!13 fix issue

From: @flysubmarine Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001
2023-06-07 08:21:05 +00:00 · 2023-06-07 08:21:05 +00:00 · 5e0f09b08a
commit 5e0f09b08a
parent fce4bad81a 8da5d0956f
2 changed files with 62 additions and 5 deletions
--- a/enable-76-rules-for-openEuler.patch
+++ b/enable-76-rules-for-openEuler.patch
@ -1,6 +1,6 @@
-From b651d038a07d02cc4386a472a3f72886d8c0c31e Mon Sep 17 00:00:00 2001
+From a2fde1d192ec8fa8e1bdaed9daf68156b77e7ca4 Mon Sep 17 00:00:00 2001
 From: "steven.y.gui" <steven_ygui@163.com>
-Date: Thu, 18 May 2023 17:41:54 +0800
+Date: Tue, 6 Jun 2023 21:03:36 +0800
 Subject: [PATCH] enable 76 rules for openEuler
 ---
@ -48,6 +48,7 @@ Subject: [PATCH] enable 76 rules for openEuler
 .../rule.yml                                  |  2 +-
 .../verify_owner_password/oval/shared.xml     | 60 +++++++++++++
 .../verify_owner_password/rule.yml            | 12 +++
 .../require_singleuser_auth/oval/shared.xml   | 21 ++++-
 .../require_singleuser_auth/rule.yml          |  2 +-
 .../account_unique_group_id/oval/shared.xml   | 51 +++++++++++
 .../account_unique_group_id/rule.yml          | 11 +++
@ -102,7 +103,7 @@ Subject: [PATCH] enable 76 rules for openEuler
 shared/macros-oval.jinja                      | 73 ++++++++++++++++
 shared/templates/template_OVAL_sysctl         |  4 +
 ssg/constants.py                              |  4 +-
- 98 files changed, 1462 insertions(+), 34 deletions(-)
+ 99 files changed, 1481 insertions(+), 36 deletions(-)
 create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml
 create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml
@ -1097,6 +1098,59 @@ index 0000000..b03948a
 +    Anyone can change the password if no verifying.
 +
 +severity: high
 diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml
 index 827129d..9dd6b89 100644
 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml
 +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml
@@ -11,8 +11,12 @@
       <criterion comment="Conditions are satisfied"
       test_ref="test_require_rescue_service" />
       <criterion test_ref="test_require_rescue_service_runlevel1" />
 +      {{%- if product in ["openeuler2203"] -%}}
 +      <criterion test_ref="test_require_emergency_service" />
 +      {{%- else -%}}
       <criterion test_ref="test_no_custom_runlevel1_target" negate="true"/>
       <criterion test_ref="test_no_custom_rescue_service" negate="true"/>
 +      {{%- endif -%}}
     </criteria>
     {{%- else -%}}
     <criteria>
@@ -24,7 +28,7 @@
   {{%- if init_system == "systemd" -%}}
   <ind:textfilecontent54_test check="all" check_existence="all_exist"
     comment="Tests that
 -    {{% if product in ["fedora", "rhel8"] -%}}
 +    {{% if product in ["fedora", "rhel8", "openeuler2203"] -%}}
     /usr/lib/systemd/systemd-sulogin-shell
     {{%- else -%}}
     /sbin/sulogin
@@ -36,7 +40,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="obj_require_rescue_service" version="1">
     <ind:filepath>/usr/lib/systemd/system/rescue.service</ind:filepath>
 -    {{%- if product in ["fedora", "rhel8"] -%}}
 +    {{%- if product in ["fedora", "rhel8", "openeuler2203"] -%}}
     <ind:pattern operation="pattern match">^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue</ind:pattern>
     {{%- else -%}}
     <ind:pattern operation="pattern match">^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\"</ind:pattern>
@@ -90,4 +94,17 @@
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
   {{%- endif -%}}
 +
 +  {{%- if product in ["openeuler2203"] -%}}
 +  <ind:textfilecontent54_test check="all" check_existence="all_exist"
 +    comment="Tests that the systemd-sulogin-shell is in the emergency.service"
 +    id="test_require_emergency_service" version="1">
 +    <ind:object object_ref="obj_require_emergency_service" />
 +  </ind:textfilecontent54_test>
 +  <ind:textfilecontent54_object id="obj_require_emergency_service" version="1">
 +    <ind:filepath>/usr/lib/systemd/system/emergency.service</ind:filepath>
 +    <ind:pattern operation="pattern match">^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+emergency</ind:pattern>
 +    <ind:instance datatype="int">1</ind:instance>
 +  </ind:textfilecontent54_object>
 +  {{%- endif -%}}
 </def-group>
 diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
 index c81e8cc..568163e 100644
 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@ -1111,7 +1165,7 @@ index c81e8cc..568163e 100644
 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml
 new file mode 100644
-index 0000000..011d03b
+index 0000000..8d31f9a
 --- /dev/null
 +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml
@@ -0,0 +1,51 @@
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -1,6 +1,6 @@
 Name:		scap-security-guide
 Version:	0.1.49
-Release:	4
+Release:	5
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@ -67,6 +67,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
 * Tue Jun 6 2023 steven <steven_ygui@163.com> - 0.1.49-5
 - fix bug of rule "require_signleuser_auth"
 * Thu May 18 2023 steven <steven_ygui@163.com> - 0.1.49-4
 - enable 76 rules for openEuler