diff options
author | Armin Kuster <akuster808@gmail.com> | 2023-06-23 15:58:40 -0400 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-07-31 06:18:52 -0400 |
commit | 64b8f9b68e795295b1defc94078f3ffd634f48ca (patch) | |
tree | b87a8fbd357010f1641e08ad336ad435722aa837 | |
parent | 4c787f3258dd480009d4a3460519fb37752521ba (diff) | |
download | meta-security-64b8f9b68e795295b1defc94078f3ffd634f48ca.tar.gz |
scap-security-guide: refactor patches
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch (renamed from recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch) | 227 | ||||
-rw-r--r-- | recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch | 231 | ||||
-rw-r--r-- | recipes-compliance/scap-security-guide/files/0002-scap-security-guide-Add-Poky-support.patch (renamed from recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch) | 57 | ||||
-rw-r--r-- | recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb | 7 |
4 files changed, 215 insertions, 307 deletions
diff --git a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch b/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch index f003f72..0db2b12 100644 --- a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch +++ b/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch | |||
@@ -1,24 +1,27 @@ | |||
1 | From f6287d146762b8360bd7099f4724a58eedba7d2a Mon Sep 17 00:00:00 2001 | 1 | From 826dd5b109f79270819703a23cc8066895d68042 Mon Sep 17 00:00:00 2001 |
2 | From: Armin Kuster <akuster808@gmail.com> | 2 | From: Armin Kuster <akuster808@gmail.com> |
3 | Date: Wed, 14 Jun 2023 07:46:55 -0400 | 3 | Date: Wed, 14 Jun 2023 07:46:55 -0400 |
4 | Subject: [PATCH] scap-security-guide: add openembedded | 4 | Subject: [PATCH 1/2] scap-security-guide: add openembedded distro support |
5 | |||
6 | includes a standard profile for out-of-the-box checks | ||
5 | 7 | ||
6 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | 8 | Signed-off-by: Armin Kuster <akuster808@gmail.com> |
7 | 9 | ||
8 | Upstream-Status: Pending | 10 | Upstream-Status: Pending |
11 | https://github.com/ComplianceAsCode/content/pull/10793 | ||
9 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | 12 | Signed-off-by: Armin Kuster <akuster808@gmail.com> |
10 | 13 | ||
11 | --- | 14 | --- |
12 | CMakeLists.txt | 5 +++ | 15 | CMakeLists.txt | 5 + |
13 | build_product | 1 + | 16 | build_product | 1 + |
14 | products/openembedded/CMakeLists.txt | 6 ++++ | 17 | products/openembedded/CMakeLists.txt | 6 + |
15 | products/openembedded/product.yml | 19 +++++++++++ | 18 | products/openembedded/product.yml | 19 ++ |
16 | .../openembedded/profiles/standard.profile | 12 +++++++ | 19 | .../openembedded/profiles/standard.profile | 166 ++++++++++++++++++ |
17 | .../openembedded/transforms/constants.xslt | 10 ++++++ | 20 | .../openembedded/transforms/constants.xslt | 10 ++ |
18 | .../oval/installed_OS_is_openembedded.xml | 33 +++++++++++++++++++ | 21 | .../oval/installed_OS_is_openembedded.xml | 33 ++++ |
19 | .../oval/sysctl_kernel_ipv6_disable.xml | 1 + | 22 | .../oval/sysctl_kernel_ipv6_disable.xml | 1 + |
20 | ssg/constants.py | 5 ++- | 23 | ssg/constants.py | 5 +- |
21 | 9 files changed, 91 insertions(+), 1 deletion(-) | 24 | 9 files changed, 245 insertions(+), 1 deletion(-) |
22 | create mode 100644 products/openembedded/CMakeLists.txt | 25 | create mode 100644 products/openembedded/CMakeLists.txt |
23 | create mode 100644 products/openembedded/product.yml | 26 | create mode 100644 products/openembedded/product.yml |
24 | create mode 100644 products/openembedded/profiles/standard.profile | 27 | create mode 100644 products/openembedded/profiles/standard.profile |
@@ -26,10 +29,10 @@ Signed-off-by: Armin Kuster <akuster808@gmail.com> | |||
26 | create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml | 29 | create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml |
27 | 30 | ||
28 | diff --git a/CMakeLists.txt b/CMakeLists.txt | 31 | diff --git a/CMakeLists.txt b/CMakeLists.txt |
29 | index 85ec289644..09ac96784e 100644 | 32 | index 6b1ac00ff9..e4191f2cef 100644 |
30 | --- a/CMakeLists.txt | 33 | --- a/CMakeLists.txt |
31 | +++ b/CMakeLists.txt | 34 | +++ b/CMakeLists.txt |
32 | @@ -95,6 +95,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be | 35 | @@ -97,6 +97,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be |
33 | option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) | 36 | option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) |
34 | option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) | 37 | option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) |
35 | option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) | 38 | option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) |
@@ -37,16 +40,16 @@ index 85ec289644..09ac96784e 100644 | |||
37 | 40 | ||
38 | 41 | ||
39 | option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE) | 42 | option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE) |
40 | @@ -289,6 +290,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}") | 43 | @@ -291,6 +292,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}") |
41 | message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}") | 44 | message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}") |
42 | message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}") | 45 | message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}") |
43 | message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}") | 46 | message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}") |
44 | +message(STATUS "OpenEmbedded nodistro: ${SSG_PRODUCT_OE}") | 47 | +message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OE}") |
45 | |||
46 | 48 | ||
47 | 49 | ||
48 | @@ -410,6 +412,9 @@ endif() | 50 | message(STATUS " ") |
49 | if (SSG_PRODUCT_UOS20) | 51 | @@ -409,6 +411,9 @@ endif() |
52 | if(SSG_PRODUCT_UOS20) | ||
50 | add_subdirectory("products/uos20" "uos20") | 53 | add_subdirectory("products/uos20" "uos20") |
51 | endif() | 54 | endif() |
52 | +if (SSG_PRODUCT_OE) | 55 | +if (SSG_PRODUCT_OE) |
@@ -56,14 +59,14 @@ index 85ec289644..09ac96784e 100644 | |||
56 | # ZIP only contains source datastreams and kickstarts, people who | 59 | # ZIP only contains source datastreams and kickstarts, people who |
57 | # want sources to build from should get the tarball instead. | 60 | # want sources to build from should get the tarball instead. |
58 | diff --git a/build_product b/build_product | 61 | diff --git a/build_product b/build_product |
59 | index fc793cbe70..197d925b7e 100755 | 62 | index fc793cbe70..7bdc03edfe 100755 |
60 | --- a/build_product | 63 | --- a/build_product |
61 | +++ b/build_product | 64 | +++ b/build_product |
62 | @@ -333,6 +333,7 @@ all_cmake_products=( | 65 | @@ -333,6 +333,7 @@ all_cmake_products=( |
63 | UBUNTU2204 | 66 | UBUNTU2204 |
64 | UOS20 | 67 | UOS20 |
65 | MACOS1015 | 68 | MACOS1015 |
66 | + OPENEMBEDDED | 69 | + OPENEMBEDDED |
67 | ) | 70 | ) |
68 | 71 | ||
69 | DEFAULT_OVAL_MAJOR_VERSION=5 | 72 | DEFAULT_OVAL_MAJOR_VERSION=5 |
@@ -81,7 +84,7 @@ index 0000000000..1981adf53e | |||
81 | +ssg_build_product("openembedded") | 84 | +ssg_build_product("openembedded") |
82 | diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml | 85 | diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml |
83 | new file mode 100644 | 86 | new file mode 100644 |
84 | index 0000000000..9f2f12d737 | 87 | index 0000000000..debf6870ef |
85 | --- /dev/null | 88 | --- /dev/null |
86 | +++ b/products/openembedded/product.yml | 89 | +++ b/products/openembedded/product.yml |
87 | @@ -0,0 +1,19 @@ | 90 | @@ -0,0 +1,19 @@ |
@@ -101,15 +104,15 @@ index 0000000000..9f2f12d737 | |||
101 | +cpes_root: "../../shared/applicability" | 104 | +cpes_root: "../../shared/applicability" |
102 | +cpes: | 105 | +cpes: |
103 | + - openembedded: | 106 | + - openembedded: |
104 | + name: "cpe:/o:openembedded" | 107 | + name: "cpe:/o:openembedded:nodistro:" |
105 | + title: "OpenEmbedded nodistro" | 108 | + title: "OpenEmbedded nodistro" |
106 | + check_id: installed_OS_is_openembedded | 109 | + check_id: installed_OS_is_openembedded |
107 | diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile | 110 | diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile |
108 | new file mode 100644 | 111 | new file mode 100644 |
109 | index 0000000000..44339d716c | 112 | index 0000000000..fcb9e0e5c2 |
110 | --- /dev/null | 113 | --- /dev/null |
111 | +++ b/products/openembedded/profiles/standard.profile | 114 | +++ b/products/openembedded/profiles/standard.profile |
112 | @@ -0,0 +1,12 @@ | 115 | @@ -0,0 +1,166 @@ |
113 | +documentation_complete: true | 116 | +documentation_complete: true |
114 | + | 117 | + |
115 | +title: 'Sample Security Profile for OpenEmbedded Distros' | 118 | +title: 'Sample Security Profile for OpenEmbedded Distros' |
@@ -121,10 +124,164 @@ index 0000000000..44339d716c | |||
121 | +selections: | 124 | +selections: |
122 | + - file_owner_etc_passwd | 125 | + - file_owner_etc_passwd |
123 | + - file_groupowner_etc_passwd | 126 | + - file_groupowner_etc_passwd |
127 | + - service_crond_enabled | ||
128 | + - file_groupowner_crontab | ||
129 | + - file_owner_crontab | ||
130 | + - file_permissions_crontab | ||
131 | + - file_groupowner_cron_hourly | ||
132 | + - file_owner_cron_hourly | ||
133 | + - file_permissions_cron_hourly | ||
134 | + - file_groupowner_cron_daily | ||
135 | + - file_owner_cron_daily | ||
136 | + - file_permissions_cron_daily | ||
137 | + - file_groupowner_cron_weekly | ||
138 | + - file_owner_cron_weekly | ||
139 | + - file_permissions_cron_weekly | ||
140 | + - file_groupowner_cron_monthly | ||
141 | + - file_owner_cron_monthly | ||
142 | + - file_permissions_cron_monthly | ||
143 | + - file_groupowner_cron_d | ||
144 | + - file_owner_cron_d | ||
145 | + - file_permissions_cron_d | ||
146 | + - file_groupowner_cron_allow | ||
147 | + - file_owner_cron_allow | ||
148 | + - file_cron_deny_not_exist | ||
149 | + - file_groupowner_at_allow | ||
150 | + - file_owner_at_allow | ||
151 | + - file_at_deny_not_exist | ||
152 | + - file_permissions_at_allow | ||
153 | + - file_permissions_cron_allow | ||
154 | + - file_groupowner_sshd_config | ||
155 | + - file_owner_sshd_config | ||
156 | + - file_permissions_sshd_config | ||
157 | + - file_permissions_sshd_private_key | ||
158 | + - file_permissions_sshd_pub_key | ||
159 | + - sshd_set_loglevel_verbose | ||
160 | + - sshd_set_loglevel_info | ||
161 | + - sshd_max_auth_tries_value=4 | ||
162 | + - sshd_set_max_auth_tries | ||
163 | + - sshd_disable_rhosts | ||
164 | + - disable_host_auth | ||
165 | + - sshd_disable_root_login | ||
166 | + - sshd_disable_empty_passwords | ||
167 | + - sshd_do_not_permit_user_env | ||
168 | + - sshd_idle_timeout_value=15_minutes | ||
169 | + - sshd_set_idle_timeout | ||
170 | + - sshd_set_keepalive | ||
171 | + - var_sshd_set_keepalive=0 | ||
172 | + - sshd_set_login_grace_time | ||
173 | + - var_sshd_set_login_grace_time=60 | ||
174 | + - sshd_enable_warning_banner | ||
175 | + - sshd_enable_pam | ||
176 | + - sshd_set_maxstartups | ||
177 | + - var_sshd_set_maxstartups=10:30:60 | ||
178 | + - sshd_set_max_sessions | ||
179 | + - var_sshd_max_sessions=10 | ||
180 | + - accounts_password_pam_minclass | ||
181 | + - accounts_password_pam_minlen | ||
182 | + - accounts_password_pam_retry | ||
183 | + - var_password_pam_minclass=4 | ||
184 | + - var_password_pam_minlen=14 | ||
185 | + - locking_out_password_attempts | ||
186 | + - accounts_password_pam_pwhistory_remember_password_auth | ||
187 | + - accounts_password_pam_pwhistory_remember_system_auth | ||
188 | + - var_password_pam_remember_control_flag=required | ||
189 | + - var_password_pam_remember=5 | ||
190 | + - set_password_hashing_algorithm_systemauth | ||
191 | + - var_accounts_maximum_age_login_defs=365 | ||
192 | + - accounts_password_set_max_life_existing | ||
193 | + - var_accounts_minimum_age_login_defs=7 | ||
194 | + - accounts_password_set_min_life_existing | ||
195 | + - var_accounts_password_warn_age_login_defs=7 | ||
196 | + - account_disable_post_pw_expiration | ||
197 | + - var_account_disable_post_pw_expiration=30 | ||
198 | + - no_shelllogin_for_systemaccounts | ||
199 | + - accounts_tmout | ||
200 | + - var_accounts_tmout=15_min | ||
201 | + - accounts_root_gid_zero | ||
202 | + - accounts_umask_etc_bashrc | ||
203 | + - use_pam_wheel_for_su | ||
204 | + - sshd_allow_only_protocol2 | ||
205 | + - journald_forward_to_syslog | ||
206 | + - journald_compress | ||
207 | + - journald_storage | ||
208 | + - service_auditd_enabled | ||
209 | + - service_httpd_disabled | ||
210 | + - service_vsftpd_disabled | ||
211 | + - service_named_disabled | ||
212 | + - service_nfs_disabled | ||
213 | + - service_rpcbind_disabled | ||
214 | + - service_slapd_disabled | ||
215 | + - service_dhcpd_disabled | ||
216 | + - service_cups_disabled | ||
217 | + - service_ypserv_disabled | ||
218 | + - service_rsyncd_disabled | ||
219 | + - service_avahi-daemon_disabled | ||
220 | + - service_snmpd_disabled | ||
221 | + - service_squid_disabled | ||
222 | + - service_smb_disabled | ||
223 | + - service_dovecot_disabled | ||
224 | + - banner_etc_motd | ||
225 | + - login_banner_text=cis_banners | ||
226 | + - banner_etc_issue | ||
227 | + - login_banner_text=cis_banners | ||
228 | + - file_groupowner_etc_motd | ||
229 | + - file_owner_etc_motd | ||
230 | + - file_permissions_etc_motd | ||
231 | + - file_groupowner_etc_issue | ||
232 | + - file_owner_etc_issue | ||
233 | + - file_permissions_etc_issue | ||
234 | + - ensure_gpgcheck_globally_activated | ||
235 | + - package_aide_installed | ||
236 | + - aide_periodic_cron_checking | ||
237 | + - grub2_password | ||
238 | + - file_groupowner_grub2_cfg | ||
239 | + - file_owner_grub2_cfg | ||
240 | + - file_permissions_grub2_cfg | ||
241 | + - require_singleuser_auth | ||
242 | + - require_emergency_target_auth | ||
243 | + - disable_users_coredumps | ||
244 | + - configure_crypto_policy | ||
245 | + - var_system_crypto_policy=default_policy | ||
246 | + - dir_perms_world_writable_sticky_bits | ||
124 | + - file_permissions_etc_passwd | 247 | + - file_permissions_etc_passwd |
248 | + - file_owner_etc_shadow | ||
249 | + - file_groupowner_etc_shadow | ||
250 | + - file_groupowner_etc_group | ||
251 | + - file_owner_etc_group | ||
252 | + - file_permissions_etc_group | ||
253 | + - file_groupowner_etc_gshadow | ||
254 | + - file_owner_etc_gshadow | ||
255 | + - file_groupowner_backup_etc_passwd | ||
256 | + - file_owner_backup_etc_passwd | ||
257 | + - file_permissions_backup_etc_passwd | ||
258 | + - file_groupowner_backup_etc_shadow | ||
259 | + - file_owner_backup_etc_shadow | ||
260 | + - file_permissions_backup_etc_shadow | ||
261 | + - file_groupowner_backup_etc_group | ||
262 | + - file_owner_backup_etc_group | ||
263 | + - file_permissions_backup_etc_group | ||
264 | + - file_groupowner_backup_etc_gshadow | ||
265 | + - file_owner_backup_etc_gshadow | ||
266 | + - file_permissions_unauthorized_world_writable | ||
267 | + - file_permissions_ungroupowned | ||
268 | + - accounts_root_path_dirs_no_write | ||
269 | + - root_path_no_dot | ||
270 | + - accounts_no_uid_except_zero | ||
271 | + - file_ownership_home_directories | ||
272 | + - file_groupownership_home_directories | ||
273 | + - no_netrc_files | ||
274 | + - no_rsh_trust_files | ||
275 | + - account_unique_id | ||
276 | + - group_unique_id | ||
277 | + - group_unique_name | ||
278 | + - wireless_disable_interfaces | ||
279 | + - package_firewalld_installed | ||
280 | + - service_firewalld_enabled | ||
281 | + - package_iptables_installed | ||
125 | diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt | 282 | diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt |
126 | new file mode 100644 | 283 | new file mode 100644 |
127 | index 0000000000..85e812a7c1 | 284 | index 0000000000..152571e8bb |
128 | --- /dev/null | 285 | --- /dev/null |
129 | +++ b/products/openembedded/transforms/constants.xslt | 286 | +++ b/products/openembedded/transforms/constants.xslt |
130 | @@ -0,0 +1,10 @@ | 287 | @@ -0,0 +1,10 @@ |
@@ -132,15 +289,15 @@ index 0000000000..85e812a7c1 | |||
132 | + | 289 | + |
133 | +<xsl:include href="../../../shared/transforms/shared_constants.xslt"/> | 290 | +<xsl:include href="../../../shared/transforms/shared_constants.xslt"/> |
134 | + | 291 | + |
135 | +<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable> | 292 | +<xsl:variable name="product_long_name">OpenEmbedded</xsl:variable> |
136 | +<xsl:variable name="product_short_name">OE nodistro</xsl:variable> | 293 | +<xsl:variable name="product_short_name">openembedded</xsl:variable> |
137 | +<xsl:variable name="product_stig_id_name">empty</xsl:variable> | 294 | +<xsl:variable name="product_stig_id_name">empty</xsl:variable> |
138 | +<xsl:variable name="prod_type">openembedded</xsl:variable> | 295 | +<xsl:variable name="prod_type">openembedded</xsl:variable> |
139 | + | 296 | + |
140 | +</xsl:stylesheet> | 297 | +</xsl:stylesheet> |
141 | diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml | 298 | diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml |
142 | new file mode 100644 | 299 | new file mode 100644 |
143 | index 0000000000..17c2873686 | 300 | index 0000000000..11ebdca913 |
144 | --- /dev/null | 301 | --- /dev/null |
145 | +++ b/shared/checks/oval/installed_OS_is_openembedded.xml | 302 | +++ b/shared/checks/oval/installed_OS_is_openembedded.xml |
146 | @@ -0,0 +1,33 @@ | 303 | @@ -0,0 +1,33 @@ |
@@ -151,19 +308,19 @@ index 0000000000..17c2873686 | |||
151 | + <affected family="unix"> | 308 | + <affected family="unix"> |
152 | + <platform>multi_platform_all</platform> | 309 | + <platform>multi_platform_all</platform> |
153 | + </affected> | 310 | + </affected> |
154 | + <description>The operating system installed is an OpenEmbedded System</description> | 311 | + <description>The operating system installed is an OpenEmbedded based system</description> |
155 | + </metadata> | 312 | + </metadata> |
156 | + <criteria comment="System is OpenEmbedded" operator="AND"> | 313 | + <criteria comment="System is OpenEmbedded based" operator="AND"> |
157 | + <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" /> | 314 | + <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" /> |
158 | + <criterion comment="OpenEmbedded distro" test_ref="test_os_release" /> | 315 | + <criterion comment="OpenEmbedded distro" test_ref="test_os_openembedded" /> |
159 | + <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" /> | 316 | + <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" /> |
160 | + </criteria> | 317 | + </criteria> |
161 | + </definition> | 318 | + </definition> |
162 | + | 319 | + |
163 | + <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release" version="1"> | 320 | + <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_openembedded" version="1"> |
164 | + <unix:object object_ref="obj_os_release" /> | 321 | + <unix:object object_ref="obj_os_openembedded" /> |
165 | + </unix:file_test> | 322 | + </unix:file_test> |
166 | + <unix:file_object comment="check /etc/os-release file" id="obj_os_release" version="1"> | 323 | + <unix:file_object comment="check /etc/os-release file" id="obj_os_openembedded" version="1"> |
167 | + <unix:filepath>/etc/os-release</unix:filepath> | 324 | + <unix:filepath>/etc/os-release</unix:filepath> |
168 | + </unix:file_object> | 325 | + </unix:file_object> |
169 | + | 326 | + |
diff --git a/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch b/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch deleted file mode 100644 index 061c5f0..0000000 --- a/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch +++ /dev/null | |||
@@ -1,231 +0,0 @@ | |||
1 | From 7af2da3bbe1d5b4cba89c6dae9ea267717b865ea Mon Sep 17 00:00:00 2001 | ||
2 | From: Armin Kuster <akuster808@gmail.com> | ||
3 | Date: Wed, 21 Jun 2023 07:46:38 -0400 | ||
4 | Subject: [PATCH] standard.profile: expand checks | ||
5 | |||
6 | Upstream-Status: Pending | ||
7 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | ||
8 | |||
9 | Upstream-status: Pending | ||
10 | --- | ||
11 | .../openembedded/profiles/standard.profile | 206 ++++++++++++++++++ | ||
12 | 1 file changed, 206 insertions(+) | ||
13 | |||
14 | diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile | ||
15 | index 44339d716c..877d1a3971 100644 | ||
16 | --- a/products/openembedded/profiles/standard.profile | ||
17 | +++ b/products/openembedded/profiles/standard.profile | ||
18 | @@ -9,4 +9,210 @@ description: |- | ||
19 | selections: | ||
20 | - file_owner_etc_passwd | ||
21 | - file_groupowner_etc_passwd | ||
22 | + - service_crond_enabled | ||
23 | + - file_groupowner_crontab | ||
24 | + - file_owner_crontab | ||
25 | + - file_permissions_crontab | ||
26 | + - file_groupowner_cron_hourly | ||
27 | + - file_owner_cron_hourly | ||
28 | + - file_permissions_cron_hourly | ||
29 | + - file_groupowner_cron_daily | ||
30 | + - file_owner_cron_daily | ||
31 | + - file_permissions_cron_daily | ||
32 | + - file_groupowner_cron_weekly | ||
33 | + - file_owner_cron_weekly | ||
34 | + - file_permissions_cron_weekly | ||
35 | + - file_groupowner_cron_monthly | ||
36 | + - file_owner_cron_monthly | ||
37 | + - file_permissions_cron_monthly | ||
38 | + - file_groupowner_cron_d | ||
39 | + - file_owner_cron_d | ||
40 | + - file_permissions_cron_d | ||
41 | + - file_groupowner_cron_allow | ||
42 | + - file_owner_cron_allow | ||
43 | + - file_cron_deny_not_exist | ||
44 | + - file_groupowner_at_allow | ||
45 | + - file_owner_at_allow | ||
46 | + - file_at_deny_not_exist | ||
47 | + - file_permissions_at_allow | ||
48 | + - file_permissions_cron_allow | ||
49 | + - file_groupowner_sshd_config | ||
50 | + - file_owner_sshd_config | ||
51 | + - file_permissions_sshd_config | ||
52 | + - file_permissions_sshd_private_key | ||
53 | + - file_permissions_sshd_pub_key | ||
54 | + - sshd_set_loglevel_verbose | ||
55 | + - sshd_set_loglevel_info | ||
56 | + - sshd_max_auth_tries_value=4 | ||
57 | + - sshd_set_max_auth_tries | ||
58 | + - sshd_disable_rhosts | ||
59 | + - disable_host_auth | ||
60 | + - sshd_disable_root_login | ||
61 | + - sshd_disable_empty_passwords | ||
62 | + - sshd_do_not_permit_user_env | ||
63 | + - sshd_idle_timeout_value=15_minutes | ||
64 | + - sshd_set_idle_timeout | ||
65 | + - sshd_set_keepalive | ||
66 | + - var_sshd_set_keepalive=0 | ||
67 | + - sshd_set_login_grace_time | ||
68 | + - var_sshd_set_login_grace_time=60 | ||
69 | + - sshd_enable_warning_banner | ||
70 | + - sshd_enable_pam | ||
71 | + - sshd_set_maxstartups | ||
72 | + - var_sshd_set_maxstartups=10:30:60 | ||
73 | + - sshd_set_max_sessions | ||
74 | + - var_sshd_max_sessions=10 | ||
75 | + - accounts_password_pam_minclass | ||
76 | + - accounts_password_pam_minlen | ||
77 | + - accounts_password_pam_retry | ||
78 | + - var_password_pam_minclass=4 | ||
79 | + - var_password_pam_minlen=14 | ||
80 | + - locking_out_password_attempts | ||
81 | + - accounts_password_pam_pwhistory_remember_password_auth | ||
82 | + - accounts_password_pam_pwhistory_remember_system_auth | ||
83 | + - var_password_pam_remember_control_flag=required | ||
84 | + - var_password_pam_remember=5 | ||
85 | + - set_password_hashing_algorithm_systemauth | ||
86 | + - accounts_maximum_age_login_defs | ||
87 | + - var_accounts_maximum_age_login_defs=365 | ||
88 | + - accounts_password_set_max_life_existing | ||
89 | + - accounts_minimum_age_login_defs | ||
90 | + - var_accounts_minimum_age_login_defs=7 | ||
91 | + - accounts_password_set_min_life_existing | ||
92 | + - accounts_password_warn_age_login_defs | ||
93 | + - var_accounts_password_warn_age_login_defs=7 | ||
94 | + - account_disable_post_pw_expiration | ||
95 | + - var_account_disable_post_pw_expiration=30 | ||
96 | + - no_shelllogin_for_systemaccounts | ||
97 | + - accounts_tmout | ||
98 | + - var_accounts_tmout=15_min | ||
99 | + - accounts_root_gid_zero | ||
100 | + - accounts_umask_etc_bashrc | ||
101 | + - accounts_umask_etc_login_defs | ||
102 | + - use_pam_wheel_for_su | ||
103 | + - sshd_allow_only_protocol2 | ||
104 | + - journald_forward_to_syslog | ||
105 | + - journald_compress | ||
106 | + - journald_storage | ||
107 | + - service_auditd_enabled | ||
108 | + - service_httpd_disabled | ||
109 | + - service_vsftpd_disabled | ||
110 | + - service_named_disabled | ||
111 | + - service_nfs_disabled | ||
112 | + - service_rpcbind_disabled | ||
113 | + - service_slapd_disabled | ||
114 | + - service_dhcpd_disabled | ||
115 | + - service_cups_disabled | ||
116 | + - service_ypserv_disabled | ||
117 | + - service_rsyncd_disabled | ||
118 | + - service_avahi-daemon_disabled | ||
119 | + - service_snmpd_disabled | ||
120 | + - service_squid_disabled | ||
121 | + - service_smb_disabled | ||
122 | + - service_dovecot_disabled | ||
123 | + - banner_etc_motd | ||
124 | + - login_banner_text=cis_banners | ||
125 | + - banner_etc_issue | ||
126 | + - login_banner_text=cis_banners | ||
127 | + - file_groupowner_etc_motd | ||
128 | + - file_owner_etc_motd | ||
129 | + - file_permissions_etc_motd | ||
130 | + - file_groupowner_etc_issue | ||
131 | + - file_owner_etc_issue | ||
132 | + - file_permissions_etc_issue | ||
133 | + - ensure_gpgcheck_globally_activated | ||
134 | + - package_aide_installed | ||
135 | + - aide_periodic_cron_checking | ||
136 | + - grub2_password | ||
137 | + - file_groupowner_grub2_cfg | ||
138 | + - file_owner_grub2_cfg | ||
139 | + - file_permissions_grub2_cfg | ||
140 | + - require_singleuser_auth | ||
141 | + - require_emergency_target_auth | ||
142 | + - disable_users_coredumps | ||
143 | + - coredump_disable_backtraces | ||
144 | + - coredump_disable_storage | ||
145 | + - configure_crypto_policy | ||
146 | + - var_system_crypto_policy=default_policy | ||
147 | + - dir_perms_world_writable_sticky_bits | ||
148 | - file_permissions_etc_passwd | ||
149 | + - file_owner_etc_shadow | ||
150 | + - file_groupowner_etc_shadow | ||
151 | + - file_groupowner_etc_group | ||
152 | + - file_owner_etc_group | ||
153 | + - file_permissions_etc_group | ||
154 | + - file_groupowner_etc_gshadow | ||
155 | + - file_owner_etc_gshadow | ||
156 | + - file_groupowner_backup_etc_passwd | ||
157 | + - file_owner_backup_etc_passwd | ||
158 | + - file_permissions_backup_etc_passwd | ||
159 | + - file_groupowner_backup_etc_shadow | ||
160 | + - file_owner_backup_etc_shadow | ||
161 | + - file_permissions_backup_etc_shadow | ||
162 | + - file_groupowner_backup_etc_group | ||
163 | + - file_owner_backup_etc_group | ||
164 | + - file_permissions_backup_etc_group | ||
165 | + - file_groupowner_backup_etc_gshadow | ||
166 | + - file_owner_backup_etc_gshadow | ||
167 | + - file_permissions_backup_etc_gshadow | ||
168 | + - file_permissions_unauthorized_world_writable | ||
169 | + - file_permissions_ungroupowned | ||
170 | + - accounts_root_path_dirs_no_write | ||
171 | + - root_path_no_dot | ||
172 | + - accounts_no_uid_except_zero | ||
173 | + - file_ownership_home_directories | ||
174 | + - file_groupownership_home_directories | ||
175 | + - no_netrc_files | ||
176 | + - no_rsh_trust_files | ||
177 | + - account_unique_id | ||
178 | + - group_unique_id | ||
179 | + - group_unique_name | ||
180 | + - kernel_module_sctp_disabled | ||
181 | + - kernel_module_dccp_disabled | ||
182 | + - wireless_disable_interfaces | ||
183 | + - sysctl_net_ipv4_ip_forward | ||
184 | + - sysctl_net_ipv6_conf_all_forwarding | ||
185 | + - sysctl_net_ipv6_conf_all_forwarding_value=disabled | ||
186 | + - sysctl_net_ipv4_conf_all_send_redirects | ||
187 | + - sysctl_net_ipv4_conf_default_send_redirects | ||
188 | + - sysctl_net_ipv4_conf_all_accept_source_route | ||
189 | + - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled | ||
190 | + - sysctl_net_ipv4_conf_default_accept_source_route | ||
191 | + - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled | ||
192 | + - sysctl_net_ipv6_conf_all_accept_source_route | ||
193 | + - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled | ||
194 | + - sysctl_net_ipv6_conf_default_accept_source_route | ||
195 | + - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled | ||
196 | + - sysctl_net_ipv4_conf_all_accept_redirects | ||
197 | + - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled | ||
198 | + - sysctl_net_ipv4_conf_default_accept_redirects | ||
199 | + - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled | ||
200 | + - sysctl_net_ipv6_conf_all_accept_redirects | ||
201 | + - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled | ||
202 | + - sysctl_net_ipv6_conf_default_accept_redirects | ||
203 | + - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled | ||
204 | + - sysctl_net_ipv4_conf_all_secure_redirects | ||
205 | + - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled | ||
206 | + - sysctl_net_ipv4_conf_default_secure_redirects | ||
207 | + - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled | ||
208 | + - sysctl_net_ipv4_conf_all_log_martians | ||
209 | + - sysctl_net_ipv4_conf_all_log_martians_value=enabled | ||
210 | + - sysctl_net_ipv4_conf_default_log_martians | ||
211 | + - sysctl_net_ipv4_conf_default_log_martians_value=enabled | ||
212 | + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | ||
213 | + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled | ||
214 | + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | ||
215 | + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled | ||
216 | + - sysctl_net_ipv4_conf_all_rp_filter | ||
217 | + - sysctl_net_ipv4_conf_all_rp_filter_value=enabled | ||
218 | + - sysctl_net_ipv4_conf_default_rp_filter | ||
219 | + - sysctl_net_ipv4_conf_default_rp_filter_value=enabled | ||
220 | + - sysctl_net_ipv4_tcp_syncookies | ||
221 | + - sysctl_net_ipv4_tcp_syncookies_value=enabled | ||
222 | + - sysctl_net_ipv6_conf_all_accept_ra | ||
223 | + - sysctl_net_ipv6_conf_all_accept_ra_value=disabled | ||
224 | + - sysctl_net_ipv6_conf_default_accept_ra | ||
225 | + - sysctl_net_ipv6_conf_default_accept_ra_value=disabled | ||
226 | + - package_firewalld_installed | ||
227 | + - service_firewalld_enabled | ||
228 | + - package_iptables_installed | ||
229 | -- | ||
230 | 2.34.1 | ||
231 | |||
diff --git a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch b/recipes-compliance/scap-security-guide/files/0002-scap-security-guide-Add-Poky-support.patch index 355f954..1639264 100644 --- a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch +++ b/recipes-compliance/scap-security-guide/files/0002-scap-security-guide-Add-Poky-support.patch | |||
@@ -1,30 +1,27 @@ | |||
1 | From 23a224203a73688567f500380644e5cf30c8ed99 Mon Sep 17 00:00:00 2001 | 1 | From 2be977a60c944a54594d5786b2d8869ed72a9a06 Mon Sep 17 00:00:00 2001 |
2 | From: Armin Kuster <akuster808@gmail.com> | 2 | From: Armin Kuster <akuster808@gmail.com> |
3 | Date: Thu, 22 Jun 2023 06:19:26 -0400 | 3 | Date: Wed, 5 Jul 2023 12:57:52 -0400 |
4 | Subject: [PATCH] scap-security-guide: add Poky support | 4 | Subject: [PATCH 2/2] scap-security-guide: Add Poky support |
5 | 5 | ||
6 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | 6 | Signed-off-by: Armin Kuster <akuster808@gmail.com> |
7 | 7 | ||
8 | Upstream-Status: Pending | 8 | Upstream-Status: Pending |
9 | Waiting to see if OE changes get merged. | ||
9 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | 10 | Signed-off-by: Armin Kuster <akuster808@gmail.com> |
10 | 11 | ||
12 | |||
11 | --- | 13 | --- |
12 | products/openembedded/product.yml | 7 +++- | 14 | products/openembedded/product.yml | 6 ++++ |
13 | .../openembedded/transforms/constants.xslt | 4 +-- | 15 | shared/checks/oval/installed_OS_is_poky.xml | 33 +++++++++++++++++++++ |
14 | shared/checks/oval/installed_OS_is_poky.xml | 33 +++++++++++++++++++ | 16 | 2 files changed, 39 insertions(+) |
15 | 3 files changed, 41 insertions(+), 3 deletions(-) | ||
16 | create mode 100644 shared/checks/oval/installed_OS_is_poky.xml | 17 | create mode 100644 shared/checks/oval/installed_OS_is_poky.xml |
17 | 18 | ||
18 | diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml | 19 | diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml |
19 | index 9f2f12d737..a495e197c0 100644 | 20 | index debf6870ef..d63479d5d3 100644 |
20 | --- a/products/openembedded/product.yml | 21 | --- a/products/openembedded/product.yml |
21 | +++ b/products/openembedded/product.yml | 22 | +++ b/products/openembedded/product.yml |
22 | @@ -14,6 +14,11 @@ init_system: "systemd" | 23 | @@ -17,3 +17,9 @@ cpes: |
23 | cpes_root: "../../shared/applicability" | 24 | name: "cpe:/o:openembedded:nodistro:" |
24 | cpes: | ||
25 | - openembedded: | ||
26 | - name: "cpe:/o:openembedded" | ||
27 | + name: "cpe:/o:openembedded:nodistro:" | ||
28 | title: "OpenEmbedded nodistro" | 25 | title: "OpenEmbedded nodistro" |
29 | check_id: installed_OS_is_openembedded | 26 | check_id: installed_OS_is_openembedded |
30 | + | 27 | + |
@@ -32,24 +29,10 @@ index 9f2f12d737..a495e197c0 100644 | |||
32 | + name: "cpe:/o:openembedded:poky:" | 29 | + name: "cpe:/o:openembedded:poky:" |
33 | + title: "OpenEmbedded Poky reference distribution" | 30 | + title: "OpenEmbedded Poky reference distribution" |
34 | + check_id: installed_OS_is_poky | 31 | + check_id: installed_OS_is_poky |
35 | diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt | 32 | + |
36 | index 85e812a7c1..8901def2f9 100644 | ||
37 | --- a/products/openembedded/transforms/constants.xslt | ||
38 | +++ b/products/openembedded/transforms/constants.xslt | ||
39 | @@ -2,8 +2,8 @@ | ||
40 | |||
41 | <xsl:include href="../../../shared/transforms/shared_constants.xslt"/> | ||
42 | |||
43 | -<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable> | ||
44 | -<xsl:variable name="product_short_name">OE nodistro</xsl:variable> | ||
45 | +<xsl:variable name="product_long_name">OpenEmbedded based distribution</xsl:variable> | ||
46 | +<xsl:variable name="product_short_name">OE distros</xsl:variable> | ||
47 | <xsl:variable name="product_stig_id_name">empty</xsl:variable> | ||
48 | <xsl:variable name="prod_type">openembedded</xsl:variable> | ||
49 | |||
50 | diff --git a/shared/checks/oval/installed_OS_is_poky.xml b/shared/checks/oval/installed_OS_is_poky.xml | 33 | diff --git a/shared/checks/oval/installed_OS_is_poky.xml b/shared/checks/oval/installed_OS_is_poky.xml |
51 | new file mode 100644 | 34 | new file mode 100644 |
52 | index 0000000000..9c41acd786 | 35 | index 0000000000..b8805cf31b |
53 | --- /dev/null | 36 | --- /dev/null |
54 | +++ b/shared/checks/oval/installed_OS_is_poky.xml | 37 | +++ b/shared/checks/oval/installed_OS_is_poky.xml |
55 | @@ -0,0 +1,33 @@ | 38 | @@ -0,0 +1,33 @@ |
@@ -60,19 +43,19 @@ index 0000000000..9c41acd786 | |||
60 | + <affected family="unix"> | 43 | + <affected family="unix"> |
61 | + <platform>multi_platform_all</platform> | 44 | + <platform>multi_platform_all</platform> |
62 | + </affected> | 45 | + </affected> |
63 | + <description>The operating system installed is a Poky referenece based System</description> | 46 | + <description>The operating system installed is a Poky based System</description> |
64 | + </metadata> | 47 | + </metadata> |
65 | + <criteria comment="System is Poky reference distribution" operator="AND"> | 48 | + <criteria comment="System is Poky based distribution" operator="AND"> |
66 | + <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" /> | 49 | + <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" /> |
67 | + <criterion comment="Poky based distro" test_ref="test_os_release_poky" /> | 50 | + <criterion comment="Poky based distro" test_ref="test_os_poky" /> |
68 | + <criterion comment="Poky referenece distribution is installed" test_ref="test_poky" /> | 51 | + <criterion comment="Poky based distribution is installed" test_ref="test_poky" /> |
69 | + </criteria> | 52 | + </criteria> |
70 | + </definition> | 53 | + </definition> |
71 | + | 54 | + |
72 | + <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release_poky" version="1"> | 55 | + <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_poky" version="1"> |
73 | + <unix:object object_ref="obj_os_release_poky" /> | 56 | + <unix:object object_ref="obj_os_poky" /> |
74 | + </unix:file_test> | 57 | + </unix:file_test> |
75 | + <unix:file_object comment="check /etc/os-release file" id="obj_os_release_poky" version="1"> | 58 | + <unix:file_object comment="check /etc/os-release file" id="obj_os_poky" version="1"> |
76 | + <unix:filepath>/etc/os-release</unix:filepath> | 59 | + <unix:filepath>/etc/os-release</unix:filepath> |
77 | + </unix:file_object> | 60 | + </unix:file_object> |
78 | + | 61 | + |
diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb index 31ab96e..6e62f22 100644 --- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb +++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb | |||
@@ -6,12 +6,11 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" | |||
6 | LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820" | 6 | LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820" |
7 | LICENSE = "BSD-3-Clause" | 7 | LICENSE = "BSD-3-Clause" |
8 | 8 | ||
9 | SRCREV = "dad85502ce8da722a6afc391346c41cee61e90a9" | 9 | SRCREV = "3a1012bc9ec2b01b3b71c6feefd3cff0f52bd64d" |
10 | SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \ | 10 | SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \ |
11 | file://0001-scap-security-guide-add-openembedded.patch \ | ||
12 | file://0001-standard.profile-expand-checks.patch \ | ||
13 | file://0001-scap-security-guide-add-Poky-support.patch \ | ||
14 | file://run_eval.sh \ | 11 | file://run_eval.sh \ |
12 | file://0001-scap-security-guide-add-openembedded-distro-support.patch \ | ||
13 | file://0002-scap-security-guide-Add-Poky-support.patch \ | ||
15 | " | 14 | " |
16 | 15 | ||
17 | 16 | ||