authorArmin Kuster <akuster808@gmail.com>2023-06-23 15:58:40 -0400
committerArmin Kuster <akuster808@gmail.com>2023-07-31 06:18:52 -0400
commit64b8f9b68e795295b1defc94078f3ffd634f48ca (patch)
treeb87a8fbd357010f1641e08ad336ad435722aa837
parent4c787f3258dd480009d4a3460519fb37752521ba (diff)
downloadmeta-security-64b8f9b68e795295b1defc94078f3ffd634f48ca.tar.gz
scap-security-guide: refactor patches
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch (renamed from recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch)227
-rw-r--r--recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch231
-rw-r--r--recipes-compliance/scap-security-guide/files/0002-scap-security-guide-Add-Poky-support.patch (renamed from recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch)57
-rw-r--r--recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb7
4 files changed, 215 insertions, 307 deletions
diff --git a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch b/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
index f003f72..0db2b12 100644
--- a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch
+++ b/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
@@ -1,24 +1,27 @@
1From f6287d146762b8360bd7099f4724a58eedba7d2a Mon Sep 17 00:00:00 2001 1From 826dd5b109f79270819703a23cc8066895d68042 Mon Sep 17 00:00:00 2001
2From: Armin Kuster <akuster808@gmail.com> 2From: Armin Kuster <akuster808@gmail.com>
3Date: Wed, 14 Jun 2023 07:46:55 -0400 3Date: Wed, 14 Jun 2023 07:46:55 -0400
4Subject: [PATCH] scap-security-guide: add openembedded 4Subject: [PATCH 1/2] scap-security-guide: add openembedded distro support
5
6includes a standard profile for out-of-the-box checks
5 7
6Signed-off-by: Armin Kuster <akuster808@gmail.com> 8Signed-off-by: Armin Kuster <akuster808@gmail.com>
7 9
8Upstream-Status: Pending 10Upstream-Status: Pending
11https://github.com/ComplianceAsCode/content/pull/10793
9Signed-off-by: Armin Kuster <akuster808@gmail.com> 12Signed-off-by: Armin Kuster <akuster808@gmail.com>
10 13
11--- 14---
12 CMakeLists.txt | 5 +++ 15 CMakeLists.txt | 5 +
13 build_product | 1 + 16 build_product | 1 +
14 products/openembedded/CMakeLists.txt | 6 ++++ 17 products/openembedded/CMakeLists.txt | 6 +
15 products/openembedded/product.yml | 19 +++++++++++ 18 products/openembedded/product.yml | 19 ++
16 .../openembedded/profiles/standard.profile | 12 +++++++ 19 .../openembedded/profiles/standard.profile | 166 ++++++++++++++++++
17 .../openembedded/transforms/constants.xslt | 10 ++++++ 20 .../openembedded/transforms/constants.xslt | 10 ++
18 .../oval/installed_OS_is_openembedded.xml | 33 +++++++++++++++++++ 21 .../oval/installed_OS_is_openembedded.xml | 33 ++++
19 .../oval/sysctl_kernel_ipv6_disable.xml | 1 + 22 .../oval/sysctl_kernel_ipv6_disable.xml | 1 +
20 ssg/constants.py | 5 ++- 23 ssg/constants.py | 5 +-
21 9 files changed, 91 insertions(+), 1 deletion(-) 24 9 files changed, 245 insertions(+), 1 deletion(-)
22 create mode 100644 products/openembedded/CMakeLists.txt 25 create mode 100644 products/openembedded/CMakeLists.txt
23 create mode 100644 products/openembedded/product.yml 26 create mode 100644 products/openembedded/product.yml
24 create mode 100644 products/openembedded/profiles/standard.profile 27 create mode 100644 products/openembedded/profiles/standard.profile
@@ -26,10 +29,10 @@ Signed-off-by: Armin Kuster <akuster808@gmail.com>
26 create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml 29 create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml
27 30
28diff --git a/CMakeLists.txt b/CMakeLists.txt 31diff --git a/CMakeLists.txt b/CMakeLists.txt
29index 85ec289644..09ac96784e 100644 32index 6b1ac00ff9..e4191f2cef 100644
30--- a/CMakeLists.txt 33--- a/CMakeLists.txt
31+++ b/CMakeLists.txt 34+++ b/CMakeLists.txt
32@@ -95,6 +95,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be 35@@ -97,6 +97,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
33 option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) 36 option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
34 option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) 37 option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
35 option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) 38 option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -37,16 +40,16 @@ index 85ec289644..09ac96784e 100644
37 40
38 41
39 option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE) 42 option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
40@@ -289,6 +290,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}") 43@@ -291,6 +292,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
41 message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}") 44 message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
42 message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}") 45 message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
43 message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}") 46 message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
44+message(STATUS "OpenEmbedded nodistro: ${SSG_PRODUCT_OE}") 47+message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OE}")
45
46 48
47 49
48@@ -410,6 +412,9 @@ endif() 50 message(STATUS " ")
49 if (SSG_PRODUCT_UOS20) 51@@ -409,6 +411,9 @@ endif()
52 if(SSG_PRODUCT_UOS20)
50 add_subdirectory("products/uos20" "uos20") 53 add_subdirectory("products/uos20" "uos20")
51 endif() 54 endif()
52+if (SSG_PRODUCT_OE) 55+if (SSG_PRODUCT_OE)
@@ -56,14 +59,14 @@ index 85ec289644..09ac96784e 100644
56 # ZIP only contains source datastreams and kickstarts, people who 59 # ZIP only contains source datastreams and kickstarts, people who
57 # want sources to build from should get the tarball instead. 60 # want sources to build from should get the tarball instead.
58diff --git a/build_product b/build_product 61diff --git a/build_product b/build_product
59index fc793cbe70..197d925b7e 100755 62index fc793cbe70..7bdc03edfe 100755
60--- a/build_product 63--- a/build_product
61+++ b/build_product 64+++ b/build_product
62@@ -333,6 +333,7 @@ all_cmake_products=( 65@@ -333,6 +333,7 @@ all_cmake_products=(
63 UBUNTU2204 66 UBUNTU2204
64 UOS20 67 UOS20
65 MACOS1015 68 MACOS1015
66+ OPENEMBEDDED 69+ OPENEMBEDDED
67 ) 70 )
68 71
69 DEFAULT_OVAL_MAJOR_VERSION=5 72 DEFAULT_OVAL_MAJOR_VERSION=5
@@ -81,7 +84,7 @@ index 0000000000..1981adf53e
81+ssg_build_product("openembedded") 84+ssg_build_product("openembedded")
82diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml 85diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
83new file mode 100644 86new file mode 100644
84index 0000000000..9f2f12d737 87index 0000000000..debf6870ef
85--- /dev/null 88--- /dev/null
86+++ b/products/openembedded/product.yml 89+++ b/products/openembedded/product.yml
87@@ -0,0 +1,19 @@ 90@@ -0,0 +1,19 @@
@@ -101,15 +104,15 @@ index 0000000000..9f2f12d737
101+cpes_root: "../../shared/applicability" 104+cpes_root: "../../shared/applicability"
102+cpes: 105+cpes:
103+ - openembedded: 106+ - openembedded:
104+ name: "cpe:/o:openembedded" 107+ name: "cpe:/o:openembedded:nodistro:"
105+ title: "OpenEmbedded nodistro" 108+ title: "OpenEmbedded nodistro"
106+ check_id: installed_OS_is_openembedded 109+ check_id: installed_OS_is_openembedded
107diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile 110diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
108new file mode 100644 111new file mode 100644
109index 0000000000..44339d716c 112index 0000000000..fcb9e0e5c2
110--- /dev/null 113--- /dev/null
111+++ b/products/openembedded/profiles/standard.profile 114+++ b/products/openembedded/profiles/standard.profile
112@@ -0,0 +1,12 @@ 115@@ -0,0 +1,166 @@
113+documentation_complete: true 116+documentation_complete: true
114+ 117+
115+title: 'Sample Security Profile for OpenEmbedded Distros' 118+title: 'Sample Security Profile for OpenEmbedded Distros'
@@ -121,10 +124,164 @@ index 0000000000..44339d716c
121+selections: 124+selections:
122+ - file_owner_etc_passwd 125+ - file_owner_etc_passwd
123+ - file_groupowner_etc_passwd 126+ - file_groupowner_etc_passwd
127+ - service_crond_enabled
128+ - file_groupowner_crontab
129+ - file_owner_crontab
130+ - file_permissions_crontab
131+ - file_groupowner_cron_hourly
132+ - file_owner_cron_hourly
133+ - file_permissions_cron_hourly
134+ - file_groupowner_cron_daily
135+ - file_owner_cron_daily
136+ - file_permissions_cron_daily
137+ - file_groupowner_cron_weekly
138+ - file_owner_cron_weekly
139+ - file_permissions_cron_weekly
140+ - file_groupowner_cron_monthly
141+ - file_owner_cron_monthly
142+ - file_permissions_cron_monthly
143+ - file_groupowner_cron_d
144+ - file_owner_cron_d
145+ - file_permissions_cron_d
146+ - file_groupowner_cron_allow
147+ - file_owner_cron_allow
148+ - file_cron_deny_not_exist
149+ - file_groupowner_at_allow
150+ - file_owner_at_allow
151+ - file_at_deny_not_exist
152+ - file_permissions_at_allow
153+ - file_permissions_cron_allow
154+ - file_groupowner_sshd_config
155+ - file_owner_sshd_config
156+ - file_permissions_sshd_config
157+ - file_permissions_sshd_private_key
158+ - file_permissions_sshd_pub_key
159+ - sshd_set_loglevel_verbose
160+ - sshd_set_loglevel_info
161+ - sshd_max_auth_tries_value=4
162+ - sshd_set_max_auth_tries
163+ - sshd_disable_rhosts
164+ - disable_host_auth
165+ - sshd_disable_root_login
166+ - sshd_disable_empty_passwords
167+ - sshd_do_not_permit_user_env
168+ - sshd_idle_timeout_value=15_minutes
169+ - sshd_set_idle_timeout
170+ - sshd_set_keepalive
171+ - var_sshd_set_keepalive=0
172+ - sshd_set_login_grace_time
173+ - var_sshd_set_login_grace_time=60
174+ - sshd_enable_warning_banner
175+ - sshd_enable_pam
176+ - sshd_set_maxstartups
177+ - var_sshd_set_maxstartups=10:30:60
178+ - sshd_set_max_sessions
179+ - var_sshd_max_sessions=10
180+ - accounts_password_pam_minclass
181+ - accounts_password_pam_minlen
182+ - accounts_password_pam_retry
183+ - var_password_pam_minclass=4
184+ - var_password_pam_minlen=14
185+ - locking_out_password_attempts
186+ - accounts_password_pam_pwhistory_remember_password_auth
187+ - accounts_password_pam_pwhistory_remember_system_auth
188+ - var_password_pam_remember_control_flag=required
189+ - var_password_pam_remember=5
190+ - set_password_hashing_algorithm_systemauth
191+ - var_accounts_maximum_age_login_defs=365
192+ - accounts_password_set_max_life_existing
193+ - var_accounts_minimum_age_login_defs=7
194+ - accounts_password_set_min_life_existing
195+ - var_accounts_password_warn_age_login_defs=7
196+ - account_disable_post_pw_expiration
197+ - var_account_disable_post_pw_expiration=30
198+ - no_shelllogin_for_systemaccounts
199+ - accounts_tmout
200+ - var_accounts_tmout=15_min
201+ - accounts_root_gid_zero
202+ - accounts_umask_etc_bashrc
203+ - use_pam_wheel_for_su
204+ - sshd_allow_only_protocol2
205+ - journald_forward_to_syslog
206+ - journald_compress
207+ - journald_storage
208+ - service_auditd_enabled
209+ - service_httpd_disabled
210+ - service_vsftpd_disabled
211+ - service_named_disabled
212+ - service_nfs_disabled
213+ - service_rpcbind_disabled
214+ - service_slapd_disabled
215+ - service_dhcpd_disabled
216+ - service_cups_disabled
217+ - service_ypserv_disabled
218+ - service_rsyncd_disabled
219+ - service_avahi-daemon_disabled
220+ - service_snmpd_disabled
221+ - service_squid_disabled
222+ - service_smb_disabled
223+ - service_dovecot_disabled
224+ - banner_etc_motd
225+ - login_banner_text=cis_banners
226+ - banner_etc_issue
227+ - login_banner_text=cis_banners
228+ - file_groupowner_etc_motd
229+ - file_owner_etc_motd
230+ - file_permissions_etc_motd
231+ - file_groupowner_etc_issue
232+ - file_owner_etc_issue
233+ - file_permissions_etc_issue
234+ - ensure_gpgcheck_globally_activated
235+ - package_aide_installed
236+ - aide_periodic_cron_checking
237+ - grub2_password
238+ - file_groupowner_grub2_cfg
239+ - file_owner_grub2_cfg
240+ - file_permissions_grub2_cfg
241+ - require_singleuser_auth
242+ - require_emergency_target_auth
243+ - disable_users_coredumps
244+ - configure_crypto_policy
245+ - var_system_crypto_policy=default_policy
246+ - dir_perms_world_writable_sticky_bits
124+ - file_permissions_etc_passwd 247+ - file_permissions_etc_passwd
248+ - file_owner_etc_shadow
249+ - file_groupowner_etc_shadow
250+ - file_groupowner_etc_group
251+ - file_owner_etc_group
252+ - file_permissions_etc_group
253+ - file_groupowner_etc_gshadow
254+ - file_owner_etc_gshadow
255+ - file_groupowner_backup_etc_passwd
256+ - file_owner_backup_etc_passwd
257+ - file_permissions_backup_etc_passwd
258+ - file_groupowner_backup_etc_shadow
259+ - file_owner_backup_etc_shadow
260+ - file_permissions_backup_etc_shadow
261+ - file_groupowner_backup_etc_group
262+ - file_owner_backup_etc_group
263+ - file_permissions_backup_etc_group
264+ - file_groupowner_backup_etc_gshadow
265+ - file_owner_backup_etc_gshadow
266+ - file_permissions_unauthorized_world_writable
267+ - file_permissions_ungroupowned
268+ - accounts_root_path_dirs_no_write
269+ - root_path_no_dot
270+ - accounts_no_uid_except_zero
271+ - file_ownership_home_directories
272+ - file_groupownership_home_directories
273+ - no_netrc_files
274+ - no_rsh_trust_files
275+ - account_unique_id
276+ - group_unique_id
277+ - group_unique_name
278+ - wireless_disable_interfaces
279+ - package_firewalld_installed
280+ - service_firewalld_enabled
281+ - package_iptables_installed
125diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt 282diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt
126new file mode 100644 283new file mode 100644
127index 0000000000..85e812a7c1 284index 0000000000..152571e8bb
128--- /dev/null 285--- /dev/null
129+++ b/products/openembedded/transforms/constants.xslt 286+++ b/products/openembedded/transforms/constants.xslt
130@@ -0,0 +1,10 @@ 287@@ -0,0 +1,10 @@
@@ -132,15 +289,15 @@ index 0000000000..85e812a7c1
132+ 289+
133+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/> 290+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
134+ 291+
135+<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable> 292+<xsl:variable name="product_long_name">OpenEmbedded</xsl:variable>
136+<xsl:variable name="product_short_name">OE nodistro</xsl:variable> 293+<xsl:variable name="product_short_name">openembedded</xsl:variable>
137+<xsl:variable name="product_stig_id_name">empty</xsl:variable> 294+<xsl:variable name="product_stig_id_name">empty</xsl:variable>
138+<xsl:variable name="prod_type">openembedded</xsl:variable> 295+<xsl:variable name="prod_type">openembedded</xsl:variable>
139+ 296+
140+</xsl:stylesheet> 297+</xsl:stylesheet>
141diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml 298diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
142new file mode 100644 299new file mode 100644
143index 0000000000..17c2873686 300index 0000000000..11ebdca913
144--- /dev/null 301--- /dev/null
145+++ b/shared/checks/oval/installed_OS_is_openembedded.xml 302+++ b/shared/checks/oval/installed_OS_is_openembedded.xml
146@@ -0,0 +1,33 @@ 303@@ -0,0 +1,33 @@
@@ -151,19 +308,19 @@ index 0000000000..17c2873686
151+ <affected family="unix"> 308+ <affected family="unix">
152+ <platform>multi_platform_all</platform> 309+ <platform>multi_platform_all</platform>
153+ </affected> 310+ </affected>
154+ <description>The operating system installed is an OpenEmbedded System</description> 311+ <description>The operating system installed is an OpenEmbedded based system</description>
155+ </metadata> 312+ </metadata>
156+ <criteria comment="System is OpenEmbedded" operator="AND"> 313+ <criteria comment="System is OpenEmbedded based" operator="AND">
157+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" /> 314+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
158+ <criterion comment="OpenEmbedded distro" test_ref="test_os_release" /> 315+ <criterion comment="OpenEmbedded distro" test_ref="test_os_openembedded" />
159+ <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" /> 316+ <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" />
160+ </criteria> 317+ </criteria>
161+ </definition> 318+ </definition>
162+ 319+
163+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release" version="1"> 320+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_openembedded" version="1">
164+ <unix:object object_ref="obj_os_release" /> 321+ <unix:object object_ref="obj_os_openembedded" />
165+ </unix:file_test> 322+ </unix:file_test>
166+ <unix:file_object comment="check /etc/os-release file" id="obj_os_release" version="1"> 323+ <unix:file_object comment="check /etc/os-release file" id="obj_os_openembedded" version="1">
167+ <unix:filepath>/etc/os-release</unix:filepath> 324+ <unix:filepath>/etc/os-release</unix:filepath>
168+ </unix:file_object> 325+ </unix:file_object>
169+ 326+
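Review bot: The merged standard.profile (hunk `@@ -121,10 +124,164 @@`) keeps the value selections `var_accounts_maximum_age_login_defs=365`, `var_accounts_minimum_age_login_defs=7` and `var_accounts_password_warn_age_login_defs=7`, but the rules that consume them — `accounts_maximum_age_login_defs`, `accounts_minimum_age_login_defs`, `accounts_password_warn_age_login_defs`, all selected by the deleted 0001-standard.profile-expand-checks.patch — are no longer in the list, so those three values are set and nothing evaluates them; either restore the three rule lines next to their `var_` lines or drop the orphaned variables. The fold into this patch also silently drops `accounts_umask_etc_login_defs`, `coredump_disable_backtraces`/`coredump_disable_storage`, `file_permissions_backup_etc_gshadow`, `kernel_module_sctp_disabled`/`kernel_module_dccp_disabled` and the entire `sysctl_net_*` block relative to the deleted patch, which reads as a hardening regression unless those rules were removed because they fail or do not apply on OE images; the commit message does not say, so a short comment in the profile such as `# sysctl_net_*/kernel_module_* rules intentionally omitted: TODO state reason` would stop them being re-added blindly. `login_banner_text=cis_banners` is listed twice (after `banner_etc_motd` and again after `banner_etc_issue`); the second occurrence is redundant.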
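--- a/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch
+++ /dev/null
@@ -1,231 +0,0 @@
-From 7af2da3bbe1d5b4cba89c6dae9ea267717b865ea Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 21 Jun 2023 07:46:38 -0400
-Subject: [PATCH] standard.profile: expand checks
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Upstream-status: Pending
----
- .../openembedded/profiles/standard.profile | 206 ++++++++++++++++++
- 1 file changed, 206 insertions(+)
-
-diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
-index 44339d716c..877d1a3971 100644
---- a/products/openembedded/profiles/standard.profile
-+++ b/products/openembedded/profiles/standard.profile
-@@ -9,4 +9,210 @@ description: |-
- selections:
- - file_owner_etc_passwd
- - file_groupowner_etc_passwd
-+ - service_crond_enabled
-+ - file_groupowner_crontab
-+ - file_owner_crontab
-+ - file_permissions_crontab
-+ - file_groupowner_cron_hourly
-+ - file_owner_cron_hourly
-+ - file_permissions_cron_hourly
-+ - file_groupowner_cron_daily
-+ - file_owner_cron_daily
-+ - file_permissions_cron_daily
-+ - file_groupowner_cron_weekly
-+ - file_owner_cron_weekly
-+ - file_permissions_cron_weekly
-+ - file_groupowner_cron_monthly
-+ - file_owner_cron_monthly
-+ - file_permissions_cron_monthly
-+ - file_groupowner_cron_d
-+ - file_owner_cron_d
-+ - file_permissions_cron_d
-+ - file_groupowner_cron_allow
-+ - file_owner_cron_allow
-+ - file_cron_deny_not_exist
-+ - file_groupowner_at_allow
-+ - file_owner_at_allow
-+ - file_at_deny_not_exist
-+ - file_permissions_at_allow
-+ - file_permissions_cron_allow
-+ - file_groupowner_sshd_config
-+ - file_owner_sshd_config
-+ - file_permissions_sshd_config
-+ - file_permissions_sshd_private_key
-+ - file_permissions_sshd_pub_key
-+ - sshd_set_loglevel_verbose
-+ - sshd_set_loglevel_info
-+ - sshd_max_auth_tries_value=4
-+ - sshd_set_max_auth_tries
-+ - sshd_disable_rhosts
-+ - disable_host_auth
-+ - sshd_disable_root_login
-+ - sshd_disable_empty_passwords
-+ - sshd_do_not_permit_user_env
-+ - sshd_idle_timeout_value=15_minutes
-+ - sshd_set_idle_timeout
-+ - sshd_set_keepalive
-+ - var_sshd_set_keepalive=0
-+ - sshd_set_login_grace_time
-+ - var_sshd_set_login_grace_time=60
-+ - sshd_enable_warning_banner
-+ - sshd_enable_pam
-+ - sshd_set_maxstartups
-+ - var_sshd_set_maxstartups=10:30:60
-+ - sshd_set_max_sessions
-+ - var_sshd_max_sessions=10
-+ - accounts_password_pam_minclass
-+ - accounts_password_pam_minlen
-+ - accounts_password_pam_retry
-+ - var_password_pam_minclass=4
-+ - var_password_pam_minlen=14
-+ - locking_out_password_attempts
-+ - accounts_password_pam_pwhistory_remember_password_auth
-+ - accounts_password_pam_pwhistory_remember_system_auth
-+ - var_password_pam_remember_control_flag=required
-+ - var_password_pam_remember=5
-+ - set_password_hashing_algorithm_systemauth
-+ - accounts_maximum_age_login_defs
-+ - var_accounts_maximum_age_login_defs=365
-+ - accounts_password_set_max_life_existing
-+ - accounts_minimum_age_login_defs
-+ - var_accounts_minimum_age_login_defs=7
-+ - accounts_password_set_min_life_existing
-+ - accounts_password_warn_age_login_defs
-+ - var_accounts_password_warn_age_login_defs=7
-+ - account_disable_post_pw_expiration
-+ - var_account_disable_post_pw_expiration=30
-+ - no_shelllogin_for_systemaccounts
-+ - accounts_tmout
-+ - var_accounts_tmout=15_min
-+ - accounts_root_gid_zero
-+ - accounts_umask_etc_bashrc
-+ - accounts_umask_etc_login_defs
-+ - use_pam_wheel_for_su
-+ - sshd_allow_only_protocol2
-+ - journald_forward_to_syslog
-+ - journald_compress
-+ - journald_storage
-+ - service_auditd_enabled
-+ - service_httpd_disabled
-+ - service_vsftpd_disabled
-+ - service_named_disabled
-+ - service_nfs_disabled
-+ - service_rpcbind_disabled
-+ - service_slapd_disabled
-+ - service_dhcpd_disabled
-+ - service_cups_disabled
-+ - service_ypserv_disabled
-+ - service_rsyncd_disabled
-+ - service_avahi-daemon_disabled
-+ - service_snmpd_disabled
-+ - service_squid_disabled
-+ - service_smb_disabled
-+ - service_dovecot_disabled
-+ - banner_etc_motd
-+ - login_banner_text=cis_banners
-+ - banner_etc_issue
-+ - login_banner_text=cis_banners
-+ - file_groupowner_etc_motd
-+ - file_owner_etc_motd
-+ - file_permissions_etc_motd
-+ - file_groupowner_etc_issue
-+ - file_owner_etc_issue
-+ - file_permissions_etc_issue
-+ - ensure_gpgcheck_globally_activated
-+ - package_aide_installed
-+ - aide_periodic_cron_checking
-+ - grub2_password
-+ - file_groupowner_grub2_cfg
-+ - file_owner_grub2_cfg
-+ - file_permissions_grub2_cfg
-+ - require_singleuser_auth
-+ - require_emergency_target_auth
-+ - disable_users_coredumps
-+ - coredump_disable_backtraces
-+ - coredump_disable_storage
-+ - configure_crypto_policy
-+ - var_system_crypto_policy=default_policy
-+ - dir_perms_world_writable_sticky_bits
- - file_permissions_etc_passwd
-+ - file_owner_etc_shadow
-+ - file_groupowner_etc_shadow
-+ - file_groupowner_etc_group
-+ - file_owner_etc_group
-+ - file_permissions_etc_group
-+ - file_groupowner_etc_gshadow
-+ - file_owner_etc_gshadow
-+ - file_groupowner_backup_etc_passwd
-+ - file_owner_backup_etc_passwd
-+ - file_permissions_backup_etc_passwd
-+ - file_groupowner_backup_etc_shadow
-+ - file_owner_backup_etc_shadow
-+ - file_permissions_backup_etc_shadow
-+ - file_groupowner_backup_etc_group
-+ - file_owner_backup_etc_group
-+ - file_permissions_backup_etc_group
-+ - file_groupowner_backup_etc_gshadow
-+ - file_owner_backup_etc_gshadow
-+ - file_permissions_backup_etc_gshadow
-+ - file_permissions_unauthorized_world_writable
-+ - file_permissions_ungroupowned
-+ - accounts_root_path_dirs_no_write
-+ - root_path_no_dot
-+ - accounts_no_uid_except_zero
-+ - file_ownership_home_directories
-+ - file_groupownership_home_directories
-+ - no_netrc_files
-+ - no_rsh_trust_files
-+ - account_unique_id
-+ - group_unique_id
-+ - group_unique_name
-+ - kernel_module_sctp_disabled
-+ - kernel_module_dccp_disabled
-+ - wireless_disable_interfaces
-+ - sysctl_net_ipv4_ip_forward
-+ - sysctl_net_ipv6_conf_all_forwarding
-+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-+ - sysctl_net_ipv4_conf_all_send_redirects
-+ - sysctl_net_ipv4_conf_default_send_redirects
-+ - sysctl_net_ipv4_conf_all_accept_source_route
-+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-+ - sysctl_net_ipv4_conf_default_accept_source_route
-+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-+ - sysctl_net_ipv6_conf_all_accept_source_route
-+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-+ - sysctl_net_ipv6_conf_default_accept_source_route
-+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
-+ - sysctl_net_ipv4_conf_all_accept_redirects
-+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_default_accept_redirects
-+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
-+ - sysctl_net_ipv6_conf_all_accept_redirects
-+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
-+ - sysctl_net_ipv6_conf_default_accept_redirects
-+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_all_secure_redirects
-+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_default_secure_redirects
-+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_all_log_martians
-+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
-+ - sysctl_net_ipv4_conf_default_log_martians
-+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-+ - sysctl_net_ipv4_conf_all_rp_filter
-+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-+ - sysctl_net_ipv4_conf_default_rp_filter
-+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-+ - sysctl_net_ipv4_tcp_syncookies
-+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
-+ - sysctl_net_ipv6_conf_all_accept_ra
-+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
-+ - sysctl_net_ipv6_conf_default_accept_ra
-+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
-+ - package_firewalld_installed
-+ - service_firewalld_enabled
-+ - package_iptables_installed
---
-2.34.1
-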
diff --git a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch b/recipes-compliance/scap-security-guide/files/0002-scap-security-guide-Add-Poky-support.patch
index 355f954..1639264 100644
--- a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch
+++ b/recipes-compliance/scap-security-guide/files/0002-scap-security-guide-Add-Poky-support.patch
@@ -1,30 +1,27 @@
1From 23a224203a73688567f500380644e5cf30c8ed99 Mon Sep 17 00:00:00 2001 1From 2be977a60c944a54594d5786b2d8869ed72a9a06 Mon Sep 17 00:00:00 2001
2From: Armin Kuster <akuster808@gmail.com> 2From: Armin Kuster <akuster808@gmail.com>
3Date: Thu, 22 Jun 2023 06:19:26 -0400 3Date: Wed, 5 Jul 2023 12:57:52 -0400
4Subject: [PATCH] scap-security-guide: add Poky support 4Subject: [PATCH 2/2] scap-security-guide: Add Poky support
5 5
6Signed-off-by: Armin Kuster <akuster808@gmail.com> 6Signed-off-by: Armin Kuster <akuster808@gmail.com>
7 7
8Upstream-Status: Pending 8Upstream-Status: Pending
9Waiting to see if OE changes get merged.
9Signed-off-by: Armin Kuster <akuster808@gmail.com> 10Signed-off-by: Armin Kuster <akuster808@gmail.com>
10 11
12
11--- 13---
12 products/openembedded/product.yml | 7 +++- 14 products/openembedded/product.yml | 6 ++++
13 .../openembedded/transforms/constants.xslt | 4 +-- 15 shared/checks/oval/installed_OS_is_poky.xml | 33 +++++++++++++++++++++
14 shared/checks/oval/installed_OS_is_poky.xml | 33 +++++++++++++++++++ 16 2 files changed, 39 insertions(+)
15 3 files changed, 41 insertions(+), 3 deletions(-)
16 create mode 100644 shared/checks/oval/installed_OS_is_poky.xml 17 create mode 100644 shared/checks/oval/installed_OS_is_poky.xml
17 18
18diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml 19diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
19index 9f2f12d737..a495e197c0 100644 20index debf6870ef..d63479d5d3 100644
20--- a/products/openembedded/product.yml 21--- a/products/openembedded/product.yml
21+++ b/products/openembedded/product.yml 22+++ b/products/openembedded/product.yml
22@@ -14,6 +14,11 @@ init_system: "systemd" 23@@ -17,3 +17,9 @@ cpes:
23 cpes_root: "../../shared/applicability" 24 name: "cpe:/o:openembedded:nodistro:"
24 cpes:
25 - openembedded:
26- name: "cpe:/o:openembedded"
27+ name: "cpe:/o:openembedded:nodistro:"
28 title: "OpenEmbedded nodistro" 25 title: "OpenEmbedded nodistro"
29 check_id: installed_OS_is_openembedded 26 check_id: installed_OS_is_openembedded
30+ 27+
@@ -32,24 +29,10 @@ index 9f2f12d737..a495e197c0 100644
32+ name: "cpe:/o:openembedded:poky:" 29+ name: "cpe:/o:openembedded:poky:"
33+ title: "OpenEmbedded Poky reference distribution" 30+ title: "OpenEmbedded Poky reference distribution"
34+ check_id: installed_OS_is_poky 31+ check_id: installed_OS_is_poky
35diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt 32+
36index 85e812a7c1..8901def2f9 100644
37--- a/products/openembedded/transforms/constants.xslt
38+++ b/products/openembedded/transforms/constants.xslt
39@@ -2,8 +2,8 @@
40
41 <xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
42
43-<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable>
44-<xsl:variable name="product_short_name">OE nodistro</xsl:variable>
45+<xsl:variable name="product_long_name">OpenEmbedded based distribution</xsl:variable>
46+<xsl:variable name="product_short_name">OE distros</xsl:variable>
47 <xsl:variable name="product_stig_id_name">empty</xsl:variable>
48 <xsl:variable name="prod_type">openembedded</xsl:variable>
49
50diff --git a/shared/checks/oval/installed_OS_is_poky.xml b/shared/checks/oval/installed_OS_is_poky.xml 33diff --git a/shared/checks/oval/installed_OS_is_poky.xml b/shared/checks/oval/installed_OS_is_poky.xml
51new file mode 100644 34new file mode 100644
52index 0000000000..9c41acd786 35index 0000000000..b8805cf31b
53--- /dev/null 36--- /dev/null
54+++ b/shared/checks/oval/installed_OS_is_poky.xml 37+++ b/shared/checks/oval/installed_OS_is_poky.xml
55@@ -0,0 +1,33 @@ 38@@ -0,0 +1,33 @@
@@ -60,19 +43,19 @@ index 0000000000..9c41acd786
60+ <affected family="unix"> 43+ <affected family="unix">
61+ <platform>multi_platform_all</platform> 44+ <platform>multi_platform_all</platform>
62+ </affected> 45+ </affected>
63+ <description>The operating system installed is a Poky referenece based System</description> 46+ <description>The operating system installed is a Poky based System</description>
64+ </metadata> 47+ </metadata>
65+ <criteria comment="System is Poky reference distribution" operator="AND"> 48+ <criteria comment="System is Poky based distribution" operator="AND">
66+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" /> 49+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
67+ <criterion comment="Poky based distro" test_ref="test_os_release_poky" /> 50+ <criterion comment="Poky based distro" test_ref="test_os_poky" />
68+ <criterion comment="Poky referenece distribution is installed" test_ref="test_poky" /> 51+ <criterion comment="Poky based distribution is installed" test_ref="test_poky" />
69+ </criteria> 52+ </criteria>
70+ </definition> 53+ </definition>
71+ 54+
72+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release_poky" version="1"> 55+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_poky" version="1">
73+ <unix:object object_ref="obj_os_release_poky" /> 56+ <unix:object object_ref="obj_os_poky" />
74+ </unix:file_test> 57+ </unix:file_test>
75+ <unix:file_object comment="check /etc/os-release file" id="obj_os_release_poky" version="1"> 58+ <unix:file_object comment="check /etc/os-release file" id="obj_os_poky" version="1">
76+ <unix:filepath>/etc/os-release</unix:filepath> 59+ <unix:filepath>/etc/os-release</unix:filepath>
77+ </unix:file_object> 60+ </unix:file_object>
78+ 61+
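Review bot: In installed_OS_is_poky.xml the renamed `test_os_poky` is still a `unix:file_test` with `check_existence="all_exist"` on `/etc/os-release`, so it only asserts that the file exists — true on practically any Linux image — and does not identify Poky at all; its criterion comment `Poky based distro` overstates what the test checks, and the same applies to `test_os_openembedded` in the first patch. Whatever actually discriminates Poky from generic OpenEmbedded must live in `test_poky`, which is outside this hunk, so I cannot confirm it inspects the `ID`/`NAME` fields; at minimum the criterion comment should match the test's own comment, e.g. `<criterion comment="/etc/os-release exists" test_ref="test_os_poky" />`. Since a Poky image is itself OpenEmbedded-based, both CPE checks in product.yml may evaluate true on the same host; it would be worth a short comment in product.yml stating which CPE is expected to take precedence.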
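--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
@@ -6,12 +6,11 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
 LICENSE = "BSD-3-Clause"
 
-SRCREV = "dad85502ce8da722a6afc391346c41cee61e90a9"
+SRCREV = "3a1012bc9ec2b01b3b71c6feefd3cff0f52bd64d"
 SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \
- file://0001-scap-security-guide-add-openembedded.patch \
- file://0001-standard.profile-expand-checks.patch \
- file://0001-scap-security-guide-add-Poky-support.patch \
  file://run_eval.sh \
+ file://0001-scap-security-guide-add-openembedded-distro-support.patch \
+ file://0002-scap-security-guide-Add-Poky-support.patch \
  "
 
 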