packages/scap-security-guide
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!44 修改ssg中与openeuler安全规范不一致的条目

Browse Source 
From: @jinlun123123 
Reviewed-by: @flysubmarine, @zhujianwei001 
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2024-12-10 12:28:58 +00:00 committed by Gitee
commit 3a53e0413c
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 77 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
scap-is-modified-to-be-consistent-with-the-specif.patch Normal file
View File

@ -0,0 +1,72 @@
From 34a439703a12363e348329db2cc1145a7084fe4d Mon Sep 17 00:00:00 2001
From: jinlun <jinlun@huawei.com>
Date: Tue, 10 Dec 2024 19:25:41 +0800
Subject: [PATCH] the ssg is modified to be consistent with the specifications
---
controls/std_openeuler.yml | 1 +
.../bash/shared.sh | 6 ++++++
.../oval/shared.xml | 4 ++++
.../var_auditd_space_left.var | 1 +
4 files changed, 12 insertions(+)
diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
index 6985d6d..3068afb 100644
--- a/controls/std_openeuler.yml
+++ b/controls/std_openeuler.yml
@@ -1752,6 +1752,7 @@ controls:
rules:
- auditd_data_retention_space_left
- auditd_data_retention_space_left.severity=low
+ - var_auditd_space_left=75MB
- auditd_data_retention_space_left_action
- auditd_data_retention_space_left_action.severity=low
- var_auditd_space_left_action=syslog
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
index 4233f10..293dc77 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
@@ -2,6 +2,12 @@
{{{ bash_instantiate_variables("var_auditd_admin_space_left_percentage") }}}
+{{% if "openeuler" in product %}}
+grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
+ sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage/g" /etc/audit/auditd.conf || \
+ echo "admin_space_left = $var_auditd_admin_space_left_percentage" >> /etc/audit/auditd.conf
+{{% else %}}
grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage%/g" /etc/audit/auditd.conf || \
echo "admin_space_left = $var_auditd_admin_space_left_percentage%" >> /etc/audit/auditd.conf
+{{% endif %}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
index 16d7433..b2acd8f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
@@ -17,7 +17,11 @@
<ind:filepath>/etc/audit/auditd.conf</ind:filepath>
<!-- Allow only space (exactly) as delimiter: https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L426 -->
<!-- Require at least one space before and after the equal sign -->
+{{% if "openeuler" in product %}}
+ <ind:pattern operation="pattern match">^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$</ind:pattern>
+{{% else %}}
<ind:pattern operation="pattern match">^[\s]*admin_space_left[\s]+=[\s]+(\d+)%[\s]*$</ind:pattern>
+{{% endif %}}
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
index 4a3acba..3d86ed4 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
@@ -10,6 +10,7 @@ interactive: false
options:
1000MB: 1000
+ 75MB: 75
100MB: 100
250MB: 250
500MB: 500
--
2.33.0

6
scap-security-guide.spec
View File

@ -1,6 +1,6 @@
Name: scap-security-guide Name: scap-security-guide
Version: 0.1.68 Version: 0.1.68
Release: 8 Release: 9
Summary: Security guidance and baselines in SCAP formats Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/ URL: https://github.com/ComplianceAsCode/content/
@ -10,6 +10,7 @@ Patch0001: add-openeuler-support.patch
Patch0002: add-openeuler-control-rules.patch Patch0002: add-openeuler-control-rules.patch
Patch0003: optimize-rules-for-openEuler.patch Patch0003: optimize-rules-for-openEuler.patch
Patch0004: add-openeuler-automatic-hardening.patch Patch0004: add-openeuler-automatic-hardening.patch
Patch0005: scap-is-modified-to-be-consistent-with-the-specif.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@ -65,6 +66,9 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html %doc %{_docdir}/%{name}/tables/*.html
%changelog %changelog
* Tue Dec 10 2024 jinlun <jinlun@huawei.com> - 0.1.68-9
- the ssg is modified to be consistent with the specifications
* Thu Dec 5 2024 xuce <xuce10@h-partners.com> - 0.1.68-8 * Thu Dec 5 2024 xuce <xuce10@h-partners.com> - 0.1.68-8
- fix strong MACs and permission of cron.allow and at.allow - fix strong MACs and permission of cron.allow and at.allow