diff options
| author | Andrew Geissler <geissonator@yahoo.com> | 2023-09-11 15:36:15 +0300 |
|---|---|---|
| committer | Andrew Geissler <geissonator@yahoo.com> | 2023-09-11 15:36:15 +0300 |
| commit | 80d41842d41c701edac5b2c768da574f260fa6a3 (patch) | |
| tree | 7d58015c844bd241f3c1737b1af0d4b53dfe8c67 /meta-security/recipes-compliance | |
| parent | fc7e7973f3119e2bad511209aa336537dc5ffbed (diff) | |
| download | openbmc-80d41842d41c701edac5b2c768da574f260fa6a3.tar.xz | |
Revert "subtree updates"
Needs to go through CI
This reverts commit fc7e7973f3119e2bad511209aa336537dc5ffbed.
Diffstat (limited to 'meta-security/recipes-compliance')
| -rw-r--r-- | meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch | 388 | ||||
| -rw-r--r-- | meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb (renamed from meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb) | 10 |
2 files changed, 391 insertions, 7 deletions
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch new file mode 100644 index 0000000000..0db2b1203c --- /dev/null +++ b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch @@ -0,0 +1,388 @@ +From 826dd5b109f79270819703a23cc8066895d68042 Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Wed, 14 Jun 2023 07:46:55 -0400 +Subject: [PATCH 1/2] scap-security-guide: add openembedded distro support + +includes a standard profile for out-of-the-box checks + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Upstream-Status: Pending +https://github.com/ComplianceAsCode/content/pull/10793 +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + CMakeLists.txt | 5 + + build_product | 1 + + products/openembedded/CMakeLists.txt | 6 + + products/openembedded/product.yml | 19 ++ + .../openembedded/profiles/standard.profile | 166 ++++++++++++++++++ + .../openembedded/transforms/constants.xslt | 10 ++ + .../oval/installed_OS_is_openembedded.xml | 33 ++++ + .../oval/sysctl_kernel_ipv6_disable.xml | 1 + + ssg/constants.py | 5 +- + 9 files changed, 245 insertions(+), 1 deletion(-) + create mode 100644 products/openembedded/CMakeLists.txt + create mode 100644 products/openembedded/product.yml + create mode 100644 products/openembedded/profiles/standard.profile + create mode 100644 products/openembedded/transforms/constants.xslt + create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 6b1ac00ff9..e4191f2cef 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -97,6 +97,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be + option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) + option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) + option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) ++option(SSG_PRODUCT_OE "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) + + + option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE) +@@ -291,6 +292,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}") + message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}") + message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}") + message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}") ++message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OE}") + + + message(STATUS " ") +@@ -409,6 +411,9 @@ endif() + if(SSG_PRODUCT_UOS20) + add_subdirectory("products/uos20" "uos20") + endif() ++if (SSG_PRODUCT_OE) ++ add_subdirectory("products/openembedded" "openembedded") ++endif() + + # ZIP only contains source datastreams and kickstarts, people who + # want sources to build from should get the tarball instead. +diff --git a/build_product b/build_product +index fc793cbe70..7bdc03edfe 100755 +--- a/build_product ++++ b/build_product +@@ -333,6 +333,7 @@ all_cmake_products=( + UBUNTU2204 + UOS20 + MACOS1015 ++ OPENEMBEDDED + ) + + DEFAULT_OVAL_MAJOR_VERSION=5 +diff --git a/products/openembedded/CMakeLists.txt b/products/openembedded/CMakeLists.txt +new file mode 100644 +index 0000000000..1981adf53e +--- /dev/null ++++ b/products/openembedded/CMakeLists.txt +@@ -0,0 +1,6 @@ ++# Sometimes our users will try to do: "cd openembedded; cmake ." That needs to error in a nice way. ++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") ++ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") ++endif() ++ ++ssg_build_product("openembedded") +diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml +new file mode 100644 +index 0000000000..debf6870ef +--- /dev/null ++++ b/products/openembedded/product.yml +@@ -0,0 +1,19 @@ ++product: openembedded ++full_name: OpemEmbedded ++type: platform ++ ++benchmark_id: OPENEMBEDDED ++benchmark_root: "../../linux_os/guide" ++ ++profiles_root: "./profiles" ++ ++pkg_manager: "dnf" ++ ++init_system: "systemd" ++ ++cpes_root: "../../shared/applicability" ++cpes: ++ - openembedded: ++ name: "cpe:/o:openembedded:nodistro:" ++ title: "OpenEmbedded nodistro" ++ check_id: installed_OS_is_openembedded +diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile +new file mode 100644 +index 0000000000..fcb9e0e5c2 +--- /dev/null ++++ b/products/openembedded/profiles/standard.profile +@@ -0,0 +1,166 @@ ++documentation_complete: true ++ ++title: 'Sample Security Profile for OpenEmbedded Distros' ++ ++description: |- ++ This profile is an sample for use in documentation and example content. ++ The selected rules are standard and should pass quickly on most systems. ++ ++selections: ++ - file_owner_etc_passwd ++ - file_groupowner_etc_passwd ++ - service_crond_enabled ++ - file_groupowner_crontab ++ - file_owner_crontab ++ - file_permissions_crontab ++ - file_groupowner_cron_hourly ++ - file_owner_cron_hourly ++ - file_permissions_cron_hourly ++ - file_groupowner_cron_daily ++ - file_owner_cron_daily ++ - file_permissions_cron_daily ++ - file_groupowner_cron_weekly ++ - file_owner_cron_weekly ++ - file_permissions_cron_weekly ++ - file_groupowner_cron_monthly ++ - file_owner_cron_monthly ++ - file_permissions_cron_monthly ++ - file_groupowner_cron_d ++ - file_owner_cron_d ++ - file_permissions_cron_d ++ - file_groupowner_cron_allow ++ - file_owner_cron_allow ++ - file_cron_deny_not_exist ++ - file_groupowner_at_allow ++ - file_owner_at_allow ++ - file_at_deny_not_exist ++ - file_permissions_at_allow ++ - file_permissions_cron_allow ++ - file_groupowner_sshd_config ++ - file_owner_sshd_config ++ - file_permissions_sshd_config ++ - file_permissions_sshd_private_key ++ - file_permissions_sshd_pub_key ++ - sshd_set_loglevel_verbose ++ - sshd_set_loglevel_info ++ - sshd_max_auth_tries_value=4 ++ - sshd_set_max_auth_tries ++ - sshd_disable_rhosts ++ - disable_host_auth ++ - sshd_disable_root_login ++ - sshd_disable_empty_passwords ++ - sshd_do_not_permit_user_env ++ - sshd_idle_timeout_value=15_minutes ++ - sshd_set_idle_timeout ++ - sshd_set_keepalive ++ - var_sshd_set_keepalive=0 ++ - sshd_set_login_grace_time ++ - var_sshd_set_login_grace_time=60 ++ - sshd_enable_warning_banner ++ - sshd_enable_pam ++ - sshd_set_maxstartups ++ - var_sshd_set_maxstartups=10:30:60 ++ - sshd_set_max_sessions ++ - var_sshd_max_sessions=10 ++ - accounts_password_pam_minclass ++ - accounts_password_pam_minlen ++ - accounts_password_pam_retry ++ - var_password_pam_minclass=4 ++ - var_password_pam_minlen=14 ++ - locking_out_password_attempts ++ - accounts_password_pam_pwhistory_remember_password_auth ++ - accounts_password_pam_pwhistory_remember_system_auth ++ - var_password_pam_remember_control_flag=required ++ - var_password_pam_remember=5 ++ - set_password_hashing_algorithm_systemauth ++ - var_accounts_maximum_age_login_defs=365 ++ - accounts_password_set_max_life_existing ++ - var_accounts_minimum_age_login_defs=7 ++ - accounts_password_set_min_life_existing ++ - var_accounts_password_warn_age_login_defs=7 ++ - account_disable_post_pw_expiration ++ - var_account_disable_post_pw_expiration=30 ++ - no_shelllogin_for_systemaccounts ++ - accounts_tmout ++ - var_accounts_tmout=15_min ++ - accounts_root_gid_zero ++ - accounts_umask_etc_bashrc ++ - use_pam_wheel_for_su ++ - sshd_allow_only_protocol2 ++ - journald_forward_to_syslog ++ - journald_compress ++ - journald_storage ++ - service_auditd_enabled ++ - service_httpd_disabled ++ - service_vsftpd_disabled ++ - service_named_disabled ++ - service_nfs_disabled ++ - service_rpcbind_disabled ++ - service_slapd_disabled ++ - service_dhcpd_disabled ++ - service_cups_disabled ++ - service_ypserv_disabled ++ - service_rsyncd_disabled ++ - service_avahi-daemon_disabled ++ - service_snmpd_disabled ++ - service_squid_disabled ++ - service_smb_disabled ++ - service_dovecot_disabled ++ - banner_etc_motd ++ - login_banner_text=cis_banners ++ - banner_etc_issue ++ - login_banner_text=cis_banners ++ - file_groupowner_etc_motd ++ - file_owner_etc_motd ++ - file_permissions_etc_motd ++ - file_groupowner_etc_issue ++ - file_owner_etc_issue ++ - file_permissions_etc_issue ++ - ensure_gpgcheck_globally_activated ++ - package_aide_installed ++ - aide_periodic_cron_checking ++ - grub2_password ++ - file_groupowner_grub2_cfg ++ - file_owner_grub2_cfg ++ - file_permissions_grub2_cfg ++ - require_singleuser_auth ++ - require_emergency_target_auth ++ - disable_users_coredumps ++ - configure_crypto_policy ++ - var_system_crypto_policy=default_policy ++ - dir_perms_world_writable_sticky_bits ++ - file_permissions_etc_passwd ++ - file_owner_etc_shadow ++ - file_groupowner_etc_shadow ++ - file_groupowner_etc_group ++ - file_owner_etc_group ++ - file_permissions_etc_group ++ - file_groupowner_etc_gshadow ++ - file_owner_etc_gshadow ++ - file_groupowner_backup_etc_passwd ++ - file_owner_backup_etc_passwd ++ - file_permissions_backup_etc_passwd ++ - file_groupowner_backup_etc_shadow ++ - file_owner_backup_etc_shadow ++ - file_permissions_backup_etc_shadow ++ - file_groupowner_backup_etc_group ++ - file_owner_backup_etc_group ++ - file_permissions_backup_etc_group ++ - file_groupowner_backup_etc_gshadow ++ - file_owner_backup_etc_gshadow ++ - file_permissions_unauthorized_world_writable ++ - file_permissions_ungroupowned ++ - accounts_root_path_dirs_no_write ++ - root_path_no_dot ++ - accounts_no_uid_except_zero ++ - file_ownership_home_directories ++ - file_groupownership_home_directories ++ - no_netrc_files ++ - no_rsh_trust_files ++ - account_unique_id ++ - group_unique_id ++ - group_unique_name ++ - wireless_disable_interfaces ++ - package_firewalld_installed ++ - service_firewalld_enabled ++ - package_iptables_installed +diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt +new file mode 100644 +index 0000000000..152571e8bb +--- /dev/null ++++ b/products/openembedded/transforms/constants.xslt +@@ -0,0 +1,10 @@ ++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> ++ ++<xsl:include href="../../../shared/transforms/shared_constants.xslt"/> ++ ++<xsl:variable name="product_long_name">OpenEmbedded</xsl:variable> ++<xsl:variable name="product_short_name">openembedded</xsl:variable> ++<xsl:variable name="product_stig_id_name">empty</xsl:variable> ++<xsl:variable name="prod_type">openembedded</xsl:variable> ++ ++</xsl:stylesheet> +diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml +new file mode 100644 +index 0000000000..11ebdca913 +--- /dev/null ++++ b/shared/checks/oval/installed_OS_is_openembedded.xml +@@ -0,0 +1,33 @@ ++<def-group> ++ <definition class="inventory" id="installed_OS_is_openembedded" version="1"> ++ <metadata> ++ <title>OpenEmbedded</title> ++ <affected family="unix"> ++ <platform>multi_platform_all</platform> ++ </affected> ++ <description>The operating system installed is an OpenEmbedded based system</description> ++ </metadata> ++ <criteria comment="System is OpenEmbedded based" operator="AND"> ++ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" /> ++ <criterion comment="OpenEmbedded distro" test_ref="test_os_openembedded" /> ++ <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" /> ++ </criteria> ++ </definition> ++ ++ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_openembedded" version="1"> ++ <unix:object object_ref="obj_os_openembedded" /> ++ </unix:file_test> ++ <unix:file_object comment="check /etc/os-release file" id="obj_os_openembedded" version="1"> ++ <unix:filepath>/etc/os-release</unix:filepath> ++ </unix:file_object> ++ ++ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_openembedded" version="1"> ++ <ind:object object_ref="obj_openembedded" /> ++ </ind:textfilecontent54_test> ++ <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded"> ++ <ind:filepath>/etc/os-release</ind:filepath> ++ <ind:pattern operation="pattern match">^ID=nodistro$</ind:pattern> ++ <ind:instance datatype="int">1</ind:instance> ++ </ind:textfilecontent54_object> ++ ++</def-group> +diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +index affb9770cb..4f22df262c 100644 +--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml ++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +@@ -8,6 +8,7 @@ + <platform>multi_platform_debian</platform> + <platform>multi_platform_example</platform> + <platform>multi_platform_fedora</platform> ++ <platform>multi_platform_openembedded</platform> + <platform>multi_platform_opensuse</platform> + <platform>multi_platform_ol</platform> + <platform>multi_platform_rhcos</platform> +diff --git a/ssg/constants.py b/ssg/constants.py +index f66ba008fa..630fbdfcb9 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -219,6 +219,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = { + "Ubuntu 20.04": "ubuntu2004", + "Ubuntu 22.04": "ubuntu2204", + "UnionTech OS Server 20": "uos20", ++ "OpenEmbedded": "openembedded", + "Not Applicable" : "example" + } + +@@ -267,7 +268,7 @@ REFERENCES = dict( + + MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu", + "opensuse", "sle", "ol", "ocp", "rhcos", +- "example", "eks", "alinux", "uos", "anolis"] ++ "example", "eks", "alinux", "uos", "anolis", "openembedded"] + + MULTI_PLATFORM_MAPPING = { + "multi_platform_alinux": ["alinux2", "alinux3"], +@@ -285,6 +286,7 @@ MULTI_PLATFORM_MAPPING = { + "multi_platform_sle": ["sle12", "sle15"], + "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"], + "multi_platform_uos": ["uos20"], ++ "multi_platform_openembedded": ["openembedded"], + } + + RHEL_CENTOS_CPE_MAPPING = { +@@ -454,6 +456,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = { + 'ocp': 'Red Hat OpenShift Container Platform', + 'rhcos': 'Red Hat Enterprise Linux CoreOS', + 'eks': 'Amazon Elastic Kubernetes Service', ++ 'openembedded': 'OpenEmbedded', + } + + # References that can not be used with product-qualifiers +-- +2.34.1 + diff --git a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb index ac839dee44..988e48bd81 100644 --- a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb +++ b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb @@ -6,10 +6,11 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820" LICENSE = "BSD-3-Clause" -SRCREV = "d09e81ae00509a9be4b01359166cfbece06e47f4" +SRCREV = "3a1012bc9ec2b01b3b71c6feefd3cff0f52bd64d" SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \ file://run_eval.sh \ file://run-ptest \ + file://0001-scap-security-guide-add-openembedded-distro-support.patch \ file://0002-scap-security-guide-Add-Poky-support.patch \ " @@ -21,14 +22,9 @@ B = "${S}/build" inherit cmake pkgconfig python3native python3targetconfig ptest -STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" -export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe" -export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas" -export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl" - OECMAKE_GENERATOR = "Unix Makefiles" -EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OPENEMBEDDED=ON" +EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OE=ON" do_configure[depends] += "openscap-native:do_install" |