From 826dd5b109f79270819703a23cc8066895d68042 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Wed, 14 Jun 2023 07:46:55 -0400 Subject: [PATCH] scap-security-guide: add openembedded distro support includes a standard profile for out-of-the-box checks Signed-off-by: Armin Kuster --- CMakeLists.txt | 5 + build_product | 1 + products/openembedded/CMakeLists.txt | 6 + products/openembedded/product.yml | 19 ++ .../openembedded/profiles/standard.profile | 166 ++++++++++++++++++ .../openembedded/transforms/constants.xslt | 10 ++ .../oval/installed_OS_is_openembedded.xml | 33 ++++ .../oval/sysctl_kernel_ipv6_disable.xml | 1 + ssg/constants.py | 5 +- 9 files changed, 245 insertions(+), 1 deletion(-) create mode 100644 products/openembedded/CMakeLists.txt create mode 100644 products/openembedded/product.yml create mode 100644 products/openembedded/profiles/standard.profile create mode 100644 products/openembedded/transforms/constants.xslt create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml diff --git a/CMakeLists.txt b/CMakeLists.txt index 6b1ac00ff99..e4191f2cef1 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -97,6 +97,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) +option(SSG_PRODUCT_OE "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE) @@ -291,6 +292,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}") message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}") message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}") message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}") +message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OE}") message(STATUS " ") @@ -409,6 +411,9 @@ endif() if(SSG_PRODUCT_UOS20) add_subdirectory("products/uos20" "uos20") endif() +if (SSG_PRODUCT_OE) + add_subdirectory("products/openembedded" "openembedded") +endif() # ZIP only contains source datastreams and kickstarts, people who # want sources to build from should get the tarball instead. diff --git a/build_product b/build_product index fc793cbe708..7bdc03edfee 100755 --- a/build_product +++ b/build_product @@ -333,6 +333,7 @@ all_cmake_products=( UBUNTU2204 UOS20 MACOS1015 + OPENEMBEDDED ) DEFAULT_OVAL_MAJOR_VERSION=5 diff --git a/products/openembedded/CMakeLists.txt b/products/openembedded/CMakeLists.txt new file mode 100644 index 00000000000..1981adf53ec --- /dev/null +++ b/products/openembedded/CMakeLists.txt @@ -0,0 +1,6 @@ +# Sometimes our users will try to do: "cd openembedded; cmake ." That needs to error in a nice way. +if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") + message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") +endif() + +ssg_build_product("openembedded") diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml new file mode 100644 index 00000000000..debf6870efe --- /dev/null +++ b/products/openembedded/product.yml @@ -0,0 +1,19 @@ +product: openembedded +full_name: OpemEmbedded +type: platform + +benchmark_id: OPENEMBEDDED +benchmark_root: "../../linux_os/guide" + +profiles_root: "./profiles" + +pkg_manager: "dnf" + +init_system: "systemd" + +cpes_root: "../../shared/applicability" +cpes: + - openembedded: + name: "cpe:/o:openembedded:nodistro:" + title: "OpenEmbedded nodistro" + check_id: installed_OS_is_openembedded diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile new file mode 100644 index 00000000000..fcb9e0e5c2c --- /dev/null +++ b/products/openembedded/profiles/standard.profile @@ -0,0 +1,166 @@ +documentation_complete: true + +title: 'Sample Security Profile for OpenEmbedded Distros' + +description: |- + This profile is an sample for use in documentation and example content. + The selected rules are standard and should pass quickly on most systems. + +selections: + - file_owner_etc_passwd + - file_groupowner_etc_passwd + - service_crond_enabled + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly + - file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d + - file_groupowner_cron_allow + - file_owner_cron_allow + - file_cron_deny_not_exist + - file_groupowner_at_allow + - file_owner_at_allow + - file_at_deny_not_exist + - file_permissions_at_allow + - file_permissions_cron_allow + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config + - file_permissions_sshd_private_key + - file_permissions_sshd_pub_key + - sshd_set_loglevel_verbose + - sshd_set_loglevel_info + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries + - sshd_disable_rhosts + - disable_host_auth + - sshd_disable_root_login + - sshd_disable_empty_passwords + - sshd_do_not_permit_user_env + - sshd_idle_timeout_value=15_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=0 + - sshd_set_login_grace_time + - var_sshd_set_login_grace_time=60 + - sshd_enable_warning_banner + - sshd_enable_pam + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 + - sshd_set_max_sessions + - var_sshd_max_sessions=10 + - accounts_password_pam_minclass + - accounts_password_pam_minlen + - accounts_password_pam_retry + - var_password_pam_minclass=4 + - var_password_pam_minlen=14 + - locking_out_password_attempts + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - var_password_pam_remember_control_flag=required + - var_password_pam_remember=5 + - set_password_hashing_algorithm_systemauth + - var_accounts_maximum_age_login_defs=365 + - accounts_password_set_max_life_existing + - var_accounts_minimum_age_login_defs=7 + - accounts_password_set_min_life_existing + - var_accounts_password_warn_age_login_defs=7 + - account_disable_post_pw_expiration + - var_account_disable_post_pw_expiration=30 + - no_shelllogin_for_systemaccounts + - accounts_tmout + - var_accounts_tmout=15_min + - accounts_root_gid_zero + - accounts_umask_etc_bashrc + - use_pam_wheel_for_su + - sshd_allow_only_protocol2 + - journald_forward_to_syslog + - journald_compress + - journald_storage + - service_auditd_enabled + - service_httpd_disabled + - service_vsftpd_disabled + - service_named_disabled + - service_nfs_disabled + - service_rpcbind_disabled + - service_slapd_disabled + - service_dhcpd_disabled + - service_cups_disabled + - service_ypserv_disabled + - service_rsyncd_disabled + - service_avahi-daemon_disabled + - service_snmpd_disabled + - service_squid_disabled + - service_smb_disabled + - service_dovecot_disabled + - banner_etc_motd + - login_banner_text=cis_banners + - banner_etc_issue + - login_banner_text=cis_banners + - file_groupowner_etc_motd + - file_owner_etc_motd + - file_permissions_etc_motd + - file_groupowner_etc_issue + - file_owner_etc_issue + - file_permissions_etc_issue + - ensure_gpgcheck_globally_activated + - package_aide_installed + - aide_periodic_cron_checking + - grub2_password + - file_groupowner_grub2_cfg + - file_owner_grub2_cfg + - file_permissions_grub2_cfg + - require_singleuser_auth + - require_emergency_target_auth + - disable_users_coredumps + - configure_crypto_policy + - var_system_crypto_policy=default_policy + - dir_perms_world_writable_sticky_bits + - file_permissions_etc_passwd + - file_owner_etc_shadow + - file_groupowner_etc_shadow + - file_groupowner_etc_group + - file_owner_etc_group + - file_permissions_etc_group + - file_groupowner_etc_gshadow + - file_owner_etc_gshadow + - file_groupowner_backup_etc_passwd + - file_owner_backup_etc_passwd + - file_permissions_backup_etc_passwd + - file_groupowner_backup_etc_shadow + - file_owner_backup_etc_shadow + - file_permissions_backup_etc_shadow + - file_groupowner_backup_etc_group + - file_owner_backup_etc_group + - file_permissions_backup_etc_group + - file_groupowner_backup_etc_gshadow + - file_owner_backup_etc_gshadow + - file_permissions_unauthorized_world_writable + - file_permissions_ungroupowned + - accounts_root_path_dirs_no_write + - root_path_no_dot + - accounts_no_uid_except_zero + - file_ownership_home_directories + - file_groupownership_home_directories + - no_netrc_files + - no_rsh_trust_files + - account_unique_id + - group_unique_id + - group_unique_name + - wireless_disable_interfaces + - package_firewalld_installed + - service_firewalld_enabled + - package_iptables_installed diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt new file mode 100644 index 00000000000..152571e8bbf --- /dev/null +++ b/products/openembedded/transforms/constants.xslt @@ -0,0 +1,10 @@ + + + + +OpenEmbedded +openembedded +empty +openembedded + + diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml new file mode 100644 index 00000000000..11ebdca913b --- /dev/null +++ b/shared/checks/oval/installed_OS_is_openembedded.xml @@ -0,0 +1,33 @@ + + + + OpenEmbedded + + multi_platform_all + + The operating system installed is an OpenEmbedded based system + + + + + + + + + + + + + /etc/os-release + + + + + + + /etc/os-release + ^ID=nodistro$ + 1 + + + diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml index affb9770cb9..4f22df262c2 100644 --- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml @@ -8,6 +8,7 @@ multi_platform_debian multi_platform_example multi_platform_fedora + multi_platform_openembedded multi_platform_opensuse multi_platform_ol multi_platform_rhcos diff --git a/ssg/constants.py b/ssg/constants.py index f66ba008fac..630fbdfcb95 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -219,6 +219,7 @@ "Ubuntu 20.04": "ubuntu2004", "Ubuntu 22.04": "ubuntu2204", "UnionTech OS Server 20": "uos20", + "OpenEmbedded": "openembedded", "Not Applicable" : "example" } @@ -267,7 +268,7 @@ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu", "opensuse", "sle", "ol", "ocp", "rhcos", - "example", "eks", "alinux", "uos", "anolis"] + "example", "eks", "alinux", "uos", "anolis", "openembedded"] MULTI_PLATFORM_MAPPING = { "multi_platform_alinux": ["alinux2", "alinux3"], @@ -285,6 +286,7 @@ "multi_platform_sle": ["sle12", "sle15"], "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"], "multi_platform_uos": ["uos20"], + "multi_platform_openembedded": ["openembedded"], } RHEL_CENTOS_CPE_MAPPING = { @@ -454,6 +456,7 @@ 'ocp': 'Red Hat OpenShift Container Platform', 'rhcos': 'Red Hat Enterprise Linux CoreOS', 'eks': 'Amazon Elastic Kubernetes Service', + 'openembedded': 'OpenEmbedded', } # References that can not be used with product-qualifiers