!40 优化配置加固项

From: @jinlun123123 Reviewed-by: @flysubmarine, @zhujianwei001 Signed-off-by: @zhujianwei001
2024-12-04 07:34:52 +00:00 · 2024-12-04 07:34:52 +00:00 · 500f5a31c3
commit 500f5a31c3
parent 8df1627e7a 6245f19e1a
2 changed files with 114 additions and 28 deletions
--- a/add-openeuler-automatic-hardening.patch
+++ b/add-openeuler-automatic-hardening.patch
@ -1,6 +1,6 @@
-From a4a86e816552479cb41e3423aef67acc32fb8510 Mon Sep 17 00:00:00 2001
+From e64af3aba7460bab202a194613ecf672747fc199 Mon Sep 17 00:00:00 2001
 From: jinlun <jinlun@huawei.com>
-Date: Wed, 13 Nov 2024 14:38:36 +0800
+Date: Tue, 3 Dec 2024 17:18:17 +0800
 Subject: [PATCH] Automatic hardening is supported.

 Signed-off-by: jinlun <jinlun@huawei.com>
@ -16,29 +16,33 @@ Signed-off-by: xuce <xuce10@h-partners.com>
 .../bash/shared.sh                              |  2 +-
 .../bash/shared.sh                              |  2 +-
 .../bash/shared.sh                              | 11 +++++++++++
- .../bash/shared.sh                              | 10 ++++++++++
 .../require_singleuser_auth/rule.yml            |  2 +-
 .../gid_passwd_group_same/bash/shared.sh        | 10 ++++++++++
 .../use_pam_wheel_for_su/bash/shared.sh         |  2 +-
 .../bash/shared.sh                              |  2 +-
 .../bash/shared.sh                              |  2 +-
- .../configure_dump_journald_log/bash/shared.sh  |  5 +++++
+ .../bash/shared.sh                              |  2 +-
+ .../bash/shared.sh                              |  2 +-
+ .../configure_dump_journald_log/bash/shared.sh  |  7 +++++++
+ .../configure_dump_journald_log/rule.yml        |  4 ++--
 .../rsyslog_cron_logging/bash/shared.sh         |  4 ++--
 .../bash/shared.sh                              |  2 +-
+ .../aide/aide_build_database/oval/shared.xml    |  2 ++
 .../only_root_can_run_pkexec/bash/shared.sh     |  5 +++++
 .../su/su_always_set_path/bash/shared.sh        |  6 ++++++
 .../sce/openeuler2403.sh                        | 17 +++++++++++++++++
 .../bash/shared.sh                              |  2 +-
 shared/macros/10-bash.jinja                     | 10 +++++-----
+ .../templates/accounts_password/bash.template   |  4 ++--
+ .../templates/accounts_password/oval.template   |  4 ++--
 .../grub2_bootloader_argument/bash.template     |  2 +-
 .../bash.template                               |  2 +-
 shared/templates/service_disabled/bash.template |  2 +-
 shared/templates/service_enabled/bash.template  |  2 +-
 shared/templates/sysctl/bash.template           |  2 +-
- 29 files changed, 98 insertions(+), 28 deletions(-)
+ 34 files changed, 100 insertions(+), 36 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
 create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
@ -183,25 +187,9 @@ index 0000000..568f4f5
 +fi
 +
 +grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/password-auth
-+if [ $? -nq 0 ]; then
+if [ $? -eq 0 ]; then
 +    sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/password-auth
 +fi
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
-new file mode 100644
-index 0000000..7795559
--- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
-@@ -0,0 +1,10 @@
-+# platform = multi_platform_openeuler
-+
-+
-+cracklib-unpacker /usr/share/cracklib/pw_dict > ssg_dictionary.txt
-+create-cracklib-dict ssg_dictionary.txt
-+rm -f ssg_dictionary.txt
-+grep -oE '^ *dictcheck *= *(-?[0-9]+)([[:space:]]|$)' /etc/security/pwquality.conf
-+if [ $? -ne 0 ]; then
-+echo "dictcheck = 1" >> /etc/security/pwquality.conf
-+fi
 diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
 index 6e47912..107ef85 100644
 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@ -240,6 +228,16 @@ index cf672ee..17ed6f2 100644
 
 # uncomment the option if commented
   sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
+index 36e7f8c..6f92e73 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_audispd_disk_full_action") }}}
+ 
 diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
 index 8a53bf8..561ff0f 100644
 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
@ -260,17 +258,49 @@ index 5007f96..1834f35 100644
 
 {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}}
 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
+index a53f062..45ff50d 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_auditd_space_left") }}}
+ 
 diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
 new file mode 100644
-index 0000000..12febfb
+index 0000000..3f36da4
 --- /dev/null
 +++ b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
 +# platform = multi_platform_openeuler
 +
 +echo 'module(load="imjournal"' >> /etc/rsyslog.conf
 +echo 'StateFile="/run/log/imjournal.state")' >> /etc/rsyslog.conf
 +
+systemctl daemon-reload
+systemctl restart rsyslog
+diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
+index 6121f9c..4643b87 100644
+--- a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
+++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
+@@ -13,7 +13,7 @@ description: |-
+     consistent with the system. Safety.
+ 
+     <p>Check whether the relevant fields have been configured in the /etc/rsyslog.conf file:</p>
+-    <pre>$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*</pre>
+    <pre>$ grep "^[^#]*imjournal" /etc/rsyslog.conf</pre>
+ 
+ rationale: |-
+     If there is a volatile storage device for the log, failure to dump
+@@ -22,4 +22,4 @@ rationale: |-
+     are not dumped in time, the logs may fill up the current partition,
+     causing the risk of other processes or system failures.
+ 
+-severity: high
+\ No newline at end of file
+severity: high
 diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
 index 773f889..f6f3772 100644
 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
@ -296,16 +326,29 @@ index 91b3495..265cda1 100644
 df --local -P | awk '{if (NR!=1) print $6}' \
 | xargs -I '$6' find '$6' -xdev -type d \
 \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+index 14cf458..ffa8444 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+@@ -17,6 +17,8 @@
+     <ind:filepath>/etc/aide.conf</ind:filepath>
+     {{% if 'sle' in product %}}
+       <ind:pattern operation="pattern match">^database=file:/([/a-z.]+)$</ind:pattern>
+    {{% elif 'openeuler2403' in product %}}
+      <ind:pattern operation="pattern match">^database_in=file:@@{DBDIR}/([a-z.]+)$</ind:pattern>
+     {{% else %}}
+       <ind:pattern operation="pattern match">^database=file:@@{DBDIR}/([a-z.]+)$</ind:pattern>
+     {{% endif %}}
 diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
 new file mode 100644
-index 0000000..1057e81
+index 0000000..8a5a7a2
 --- /dev/null
 +++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
@@ -0,0 +1,5 @@
 +# platform = multi_platform_openeuler
 +
 +echo "polkit.addAdminRule(function(action, subject) {
-+    return ["unix-user:0"];
+    return [\"unix-user:0\"];
 +});" > /etc/polkit-1/rules.d/50-default.rules
 diff --git a/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
 new file mode 100644
@ -387,6 +430,46 @@ index 292a14a..9a8eace 100644
 {{{ update_etc_default_grub_manually_absent(arg_name) }}}
 {{% endif -%}}
 {{{ grub_command("remove", arg_name) }}}
+diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template
+index 46e98c1..ac8a0d7 100644
+--- a/shared/templates/accounts_password/bash.template
+++ b/shared/templates/accounts_password/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = false
+ # strategy = restrict
+ # complexity = low
+@@ -12,7 +12,7 @@ if grep -sq {{{ VARIABLE }}} /etc/security/pwquality.conf.d/*.conf ; then
+ fi
+ {{% endif %}}
+ 
+-{{% if "ol" in product %}}
+{{% if "ol" in product or "openeuler2403" in product %}}
+ {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth',
+                                   'password',
+                                   '',
+diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template
+index c83a666..5d5b1a7 100644
+--- a/shared/templates/accounts_password/oval.template
+++ b/shared/templates/accounts_password/oval.template
+@@ -11,14 +11,14 @@
+       <criteria operator="OR">
+         <criterion comment="pwquality.conf" test_ref="test_password_pam_pwquality_{{{ VARIABLE }}}" />
+       </criteria>
+-      {{% if "ol" in product %}}
+      {{% if "ol" in product or "openeuler2403" in product %}}
+       <criterion comment="{{{ VARIABLE }}} is not overwritten in system-auth"
+         test_ref="test_password_pam_pwquality_{{{ VARIABLE }}}_not_overwritten"/>
+       {{% endif %}}
+     </criteria>
+   </definition>
+ 
+-  {{% if "ol" in product %}}
+  {{% if "ol" in product or "openeuler2403" in product %}}
+   <ind:textfilecontent54_test check="all" check_existence="none_exist"
+     comment="check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf"
+     id="test_password_pam_pwquality_{{{ VARIABLE }}}_not_overwritten" version="1">
 diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
 index 965f4d3..4cbedf3 100644
 --- a/shared/templates/grub2_bootloader_argument/bash.template
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -1,6 +1,6 @@
 Name:		scap-security-guide
 Version:	0.1.68
-Release:	6
+Release:	7
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@ -65,6 +65,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html

 %changelog
+* Tue Dec 3 2024 jinlun <jinlun@huawei.com> - 0.1.68-7
+- fix some issue.
+
 * Fri Nov 15 2024 jinlun <jinlun@huawei.com> - 0.1.68-6
 - fix openeuler grub configuration to Automatic hardening.