Add an eval script. Let's see how many checks pass out of the box Signed-off-by: Armin Kuster <akuster...@gmail.com> --- .../0001-standard.profile-expand-checks.patch | 228 ++++++++++++++++++ .../scap-security-guide/files/run_eval.sh | 3 + .../scap-security-guide_0.1.67.bb | 12 +- 3 files changed, 241 insertions(+), 2 deletions(-) create mode 100644 recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch create mode 100644 recipes-compliance/scap-security-guide/files/run_eval.sh
diff --git a/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch b/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch
new file mode 100644
index 0000000..0621360
--- /dev/null
+++ b/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch
@@ -0,0 +1,228 @@
+From 7af2da3bbe1d5b4cba89c6dae9ea267717b865ea Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster...@gmail.com>
+Date: Wed, 21 Jun 2023 07:46:38 -0400
+Subject: [PATCH] standard.profile: expand checks
+
+Signed-off-by: Armin Kuster <akuster...@gmail.com>
+---
+ .../openembedded/profiles/standard.profile | 206 ++++++++++++++++++
+ 1 file changed, 206 insertions(+)
+
+diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
+index 44339d716c..877d1a3971 100644
+--- a/products/openembedded/profiles/standard.profile
++++ b/products/openembedded/profiles/standard.profile
+@@ -9,4 +9,210 @@ description: |-
+ selections:
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
++ - service_crond_enabled
++ - file_groupowner_crontab
++ - file_owner_crontab
++ - file_permissions_crontab
++ - file_groupowner_cron_hourly
++ - file_owner_cron_hourly
++ - file_permissions_cron_hourly
++ - file_groupowner_cron_daily
++ - file_owner_cron_daily
++ - file_permissions_cron_daily
++ - file_groupowner_cron_weekly
++ - file_owner_cron_weekly
++ - file_permissions_cron_weekly
++ - file_groupowner_cron_monthly
++ - file_owner_cron_monthly
++ - file_permissions_cron_monthly
++ - file_groupowner_cron_d
++ - file_owner_cron_d
++ - file_permissions_cron_d
++ - file_groupowner_cron_allow
++ - file_owner_cron_allow
++ - file_cron_deny_not_exist
++ - file_groupowner_at_allow
++ - file_owner_at_allow
++ - file_at_deny_not_exist
++ - file_permissions_at_allow
++ - file_permissions_cron_allow
++ - file_groupowner_sshd_config
++ - file_owner_sshd_config
++ - file_permissions_sshd_config
++ - file_permissions_sshd_private_key
++ - file_permissions_sshd_pub_key
++ - sshd_set_loglevel_verbose
++ - sshd_set_loglevel_info
++ - sshd_max_auth_tries_value=4
++ - sshd_set_max_auth_tries
++ - sshd_disable_rhosts
++ - disable_host_auth
++ - sshd_disable_root_login
++ - sshd_disable_empty_passwords
++ - sshd_do_not_permit_user_env
++ - sshd_idle_timeout_value=15_minutes
++ - sshd_set_idle_timeout
++ - sshd_set_keepalive
++ - var_sshd_set_keepalive=0
++ - sshd_set_login_grace_time
++ - var_sshd_set_login_grace_time=60
++ - sshd_enable_warning_banner
++ - sshd_enable_pam
++ - sshd_set_maxstartups
++ - var_sshd_set_maxstartups=10:30:60
++ - sshd_set_max_sessions
++ - var_sshd_max_sessions=10
++ - accounts_password_pam_minclass
++ - accounts_password_pam_minlen
++ - accounts_password_pam_retry
++ - var_password_pam_minclass=4
++ - var_password_pam_minlen=14
++ - locking_out_password_attempts
++ - accounts_password_pam_pwhistory_remember_password_auth
++ - accounts_password_pam_pwhistory_remember_system_auth
++ - var_password_pam_remember_control_flag=required
++ - var_password_pam_remember=5
++ - set_password_hashing_algorithm_systemauth
++ - accounts_maximum_age_login_defs
++ - var_accounts_maximum_age_login_defs=365
++ - accounts_password_set_max_life_existing
++ - accounts_minimum_age_login_defs
++ - var_accounts_minimum_age_login_defs=7
++ - accounts_password_set_min_life_existing
++ - accounts_password_warn_age_login_defs
++ - var_accounts_password_warn_age_login_defs=7
++ - account_disable_post_pw_expiration
++ - var_account_disable_post_pw_expiration=30
++ - no_shelllogin_for_systemaccounts
++ - accounts_tmout
++ - var_accounts_tmout=15_min
++ - accounts_root_gid_zero
++ - accounts_umask_etc_bashrc
++ - accounts_umask_etc_login_defs
++ - use_pam_wheel_for_su
++ - sshd_allow_only_protocol2
++ - journald_forward_to_syslog
++ - journald_compress
++ - journald_storage
++ - service_auditd_enabled
++ - service_httpd_disabled
++ - service_vsftpd_disabled
++ - service_named_disabled
++ - service_nfs_disabled
++ - service_rpcbind_disabled
++ - service_slapd_disabled
++ - service_dhcpd_disabled
++ - service_cups_disabled
++ - service_ypserv_disabled
++ - service_rsyncd_disabled
++ - service_avahi-daemon_disabled
++ - service_snmpd_disabled
++ - service_squid_disabled
++ - service_smb_disabled
++ - service_dovecot_disabled
++ - banner_etc_motd
++ - login_banner_text=cis_banners
++ - banner_etc_issue
++ - login_banner_text=cis_banners
++ - file_groupowner_etc_motd
++ - file_owner_etc_motd
++ - file_permissions_etc_motd
++ - file_groupowner_etc_issue
++ - file_owner_etc_issue
++ - file_permissions_etc_issue
++ - ensure_gpgcheck_globally_activated
++ - package_aide_installed
++ - aide_periodic_cron_checking
++ - grub2_password
++ - file_groupowner_grub2_cfg
++ - file_owner_grub2_cfg
++ - file_permissions_grub2_cfg
++ - require_singleuser_auth
++ - require_emergency_target_auth
++ - disable_users_coredumps
++ - coredump_disable_backtraces
++ - coredump_disable_storage
++ - configure_crypto_policy
++ - var_system_crypto_policy=default_policy
++ - dir_perms_world_writable_sticky_bits
+ - file_permissions_etc_passwd
++ - file_owner_etc_shadow
++ - file_groupowner_etc_shadow
++ - file_groupowner_etc_group
++ - file_owner_etc_group
++ - file_permissions_etc_group
++ - file_groupowner_etc_gshadow
++ - file_owner_etc_gshadow
++ - file_groupowner_backup_etc_passwd
++ - file_owner_backup_etc_passwd
++ - file_permissions_backup_etc_passwd
++ - file_groupowner_backup_etc_shadow
++ - file_owner_backup_etc_shadow
++ - file_permissions_backup_etc_shadow
++ - file_groupowner_backup_etc_group
++ - file_owner_backup_etc_group
++ - file_permissions_backup_etc_group
++ - file_groupowner_backup_etc_gshadow
++ - file_owner_backup_etc_gshadow
++ - file_permissions_backup_etc_gshadow
++ - file_permissions_unauthorized_world_writable
++ - file_permissions_ungroupowned
++ - accounts_root_path_dirs_no_write
++ - root_path_no_dot
++ - accounts_no_uid_except_zero
++ - file_ownership_home_directories
++ - file_groupownership_home_directories
++ - no_netrc_files
++ - no_rsh_trust_files
++ - account_unique_id
++ - group_unique_id
++ - group_unique_name
++ - kernel_module_sctp_disabled
++ - kernel_module_dccp_disabled
++ - wireless_disable_interfaces
++ - sysctl_net_ipv4_ip_forward
++ - sysctl_net_ipv6_conf_all_forwarding
++ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
++ - sysctl_net_ipv4_conf_all_send_redirects
++ - sysctl_net_ipv4_conf_default_send_redirects
++ - sysctl_net_ipv4_conf_all_accept_source_route
++ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
++ - sysctl_net_ipv4_conf_default_accept_source_route
++ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
++ - sysctl_net_ipv6_conf_all_accept_source_route
++ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
++ - sysctl_net_ipv6_conf_default_accept_source_route
++ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
++ - sysctl_net_ipv4_conf_all_accept_redirects
++ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
++ - sysctl_net_ipv4_conf_default_accept_redirects
++ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
++ - sysctl_net_ipv6_conf_all_accept_redirects
++ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
++ - sysctl_net_ipv6_conf_default_accept_redirects
++ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
++ - sysctl_net_ipv4_conf_all_secure_redirects
++ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
++ - sysctl_net_ipv4_conf_default_secure_redirects
++ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
++ - sysctl_net_ipv4_conf_all_log_martians
++ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
++ - sysctl_net_ipv4_conf_default_log_martians
++ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
++ - sysctl_net_ipv4_conf_all_rp_filter
++ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
++ - sysctl_net_ipv4_conf_default_rp_filter
++ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
++ - 
sysctl_net_ipv4_tcp_syncookies ++ - sysctl_net_ipv4_tcp_syncookies_value=enabled ++ - sysctl_net_ipv6_conf_all_accept_ra ++ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled ++ - sysctl_net_ipv6_conf_default_accept_ra ++ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled ++ - package_firewalld_installed ++ - service_firewalld_enabled ++ - package_iptables_installed +-- +2.34.1 + diff --git a/recipes-compliance/scap-security-guide/files/run_eval.sh b/recipes-compliance/scap-security-guide/files/run_eval.sh new file mode 100644 index 0000000..cc79bac --- /dev/null +++ b/recipes-compliance/scap-security-guide/files/run_eval.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +oscap xccdf eval --results results.xml --report report.html --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb index 420a6d8..a9023ec 100644 --- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb +++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb @@ -8,7 +8,10 @@ LICENSE = "BSD-3-Clause" SRCREV = "dad85502ce8da722a6afc391346c41cee61e90a9" SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \ - file://0001-scap-security-guide-add-openembedded.patch " + file://0001-scap-security-guide-add-openembedded.patch \ + file://0001-standard.profile-expand-checks.patch \ + file://run_eval.sh \ + " DEPENDS = "openscap-native python3-pyyaml-native python3-jinja2-native libxml2-native expat-native coreutils-native" 
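Review bot: `sshd_set_loglevel_verbose` and `sshd_set_loglevel_info` are both selected, and they require different `LogLevel` values, so one of the two can never pass in this profile; keep only one (VERBOSE is the stricter, it records the key fingerprint used for each login). `login_banner_text=cis_banners` is listed twice, once after `banner_etc_motd` and again after `banner_etc_issue`; a single variable selection is enough. `var_sshd_set_keepalive=0` alongside `sshd_set_idle_timeout` is also worth a second look: on current OpenSSH a ClientAliveCountMax of 0 disables the idle disconnect rather than enforcing it, which would undo the 15-minute timeout. Several other selections read as RHEL-specific and will presumably come back notapplicable or fail on an OpenEmbedded image — `configure_crypto_policy`, `ensure_gpgcheck_globally_activated`, `set_password_hashing_algorithm_systemauth` and the `*_system_auth`/`*_password_auth` pwhistory rules assume crypto-policies, yum/dnf and `/etc/pam.d/system-auth`, and `sshd_allow_only_protocol2` targets an option modern OpenSSH no longer has — so confirm these against the openembedded product before treating their failures as findings.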
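Review bot: `oscap xccdf eval --results results.xml --report report.html …` writes both files relative to whatever directory the caller happens to be in, and the script neither passes oscap's exit status back to the caller nor says that most of the selected rules need root to evaluate. The results and report are effectively an inventory of what is not hardened on the host, so they should go to a caller-chosen location rather than, say, a world-readable cwd, and oscap's exit code (0 all pass, 1 error, 2 at least one rule failed) should reach the caller, which `exec` gives for free. A minimal rewrite that keeps the default behaviour when run with no arguments:
```shell
#!/bin/sh
# Evaluate the OpenEmbedded "standard" profile against this host.
# Usage: run_eval.sh [output-dir]   (default: current directory)
# Most rules need root; oscap exits 0 (all pass), 1 (error) or 2 (failures).
out="${1:-.}"
exec oscap xccdf eval \
    --results "$out/results.xml" \
    --report "$out/report.html" \
    --profile xccdf_org.ssgproject.content_profile_standard \
    /usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml
```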
@@ -29,6 +32,11 @@ do_configure:prepend () { sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt } -FILES:${PN} += "${datadir}/xml" +do_install:append() { + install -d ${D}${datadir}/openscap + install ${WORKDIR}/run_eval.sh ${D}${datadir}/openscap/. +} + +FILES:${PN} += "${datadir}/xml ${datadir}/openscap" RDEPENDS:${PN} = "openscap" -- 2.34.1
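Review bot: `install ${WORKDIR}/run_eval.sh ${D}${datadir}/openscap/.` relies on install's default mode for an executable; make the intent explicit with `install -m 0755 ${WORKDIR}/run_eval.sh ${D}${datadir}/openscap/run_eval.sh`. A script under ${datadir} is also an unusual home — ${bindir} or ${libexecdir}/${PN} is where an executable is expected, and either would be packaged without the added `FILES:${PN}` entry. Newer Poky releases unpack `file://` sources into ${UNPACKDIR} rather than ${WORKDIR}; confirm which releases this layer targets. The hunk's header context names do_configure:prepend, whose body begins before this hunk.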