From be290f3b8fc4a9d91925a43a56cb37c3ae27cc07 Mon Sep 17 00:00:00 2001
From: "steven.y.gui"
Date: Tue, 9 May 2023 10:50:52 +0800
Subject: [PATCH] init openEuler ssg project
---
 CMakeLists.txt | 5 ++++
 .../telnet/package_telnet_removed/rule.yml | 4 +--
 openeuler2203/CMakeLists.txt | 6 ++++
 .../cpe/openeuler2203-cpe-dictionary.xml | 10 +++++++
 openeuler2203/product.yml | 11 ++++++++
 openeuler2203/profiles/standard.profile | 11 ++++++++
 openeuler2203/transforms/constants.xslt | 15 ++++++++++
 openeuler2203/transforms/shorthand2xccdf.xslt | 8 ++++++
 .../xccdf2table-profilecisrefs.xslt | 9 ++++++
 .../checks/oval/installed_OS_is_openeuler.xml | 27 ++++++++++++++++++
 .../oval/installed_OS_is_openeuler2203.xml | 28 +++++++++++++++++++
 ssg/constants.py | 9 +++++-
 12 files changed, 140 insertions(+), 3 deletions(-)
 create mode 100644 openeuler2203/CMakeLists.txt
 create mode 100644 openeuler2203/cpe/openeuler2203-cpe-dictionary.xml
 create mode 100644 openeuler2203/product.yml
 create mode 100644 openeuler2203/profiles/standard.profile
 create mode 100644 openeuler2203/transforms/constants.xslt
 create mode 100644 openeuler2203/transforms/shorthand2xccdf.xslt
 create mode 100644 openeuler2203/transforms/xccdf2table-profilecisrefs.xslt
 create mode 100644 shared/checks/oval/installed_OS_is_openeuler.xml
 create mode 100644 shared/checks/oval/installed_OS_is_openeuler2203.xml
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 82488f7..e594299 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -74,6 +74,7 @@ option(SSG_PRODUCT_OCP3 "If enabled, the OCP3 SCAP content will be built" ${SSG_
 option(SSG_PRODUCT_OCP4 "If enabled, the OCP4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL6 "If enabled, the RHEL6 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -242,6 +243,7 @@ message(STATUS "OCP3: ${SSG_PRODUCT_OCP3}")
 message(STATUS "OCP4: ${SSG_PRODUCT_OCP4}")
 message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}")
 message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}")
+message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}")
 message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
 message(STATUS "RHEL 6: ${SSG_PRODUCT_RHEL6}")
 message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
@@ -329,6 +331,9 @@ endif()
 if (SSG_PRODUCT_OL8)
 add_subdirectory("ol8")
 endif()
+if (SSG_PRODUCT_OPENEULER2203)
+ add_subdirectory("openeuler2203")
+endif()
 if (SSG_PRODUCT_OPENSUSE)
 add_subdirectory("opensuse")
 endif()
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
index 28cbf10..b3e3f2d 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Remove telnet Clients' @@ -14,7 +14,7 @@ rationale: |- to steal credentials. The ssh package provides an encrypted session and stronger security and is included in {{{ full_name }}}. -severity: low +severity: high identifiers: cce@rhel6: 27428-2 diff --git a/openeuler2203/CMakeLists.txt b/openeuler2203/CMakeLists.txt new file mode 100644 index 0000000..da8fe4b --- /dev/null +++ b/openeuler2203/CMakeLists.txt @@ -0,0 +1,6 @@ +# Sometimes our users will try to do: "cd openeuler2203; cmake ." That needs to error in a nice way. +if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") + message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the developer_guide.adoc for more details!") +endif() + +ssg_build_product("openeuler2203") diff --git a/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml new file mode 100644 index 0000000..986a804 --- /dev/null +++ b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml @@ -0,0 +1,10 @@ + + + + openEuler 22.03 LTS + + installed_OS_is_openeuler2203 + + diff --git a/openeuler2203/product.yml b/openeuler2203/product.yml new file mode 100644 index 0000000..864a057 --- /dev/null +++ b/openeuler2203/product.yml @@ -0,0 +1,11 @@ +product: openeuler2203 +full_name: openEuler 22.03 LTS +type: platform + +benchmark_root: "../linux_os/guide" + +profiles_root: "./profiles" + +pkg_manager: "dnf" + +init_system: "systemd" diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile new file mode 100644 index 0000000..6fd9707 --- /dev/null +++ b/openeuler2203/profiles/standard.profile 
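Review bot: The second rule.yml hunk (`@@ -14,7 +14,7 @@`) raises `severity` from `low` to `high` on a rule that is shared by every product listed in `prodtype` (ol7, ol8, rhel6, rhel7, rhel8, rhv4), so scan results and scoring change for those products too, not only for openEuler. The subject line ("init openEuler ssg project") does not cover that change. Keep `severity: low` in this commit and propose the severity change separately with its rationale, so that maintainers of the other products can review it.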
@@ -0,0 +1,11 @@
+documentation_complete: true
+
+title: 'Standard System Security Profile for openEuler 22.03 LTS'
+
+description: |-
+ This profile contains rules to ensure standard security baseline
+ of an openEuler system. Regardless of your system's workload
+ all of these checks should pass.
+
+selections:
+ - package_telnet_removed
diff --git a/openeuler2203/transforms/constants.xslt b/openeuler2203/transforms/constants.xslt
new file mode 100644
index 0000000..a168e75
--- /dev/null
+++ b/openeuler2203/transforms/constants.xslt
@@ -0,0 +1,15 @@
+
+
+
+
+openEuler 22.03 LTS
+openEuler 22.03
+empty
+OPENEULER_2203_LTS
+openeuler2203
+
+empty
+
+
+
+
diff --git a/openeuler2203/transforms/shorthand2xccdf.xslt b/openeuler2203/transforms/shorthand2xccdf.xslt
new file mode 100644
index 0000000..e017cf6
--- /dev/null
+++ b/openeuler2203/transforms/shorthand2xccdf.xslt
@@ -0,0 +1,8 @@
+
+
+
+
+
+unknown
+
+
diff --git a/openeuler2203/transforms/xccdf2table-profilecisrefs.xslt b/openeuler2203/transforms/xccdf2table-profilecisrefs.xslt
new file mode 100644
index 0000000..92cbdf9
--- /dev/null
+++ b/openeuler2203/transforms/xccdf2table-profilecisrefs.xslt
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/shared/checks/oval/installed_OS_is_openeuler.xml b/shared/checks/oval/installed_OS_is_openeuler.xml
new file mode 100644
index 0000000..f356806
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_openeuler.xml
@@ -0,0 +1,27 @@
+
+
+
+ openEuler
+
+ multi_platform_all
+
+ The operating system installed on the system is openEuler.
+
+
+
+
+
+
+
+
+
+
+
+
+ openEuler-release
+
+
+ openEuler-release
+
+
+
diff --git a/shared/checks/oval/installed_OS_is_openeuler2203.xml b/shared/checks/oval/installed_OS_is_openeuler2203.xml
new file mode 100644
index 0000000..d819ab6
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_openeuler2203.xml
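Review bot: In `standard.profile` the `description` promises a "standard security baseline" whose checks "should pass" on any workload, while `selections` holds a single rule, `package_telnet_removed`. A scan against this profile reports a pass after checking only that the telnet client is absent, which a reader of the report can mistake for a much broader result. Until more rules are selected, make the description match, for example `This profile is a starting point for openEuler 22.03 LTS and currently checks only that the telnet client is removed.`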
@@ -0,0 +1,28 @@ + + + + openEuler 22.03 LTS + + multi_platform_all + + + The operating system installed on the system is openEuler 22.03 LTS. + + + + + + + + + + + + + ^22\.03.*$ + + + openEuler-release + + + diff --git a/ssg/constants.py b/ssg/constants.py index 813e529..401c60d 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -15,6 +15,7 @@ product_directories = [ 'jre', 'ocp3', 'ocp4', 'ol7', 'ol8', + 'openeuler2203', 'opensuse', 'rhel6', 'rhel7', 'rhel8', 'rhosp10', 'rhosp13', @@ -119,6 +120,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = { "Red Hat OpenShift Container Platform 4": "ocp4", "Oracle Linux 7": "ol7", "Oracle Linux 8": "ol8", + "openEuler 22.03 LTS": "openeuler2203", "openSUSE": "opensuse", "Red Hat Enterprise Linux 6": "rhel6", "Red Hat Enterprise Linux 7": "rhel7", @@ -220,6 +222,9 @@ PRODUCT_TO_CPE_MAPPING = { "ol8": [ "cpe:/o:oracle:linux:8", ], + "openeuler2203": [ + "cpe:/o:openEuler:openEuler:22.03LTS:ga:server", + ], "opensuse": [ "cpe:/o:opensuse:leap:42.1", "cpe:/o:opensuse:leap:42.2", @@ -290,12 +295,13 @@ REF_PREFIX_MAP = { } MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu", - "wrlinux", "opensuse", "sle", "ol", "ocp", "example"] + "wrlinux", "openeuler","opensuse", "sle", "ol", "ocp", "example"] MULTI_PLATFORM_MAPPING = { "multi_platform_debian": ["debian8", "debian9", "debian10"], "multi_platform_example": ["example"], "multi_platform_fedora": ["fedora"], + "multi_platform_openeuler": ["openeuler2203"], "multi_platform_opensuse": ["opensuse"], "multi_platform_ol": ["ol7", "ol8"], "multi_platform_ocp": ["ocp3", "ocp4"], @@ -462,6 +468,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = { 'ubuntu': 'Ubuntu', 'eap': 'JBoss Enterprise Application Platform', 'fuse': 'JBoss Fuse', + 'openeuler': 'openEuler', 'opensuse': 'openSUSE', 'sle': 'SUSE Linux Enterprise', 'wrlinux': 'WRLinux', -- 2.21.0.windows.1
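Review bot: In the `PRODUCT_TO_CPE_MAPPING` hunk (`@@ -220,6 +222,9 @@`) the new name `cpe:/o:openEuler:openEuler:22.03LTS:ga:server` is mixed-case, while the neighbouring entries (`cpe:/o:oracle:linux:8`, `cpe:/o:opensuse:leap:42.1`) are lowercase, the usual written form for CPE names. Platform applicability presumably depends on this string agreeing with the entry in `openeuler2203/cpe/openeuler2203-cpe-dictionary.xml`, whose markup is not visible on this page, so a case difference between the two could make the content report as not applicable. Consider `"cpe:/o:openeuler:openeuler:22.03lts:ga:server",` in both places. The name also pins the `ga` update, whereas the pattern in `installed_OS_is_openeuler2203.xml` is `^22\.03.*$` and accepts any suffix; a comment stating which scope is intended would help.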
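Review bot: In the `MULTI_PLATFORM_LIST` hunk (`@@ -290,12 +295,13 @@`) the new element is written `"openeuler","opensuse"` with no space after the comma, unlike every other element of the list. pycodestyle reports this as E231; write the line as `"wrlinux", "openeuler", "opensuse", "sle", "ol", "ocp", "example"]`.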