mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-01-11 15:00:34 +00:00
Code Issues Projects Releases Wiki Activity

scap-security-guide: bump the number of test that pass

Browse Source 
Add a eval script.
Lets see how many checks pass out of the box

Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Armin Kuster
2023-06-21 10:19:14 -04:00
parent 4dc2b52027
commit 2b052a6165
3 changed files with 241 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

228
recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch Normal file
View File

@@ -0,0 +1,228 @@
From 7af2da3bbe1d5b4cba89c6dae9ea267717b865ea Mon Sep 17 00:00:00 2001
From: Armin Kuster <akuster808@gmail.com>
Date: Wed, 21 Jun 2023 07:46:38 -0400
Subject: [PATCH] standard.profile: expand checks
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../openembedded/profiles/standard.profile | 206 ++++++++++++++++++
1 file changed, 206 insertions(+)
diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
index 44339d716c..877d1a3971 100644
--- a/products/openembedded/profiles/standard.profile
+++ b/products/openembedded/profiles/standard.profile
@@ -9,4 +9,210 @@ description: |-
selections:
- file_owner_etc_passwd
- file_groupowner_etc_passwd
+ - service_crond_enabled
+ - file_groupowner_crontab
+ - file_owner_crontab
+ - file_permissions_crontab
+ - file_groupowner_cron_hourly
+ - file_owner_cron_hourly
+ - file_permissions_cron_hourly
+ - file_groupowner_cron_daily
+ - file_owner_cron_daily
+ - file_permissions_cron_daily
+ - file_groupowner_cron_weekly
+ - file_owner_cron_weekly
+ - file_permissions_cron_weekly
+ - file_groupowner_cron_monthly
+ - file_owner_cron_monthly
+ - file_permissions_cron_monthly
+ - file_groupowner_cron_d
+ - file_owner_cron_d
+ - file_permissions_cron_d
+ - file_groupowner_cron_allow
+ - file_owner_cron_allow
+ - file_cron_deny_not_exist
+ - file_groupowner_at_allow
+ - file_owner_at_allow
+ - file_at_deny_not_exist
+ - file_permissions_at_allow
+ - file_permissions_cron_allow
+ - file_groupowner_sshd_config
+ - file_owner_sshd_config
+ - file_permissions_sshd_config
+ - file_permissions_sshd_private_key
+ - file_permissions_sshd_pub_key
+ - sshd_set_loglevel_verbose
+ - sshd_set_loglevel_info
+ - sshd_max_auth_tries_value=4
+ - sshd_set_max_auth_tries
+ - sshd_disable_rhosts
+ - disable_host_auth
+ - sshd_disable_root_login
+ - sshd_disable_empty_passwords
+ - sshd_do_not_permit_user_env
+ - sshd_idle_timeout_value=15_minutes
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=0
+ - sshd_set_login_grace_time
+ - var_sshd_set_login_grace_time=60
+ - sshd_enable_warning_banner
+ - sshd_enable_pam
+ - sshd_set_maxstartups
+ - var_sshd_set_maxstartups=10:30:60
+ - sshd_set_max_sessions
+ - var_sshd_max_sessions=10
+ - accounts_password_pam_minclass
+ - accounts_password_pam_minlen
+ - accounts_password_pam_retry
+ - var_password_pam_minclass=4
+ - var_password_pam_minlen=14
+ - locking_out_password_attempts
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
+ - var_password_pam_remember_control_flag=required
+ - var_password_pam_remember=5
+ - set_password_hashing_algorithm_systemauth
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=365
+ - accounts_password_set_max_life_existing
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=7
+ - accounts_password_set_min_life_existing
+ - accounts_password_warn_age_login_defs
+ - var_accounts_password_warn_age_login_defs=7
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=30
+ - no_shelllogin_for_systemaccounts
+ - accounts_tmout
+ - var_accounts_tmout=15_min
+ - accounts_root_gid_zero
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_login_defs
+ - use_pam_wheel_for_su
+ - sshd_allow_only_protocol2
+ - journald_forward_to_syslog
+ - journald_compress
+ - journald_storage
+ - service_auditd_enabled
+ - service_httpd_disabled
+ - service_vsftpd_disabled
+ - service_named_disabled
+ - service_nfs_disabled
+ - service_rpcbind_disabled
+ - service_slapd_disabled
+ - service_dhcpd_disabled
+ - service_cups_disabled
+ - service_ypserv_disabled
+ - service_rsyncd_disabled
+ - service_avahi-daemon_disabled
+ - service_snmpd_disabled
+ - service_squid_disabled
+ - service_smb_disabled
+ - service_dovecot_disabled
+ - banner_etc_motd
+ - login_banner_text=cis_banners
+ - banner_etc_issue
+ - login_banner_text=cis_banners
+ - file_groupowner_etc_motd
+ - file_owner_etc_motd
+ - file_permissions_etc_motd
+ - file_groupowner_etc_issue
+ - file_owner_etc_issue
+ - file_permissions_etc_issue
+ - ensure_gpgcheck_globally_activated
+ - package_aide_installed
+ - aide_periodic_cron_checking
+ - grub2_password
+ - file_groupowner_grub2_cfg
+ - file_owner_grub2_cfg
+ - file_permissions_grub2_cfg
+ - require_singleuser_auth
+ - require_emergency_target_auth
+ - disable_users_coredumps
+ - coredump_disable_backtraces
+ - coredump_disable_storage
+ - configure_crypto_policy
+ - var_system_crypto_policy=default_policy
+ - dir_perms_world_writable_sticky_bits
- file_permissions_etc_passwd
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_groupowner_etc_group
+ - file_owner_etc_group
+ - file_permissions_etc_group
+ - file_groupowner_etc_gshadow
+ - file_owner_etc_gshadow
+ - file_groupowner_backup_etc_passwd
+ - file_owner_backup_etc_passwd
+ - file_permissions_backup_etc_passwd
+ - file_groupowner_backup_etc_shadow
+ - file_owner_backup_etc_shadow
+ - file_permissions_backup_etc_shadow
+ - file_groupowner_backup_etc_group
+ - file_owner_backup_etc_group
+ - file_permissions_backup_etc_group
+ - file_groupowner_backup_etc_gshadow
+ - file_owner_backup_etc_gshadow
+ - file_permissions_backup_etc_gshadow
+ - file_permissions_unauthorized_world_writable
+ - file_permissions_ungroupowned
+ - accounts_root_path_dirs_no_write
+ - root_path_no_dot
+ - accounts_no_uid_except_zero
+ - file_ownership_home_directories
+ - file_groupownership_home_directories
+ - no_netrc_files
+ - no_rsh_trust_files
+ - account_unique_id
+ - group_unique_id
+ - group_unique_name
+ - kernel_module_sctp_disabled
+ - kernel_module_dccp_disabled
+ - wireless_disable_interfaces
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv6_conf_all_forwarding
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_log_martians
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_default_log_martians
+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+ - sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_default_rp_filter
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+ - sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+ - sysctl_net_ipv6_conf_all_accept_ra
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_ra
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ - package_iptables_installed
--
2.34.1

3
recipes-compliance/scap-security-guide/files/run_eval.sh Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
oscap xccdf eval --results results.xml --report report.html --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml

12
recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
View File

@@ -8,7 +8,10 @@ LICENSE = "BSD-3-Clause"
SRCREV = "dad85502ce8da722a6afc391346c41cee61e90a9"
SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \
file://0001-scap-security-guide-add-openembedded.patch "
file://0001-scap-security-guide-add-openembedded.patch \
file://0001-standard.profile-expand-checks.patch \
file://run_eval.sh \
"
DEPENDS = "openscap-native python3-pyyaml-native python3-jinja2-native libxml2-native expat-native coreutils-native"
@@ -29,6 +32,11 @@ do_configure:prepend () {
sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt
}
FILES:${PN} += "${datadir}/xml"
do_install:append() {
install -d ${D}${datadir}/openscap
install ${WORKDIR}/run_eval.sh ${D}${datadir}/openscap/.
}
FILES:${PN} += "${datadir}/xml ${datadir}/openscap"
RDEPENDS:${PN} = "openscap"