scap-security-guide: update to 0.1.69+

Update to tip of branch Drop 0001-scap-security-guide-add-openembedded-distro-support.patch is now included in tip Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2023-08-31 07:54:32 -0400
committer: Armin Kuster <akuster808@gmail.com> 2023-09-08 12:06:31 -0400
commit: 8a91e5e9d19c692e1eefe546132848bebdbd374b (patch)
tree: e90ea9b9b536b80e4ad4ae149d36a5aa757a4bdf
parent: 533da3cd2b17c866b04bac530c90548fd46861d2 (diff)
download: meta-security-8a91e5e9d19c692e1eefe546132848bebdbd374b.tar.gz
2 files changed, 2 insertions, 391 deletions
diff --git a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch b/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
deleted file mode 100644
index 0db2b12..0000000
--- a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
+++ /dev/null
@@ -1,388 +0,0 @@
-From 826dd5b109f79270819703a23cc8066895d68042 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 14 Jun 2023 07:46:55 -0400
-Subject: [PATCH 1/2] scap-security-guide: add openembedded distro support
-includes a standard profile for out-of-the-box checks
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Upstream-Status: Pending
-https://github.com/ComplianceAsCode/content/pull/10793
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
- CMakeLists.txt                                |   5 +
- build_product                                 |   1 +
- products/openembedded/CMakeLists.txt          |   6 +
- products/openembedded/product.yml             |  19 ++
- .../openembedded/profiles/standard.profile    | 166 ++++++++++++++++++
- .../openembedded/transforms/constants.xslt    |  10 ++
- .../oval/installed_OS_is_openembedded.xml     |  33 ++++
- .../oval/sysctl_kernel_ipv6_disable.xml       |   1 +
- ssg/constants.py                              |   5 +-
- 9 files changed, 245 insertions(+), 1 deletion(-)
- create mode 100644 products/openembedded/CMakeLists.txt
- create mode 100644 products/openembedded/product.yml
- create mode 100644 products/openembedded/profiles/standard.profile
- create mode 100644 products/openembedded/transforms/constants.xslt
- create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 6b1ac00ff9..e4191f2cef 100644
--- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -97,6 +97,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
- option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-+option(SSG_PRODUCT_OE "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- 
- 
- option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
-@@ -291,6 +292,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
- message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
- message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
- message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
-+message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OE}")
- 
- 
- message(STATUS " ")
-@@ -409,6 +411,9 @@ endif()
- if(SSG_PRODUCT_UOS20)
-     add_subdirectory("products/uos20" "uos20")
- endif()
-+if (SSG_PRODUCT_OE)
-+    add_subdirectory("products/openembedded" "openembedded")
-+endif()
- 
- # ZIP only contains source datastreams and kickstarts, people who
- # want sources to build from should get the tarball instead.
-diff --git a/build_product b/build_product
-index fc793cbe70..7bdc03edfe 100755
--- a/build_product
-+++ b/build_product
-@@ -333,6 +333,7 @@ all_cmake_products=(
-        UBUNTU2204
-        UOS20
-        MACOS1015
-+       OPENEMBEDDED
- )
- 
- DEFAULT_OVAL_MAJOR_VERSION=5
-diff --git a/products/openembedded/CMakeLists.txt b/products/openembedded/CMakeLists.txt
-new file mode 100644
-index 0000000000..1981adf53e
--- /dev/null
-+++ b/products/openembedded/CMakeLists.txt
-@@ -0,0 +1,6 @@
-+# Sometimes our users will try to do: "cd openembedded; cmake ." That needs to error in a nice way.
-+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
-+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
-+endif()
-+
-+ssg_build_product("openembedded")
-diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
-new file mode 100644
-index 0000000000..debf6870ef
--- /dev/null
-+++ b/products/openembedded/product.yml
-@@ -0,0 +1,19 @@
-+product: openembedded
-+full_name: OpemEmbedded 
-+type: platform
-+
-+benchmark_id: OPENEMBEDDED
-+benchmark_root: "../../linux_os/guide"
-+
-+profiles_root: "./profiles"
-+
-+pkg_manager: "dnf"
-+
-+init_system: "systemd"
-+
-+cpes_root: "../../shared/applicability"
-+cpes:
-+  - openembedded:
-+      name: "cpe:/o:openembedded:nodistro:"
-+      title: "OpenEmbedded nodistro"
-+      check_id: installed_OS_is_openembedded
-diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
-new file mode 100644
-index 0000000000..fcb9e0e5c2
--- /dev/null
-+++ b/products/openembedded/profiles/standard.profile
-@@ -0,0 +1,166 @@
-+documentation_complete: true
-+
-+title: 'Sample Security Profile for OpenEmbedded Distros'
-+
-+description: |-
-+    This profile is an sample for use in documentation and example content.
-+    The selected rules are standard and should pass quickly on most systems.
-+
-+selections:
-+    - file_owner_etc_passwd
-+    - file_groupowner_etc_passwd
-+    - service_crond_enabled
-+    - file_groupowner_crontab
-+    - file_owner_crontab
-+    - file_permissions_crontab
-+    - file_groupowner_cron_hourly
-+    - file_owner_cron_hourly
-+    - file_permissions_cron_hourly
-+    - file_groupowner_cron_daily
-+    - file_owner_cron_daily
-+    - file_permissions_cron_daily
-+    - file_groupowner_cron_weekly
-+    - file_owner_cron_weekly
-+    - file_permissions_cron_weekly
-+    - file_groupowner_cron_monthly
-+    - file_owner_cron_monthly
-+    - file_permissions_cron_monthly
-+    - file_groupowner_cron_d
-+    - file_owner_cron_d
-+    - file_permissions_cron_d
-+    - file_groupowner_cron_allow
-+    - file_owner_cron_allow
-+    - file_cron_deny_not_exist
-+    - file_groupowner_at_allow
-+    - file_owner_at_allow
-+    - file_at_deny_not_exist
-+    - file_permissions_at_allow
-+    - file_permissions_cron_allow
-+    - file_groupowner_sshd_config
-+    - file_owner_sshd_config
-+    - file_permissions_sshd_config
-+    - file_permissions_sshd_private_key
-+    - file_permissions_sshd_pub_key
-+    - sshd_set_loglevel_verbose
-+    - sshd_set_loglevel_info
-+    - sshd_max_auth_tries_value=4
-+    - sshd_set_max_auth_tries
-+    - sshd_disable_rhosts
-+    - disable_host_auth
-+    - sshd_disable_root_login
-+    - sshd_disable_empty_passwords
-+    - sshd_do_not_permit_user_env
-+    - sshd_idle_timeout_value=15_minutes
-+    - sshd_set_idle_timeout
-+    - sshd_set_keepalive
-+    - var_sshd_set_keepalive=0
-+    - sshd_set_login_grace_time
-+    - var_sshd_set_login_grace_time=60
-+    - sshd_enable_warning_banner
-+    - sshd_enable_pam
-+    - sshd_set_maxstartups
-+    - var_sshd_set_maxstartups=10:30:60
-+    - sshd_set_max_sessions
-+    - var_sshd_max_sessions=10
-+    - accounts_password_pam_minclass
-+    - accounts_password_pam_minlen
-+    - accounts_password_pam_retry
-+    - var_password_pam_minclass=4
-+    - var_password_pam_minlen=14
-+    - locking_out_password_attempts
-+    - accounts_password_pam_pwhistory_remember_password_auth
-+    - accounts_password_pam_pwhistory_remember_system_auth
-+    - var_password_pam_remember_control_flag=required
-+    - var_password_pam_remember=5
-+    - set_password_hashing_algorithm_systemauth
-+    - var_accounts_maximum_age_login_defs=365
-+    - accounts_password_set_max_life_existing
-+    - var_accounts_minimum_age_login_defs=7
-+    - accounts_password_set_min_life_existing
-+    - var_accounts_password_warn_age_login_defs=7
-+    - account_disable_post_pw_expiration
-+    - var_account_disable_post_pw_expiration=30
-+    - no_shelllogin_for_systemaccounts
-+    - accounts_tmout
-+    - var_accounts_tmout=15_min
-+    - accounts_root_gid_zero
-+    - accounts_umask_etc_bashrc
-+    - use_pam_wheel_for_su
-+    - sshd_allow_only_protocol2
-+    - journald_forward_to_syslog
-+    - journald_compress
-+    - journald_storage
-+    - service_auditd_enabled
-+    - service_httpd_disabled
-+    - service_vsftpd_disabled
-+    - service_named_disabled
-+    - service_nfs_disabled
-+    - service_rpcbind_disabled
-+    - service_slapd_disabled
-+    - service_dhcpd_disabled
-+    - service_cups_disabled
-+    - service_ypserv_disabled
-+    - service_rsyncd_disabled
-+    - service_avahi-daemon_disabled
-+    - service_snmpd_disabled
-+    - service_squid_disabled
-+    - service_smb_disabled
-+    - service_dovecot_disabled
-+    - banner_etc_motd
-+    - login_banner_text=cis_banners
-+    - banner_etc_issue
-+    - login_banner_text=cis_banners
-+    - file_groupowner_etc_motd
-+    - file_owner_etc_motd
-+    - file_permissions_etc_motd
-+    - file_groupowner_etc_issue
-+    - file_owner_etc_issue
-+    - file_permissions_etc_issue
-+    - ensure_gpgcheck_globally_activated
-+    - package_aide_installed
-+    - aide_periodic_cron_checking
-+    - grub2_password
-+    - file_groupowner_grub2_cfg
-+    - file_owner_grub2_cfg
-+    - file_permissions_grub2_cfg
-+    - require_singleuser_auth
-+    - require_emergency_target_auth
-+    - disable_users_coredumps
-+    - configure_crypto_policy
-+    - var_system_crypto_policy=default_policy
-+    - dir_perms_world_writable_sticky_bits
-+    - file_permissions_etc_passwd
-+    - file_owner_etc_shadow
-+    - file_groupowner_etc_shadow
-+    - file_groupowner_etc_group
-+    - file_owner_etc_group
-+    - file_permissions_etc_group
-+    - file_groupowner_etc_gshadow
-+    - file_owner_etc_gshadow
-+    - file_groupowner_backup_etc_passwd
-+    - file_owner_backup_etc_passwd
-+    - file_permissions_backup_etc_passwd
-+    - file_groupowner_backup_etc_shadow
-+    - file_owner_backup_etc_shadow
-+    - file_permissions_backup_etc_shadow
-+    - file_groupowner_backup_etc_group
-+    - file_owner_backup_etc_group
-+    - file_permissions_backup_etc_group
-+    - file_groupowner_backup_etc_gshadow
-+    - file_owner_backup_etc_gshadow
-+    - file_permissions_unauthorized_world_writable
-+    - file_permissions_ungroupowned
-+    - accounts_root_path_dirs_no_write
-+    - root_path_no_dot
-+    - accounts_no_uid_except_zero
-+    - file_ownership_home_directories
-+    - file_groupownership_home_directories
-+    - no_netrc_files
-+    - no_rsh_trust_files
-+    - account_unique_id
-+    - group_unique_id
-+    - group_unique_name
-+    - wireless_disable_interfaces
-+    - package_firewalld_installed
-+    - service_firewalld_enabled
-+    - package_iptables_installed
-diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt
-new file mode 100644
-index 0000000000..152571e8bb
--- /dev/null
-+++ b/products/openembedded/transforms/constants.xslt
-@@ -0,0 +1,10 @@
-+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-+
-+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
-+
-+<xsl:variable name="product_long_name">OpenEmbedded</xsl:variable>
-+<xsl:variable name="product_short_name">openembedded</xsl:variable>
-+<xsl:variable name="product_stig_id_name">empty</xsl:variable>
-+<xsl:variable name="prod_type">openembedded</xsl:variable>
-+
-+</xsl:stylesheet>
-diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
-new file mode 100644
-index 0000000000..11ebdca913
--- /dev/null
-+++ b/shared/checks/oval/installed_OS_is_openembedded.xml
-@@ -0,0 +1,33 @@
-+<def-group>
-+  <definition class="inventory" id="installed_OS_is_openembedded" version="1">
-+    <metadata>
-+      <title>OpenEmbedded</title>
-+      <affected family="unix">
-+        <platform>multi_platform_all</platform>
-+      </affected>
-+      <description>The operating system installed is an OpenEmbedded based system</description>
-+    </metadata>
-+    <criteria comment="System is OpenEmbedded based" operator="AND">
-+      <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
-+      <criterion comment="OpenEmbedded distro" test_ref="test_os_openembedded" />
-+      <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" />
-+    </criteria>
-+  </definition>
-+
-+  <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_openembedded" version="1">
-+    <unix:object object_ref="obj_os_openembedded" />
-+  </unix:file_test>
-+  <unix:file_object comment="check /etc/os-release file" id="obj_os_openembedded" version="1">
-+    <unix:filepath>/etc/os-release</unix:filepath>
-+  </unix:file_object>
-+
-+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_openembedded" version="1">
-+    <ind:object object_ref="obj_openembedded" />
-+  </ind:textfilecontent54_test>
-+  <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded">
-+    <ind:filepath>/etc/os-release</ind:filepath>
-+    <ind:pattern operation="pattern match">^ID=nodistro$</ind:pattern>
-+    <ind:instance datatype="int">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+
-+</def-group>
-diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-index affb9770cb..4f22df262c 100644
--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-@@ -8,6 +8,7 @@
-        <platform>multi_platform_debian</platform>
-        <platform>multi_platform_example</platform>
-        <platform>multi_platform_fedora</platform>
-+       <platform>multi_platform_openembedded</platform>
-        <platform>multi_platform_opensuse</platform>
-        <platform>multi_platform_ol</platform>
-        <platform>multi_platform_rhcos</platform>
-diff --git a/ssg/constants.py b/ssg/constants.py
-index f66ba008fa..630fbdfcb9 100644
--- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -219,6 +219,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
-     "Ubuntu 20.04": "ubuntu2004",
-     "Ubuntu 22.04": "ubuntu2204",
-     "UnionTech OS Server 20": "uos20",
-+    "OpenEmbedded": "openembedded",
-     "Not Applicable" : "example"
- }
- 
-@@ -267,7 +268,7 @@ REFERENCES = dict(
- 
- MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
-                        "opensuse", "sle", "ol", "ocp", "rhcos",
-                       "example", "eks", "alinux", "uos", "anolis"]
-+                       "example", "eks", "alinux", "uos", "anolis", "openembedded"]
- 
- MULTI_PLATFORM_MAPPING = {
-     "multi_platform_alinux": ["alinux2", "alinux3"],
-@@ -285,6 +286,7 @@ MULTI_PLATFORM_MAPPING = {
-     "multi_platform_sle": ["sle12", "sle15"],
-     "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
-     "multi_platform_uos": ["uos20"],
-+    "multi_platform_openembedded": ["openembedded"],
- }
- 
- RHEL_CENTOS_CPE_MAPPING = {
-@@ -454,6 +456,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
-     'ocp': 'Red Hat OpenShift Container Platform',
-     'rhcos': 'Red Hat Enterprise Linux CoreOS',
-     'eks': 'Amazon Elastic Kubernetes Service',
-+    'openembedded': 'OpenEmbedded',
- }
- 
- # References that can not be used with product-qualifiers
-- 
-2.34.1
diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb
index a972c24..ac839de 100644
--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb
@@ -6,11 +6,10 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
 LICENSE = "BSD-3-Clause"
-SRCREV = "3a1012bc9ec2b01b3b71c6feefd3cff0f52bd64d"
+SRCREV = "d09e81ae00509a9be4b01359166cfbece06e47f4"
 SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \
           file://run_eval.sh \
           file://run-ptest \
-           file://0001-scap-security-guide-add-openembedded-distro-support.patch \
           file://0002-scap-security-guide-Add-Poky-support.patch \
           "
@@ -29,7 +28,7 @@ export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
 OECMAKE_GENERATOR = "Unix Makefiles"
-EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OE=ON"
+EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OPENEMBEDDED=ON"
 do_configure[depends] += "openscap-native:do_install"
author	Armin Kuster <akuster808@gmail.com>	2023-08-31 07:54:32 -0400
committer	Armin Kuster <akuster808@gmail.com>	2023-09-08 12:06:31 -0400
commit	8a91e5e9d19c692e1eefe546132848bebdbd374b (patch)
tree	e90ea9b9b536b80e4ad4ae149d36a5aa757a4bdf
parent	533da3cd2b17c866b04bac530c90548fd46861d2 (diff)
download	meta-security-8a91e5e9d19c692e1eefe546132848bebdbd374b.tar.gz

diff --git a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch b/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch deleted file mode 100644 index 0db2b12..0000000 --- a/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch +++ /dev/null
@@ -1,388 +0,0 @@
1	From 826dd5b109f79270819703a23cc8066895d68042 Mon Sep 17 00:00:00 2001
2	From: Armin Kuster <akuster808@gmail.com>
3	Date: Wed, 14 Jun 2023 07:46:55 -0400
4	Subject: [PATCH 1/2] scap-security-guide: add openembedded distro support
5
6	includes a standard profile for out-of-the-box checks
7
8	Signed-off-by: Armin Kuster <akuster808@gmail.com>
9
10	Upstream-Status: Pending
11	https://github.com/ComplianceAsCode/content/pull/10793
12	Signed-off-by: Armin Kuster <akuster808@gmail.com>
13
14	---
15	CMakeLists.txt \| 5 +
16	build_product \| 1 +
17	products/openembedded/CMakeLists.txt \| 6 +
18	products/openembedded/product.yml \| 19 ++
19	.../openembedded/profiles/standard.profile \| 166 ++++++++++++++++++
20	.../openembedded/transforms/constants.xslt \| 10 ++
21	.../oval/installed_OS_is_openembedded.xml \| 33 ++++
22	.../oval/sysctl_kernel_ipv6_disable.xml \| 1 +
23	ssg/constants.py \| 5 +-
24	9 files changed, 245 insertions(+), 1 deletion(-)
25	create mode 100644 products/openembedded/CMakeLists.txt
26	create mode 100644 products/openembedded/product.yml
27	create mode 100644 products/openembedded/profiles/standard.profile
28	create mode 100644 products/openembedded/transforms/constants.xslt
29	create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml
30
31	diff --git a/CMakeLists.txt b/CMakeLists.txt
32	index 6b1ac00ff9..e4191f2cef 100644
33	--- a/CMakeLists.txt
34	+++ b/CMakeLists.txt
35	@@ -97,6 +97,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
36	option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
37	option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
38	option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
39	+option(SSG_PRODUCT_OE "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
40
41
42	option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
43	@@ -291,6 +292,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
44	message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
45	message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
46	message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
47	+message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OE}")
48
49
50	message(STATUS " ")
51	@@ -409,6 +411,9 @@ endif()
52	if(SSG_PRODUCT_UOS20)
53	add_subdirectory("products/uos20" "uos20")
54	endif()
55	+if (SSG_PRODUCT_OE)
56	+ add_subdirectory("products/openembedded" "openembedded")
57	+endif()
58
59	# ZIP only contains source datastreams and kickstarts, people who
60	# want sources to build from should get the tarball instead.
61	diff --git a/build_product b/build_product
62	index fc793cbe70..7bdc03edfe 100755
63	--- a/build_product
64	+++ b/build_product
65	@@ -333,6 +333,7 @@ all_cmake_products=(
66	UBUNTU2204
67	UOS20
68	MACOS1015
69	+ OPENEMBEDDED
70	)
71
72	DEFAULT_OVAL_MAJOR_VERSION=5
73	diff --git a/products/openembedded/CMakeLists.txt b/products/openembedded/CMakeLists.txt
74	new file mode 100644
75	index 0000000000..1981adf53e
76	--- /dev/null
77	+++ b/products/openembedded/CMakeLists.txt
78	@@ -0,0 +1,6 @@
79	+# Sometimes our users will try to do: "cd openembedded; cmake ." That needs to error in a nice way.
80	+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
81	+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
82	+endif()
83	+
84	+ssg_build_product("openembedded")
85	diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
86	new file mode 100644
87	index 0000000000..debf6870ef
88	--- /dev/null
89	+++ b/products/openembedded/product.yml
90	@@ -0,0 +1,19 @@
91	+product: openembedded
92	+full_name: OpemEmbedded
93	+type: platform
94	+
95	+benchmark_id: OPENEMBEDDED
96	+benchmark_root: "../../linux_os/guide"
97	+
98	+profiles_root: "./profiles"
99	+
100	+pkg_manager: "dnf"
101	+
102	+init_system: "systemd"
103	+
104	+cpes_root: "../../shared/applicability"
105	+cpes:
106	+ - openembedded:
107	+ name: "cpe:/o:openembedded:nodistro:"
108	+ title: "OpenEmbedded nodistro"
109	+ check_id: installed_OS_is_openembedded
110	diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
111	new file mode 100644
112	index 0000000000..fcb9e0e5c2
113	--- /dev/null
114	+++ b/products/openembedded/profiles/standard.profile
115	@@ -0,0 +1,166 @@
116	+documentation_complete: true
117	+
118	+title: 'Sample Security Profile for OpenEmbedded Distros'
119	+
120	+description: \|-
121	+ This profile is an sample for use in documentation and example content.
122	+ The selected rules are standard and should pass quickly on most systems.
123	+
124	+selections:
125	+ - file_owner_etc_passwd
126	+ - file_groupowner_etc_passwd
127	+ - service_crond_enabled
128	+ - file_groupowner_crontab
129	+ - file_owner_crontab
130	+ - file_permissions_crontab
131	+ - file_groupowner_cron_hourly
132	+ - file_owner_cron_hourly
133	+ - file_permissions_cron_hourly
134	+ - file_groupowner_cron_daily
135	+ - file_owner_cron_daily
136	+ - file_permissions_cron_daily
137	+ - file_groupowner_cron_weekly
138	+ - file_owner_cron_weekly
139	+ - file_permissions_cron_weekly
140	+ - file_groupowner_cron_monthly
141	+ - file_owner_cron_monthly
142	+ - file_permissions_cron_monthly
143	+ - file_groupowner_cron_d
144	+ - file_owner_cron_d
145	+ - file_permissions_cron_d
146	+ - file_groupowner_cron_allow
147	+ - file_owner_cron_allow
148	+ - file_cron_deny_not_exist
149	+ - file_groupowner_at_allow
150	+ - file_owner_at_allow
151	+ - file_at_deny_not_exist
152	+ - file_permissions_at_allow
153	+ - file_permissions_cron_allow
154	+ - file_groupowner_sshd_config
155	+ - file_owner_sshd_config
156	+ - file_permissions_sshd_config
157	+ - file_permissions_sshd_private_key
158	+ - file_permissions_sshd_pub_key
159	+ - sshd_set_loglevel_verbose
160	+ - sshd_set_loglevel_info
161	+ - sshd_max_auth_tries_value=4
162	+ - sshd_set_max_auth_tries
163	+ - sshd_disable_rhosts
164	+ - disable_host_auth
165	+ - sshd_disable_root_login
166	+ - sshd_disable_empty_passwords
167	+ - sshd_do_not_permit_user_env
168	+ - sshd_idle_timeout_value=15_minutes
169	+ - sshd_set_idle_timeout
170	+ - sshd_set_keepalive
171	+ - var_sshd_set_keepalive=0
172	+ - sshd_set_login_grace_time
173	+ - var_sshd_set_login_grace_time=60
174	+ - sshd_enable_warning_banner
175	+ - sshd_enable_pam
176	+ - sshd_set_maxstartups
177	+ - var_sshd_set_maxstartups=10:30:60
178	+ - sshd_set_max_sessions
179	+ - var_sshd_max_sessions=10
180	+ - accounts_password_pam_minclass
181	+ - accounts_password_pam_minlen
182	+ - accounts_password_pam_retry
183	+ - var_password_pam_minclass=4
184	+ - var_password_pam_minlen=14
185	+ - locking_out_password_attempts
186	+ - accounts_password_pam_pwhistory_remember_password_auth
187	+ - accounts_password_pam_pwhistory_remember_system_auth
188	+ - var_password_pam_remember_control_flag=required
189	+ - var_password_pam_remember=5
190	+ - set_password_hashing_algorithm_systemauth
191	+ - var_accounts_maximum_age_login_defs=365
192	+ - accounts_password_set_max_life_existing
193	+ - var_accounts_minimum_age_login_defs=7
194	+ - accounts_password_set_min_life_existing
195	+ - var_accounts_password_warn_age_login_defs=7
196	+ - account_disable_post_pw_expiration
197	+ - var_account_disable_post_pw_expiration=30
198	+ - no_shelllogin_for_systemaccounts
199	+ - accounts_tmout
200	+ - var_accounts_tmout=15_min
201	+ - accounts_root_gid_zero
202	+ - accounts_umask_etc_bashrc
203	+ - use_pam_wheel_for_su
204	+ - sshd_allow_only_protocol2
205	+ - journald_forward_to_syslog
206	+ - journald_compress
207	+ - journald_storage
208	+ - service_auditd_enabled
209	+ - service_httpd_disabled
210	+ - service_vsftpd_disabled
211	+ - service_named_disabled
212	+ - service_nfs_disabled
213	+ - service_rpcbind_disabled
214	+ - service_slapd_disabled
215	+ - service_dhcpd_disabled
216	+ - service_cups_disabled
217	+ - service_ypserv_disabled
218	+ - service_rsyncd_disabled
219	+ - service_avahi-daemon_disabled
220	+ - service_snmpd_disabled
221	+ - service_squid_disabled
222	+ - service_smb_disabled
223	+ - service_dovecot_disabled
224	+ - banner_etc_motd
225	+ - login_banner_text=cis_banners
226	+ - banner_etc_issue
227	+ - login_banner_text=cis_banners
228	+ - file_groupowner_etc_motd
229	+ - file_owner_etc_motd
230	+ - file_permissions_etc_motd
231	+ - file_groupowner_etc_issue
232	+ - file_owner_etc_issue
233	+ - file_permissions_etc_issue
234	+ - ensure_gpgcheck_globally_activated
235	+ - package_aide_installed
236	+ - aide_periodic_cron_checking
237	+ - grub2_password
238	+ - file_groupowner_grub2_cfg
239	+ - file_owner_grub2_cfg
240	+ - file_permissions_grub2_cfg
241	+ - require_singleuser_auth
242	+ - require_emergency_target_auth
243	+ - disable_users_coredumps
244	+ - configure_crypto_policy
245	+ - var_system_crypto_policy=default_policy
246	+ - dir_perms_world_writable_sticky_bits
247	+ - file_permissions_etc_passwd
248	+ - file_owner_etc_shadow
249	+ - file_groupowner_etc_shadow
250	+ - file_groupowner_etc_group
251	+ - file_owner_etc_group
252	+ - file_permissions_etc_group
253	+ - file_groupowner_etc_gshadow
254	+ - file_owner_etc_gshadow
255	+ - file_groupowner_backup_etc_passwd
256	+ - file_owner_backup_etc_passwd
257	+ - file_permissions_backup_etc_passwd
258	+ - file_groupowner_backup_etc_shadow
259	+ - file_owner_backup_etc_shadow
260	+ - file_permissions_backup_etc_shadow
261	+ - file_groupowner_backup_etc_group
262	+ - file_owner_backup_etc_group
263	+ - file_permissions_backup_etc_group
264	+ - file_groupowner_backup_etc_gshadow
265	+ - file_owner_backup_etc_gshadow
266	+ - file_permissions_unauthorized_world_writable
267	+ - file_permissions_ungroupowned
268	+ - accounts_root_path_dirs_no_write
269	+ - root_path_no_dot
270	+ - accounts_no_uid_except_zero
271	+ - file_ownership_home_directories
272	+ - file_groupownership_home_directories
273	+ - no_netrc_files
274	+ - no_rsh_trust_files
275	+ - account_unique_id
276	+ - group_unique_id
277	+ - group_unique_name
278	+ - wireless_disable_interfaces
279	+ - package_firewalld_installed
280	+ - service_firewalld_enabled
281	+ - package_iptables_installed
282	diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt
283	new file mode 100644
284	index 0000000000..152571e8bb
285	--- /dev/null
286	+++ b/products/openembedded/transforms/constants.xslt
287	@@ -0,0 +1,10 @@
288	+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
289	+
290	+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
291	+
292	+<xsl:variable name="product_long_name">OpenEmbedded</xsl:variable>
293	+<xsl:variable name="product_short_name">openembedded</xsl:variable>
294	+<xsl:variable name="product_stig_id_name">empty</xsl:variable>
295	+<xsl:variable name="prod_type">openembedded</xsl:variable>
296	+
297	+</xsl:stylesheet>
298	diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
299	new file mode 100644
300	index 0000000000..11ebdca913
301	--- /dev/null
302	+++ b/shared/checks/oval/installed_OS_is_openembedded.xml
303	@@ -0,0 +1,33 @@
304	+<def-group>
305	+ <definition class="inventory" id="installed_OS_is_openembedded" version="1">
306	+ <metadata>
307	+ <title>OpenEmbedded</title>
308	+ <affected family="unix">
309	+ <platform>multi_platform_all</platform>
310	+ </affected>
311	+ <description>The operating system installed is an OpenEmbedded based system</description>
312	+ </metadata>
313	+ <criteria comment="System is OpenEmbedded based" operator="AND">
314	+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
315	+ <criterion comment="OpenEmbedded distro" test_ref="test_os_openembedded" />
316	+ <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" />
317	+ </criteria>
318	+ </definition>
319	+
320	+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_openembedded" version="1">
321	+ <unix:object object_ref="obj_os_openembedded" />
322	+ </unix:file_test>
323	+ <unix:file_object comment="check /etc/os-release file" id="obj_os_openembedded" version="1">
324	+ <unix:filepath>/etc/os-release</unix:filepath>
325	+ </unix:file_object>
326	+
327	+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_openembedded" version="1">
328	+ <ind:object object_ref="obj_openembedded" />
329	+ </ind:textfilecontent54_test>
330	+ <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded">
331	+ <ind:filepath>/etc/os-release</ind:filepath>
332	+ <ind:pattern operation="pattern match">^ID=nodistro$</ind:pattern>
333	+ <ind:instance datatype="int">1</ind:instance>
334	+ </ind:textfilecontent54_object>
335	+
336	+</def-group>
337	diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
338	index affb9770cb..4f22df262c 100644
339	--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
340	+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
341	@@ -8,6 +8,7 @@
342	<platform>multi_platform_debian</platform>
343	<platform>multi_platform_example</platform>
344	<platform>multi_platform_fedora</platform>
345	+ <platform>multi_platform_openembedded</platform>
346	<platform>multi_platform_opensuse</platform>
347	<platform>multi_platform_ol</platform>
348	<platform>multi_platform_rhcos</platform>
349	diff --git a/ssg/constants.py b/ssg/constants.py
350	index f66ba008fa..630fbdfcb9 100644
351	--- a/ssg/constants.py
352	+++ b/ssg/constants.py
353	@@ -219,6 +219,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
354	"Ubuntu 20.04": "ubuntu2004",
355	"Ubuntu 22.04": "ubuntu2204",
356	"UnionTech OS Server 20": "uos20",
357	+ "OpenEmbedded": "openembedded",
358	"Not Applicable" : "example"
359	}
360
361	@@ -267,7 +268,7 @@ REFERENCES = dict(
362
363	MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
364	"opensuse", "sle", "ol", "ocp", "rhcos",
365	- "example", "eks", "alinux", "uos", "anolis"]
366	+ "example", "eks", "alinux", "uos", "anolis", "openembedded"]
367
368	MULTI_PLATFORM_MAPPING = {
369	"multi_platform_alinux": ["alinux2", "alinux3"],
370	@@ -285,6 +286,7 @@ MULTI_PLATFORM_MAPPING = {
371	"multi_platform_sle": ["sle12", "sle15"],
372	"multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
373	"multi_platform_uos": ["uos20"],
374	+ "multi_platform_openembedded": ["openembedded"],
375	}
376
377	RHEL_CENTOS_CPE_MAPPING = {
378	@@ -454,6 +456,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
379	'ocp': 'Red Hat OpenShift Container Platform',
380	'rhcos': 'Red Hat Enterprise Linux CoreOS',
381	'eks': 'Amazon Elastic Kubernetes Service',
382	+ 'openembedded': 'OpenEmbedded',
383	}
384
385	# References that can not be used with product-qualifiers
386	--
387	2.34.1
388


diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb index a972c24..ac839de 100644 --- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb +++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb
@@ -6,11 +6,10 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
6	LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"	6	LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
7	LICENSE = "BSD-3-Clause"	7	LICENSE = "BSD-3-Clause"
8		8
9	SRCREV = "3a1012bc9ec2b01b3b71c6feefd3cff0f52bd64d"	9	SRCREV = "d09e81ae00509a9be4b01359166cfbece06e47f4"
10	SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \	10	SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \
11	file://run_eval.sh \	11	file://run_eval.sh \
12	file://run-ptest \	12	file://run-ptest \
13	file://0001-scap-security-guide-add-openembedded-distro-support.patch \
14	file://0002-scap-security-guide-Add-Poky-support.patch \	13	file://0002-scap-security-guide-Add-Poky-support.patch \
15	"	14	"
16		15
@@ -29,7 +28,7 @@ export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
29		28
30	OECMAKE_GENERATOR = "Unix Makefiles"	29	OECMAKE_GENERATOR = "Unix Makefiles"
31		30
32	EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OE=ON"	31	EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OPENEMBEDDED=ON"
33		32
34	do_configure[depends] += "openscap-native:do_install"	33	do_configure[depends] += "openscap-native:do_install"
35		34