!106 [sync] PR-101: 添加grub2密码后，更新/boot/grub2/grub.cfg路径

From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

Do-not-hard-code-vendor-name-in-source-code.patch

@@ -0,0 +1,41 @@
+From d9e61c144ba0988c4931d516f754673678a0b026 Mon Sep 17 00:00:00 2001
+From: Chenxi Mao <chenxi.mao@suse.com>
+Date: Fri, 6 Jan 2023 15:04:13 +0800
+Subject: [PATCH 1/1] Do not hard code vendor name in source code
+
+Signed-off-by: Chenxi Mao <chenxi.mao@suse.com>
+---
+ openEuler-security.service => custom-security.service | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+ rename openEuler-security.service => custom-security.service (81%)
+
+diff --git a/openEuler-security.service b/custom-security.service
+similarity index 81%
+rename from openEuler-security.service
+rename to custom-security.service
+index ab60920..0e15e5f 100644
+--- a/openEuler-security.service
++++ b/custom-security.service
+@@ -14,7 +14,7 @@
+ #######################################################################################
+ 
+ [Unit]
+-Description=OpenEuler Security Tool
++Description=@VENDOR@ Security Tool
+ After=network.target sshd.service auditd.service crond.service tuned.service NetworkManager.service
+ Wants=sshd.service auditd.service rsyslog.service tuned.service NetworkManager.service
+ ConditionFileIsExecutable=/usr/sbin/security-tool.sh
+@@ -22,8 +22,8 @@ ConditionFileIsExecutable=/usr/sbin/security-tool.sh
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+-EnvironmentFile=/etc/openEuler_security/security
+-ExecStart=/usr/sbin/security-tool.sh -d / -c /etc/openEuler_security/security.conf -u /etc/openEuler_security/usr-security.conf -l /var/log/openEuler-security.log -s
++EnvironmentFile=/etc/@VENDOR@_security/security
++ExecStart=/usr/sbin/security-tool.sh -d / -c /etc/@VENDOR@_security/security.conf -u /etc/@VENDOR@_security/usr-security.conf -l /var/log/@VENDOR@-security.log -s
+ TimeoutSec=0
+ 
+ [Install]
+-- 
+2.33.0
+

security-tool-add-grub2-password-for-legacy.patch

@@ -0,0 +1,25 @@
+From 28be480fbcfe18f008948642493cbba612c8c685 Mon Sep 17 00:00:00 2001
+From: yueyuankun <yueyuankun@kylinos.cn>
+Date: Fri, 9 Jun 2023 17:17:17 +0800
+Subject: [PATCH] add grub2 password for legacy
+
+---
+ security-tool.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/security-tool.sh b/security-tool.sh
+index 0877081..5939f44 100644
+--- a/security-tool.sh
++++ b/security-tool.sh
+@@ -948,6 +948,8 @@ function fn_harden_grub2()
+     echo -e "cat <<EOF\nset superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08\nEOF\n" >> /etc/grub.d/00_header
+     if [ -d /boot/efi/EFI/openEuler -a -d /sys/firmware/efi ]; then
+         grub2-mkconfig -o /boot/efi/EFI/openEuler/grub.cfg
++    else
++        grub2-mkconfig -o /boot/grub2/grub.cfg
+     fi
+ }
+ # Function Name: fn_harden_sysctl
+-- 
+2.33.0
+

security-tool.spec

@@ -1,7 +1,8 @@
+%global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler}
 Summary: openEuler Security Tool
 Name   : security-tool
 Version: 2.0
-Release: 1.83
+Release: 1.88
 Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
 License: MulanPSL-2.0
 URL: https://gitee.com/openeuler/security-tool
@@ -18,14 +19,18 @@ Patch1: do-not-create-allow-file-while-the-command-does-not-.patch
 Patch2: remove-sha1-in-sshd-config.patch
 Patch3: fix-function-allow-rpm-q.patch
 Patch4: add-secure-hostKey-algorithms.patch
+Patch5: Do-not-hard-code-vendor-name-in-source-code.patch
+Patch6: sshd-delete-deprecated-option-RSAAuthentication-and-Rhost.patch
+Patch7: security-tool-add-grub2-password-for-legacy.patch
 
 %description
-openEuler Security Tool
+%{vendor} Security Tool
 
 %global debug_package %{nil}
 
 %prep
-%autosetup -n security-tool -p1
+%autosetup -n security-tool-v%{version} -p1
+sed -i 's|@VENDOR@|%{vendor}|g' custom-security.service
 
 %build
 
@@ -33,12 +38,12 @@ openEuler Security Tool
 
 %install
 rm -rf $RPM_BUILD_ROOT
-install -d -m0700 $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security
-install -m0600 security $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/security
-install -m0400 security.conf $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/security.conf
-install -m0600 usr-security.conf $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/usr-security.conf
+install -d -m0700 $RPM_BUILD_ROOT%{_sysconfdir}/%{vendor}_security
+install -m0600 security $RPM_BUILD_ROOT%{_sysconfdir}/%{vendor}_security/security
+install -m0400 security.conf $RPM_BUILD_ROOT%{_sysconfdir}/%{vendor}_security/security.conf
+install -m0600 usr-security.conf $RPM_BUILD_ROOT%{_sysconfdir}/%{vendor}_security/usr-security.conf
 install -d -m0755 $RPM_BUILD_ROOT/%{_unitdir}
-install -m0644 openEuler-security.service $RPM_BUILD_ROOT/%{_unitdir}/openEuler-security.service
+install -m0644 custom-security.service $RPM_BUILD_ROOT/%{_unitdir}/%{vendor}-security.service
 install -d -m0755 $RPM_BUILD_ROOT/%{_sbindir}
 install -m0500 security-tool.sh $RPM_BUILD_ROOT/%{_sbindir}/security-tool.sh
 install -m0644 security-tool-%{version}/csh.precmd $RPM_BUILD_ROOT%{_sysconfdir}/csh.precmd
@@ -69,18 +74,18 @@ else
 fi
 ln -s /etc/pam.d/su-local /etc/pam.d/su
 
-%systemd_post openEuler-security.service
-systemctl enable openEuler-security.service
+%systemd_post %{vendor}-security.service
+systemctl enable %{vendor}-security.service
 
 %preun
-%systemd_preun openEuler-security.service
+%systemd_preun %{vendor}-security.service
 if [ $1 -eq 0 ]
 then
     sed -i 's/password-auth-crond$/system-auth/g' /etc/pam.d/crond
 fi
 
 %postun
-%systemd_postun_with_restart openEuler-security.service
+%systemd_postun_with_restart %{vendor}-security.service
 
 if [ $1 -eq 0 ]
 then
@@ -111,17 +116,35 @@ fi
 
 %files
 %defattr(-,root,root)
-%attr(0700,root,root) %dir %{_sysconfdir}/openEuler_security
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/openEuler_security/security
-%attr(0400,root,root) %config %{_sysconfdir}/openEuler_security/security.conf
-%attr(0600,root,root) %config %{_sysconfdir}/openEuler_security/usr-security.conf
+%attr(0700,root,root) %dir %{_sysconfdir}/%{vendor}_security
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/%{vendor}_security/security
+%attr(0400,root,root) %config %{_sysconfdir}/%{vendor}_security/security.conf
+%attr(0600,root,root) %config %{_sysconfdir}/%{vendor}_security/usr-security.conf
 %attr(0644,root,root) %{_sysconfdir}/csh.precmd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/password-auth-crond
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/su-local
-%attr(0644,root,root) %{_unitdir}/openEuler-security.service
+%attr(0644,root,root) %{_unitdir}/%{vendor}-security.service
 %attr(0500,root,root) %{_sbindir}/security-tool.sh
 
 %changelog
+* Fri Jun 09 2023 yueyuankun <yueyuankun@kylinos.cn> - 2.0-1.88
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:security-tool-add-grub2-password-for-legacy.patch
+
+* Tue Jan 10 2023 renmingshuai <renmingshuai@huawei.com> - 2.0-1.87
+- delete deprecated option RSAAuthentication and RhostsRSAAuthentication
+
+* Fri Jan 6 2023 Chenxi Mao <chenxi.mao@suse.com> - 2.0-1.86
+- Do not hard code vendor name in source code
+
+* Sat Nov 26 2022 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 2.0-1.85
+- replace openEuler to vendor
+
+* Thu Nov 17 2022 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 2.0-1.84
+- replace tar.gz
+
 * Sun Oct 09 2022 fushanqing <fushanqing@kylinos.cn> - 2.0-1.83
 - Unified license name specification
 

sshd-delete-deprecated-option-RSAAuthentication-and-Rhost.patch

@@ -0,0 +1,28 @@
+From b72601eb4904923100e3254f490def46633db322 Mon Sep 17 00:00:00 2001
+From: "renmingshuai@huawei.com" <renmingshuai@huawei.com>
+Date: Tue, 10 Jan 2023 11:10:33 +0800
+Subject: [PATCH] delete deprecated option RSAAuthentication and
+ RhostsRSAAuthentication
+
+---
+ security.conf | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/security.conf b/security.conf
+index f52a19d..70674b9 100644
+--- a/security.conf
++++ b/security.conf
+@@ -53,10 +53,8 @@
+ 103@m@/etc/ssh/sshd_config@X11Forwarding @no
+ 
+ 105@m@/etc/ssh/sshd_config@PubkeyAuthentication @yes
+-105@m@/etc/ssh/sshd_config@RSAAuthentication @yes
+ # Don't read the user's ~/.rhosts and ~/.shosts files
+ 105@m@/etc/ssh/sshd_config@IgnoreRhosts @yes
+-105@m@/etc/ssh/sshd_config@RhostsRSAAuthentication @no
+ 
+ # To disable host authentication
+ 106@m@/etc/ssh/sshd_config@HostbasedAuthentication @no
+-- 
+2.23.0
+