++ {{% if "ol" in families or product == "openruyi" %}} + + +
+ +- {{% if "ol" in families %}} ++ {{% if "ol" in families or product == "openruyi" %}} + +diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template +index f43f3484c0..2a96387a7a 100644 +--- a/shared/templates/grub2_bootloader_argument/bash.template ++++ b/shared/templates/grub2_bootloader_argument/bash.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_debian,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux ++# platform = multi_platform_debian,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_openruyi + {{# + See the OVAL template for more comments. + Product-specific categorization should be synced across all template content types +diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template +index 06db2fbc25..fbe6e9da15 100644 +--- a/shared/templates/grub2_bootloader_argument_absent/bash.template ++++ b/shared/templates/grub2_bootloader_argument_absent/bash.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openruyi + {{# + See the OVAL template for more comments. 
+ Product-specific categorization should be synced across all template content types +diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template +index 4c93f2b84d..136020e210 100644 +--- a/shared/templates/service_disabled/bash.template ++++ b/shared/templates/service_disabled/bash.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_openruyi + # reboot = false + # strategy = disable + # complexity = low +diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template +index 4e207a79d7..5877749868 100644 +--- a/shared/templates/service_enabled/bash.template ++++ b/shared/templates/service_enabled/bash.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_debian ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux,multi_platform_debian,multi_platform_openruyi + # reboot = false + # strategy = enable + # complexity = low +diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template +index 0f0e48edee..86f960db91 100644 +--- a/shared/templates/sysctl/bash.template ++++ b/shared/templates/sysctl/bash.template +@@ -1,4 +1,4 @@ +-# platform = 
multi_platform_debian,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu ++# platform = multi_platform_debian,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_openruyi + # reboot = true + # strategy = disable + # complexity = low diff --git a/ssg/constants.py b/ssg/constants.py index f104ecec2c..63bcdf287f 100644 --- a/ssg/constants.py
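Review bot: The rewritten `update_etc_default_grub_manually_absent` loops `while grep -q ... ; do sed -i ... ; done` with no exit other than a successful substitution, so if `sed -i` cannot rewrite `/etc/default/grub` (read-only or immutable file) or the line matches the grep but not the sed's stricter `GRUB_CMDLINE_LINUX="` anchor, the remediation spins forever; guard it with `sed -i '…' '/etc/default/grub' || break`. The grep pattern was also tightened from `{{{ arg_name }}}=?` to `{{{ arg_name }}}=`, so a flag-style argument present without `=value` no longer enters the loop even though the sed still tolerates `=\?`; restore the optional equals with `while grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=\?.*"' '/etc/default/grub' ; do`. The openruyi additions to the `grub2_bootloader_argument*`, `accounts_password`, `service_*` and `sysctl` templates look consistent with how `ol` and `sle` are already handled.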