Sync from SUSE:SLFO:Main openscap revision 40146bd45416b7e2f251b95bad72118f

This commit is contained in:
Adrian Schröter 2024-10-23 11:56:23 +02:00
commit f6ea68c88b
14 changed files with 3152 additions and 0 deletions

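--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text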


@ -0,0 +1,220 @@
From 48685f390b865f6edd7df8dba955c03dff6045e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= <kkaempf@suse.de>
Date: Tue, 28 Mar 2023 12:02:43 +0200
Subject: [PATCH 1/5] Add openSUSE cpe links
---
cpe/openscap-cpe-dict.xml | 24 +++++++
cpe/openscap-cpe-oval.xml | 127 ++++++++++++++++++++++++++++++++++++++
2 files changed, 151 insertions(+)
Index: openscap-1.3.10/cpe/openscap-cpe-dict.xml
===================================================================
--- openscap-1.3.10.orig/cpe/openscap-cpe-dict.xml
+++ openscap-1.3.10/cpe/openscap-cpe-dict.xml
@@ -53,4 +53,32 @@
<title xml:lang="en-us">Fedora 35</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.fedora:def:35</check>
</cpe-item>
+ <cpe-item name="cpe:/o:opensuse:leap:15.1">
+ <title xml:lang="en-us">openSUSE Leap 15.1</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:151</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:opensuse:leap:15.2">
+ <title xml:lang="en-us">openSUSE Leap 15.2</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:152</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:opensuse:leap:15.3">
+ <title xml:lang="en-us">openSUSE Leap 15.3</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:153</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:opensuse:leap:15.4">
+ <title xml:lang="en-us">openSUSE Leap 15.4</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:154</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:opensuse:leap:15.5">
+ <title xml:lang="en-us">openSUSE Leap 15.5</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:155</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:opensuse:leap:15.6">
+ <title xml:lang="en-us">openSUSE Leap 15.6</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:156</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:opensuse:tumbleweed">
+ <title xml:lang="en-us">openSUSE Tumbleweed</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:9999</check>
+ </cpe-item>
</cpe-list>
Index: openscap-1.3.10/cpe/openscap-cpe-oval.xml
===================================================================
--- openscap-1.3.10.orig/cpe/openscap-cpe-oval.xml
+++ openscap-1.3.10/cpe/openscap-cpe-oval.xml
@@ -690,6 +690,97 @@
<criterion comment="openSUSE Leap 15.0 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:150"/>
</criteria>
</definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:151" version="1">
+ <metadata>
+ <title>openSUSE Leap 15.1</title>
+ <affected family="unix">
+ <platform>openSUSE Leap 15.1</platform>
+ </affected>
+ <reference ref_id="cpe:/o:opensuse:leap:15.1" source="CPE"/>
+ <description>The operating system installed on the system is openSUSE Leap 15.1</description>
+ </metadata>
+ <criteria>
+ <criterion comment="openSUSE Leap 15.1 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:151"/>
+ </criteria>
+ </definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:152" version="1">
+ <metadata>
+ <title>openSUSE Leap 15.2</title>
+ <affected family="unix">
+ <platform>openSUSE Leap 15.2</platform>
+ </affected>
+ <reference ref_id="cpe:/o:opensuse:leap:15.2" source="CPE"/>
+ <description>The operating system installed on the system is openSUSE Leap 15.2</description>
+ </metadata>
+ <criteria>
+ <criterion comment="openSUSE Leap 15.2 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:152"/>
+ </criteria>
+ </definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:153" version="1">
+ <metadata>
+ <title>openSUSE Leap 15.3</title>
+ <affected family="unix">
+ <platform>openSUSE Leap 15.3</platform>
+ </affected>
+ <reference ref_id="cpe:/o:opensuse:leap:15.3" source="CPE"/>
+ <description>The operating system installed on the system is openSUSE Leap 15.3</description>
+ </metadata>
+ <criteria>
+ <criterion comment="openSUSE Leap 15.3 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:153"/>
+ </criteria>
+ </definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:154" version="1">
+ <metadata>
+ <title>openSUSE Leap 15.4</title>
+ <affected family="unix">
+ <platform>openSUSE Leap 15.4</platform>
+ </affected>
+ <reference ref_id="cpe:/o:opensuse:leap:15.4" source="CPE"/>
+ <description>The operating system installed on the system is openSUSE Leap 15.4</description>
+ </metadata>
+ <criteria>
+ <criterion comment="openSUSE Leap 15.4 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:154"/>
+ </criteria>
+ </definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:155" version="1">
+ <metadata>
+ <title>openSUSE Leap 15.5</title>
+ <affected family="unix">
+ <platform>openSUSE Leap 15.5</platform>
+ </affected>
+ <reference ref_id="cpe:/o:opensuse:leap:15.5" source="CPE"/>
+ <description>The operating system installed on the system is openSUSE Leap 15.5</description>
+ </metadata>
+ <criteria>
+ <criterion comment="openSUSE Leap 15.5 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:155"/>
+ </criteria>
+ </definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:156" version="1">
+ <metadata>
+ <title>openSUSE Leap 15.6</title>
+ <affected family="unix">
+ <platform>openSUSE Leap 15.6</platform>
+ </affected>
+ <reference ref_id="cpe:/o:opensuse:leap:15.6" source="CPE"/>
+ <description>The operating system installed on the system is openSUSE Leap 15.6</description>
+ </metadata>
+ <criteria>
+ <criterion comment="openSUSE Leap 15.6 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:156"/>
+ </criteria>
+ </definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:9999" version="1">
+ <metadata>
+ <title>openSUSE Tumbleweed</title>
+ <affected family="unix">
+ <platform>openSUSE Tumbleweed</platform>
+ </affected>
+ <reference ref_id="cpe:/o:opensuse:tumbleweed" source="CPE"/>
+ <description>The operating system installed on the system is openSUSE Tumbleweed</description>
+ </metadata>
+ <criteria>
+ <criterion comment="openSUSE Tumbleweed is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:9999"/>
+ </criteria>
+ </definition>
<definition class="inventory" id="oval:org.open-scap.cpe.wrlinux:def:1" version="1" >
<metadata>
<title>Wind River Linux</title>
@@ -1087,6 +1178,41 @@
<object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
<state state_ref="oval:org.open-scap.cpe.opensuse:ste:150"/>
</rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:151" version="2" check="at least one" comment="openSUSE-release is version 15.1"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:151"/>
+ </rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:152" version="2" check="at least one" comment="openSUSE-release is version 15.2"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:152"/>
+ </rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:153" version="2" check="at least one" comment="openSUSE-release is version 15.3"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:153"/>
+ </rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:154" version="2" check="at least one" comment="openSUSE-release is version 15.4"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:154"/>
+ </rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:155" version="2" check="at least one" comment="openSUSE-release is version 15.5"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:155"/>
+ </rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:156" version="2" check="at least one" comment="openSUSE-release is version 15.6"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:156"/>
+ </rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:9999" version="2" check="at least one" comment="openSUSE-release is openSUSE Tumbleweed"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:9999"/>
+ </rpminfo_test>
<family_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.wrlinux:tst:1" version="1" check="only one"
comment="Installed operating system is part of the Unix family."
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
@@ -1415,6 +1541,28 @@
<rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:150" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^15.0$</version>
</rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:151" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15.1$</version>
+ </rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:152" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15.2$</version>
+ </rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:153" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15.3$</version>
+ </rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:154" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15.4$</version>
+ </rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:155" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15.5$</version>
+ </rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:156" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15.6$</version>
+ </rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:9999" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <!-- matching for timestamp -->
+ <version operation="pattern match">^\d{8}$</version>
+ </rpminfo_state>
<textfilecontent54_state
id="oval:org.open-scap.cpe.wrlinux-release:ste:8"
comment="Check the /etc/wrlinux-release file for VERSION 8 specification."
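Review bot: The new `rpminfo_state` version patterns in the last hunk (`^15.1$` through `^15.6$`) leave the dot unescaped, so `.` matches any single character rather than the literal separator; the pre-existing 15.0 state has the same form, but since these states decide which CPE platform a benchmark treats as applicable, the new ones should be written `^15\.1$` and so on. The new `rpminfo_test` elements in the second hunk also carry `version="2"` while the neighbouring 15.0 test and the rest of the file use `version="1"`; for elements introduced for the first time, `version="1"` is the consistent value. The Tumbleweed state `^\d{8}$` accepts any eight-digit openSUSE-release version, which appears to be the intended snapshot-date match, but a comment stating that the match is on the snapshot date rather than a product version would make the intent explicit. This patch file uses quilt-style `Index:` headers and has no `-- / 2.40.0` trailer, unlike patches 2 to 4, which is harmless for `%autosetup -p1` but worth normalising.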


@ -0,0 +1,119 @@
From 8ef63951ad8e87a65cb252601a03bd958631f94c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= <kkaempf@suse.de>
Date: Tue, 28 Mar 2023 12:04:28 +0200
Subject: [PATCH 2/5] Add SUSE cpe links
---
cpe/openscap-cpe-dict.xml | 16 +++++++++++++++
cpe/openscap-cpe-oval.xml | 42 +++++++++++++++++++++++++++++++++++++++
2 files changed, 58 insertions(+)
diff --git a/cpe/openscap-cpe-dict.xml b/cpe/openscap-cpe-dict.xml
index cf52bee..85917a8 100644
--- a/cpe/openscap-cpe-dict.xml
+++ b/cpe/openscap-cpe-dict.xml
@@ -77,4 +77,20 @@
<title xml:lang="en-us">openSUSE Tumbleweed</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:9999</check>
</cpe-item>
+ <cpe-item name="cpe:/o:suse:sles:12">
+ <title xml:lang="en-us">SUSE Linux Enterprise Server 12</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sles:def:12</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:suse:sled:12">
+ <title xml:lang="en-us">SUSE Linux Enterprise Desktop 12</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sled:def:12</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:suse:sles:15">
+ <title xml:lang="en-us">SUSE Linux Enterprise Server 15</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sles:def:15</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:suse:sled:15">
+ <title xml:lang="en-us">SUSE Linux Enterprise Desktop 15</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sled:def:15</check>
+ </cpe-item>
</cpe-list>
diff --git a/cpe/openscap-cpe-oval.xml b/cpe/openscap-cpe-oval.xml
index a402c7f..531297b 100644
--- a/cpe/openscap-cpe-oval.xml
+++ b/cpe/openscap-cpe-oval.xml
@@ -768,6 +768,32 @@
<criterion comment="openSUSE Tumbleweed is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:9999"/>
</criteria>
</definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.sles:def:15" version="1">
+ <metadata>
+ <title>SUSE Linux Enterprise Server 15</title>
+ <affected family="unix">
+ <platform>SUSE Linux Enterprise Server 15</platform>
+ </affected>
+ <reference ref_id="cpe:/o:suse:sles:15" source="CPE"/>
+ <description>The operating system installed on the system is SUSE Linux Enterprise Server 15</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SLES 15 is installed" test_ref="oval:org.open-scap.cpe.sles:tst:15"/>
+ </criteria>
+ </definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.sled:def:15" version="1">
+ <metadata>
+ <title>SUSE Linux Enterprise Desktop 15</title>
+ <affected family="unix">
+ <platform>SUSE Linux Enterprise Desktop 15</platform>
+ </affected>
+ <reference ref_id="cpe:/o:suse:sled:15" source="CPE"/>
+ <description>The operating system installed on the system is SUSE Linux Enterprise Desktop 15</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SLED 15 is installed" test_ref="oval:org.open-scap.cpe.sled:tst:15"/>
+ </criteria>
+ </definition>
<definition class="inventory" id="oval:org.open-scap.cpe.wrlinux:def:1" version="1" >
<metadata>
<title>Wind River Linux</title>
@@ -1110,6 +1136,11 @@
<object object_ref="oval:org.open-scap.cpe.sles-release:obj:1"/>
<state state_ref="oval:org.open-scap.cpe.sles:ste:12"/>
</rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.sles:tst:15" version="1" check="at least one" comment="sles-release is version 15"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.sles-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.sles:ste:15"/>
+ </rpminfo_test>
<rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.sled:tst:10" version="1" check="at least one" comment="sled-release is version 10"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/>
@@ -1125,6 +1156,11 @@
<object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/>
<state state_ref="oval:org.open-scap.cpe.sled:ste:12"/>
</rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.sled:tst:15" version="1" check="at least one" comment="sled-release is version 15"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.sled:ste:15"/>
+ </rpminfo_test>
<rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:1" version="1" check="at least one" comment="openSUSE-release is version 11.4"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
@@ -1490,6 +1526,9 @@
<rpminfo_state id="oval:org.open-scap.cpe.sles:ste:12" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^12($|[^\d])</version>
</rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.sles:ste:15" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15($|[^\d])</version>
+ </rpminfo_state>
<rpminfo_state id="oval:org.open-scap.cpe.sled:ste:10" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^10($|[^\d])</version>
</rpminfo_state>
@@ -1499,6 +1538,9 @@
<rpminfo_state id="oval:org.open-scap.cpe.sled:ste:12" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^12($|[^\d])</version>
</rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.sled:ste:15" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15($|[^\d])</version>
+ </rpminfo_state>
<rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<name operation="pattern match">^openSUSE-release</name>
</rpminfo_state>
--
2.40.0
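Review bot: The dictionary hunk adds four `cpe-item` entries, including `cpe:/o:suse:sles:12` and `cpe:/o:suse:sled:12` whose `check` elements point at `oval:org.open-scap.cpe.sles:def:12` and `oval:org.open-scap.cpe.sled:def:12`, but the OVAL hunks only add the `def:15` inventory definitions. The `ste:12` states and the tests that reference them are visible in the context lines, so the corresponding `def:12` definitions may already exist upstream; if they do not, the two 12 dictionary entries resolve to nothing and the platform will never be detected, so this should be confirmed against the full `openscap-cpe-oval.xml`. Minor: the new criterion comments abbreviate to `SLES 15 is installed` / `SLED 15 is installed` while the titles spell out the product name; the openSUSE definitions from patch 1 use the full name in both places.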


@ -0,0 +1,100 @@
From 815356039b16d5abba9cdebc07c23aa967947ef3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= <kkaempf@suse.de>
Date: Tue, 28 Mar 2023 12:05:37 +0200
Subject: [PATCH 3/5] Use openSUSE/SUSE cpe links
---
utils/oscap_docker_python/get_cve_input.py | 21 ++++++++++---
.../oscap_docker_common.py | 31 ++++++++++++++++++-
2 files changed, 46 insertions(+), 6 deletions(-)
diff --git a/utils/oscap_docker_python/get_cve_input.py b/utils/oscap_docker_python/get_cve_input.py
index 6d77bdb..bb38e77 100644
--- a/utils/oscap_docker_python/get_cve_input.py
+++ b/utils/oscap_docker_python/get_cve_input.py
@@ -31,9 +31,12 @@ class getInputCVE(object):
hdr = {'User-agent': 'Mozilla/5.0'}
hdr2 = [('User-agent', 'Mozilla/5.0')]
- url = "https://www.redhat.com/security/data/oval/"
- dist_cve_name = "com.redhat.rhsa-RHEL{0}.xml.bz2"
- dists = [5, 6, 7]
+ rhel_url = "https://www.redhat.com/security/data/oval/"
+ rhel_dist_cve_name = "com.redhat.rhsa-RHEL{0}.xml.bz2"
+ rhel_dists = [5, 6, 7]
+ suse_url = "https://ftp.suse.com/pub/projects/security/oval/"
+ suse_dist_cve_name = "suse.linux.enterprise.{0}.xml"
+ suse_dists = [12, 15]
remote_pattern = '%a, %d %b %Y %H:%M:%S %Z'
def __init__(self, fs_dest, DEBUG=False):
@@ -46,10 +49,18 @@ class getInputCVE(object):
Given a distribution number (i.e. 7), it will fetch the
distribution specific data file if upstream has a newer
input file. Returns the path of file.
+ We just hack that SUSE has versions above 10 to mean SUSE
'''
- cve_file = self.dist_cve_name.format(dist)
+ if dist == "12" or dist == "15":
+ cve_file = self.suse_dist_cve_name.format(dist)
+ dist_url = urllib.parse.urljoin(self.suse_url, cve_file)
+ else:
+ cve_file = self.rhel_dist_cve_name.format(dist)
+ dist_url = urllib.parse.urljoin(self.rhel_url, cve_file)
+
+ # stderr.write("URL {0} cve_file {1}\n".format(dist_url,cve_file))
dest_file = join(self.dest, cve_file)
- dist_url = urllib.parse.urljoin(self.url, cve_file)
+
if self._is_cache_same(dest_file, dist_url):
return dest_file
diff --git a/utils/oscap_docker_python/oscap_docker_common.py b/utils/oscap_docker_python/oscap_docker_common.py
index c9afd6b..30289fd 100644
--- a/utils/oscap_docker_python/oscap_docker_common.py
+++ b/utils/oscap_docker_python/oscap_docker_common.py
@@ -55,7 +55,7 @@ def get_dist(mountpoint, oscap_binary, local_env):
'''
Test the chroot and determine what RHEL dist it is; returns
- an integer representing the dist
+ an integer representing the dist (5 - 8 for RHEL, 12 and 15 for SLES)
'''
cpe_dict = '/usr/share/openscap/cpe/openscap-cpe-oval.xml'
@@ -77,3 +77,32 @@ def get_dist(mountpoint, oscap_binary, local_env):
if "{0}{1}: true".format(CPE_RHEL, dist) in result.stdout:
print("This system seems based on RHEL{0}.".format(dist))
return dist
+
+ CPE_SLES = 'oval:org.open-scap.cpe.sles:def:'
+ DISTS = ["12", "15"]
+
+ '''
+ Test the chroot and determine what SUSE dist it is; returns
+ an integer representing the dist (12 and 15 for SUSE)
+ '''
+
+ cpe_dict = '/usr/share/openscap/cpe/openscap-cpe-oval.xml'
+ if not os.path.exists(cpe_dict):
+ # sometime it's installed into /usr/local/share instead of /usr/local
+ cpe_dict = '/usr/local/share/openscap/cpe/openscap-cpe-oval.xml'
+ if not os.path.exists(cpe_dict):
+ raise OscapError()
+
+ for dist in DISTS:
+ result = oscap_chroot(
+ mountpoint, oscap_binary,
+ ("oval", "eval", "--id", CPE_SLES + dist, cpe_dict,
+ mountpoint, "2>&1", ">", "/dev/null"),
+ '*',
+ local_env
+ )
+
+ if "{0}{1}: true".format(CPE_SLES, dist) in result.stdout:
+ print("This system seems based on SLES {0}.".format(dist))
+ return dist
+ print("System version not detected.")
--
2.40.0
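Review bot: In `get_cve_input.py` the branch `if dist == "12" or dist == "15":` compares against string literals, while the class attributes it sits next to (`rhel_dists = [5, 6, 7]`, `suse_dists = [12, 15]`) hold integers and the docstring describes `dist` as a number; an integer 12 or 15 would silently fall through to the Red Hat URL and fetch the wrong OVAL feed, and `suse_dists` is never consulted. A type-agnostic test such as `if str(dist) in {str(d) for d in self.suse_dists}:` keeps both callers working and makes the attribute meaningful; the commented-out `# stderr.write(...)` debug line should go. In `oscap_docker_common.py` the appended block opens with a bare triple-quoted string, which is a no-op expression statement inside the function body rather than a comment, and it repeats the `cpe_dict` existence lookup already performed earlier in `get_dist` (visible in the first hunk's context); a `#` comment and reuse of the existing `cpe_dict` would remove the duplication. After the SLES loop the function prints "System version not detected." and then returns `None` implicitly, which callers presumably format into a filename; the enclosing function starts outside the hunk, so whether an exception was previously raised there is not visible here.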


@ -0,0 +1,24 @@
From 290186ec99dedf00477447d53b2c0c01c764eaa5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= <kkaempf@suse.de>
Date: Tue, 28 Mar 2023 12:06:36 +0200
Subject: [PATCH 4/5] oscap-remediate is located in bindir
---
oscap-remediate.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oscap-remediate.service.in b/oscap-remediate.service.in
index 2b48398..b6d07b7 100644
--- a/oscap-remediate.service.in
+++ b/oscap-remediate.service.in
@@ -8,6 +8,6 @@ Before=shutdown.target system-update.target
[Service]
Type=oneshot
-ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_LIBEXECDIR@/oscap-remediate
+ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_BINDIR@/oscap-remediate
FailureAction=reboot
--
2.40.0
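Review bot: `ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_BINDIR@/oscap-remediate` concatenates the prefix with the bindir value, which only yields the intended path when `CMAKE_INSTALL_BINDIR` is configured relative; if the build sets it absolute the result is a doubled prefix and the unit fails to start. If the project uses `GNUInstallDirs`, `ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/oscap-remediate` avoids the ambiguity; the original LIBEXECDIR form had the same weakness, so this is an opportunity rather than a regression. The spec in this commit applies the patch and performs the matching move to bindir under the same `suse_version` condition, which looks consistent.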

BIN
openscap-1.3.10.tar.gz (Stored with Git LFS) Normal file


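--- a/openscap-rpmlintrc
+++ b/openscap-rpmlintrc
@@ -0,0 +1,4 @@
+# can not change docs implementation
+addFilter("files-duplicate /usr/share/doc/packages/openscap/html/search")
+# ignore duplicates in different schema versions
+addFilter("files-duplicate /usr/share/openscap/schemas")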

1376
openscap.changes Normal file


338
openscap.spec Normal file

@ -0,0 +1,338 @@
#
# spec file for package openscap
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define sover 25
%define with_bindings 0
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openscap
Version: 1.3.10
Release: 0
Summary: A Set of Libraries for Integration with SCAP
License: LGPL-2.1-or-later
Group: Development/Tools/Other
URL: https://www.open-scap.org/
Source: https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz#/%name-%version.tar.gz
Source1: openscap-rpmlintrc
Source2: sysconfig.oscap-scan
# SUSE specific profile, based on yast2-security checks.
# Generated from http://gitorious.org/test-suite/scap
Source3: scap-yast2sec-xccdf.xml
Source4: scap-yast2sec-oval.xml
Source5: oscap-scan.service
Source6: oscap-scan.sh
Patch1: 0001-Add-openSUSE-cpe-links.patch
Patch2: 0002-Add-SUSE-cpe-links.patch
Patch3: 0003-Use-openSUSE-SUSE-cpe-links.patch
%if 0%{?suse_version} != 1599
Patch4: 0004-oscap-remediate-is-located-in-bindir.patch
%endif
BuildRequires: asciidoc
# Use package name cause of "have choice for perl(XML::Parser): brp-check-suse perl-XML-Parser"
BuildRequires: cmake
BuildRequires: dbus-1-devel
BuildRequires: doxygen
BuildRequires: gcc-c++
%if 0%{?suse_version} < 1550
BuildRequires: gconf2-devel
%endif
BuildRequires: libacl-devel
BuildRequires: libattr-devel
BuildRequires: libblkid-devel
BuildRequires: libbz2-devel
BuildRequires: libcap-devel
BuildRequires: libcurl-devel
BuildRequires: libgcrypt-devel
BuildRequires: libselinux-devel
BuildRequires: libtool
BuildRequires: libxml2-devel
BuildRequires: libxslt-devel
BuildRequires: libyaml-devel
BuildRequires: lua
BuildRequires: openldap2-devel
BuildRequires: perl-XML-Parser
BuildRequires: perl-XML-XPath
BuildRequires: pkgconfig
BuildRequires: procps
BuildRequires: procps-devel
BuildRequires: python3-devel
BuildRequires: rpm-devel
BuildRequires: swig
BuildRequires: systemd-rpm-macros
BuildRequires: unixODBC-devel
BuildRequires: xmlsec1-devel
BuildRequires: xmlsec1-openssl-devel
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(gobject-2.0)
BuildRequires: pkgconfig(libpcre2-8)
BuildRequires: pkgconfig(systemd)
# remove extra packages from version 1.2.9 and older
Obsoletes: openscap-engine-sce < %{version}
Obsoletes: openscap-extra-probes < %{version}
BuildRequires: distribution-release
%description
OpenSCAP is a set of open source libraries providing an easier path for
integration of the SCAP line of standards.
SCAP is a line of standards managed by NIST with the goal of providing
a standard language for the expression of Computer Network Defense
related information.
More information about SCAP can be found at nvd.nist.gov.
%package devel
Summary: Development Files for OpenSCAP
Group: Development/Libraries/C and C++
Requires: %{name} = %{version}-%{release}
Requires: libopenscap%{sover} = %{version}
%description devel
This package contains the development files (mainly C header files) for the
OpenSCAP C library.
%package containers
Summary: OpenSCAP plugin for scanning containers
Group: System/Libraries
Provides: openscap-docker = %{version}-%{release}
Obsoletes: openscap-docker < %{version}-%{release}
%description containers
This package contains plugins for scanning containers using OpenSCAP either via
podman or docker.
%if 0%{?with_bindings}
%package -n python-openscap
Summary: OpenSCAP Python Library
Group: Development/Libraries/Python
Requires: %{name} = %{version}-%{release}
Provides: openscap-python = %{version}-%{release}
%description -n python-openscap
The OpenSCAP Python Library for easy integration with SCAP.
%package -n perl-openscap
Summary: OpenSCAP Perl Library
Group: Development/Libraries/Perl
Requires: %{name} = %{version}-%{release}
Requires: perl = %{perl_version}
Provides: openscap-perl = %{version}-%{release}
%description -n perl-openscap
The OpenSCAP Perl Library for easy integration with SCAP.
%endif
%package -n libopenscap%{sover}
Summary: OpenSCAP C Library
Group: System/Libraries
%description -n libopenscap%{sover}
The OpenSCAP C Library for easy integration with SCAP.
%package utils
Summary: Openscap utilities
Group: System/Monitoring
Requires: %{name} = %{version}-%{release}
Requires: libopenscap%{sover} >= %{version}-%{release}
Requires(pre): %fillup_prereq
%systemd_requires
%description utils
The %{name}-utils package contains various utilities based on %{name} library.
%package content
Summary: SCAP content
Group: System/Monitoring
Requires: %{name} = %{version}-%{release}
Requires: libopenscap%{sover} >= %{version}-%{release}
%description content
SCAP content for Fedora delivered by Open-SCAP project.
%package -n libopenscap_sce%{sover}
Summary: Script Checking Engine Library for OpenSCAP
Group: System/Libraries
%description -n libopenscap_sce%{sover}
This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
%{!?python_sitearch: %global python_sitearch %(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
%prep
%autosetup -p1
%build
%cmake \
-DENABLE_DOCS=TRUE \
%if 0%{?suse_version} < 1600
-DCMAKE_INSTALL_DOCDIR:PATH=%{_docdir}/%{name} \
%endif
-DCMAKE_SHARED_LINKER_FLAGS="" \
-DENABLE_OSCAP_REMEDIATE_SERVICE=TRUE \
-DWITH_PCRE2=ON \
%if !0%{?with_bindings}
-DENABLE_PYTHON3=FALSE \
-DENABLE_PERL=FALSE \
%endif
%{nil}
%if 0%{?sle_version} > 150100 || 0%{?suse_version} == 1599
%cmake_build
%else
%make_jobs
%endif
%check
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir}
cd build
# unit tests do not succeed, while working on 1.3 migration we submitted a few
# patches upstream but there is still one unit test that always fails and 1-3
# which fail occasionally
ctest %{?_smp_mflags} || :
cd ..
%install
%cmake_install
mkdir -p %{buildroot}/%{_fillupdir}
install -m 644 %{SOURCE2} %{buildroot}/%{_fillupdir}
mkdir -p %{buildroot}/%{_libexecdir}/openscap
mkdir -p %{buildroot}/%{_libdir}/openscap
install -m 644 %{SOURCE3} %{buildroot}/%{_datadir}/openscap
install -m 644 %{SOURCE4} %{buildroot}/%{_datadir}/openscap
# specific local scan during boot script
mkdir -p %{buildroot}/%{_unitdir}
install -m 644 %{SOURCE5} %{buildroot}/%{_unitdir}/oscap-scan.service
mkdir -p %{buildroot}/%{_bindir}
install -m 755 %{SOURCE6} %{buildroot}/%{_bindir}/oscap-scan
mkdir -p %{buildroot}/%{_sbindir}
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcoscap-scan
mkdir -p %{buildroot}%{_datadir}/bash-completion/completions
mv %{buildroot}%{_sysconfdir}/bash_completion.d/* %{buildroot}%{_datadir}/bash-completion/completions/
# create symlinks to default content
ln -s %{_datadir}/openscap/scap-yast2sec-oval.xml %{buildroot}/%{_datadir}/openscap/scap-oval.xml
ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/openscap/scap-xccdf.xml
# for some reason the serivce file is put under /usr/usr/lib/systemd..
mv %{buildroot}/usr/%{_unitdir}/oscap-remediate.service %{buildroot}/%{_unitdir}
# oscap-remediate should be in /usr/libexec but this is not well supported in
# older versions of the distro
%if 0%{?suse_version} != 1599
%if 0%{?sle_version} > 150200
mv %{buildroot}/%{_libexecdir}/oscap-remediate %{buildroot}/%{_bindir}
%else
# in older versions _libexecdir expands to /usr/lib, which does not help
mv %{buildroot}/%{_prefix}/libexec/oscap-remediate %{buildroot}/%{_bindir}
%endif
%endif
%post -n libopenscap%{sover} -p /sbin/ldconfig
%postun -n libopenscap%{sover} -p /sbin/ldconfig
%post -n libopenscap_sce%{sover} -p /sbin/ldconfig
%postun -n libopenscap_sce%{sover} -p /sbin/ldconfig
%post -n openscap-utils
%service_add_post oscap-scan.service oscap-remediate.service
%postun -n openscap-utils
%service_del_postun oscap-scan.service oscap-remediate.service
%pre -n openscap-utils
%service_add_pre oscap-scan.service oscap-remediate.service
%preun -n openscap-utils
%service_del_preun oscap-scan.service oscap-remediate.service
%files
%license COPYING
%doc AUTHORS NEWS
%dir %{_datadir}/openscap
%dir %{_datadir}/openscap/cpe
%dir %{_datadir}/openscap/schemas
%dir %{_datadir}/openscap/xsl
%{_datadir}/openscap/cpe/*
%{_datadir}/openscap/schemas/*
%{_datadir}/openscap/xsl/*
%files -n libopenscap%{sover}
%{_libdir}/libopenscap.so.%{sover}*
%files devel
%dir %{_docdir}/openscap
%{_docdir}/openscap/html
%{_docdir}/openscap/manual
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%{_includedir}/*
%files containers
%{python3_sitelib}/oscap_docker_python
%{_bindir}/oscap-docker
%{_bindir}/oscap-podman
%{_mandir}/man8/oscap-podman.8*
%{_mandir}/man8/oscap-docker.8*
%if 0%{?with_bindings}
%files -n python-openscap
%{python_sitearch}/*
%files -n perl-openscap
%{perl_vendorlib}/openscap.pm
%{perl_vendorarch}/openscap_pm.so
%endif
%files utils
%{_fillupdir}/sysconfig.oscap-scan
%doc docs/oscap-scan.cron
%{_mandir}/man8/*
%{_unitdir}/oscap-scan.service
%{_bindir}/autotailor
%{_bindir}/oscap
%{_bindir}/oscap-vm
%{_bindir}/oscap-scan
%{_bindir}/oscap-ssh
%{_bindir}/oscap-chroot
%{_bindir}/scap-as-rpm
%{_bindir}/oscap-run-sce-script
%{_sbindir}/rcoscap-scan
%{_datadir}/bash-completion/completions/*
%exclude %{_mandir}/man8/oscap-podman.8*
%exclude %{_mandir}/man8/oscap-docker.8*
%{_bindir}/oscap-remediate-offline
%{_prefix}/lib/systemd/system/oscap-remediate.service
%if 0%{?suse_version} != 1599
%{_bindir}/oscap-remediate
%else
%{_libexecdir}/oscap-remediate
%endif
%files content
%{_datadir}/openscap/scap*.xml
%files -n libopenscap_sce%{sover}
%{_libdir}/libopenscap_sce.so.*
%changelog

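--- a/oscap-scan.service
+++ b/oscap-scan.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenSCAP security scanner
+Wants=local-fs.target
+After=local-fs.target
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/oscap-scan
+ExecStart=/usr/bin/oscap $OPTIONS
+[Install]
+WantedBy=multi-user.target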
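Review bot: `Type=forking` on the `[Service]` line does not match what `ExecStart=/usr/bin/oscap $OPTIONS` runs: oscap scans in the foreground and exits rather than daemonizing, so systemd will only consider the unit started once the scan process is gone and, with no PIDFile, a non-zero exit (a scan error or a failed rule) presumably lands the unit in the failed state straight away; `Type=oneshot` is the type that expresses "run to completion". The unit also bypasses the wrapper the spec installs as `/usr/bin/oscap-scan` (apparently `oscap-scan.sh`, which logs PASS/ERROR/FAILED via logger and refuses to run without OPTIONS), so a boot-time scan leaves no syslog trace of its outcome; `ExecStart=/usr/bin/oscap-scan` would keep the two paths consistent. Since `EnvironmentFile=-` tolerates a missing sysconfig file, an empty `$OPTIONS` makes the unit run bare `oscap`, which just prints usage and fails; `ConditionPathExists=/etc/sysconfig/oscap-scan` under `[Unit]` would skip cleanly instead.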

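--- a/oscap-scan.sh
+++ b/oscap-scan.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+prog="oscap"
+# Check config
+test -f /etc/sysconfig/oscap-scan && . /etc/sysconfig/oscap-scan
+RETVAL=0
+test -f /etc/sysconfig/oscap-scan || exit 6
+test x"$OPTIONS" != "x" || exit 6
+$prog $OPTIONS
+ERR=$?
+if [ $ERR -eq 0 ] ; then
+logger "OpenSCAP security scan: PASS"
+elif [ $ERR -eq 1 ] ; then
+logger "OpenSCAP security scan: ERROR. Run oscap scan from command line."
+else
+logger "OpenSCAP security scan: FAILED. See results in /var/log/oscap-scan.xml.log"
+fi
+exit 0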
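Review bot: The unconditional `exit 0` on the last line discards the scanner's result, so a systemd unit, cron job or monitoring hook wrapping this script can never distinguish a clean scan from the ERROR branch (`-eq 1`) or the FAILED branch (the `else`); propagating it with `exit $ERR` keeps the logger messages and lets the caller act on the outcome. The sysconfig file is sourced on the `test -f ... && . ...` line before its existence is checked by `test -f ... || exit 6` two lines later, so the check can only fail after the file has already been executed; swapping the two lines makes the guard effective, and `RETVAL=0` is assigned but never used. The FAILED message hard-codes `/var/log/oscap-scan.xml.log`, which is only where results land if `$OPTIONS` in the sysconfig file says so; a comment such as `# log path below assumes OPTIONS passes --results /var/log/oscap-scan.xml.log` would make that coupling visible to whoever edits either file.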

577
scap-yast2sec-oval.xml Normal file

@ -0,0 +1,577 @@
<?xml version="1.0"?>
<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
<generator>
<oval:product_name>vim</oval:product_name>
<oval:schema_version>5.9</oval:schema_version>
<oval:timestamp>2011-10-31T12:00:00-04:00</oval:timestamp>
</generator>
<definitions>
<!-- @@GENOVAL START DEFINITIONS -->
<definition class="compliance" id="oval:de.suse.suse121:def:2" version="1">
<metadata>
<title>sysctl net.ipv4.ip_forward must be 0</title>
<description>sysctl net.ipv4.ip_forward must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:2" comment="sysctl net.ipv4.ip_forward must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:3" version="1">
<metadata>
<title>sysctl net.ipv4.tcp_syncookies must be 1</title>
<description>sysctl net.ipv4.tcp_syncookies must be 1</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:3" comment="sysctl net.ipv4.tcp_syncookies must be 1" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:4" version="1">
<metadata>
<title>sysctl net.ipv6.conf.all.forwarding must be 0</title>
<description>sysctl net.ipv6.conf.all.forwarding must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:4" comment="sysctl net.ipv6.conf.all.forwarding must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:5" version="1">
<metadata>
<title>sysctl net.ipv6.conf.default.forwarding must be 0</title>
<description>sysctl net.ipv6.conf.default.forwarding must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:5" comment="sysctl net.ipv6.conf.default.forwarding must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:6" version="1">
<metadata>
<title>kernel config CONFIG_SYN_COOKIES must be y</title>
<description>kernel config CONFIG_SYN_COOKIES must be y</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:6" comment="kernel config CONFIG_SYN_COOKIES must be y" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:9" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</title>
<description>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:9" comment="file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:10" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</title>
<description>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:10" comment="file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:11" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</title>
<description>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:11" comment="file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:12" version="1">
<metadata>
<title>file /etc/pam.d/common-password must have a line that matches minlen=6</title>
<description>file /etc/pam.d/common-password must have a line that matches minlen=6</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:12" comment="file /etc/pam.d/common-password must have a line that matches minlen=6" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:13" version="1">
<metadata>
<title>file /etc/pam.d/common-password must have a line that matches remember=</title>
<description>file /etc/pam.d/common-password must have a line that matches remember=</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:13" comment="file /etc/pam.d/common-password must have a line that matches remember=" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:16" version="1">
<metadata>
<title>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</title>
<description>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:16" comment="file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:17" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^FAIL_DELAY</title>
<description>file /etc/login.defs must have a line that matches ^FAIL_DELAY</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:17" comment="file /etc/login.defs must have a line that matches ^FAIL_DELAY" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:18" version="1">
<metadata>
<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</title>
<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:18" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:19" version="1">
<metadata>
<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</title>
<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:19" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:22" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</title>
<description>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:22" comment="file /etc/login.defs must have a line that matches ^UID_MIN.*1000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:23" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</title>
<description>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:23" comment="file /etc/login.defs must have a line that matches ^UID_MAX.*60000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:24" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</title>
<description>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:24" comment="file /etc/login.defs must have a line that matches ^GID_MIN.*1000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:25" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</title>
<description>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:25" comment="file /etc/login.defs must have a line that matches ^GID_MAX.*60000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:29" version="1">
<metadata>
<title>sysctl kernel.sysrq must be 0</title>
<description>sysctl kernel.sysrq must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:29" comment="sysctl kernel.sysrq must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:30" version="1">
<metadata>
<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</title>
<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:30" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:31" version="1">
<metadata>
<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</title>
<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:31" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:32" version="1">
<metadata>
<title>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</title>
<description>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:32" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:33" version="1">
<metadata>
<title>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</title>
<description>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:33" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:38" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:38" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:39" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:39" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:40" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:40" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:41" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:41" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:42" version="1">
<metadata>
<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</title>
<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:42" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:43" version="1">
<metadata>
<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</title>
<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:43" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes" />
</criteria>
</definition>
<!-- @@GENOVAL END DEFINITIONS -->
</definitions>
<tests>
<!-- @@GENOVAL START TESTS -->
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:2" version="1" check="at least one" comment="sysctl net.ipv4.ip_forward must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:1" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:3" version="1" check="at least one" comment="sysctl net.ipv4.tcp_syncookies must be 1" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:2" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:2" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:4" version="1" check="at least one" comment="sysctl net.ipv6.conf.all.forwarding must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:4" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:5" version="1" check="at least one" comment="sysctl net.ipv6.conf.default.forwarding must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:5" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:6" version="1" check="at least one" comment="kernel config CONFIG_SYN_COOKIES must be y" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:3" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:3" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:9" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:4" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:10" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:5" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:11" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:6" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:12" version="1" check="at least one" comment="file /etc/pam.d/common-password must have a line that matches minlen=6" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:10" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:17" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:13" version="1" check="at least one" comment="file /etc/pam.d/common-password must have a line that matches remember=" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:10" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:18" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:16" version="1" check="none satisfy" comment="file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:9" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:17" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^FAIL_DELAY" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:10" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:18" version="1" check="at least one" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:12" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:23" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:19" version="1" check="at least one" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:12" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:24" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:22" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^UID_MIN.*1000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:11" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:23" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^UID_MAX.*60000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:12" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:24" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^GID_MIN.*1000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:13" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:25" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^GID_MAX.*60000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:14" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:29" version="1" check="at least one" comment="sysctl kernel.sysrq must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:6" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:30" version="1" check="none satisfy" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:9" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:15" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:31" version="1" check="none satisfy" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:9" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:16" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:32" version="1" check="at least one" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:13" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:25" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:33" version="1" check="at least one" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:13" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:26" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:38" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:19" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:39" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:20" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:40" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:21" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:41" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:22" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:42" version="1" check="at least one" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:14" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:27" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:43" version="1" check="at least one" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:14" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:28" />
</ind-def:textfilecontent54_test>
<!-- @@GENOVAL END TESTS -->
</tests>
<objects>
<!-- @@GENOVAL START OBJECTS -->
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:1" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/ip_forward">
<ind-def:filepath>/proc/sys/net/ipv4/ip_forward</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:2" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/tcp_syncookies">
<ind-def:filepath>/proc/sys/net/ipv4/tcp_syncookies</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:3" version="1" comment="Kernel configuration entry CONFIG_SYN_COOKIES">
<ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
<ind-def:pattern operation="pattern match">(CONFIG_SYN_COOKIES.*)</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:4" version="1" comment="Non-comment lines in /proc/sys/net/ipv6/conf/all/forwarding">
<ind-def:filepath>/proc/sys/net/ipv6/conf/all/forwarding</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:5" version="1" comment="Non-comment lines in /proc/sys/net/ipv6/conf/default/forwarding">
<ind-def:filepath>/proc/sys/net/ipv6/conf/default/forwarding</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:6" version="1" comment="Non-comment lines in /proc/sys/kernel/sysrq">
<ind-def:filepath>/proc/sys/kernel/sysrq</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:7" version="1" comment="Non-comment lines in /etc/login.defs">
<ind-def:filepath>/etc/login.defs</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:8" version="1" comment="Non-comment lines in /etc/pam.d/common-passwd">
<ind-def:filepath>/etc/pam.d/common-passwd</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:9" version="1" comment="Non-comment lines in /etc/default/passwd">
<ind-def:filepath>/etc/default/passwd</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:10" version="1" comment="Non-comment lines in /etc/pam.d/common-password">
<ind-def:filepath>/etc/pam.d/common-password</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:11" version="1" comment="Non-comment lines in /etc/sysconfig/dhcpd">
<ind-def:filepath>/etc/sysconfig/dhcpd</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:12" version="1" comment="Non-comment lines in /etc/sysconfig/displaymanager">
<ind-def:filepath>/etc/sysconfig/displaymanager</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:13" version="1" comment="Non-comment lines in /etc/sysconfig/security">
<ind-def:filepath>/etc/sysconfig/security</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:14" version="1" comment="Non-comment lines in /etc/sysconfig/services">
<ind-def:filepath>/etc/sysconfig/services</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<!-- @@GENOVAL END OBJECTS -->
</objects>
<states>
<!-- @@GENOVAL START STATES -->
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:1" version="1" comment="The match of 0">
<ind-def:subexpression operation="pattern match">0</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:2" version="1" comment="The match of 1">
<ind-def:subexpression operation="pattern match">1</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:3" version="1" comment="The match of CONFIG_SYN_COOKIES=y">
<ind-def:subexpression operation="pattern match">CONFIG_SYN_COOKIES=y</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:4" version="1" comment="The match of ^PASS_MAX_DAYS.*99999">
<ind-def:subexpression operation="pattern match">^PASS_MAX_DAYS.*99999</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:5" version="1" comment="The match of ^PASS_MIN_DAYS.*0">
<ind-def:subexpression operation="pattern match">^PASS_MIN_DAYS.*0</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:6" version="1" comment="The match of ^PASS_WARN_AGE.*7">
<ind-def:subexpression operation="pattern match">^PASS_WARN_AGE.*7</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:7" version="1" comment="The match of ^minlen=6">
<ind-def:subexpression operation="pattern match">^minlen=6</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:8" version="1" comment="The match of ^remember=">
<ind-def:subexpression operation="pattern match">^remember=</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:9" version="1" comment="The match of ^FAIL_DELAY.*0">
<ind-def:subexpression operation="pattern match">^FAIL_DELAY.*0</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:10" version="1" comment="The match of ^FAIL_DELAY">
<ind-def:subexpression operation="pattern match">^FAIL_DELAY</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:11" version="1" comment="The match of ^UID_MIN.*1000">
<ind-def:subexpression operation="pattern match">^UID_MIN.*1000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:12" version="1" comment="The match of ^UID_MAX.*60000">
<ind-def:subexpression operation="pattern match">^UID_MAX.*60000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:13" version="1" comment="The match of ^GID_MIN.*1000">
<ind-def:subexpression operation="pattern match">^GID_MIN.*1000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:14" version="1" comment="The match of ^GID_MAX.*60000">
<ind-def:subexpression operation="pattern match">^GID_MAX.*60000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:15" version="1" comment="The match of ^CRYPT_FILES=md5">
<ind-def:subexpression operation="pattern match">^CRYPT_FILES=md5</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:16" version="1" comment="The match of ^CRYPT_FILES=des">
<ind-def:subexpression operation="pattern match">^CRYPT_FILES=des</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:17" version="1" comment="The match of minlen=6">
<ind-def:subexpression operation="pattern match">minlen=6</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:18" version="1" comment="The match of remember=">
<ind-def:subexpression operation="pattern match">remember=</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:19" version="1" comment="The match of ^DHCPD_RUN_CHROOTED.*yes">
<ind-def:subexpression operation="pattern match">^DHCPD_RUN_CHROOTED.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:20" version="1" comment="The match of ^DHCPD_RUN_AS.*dhcpd">
<ind-def:subexpression operation="pattern match">^DHCPD_RUN_AS.*dhcpd</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:21" version="1" comment="The match of ^DHCPD6_RUN_CHROOTED.*yes">
<ind-def:subexpression operation="pattern match">^DHCPD6_RUN_CHROOTED.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:22" version="1" comment="The match of ^DHCPD6_RUN_AS.*dhcpd">
<ind-def:subexpression operation="pattern match">^DHCPD6_RUN_AS.*dhcpd</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:23" version="1" comment="The match of ^DISPLAYMANAGER_REMOTE_ACCESS.*no">
<ind-def:subexpression operation="pattern match">^DISPLAYMANAGER_REMOTE_ACCESS.*no</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:24" version="1" comment="The match of ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no">
<ind-def:subexpression operation="pattern match">^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:25" version="1" comment="The match of ^CHECK_PERMISSIONS.*set">
<ind-def:subexpression operation="pattern match">^CHECK_PERMISSIONS.*set</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:26" version="1" comment="The match of ^CHECK_SIGNATURES.*yes">
<ind-def:subexpression operation="pattern match">^CHECK_SIGNATURES.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:27" version="1" comment="The match of ^DISABLE_RESTART_ON_UPDATE.*yes">
<ind-def:subexpression operation="pattern match">^DISABLE_RESTART_ON_UPDATE.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:28" version="1" comment="The match of ^DISABLE_STOP_ON_REMOVAL.*yes">
<ind-def:subexpression operation="pattern match">^DISABLE_STOP_ON_REMOVAL.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<!-- @@GENOVAL END STATES -->
</states>
<!--
<variables>
-->
<!-- @@GENOVAL START VARIABLES -->
<!-- @@GENOVAL END VARIABLES -->
<!--
<local_variable id="oval:de.suse.suse121.genoval:var:1" version="1" datatype="string" comment="Location where the helper scripts output is stored">
<object_component item_field="value" object_ref="oval:de.suse.suse121.genoval:obj:1"/>
</local_variable>
</variables>
-->
</oval_definitions>

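--- a/scap-yast2sec-xccdf.xml
+++ b/scap-yast2sec-xccdf.xml
@@ -0,0 +1,319 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="SUSE-Security-Benchmark-YaST2" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="0">
+<status date="2012-07-24">draft</status>
+<title>Hardening Linux Kernel</title>
+<description>
+The Linux kernel is at the heart of every Linux system. With its extensive configuration
+options, it comes to no surprise that specific settings can be enabled to further harden
+your system.
+<h:br />
+<h:br />
+In this guide, we focus on Linux kernel configuration entries that support additional
+hardening of your system, as well as the configuration through the <h:em>syctl</h:em>
+settings.
+</description>
+<version>1</version>
+<model system="urn:xccdf:scoring:default"/>
+<model system="urn:xccdf:scoring:flat"/>
+<Profile id="Default">
+<title>Default vanilla kernel hardening</title>
+<description>
+Profile matching all standard (vanilla-kernel) hardening rules
+</description>
+<select idref="rule-sysctl-ipv4-forward" selected="true" />
+<select idref="rule-sysctl-ipv4-tcpsyncookies" selected="true" />
+<select idref="rule-sysctl-ipv6-all-forward" selected="true" />
+<select idref="rule-sysctl-ipv6-default-forward" selected="true" />
+<select idref="rule-kernel-syncookies" selected="true" />
+<select idref="rule-pwd-maxdays" selected="true" />
+<select idref="rule-pwd-mindays" selected="true" />
+<select idref="rule-pwd-warnage" selected="true" />
+<select idref="rule-pwd-minlen" selected="true" />
+<select idref="rule-pwd-remember" selected="true" />
+<select idref="rule-authc-faildelay" selected="true" />
+<select idref="rule-authc-faildelayexist" selected="true" />
+<select idref="rule-authc-xdmcp-remote" selected="true" />
+<select idref="rule-authc-xdmcp-root" selected="true" />
+<select idref="rule-usermgmt-uidmin" selected="true" />
+<select idref="rule-usermgmt-uidmax" selected="true" />
+<select idref="rule-usermgmt-gidmin" selected="true" />
+<select idref="rule-usermgmt-gidmax" selected="true" />
+<select idref="rule-misc-sysrq" selected="true" />
+<select idref="rule-misc-hashalgo_md5" selected="true" />
+<select idref="rule-misc-hashalgo_des" selected="true" />
+<select idref="rule-misc-perm-check" selected="true" />
+<select idref="rule-misc-sig-check" selected="true" />
+<select idref="rule-srvc-dhcpd-chroot" selected="true" />
+<select idref="rule-srvc-dhcpd-uid" selected="true" />
+<select idref="rule-srvc-dhcpd6-chroot" selected="true" />
+<select idref="rule-srvc-dhcpd6-uid" selected="true" />
+<select idref="rule-srvc-update-restart" selected="true" />
+<select idref="rule-srvc-remove-stop" selected="true" />
+</Profile>
+<!-- @@GEN START rule-sysctl-ipv4-forward -->
+<Rule id="rule-sysctl-ipv4-forward" selected="false">
+<title>sysctl net.ipv4.ip_forward must be 0</title>
+<description>sysctl net.ipv4.ip_forward must be 0</description>
+<fix>echo 0 &gt; /proc/sys/net/ipv4/ip_forward</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:2" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv4-forward -->
+<!-- @@GEN START rule-sysctl-ipv4-tcpsyncookies -->
+<Rule id="rule-sysctl-ipv4-tcpsyncookies" selected="false">
+<title>sysctl net.ipv4.tcp_syncookies must be 1</title>
+<description>sysctl net.ipv4.tcp_syncookies must be 1</description>
+<fix>echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:3" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv4-tcpsyncookies -->
+<!-- @@GEN START rule-sysctl-ipv6-all-forward -->
+<Rule id="rule-sysctl-ipv6-all-forward" selected="false">
+<title>sysctl net.ipv6.conf.all.forwarding must be 0</title>
+<description>sysctl net.ipv6.conf.all.forwarding must be 0</description>
+<fix>echo 0 &gt; /proc/sys/net/ipv6/conf/all/forwarding</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:4" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv6-all-forward -->
+<!-- @@GEN START rule-sysctl-ipv6-default-forward -->
+<Rule id="rule-sysctl-ipv6-default-forward" selected="false">
+<title>sysctl net.ipv6.conf.default.forwarding must be 0</title>
+<description>sysctl net.ipv6.conf.default.forwarding must be 0</description>
+<fix>echo 0 &gt; /proc/sys/net/ipv6/conf/default/forwarding</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:5" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv6-default-forward -->
+<!-- @@GEN START rule-kernel-syncookies -->
+<Rule id="rule-kernel-syncookies" selected="false">
+<title>kernel config CONFIG_SYN_COOKIES must be y</title>
+<description>kernel config CONFIG_SYN_COOKIES must be y</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:6" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-kernel-syncookies -->
+<!-- @@GEN START rule-pwd-maxdays -->
+<Rule id="rule-pwd-maxdays" selected="false">
+<title>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</title>
+<description>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:9" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-maxdays -->
+<!-- @@GEN START rule-pwd-mindays -->
+<Rule id="rule-pwd-mindays" selected="false">
+<title>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</title>
+<description>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:10" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-mindays -->
+<!-- @@GEN START rule-pwd-warnage -->
+<Rule id="rule-pwd-warnage" selected="false">
+<title>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</title>
+<description>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:11" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-warnage -->
+<!-- @@GEN START rule-pwd-minlen -->
+<Rule id="rule-pwd-minlen" selected="false">
+<title>file /etc/pam.d/common-password must have a line that matches minlen=6</title>
+<description>file /etc/pam.d/common-password must have a line that matches minlen=6</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:12" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-minlen -->
+<!-- @@GEN START rule-pwd-remember -->
+<Rule id="rule-pwd-remember" selected="false">
+<title>file /etc/pam.d/common-password must have a line that matches remember=</title>
+<description>file /etc/pam.d/common-password must have a line that matches remember=</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:13" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-remember -->
+<!-- @@GEN START rule-authc-faildelay -->
+<Rule id="rule-authc-faildelay" selected="false">
+<title>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</title>
+<description>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:16" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-faildelay -->
+<!-- @@GEN START rule-authc-faildelayexist -->
+<Rule id="rule-authc-faildelayexist" selected="false">
+<title>file /etc/login.defs must have a line that matches ^FAIL_DELAY</title>
+<description>file /etc/login.defs must have a line that matches ^FAIL_DELAY</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:17" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-faildelayexist -->
+<!-- @@GEN START rule-authc-xdmcp-remote -->
+<Rule id="rule-authc-xdmcp-remote" selected="false">
+<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</title>
+<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:18" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-xdmcp-remote -->
+<!-- @@GEN START rule-authc-xdmcp-root -->
+<Rule id="rule-authc-xdmcp-root" selected="false">
+<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</title>
+<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:19" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-xdmcp-root -->
+<!-- @@GEN START rule-usermgmt-uidmin -->
+<Rule id="rule-usermgmt-uidmin" selected="false">
+<title>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</title>
+<description>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:22" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-uidmin -->
+<!-- @@GEN START rule-usermgmt-uidmax -->
+<Rule id="rule-usermgmt-uidmax" selected="false">
+<title>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</title>
+<description>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:23" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-uidmax -->
+<!-- @@GEN START rule-usermgmt-gidmin -->
+<Rule id="rule-usermgmt-gidmin" selected="false">
+<title>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</title>
+<description>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:24" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-gidmin -->
+<!-- @@GEN START rule-usermgmt-gidmax -->
+<Rule id="rule-usermgmt-gidmax" selected="false">
+<title>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</title>
+<description>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:25" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-gidmax -->
+<!-- @@GEN START rule-misc-sysrq -->
+<Rule id="rule-misc-sysrq" selected="false">
+<title>sysctl kernel.sysrq must be 0</title>
+<description>sysctl kernel.sysrq must be 0</description>
+<fix>echo 0 &gt; /proc/sys/kernel/sysrq</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:29" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-sysrq -->
+<!-- @@GEN START rule-misc-hashalgo_md5 -->
+<Rule id="rule-misc-hashalgo_md5" selected="false">
+<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</title>
+<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:30" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-hashalgo_md5 -->
+<!-- @@GEN START rule-misc-hashalgo_des -->
+<Rule id="rule-misc-hashalgo_des" selected="false">
+<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</title>
+<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:31" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-hashalgo_des -->
+<!-- @@GEN START rule-misc-perm-check -->
+<Rule id="rule-misc-perm-check" selected="false">
+<title>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</title>
+<description>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:32" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-perm-check -->
+<!-- @@GEN START rule-misc-sig-check -->
+<Rule id="rule-misc-sig-check" selected="false">
+<title>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</title>
+<description>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:33" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-sig-check -->
+<!-- @@GEN START rule-srvc-dhcpd-chroot -->
+<Rule id="rule-srvc-dhcpd-chroot" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:38" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd-chroot -->
+<!-- @@GEN START rule-srvc-dhcpd-uid -->
+<Rule id="rule-srvc-dhcpd-uid" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:39" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd-uid -->
+<!-- @@GEN START rule-srvc-dhcpd6-chroot -->
+<Rule id="rule-srvc-dhcpd6-chroot" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:40" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd6-chroot -->
+<!-- @@GEN START rule-srvc-dhcpd6-uid -->
+<Rule id="rule-srvc-dhcpd6-uid" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:41" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd6-uid -->
+<!-- @@GEN START rule-srvc-update-restart -->
+<Rule id="rule-srvc-update-restart" selected="false">
+<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</title>
+<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:42" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-update-restart -->
+<!-- @@GEN START rule-srvc-remove-stop -->
+<Rule id="rule-srvc-remove-stop" selected="false">
+<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</title>
+<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:43" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-remove-stop -->
+</Benchmark>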
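Review bot: The benchmark-level `<description>` near the top of scap-yast2sec-xccdf.xml misspells the tool it refers to as `<h:em>syctl</h:em>`; this text is rendered into every generated report, so it should read `<h:em>sysctl</h:em>`. Separately, rule-pwd-maxdays and rule-pwd-mindays require `^PASS_MAX_DAYS.*99999` and `^PASS_MIN_DAYS.*0`, which are the no-expiry defaults rather than hardened values, so a host with password ageing enabled would fail a profile titled "kernel hardening"; this looks like the generator echoed the YaST defaults into the rule text, and the intended values are worth confirming before the benchmark leaves `draft` status. The `<fix>` elements on the sysctl rules carry bare shell (`echo 0 &gt; /proc/sys/...`) with no `system` attribute and only change the running kernel, not the persisted sysctl configuration; a rule-description sentence along the lines of "this fix is runtime-only; persist the setting in the sysctl configuration" would tell consumers of the remediation what to expect.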

11
sysconfig.oscap-scan Normal file

@ -0,0 +1,11 @@
## Path: System/Security
## Description: oscap-scan command line options
## Type: string
## Default: ""
## ServiceRestart: oscap-scan
#
# oscap-scan command line options
# Example: OPTIONS="-q xccdf eval --profile F14-Desktop --report /var/log/oscap-scan-log.html --results /var/log/oscap-scan-log.xml /usr/share/openscap/scap-xccdf.xml"
#
OPTIONS=""