packages/security-tool
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:2d90e82318be916708ec8dd2792d32f42b25b9f5
Branches Tags
packages:main
...
compare: packages:219e6ace1e1996b3a46c475584dc614a386d407e
Branches Tags
packages:main

10 Commits
2d90e82318 ... 219e6ace1e

Author SHA1 Message Date
openeuler-ci-bot
219e6ace1e
!106 [sync] PR-101: 添加grub2密码后,更新/boot/grub2/grub.cfg路径 
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
 2023-11-27 02:53:57 +00:00
yueyuankun
37ba5ad8d2 add grub2 password for legacy 
(cherry picked from commit c3483fc79aade3dab9a3f8536645cd82ee1a6ef1)
 2023-11-27 10:16:56 +08:00
openeuler-ci-bot
9cba235093
!96 [sync] PR-93: 在sshd的默认配置项中删除已弃用的选项RSAAuthentication和RhostsRSAAuthentication选项 
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
 2023-01-10 07:47:53 +00:00
renmingshuai@huawei.com
02334b67c3 delete deprecated option RSAAuthentication and RhostsRSAAuthentication 
(cherry picked from commit fc248551edc364fa69598ab8cd3ff17a39d7b617)
 2023-01-10 14:59:15 +08:00
openeuler-ci-bot
02483c82ff
!91 [sync] PR-90: 在源码中避免使用硬编码vendor name 
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
 2023-01-09 01:30:54 +00:00
Chenxi Mao
ee9a54a0f2 Do not hard code vendor name in source code 
1. Rename file name from openeuler-xx to custom-xx.
2. Mofify all openeuler string to @VENDOR@ and define
it during building RPM.

Change-Id: Ia55ce06194986bc86ed2c4f5328cf3c965ea9d04
Signed-off-by: Chenxi Mao <chenxi.mao@suse.com>
(cherry picked from commit 1889cc183b9c0497850337a3520f5b660ff87b2d)
 2023-01-07 16:56:27 +08:00
openeuler-ci-bot
0e4b187c9c
!87 replace openEuler to vendor 
From: @zhengxiaoxiaoGitee 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
 2022-11-29 02:22:11 +00:00
zhengxiaoxiao
e6b7496327
replace openEuler to vendor 
Signed-off-by: zhengxiaoxiao <zhengxiaoxiao2@huawei.com>
 2022-11-26 10:04:32 +00:00
openeuler-ci-bot
57065c120d
!83 重新上传源码包 
From: @zhengxiaoxiaoGitee 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
 2022-11-17 12:53:26 +00:00
zhengxiaoxiao
25495f15a8 replace tar.gz 2022-11-17 20:23:16 +08:00
5 changed files with 134 additions and 17 deletions
Show Stats Expand all files Collapse all files

41
Do-not-hard-code-vendor-name-in-source-code.patch Normal file
View File

@ -0,0 +1,41 @@
From d9e61c144ba0988c4931d516f754673678a0b026 Mon Sep 17 00:00:00 2001
From: Chenxi Mao <chenxi.mao@suse.com>
Date: Fri, 6 Jan 2023 15:04:13 +0800
Subject: [PATCH 1/1] Do not hard code vendor name in source code
Signed-off-by: Chenxi Mao <chenxi.mao@suse.com>
---
openEuler-security.service => custom-security.service | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
rename openEuler-security.service => custom-security.service (81%)
diff --git a/openEuler-security.service b/custom-security.service
similarity index 81%
rename from openEuler-security.service
rename to custom-security.service
index ab60920..0e15e5f 100644
--- a/openEuler-security.service
+++ b/custom-security.service
@@ -14,7 +14,7 @@
#######################################################################################
[Unit]
-Description=OpenEuler Security Tool
+Description=@VENDOR@ Security Tool
After=network.target sshd.service auditd.service crond.service tuned.service NetworkManager.service
Wants=sshd.service auditd.service rsyslog.service tuned.service NetworkManager.service
ConditionFileIsExecutable=/usr/sbin/security-tool.sh
@@ -22,8 +22,8 @@ ConditionFileIsExecutable=/usr/sbin/security-tool.sh
[Service]
Type=oneshot
RemainAfterExit=yes
-EnvironmentFile=/etc/openEuler_security/security
-ExecStart=/usr/sbin/security-tool.sh -d / -c /etc/openEuler_security/security.conf -u /etc/openEuler_security/usr-security.conf -l /var/log/openEuler-security.log -s
+EnvironmentFile=/etc/@VENDOR@_security/security
+ExecStart=/usr/sbin/security-tool.sh -d / -c /etc/@VENDOR@_security/security.conf -u /etc/@VENDOR@_security/usr-security.conf -l /var/log/@VENDOR@-security.log -s
TimeoutSec=0
[Install]
--
2.33.0

25
security-tool-add-grub2-password-for-legacy.patch Normal file
View File

@ -0,0 +1,25 @@
From 28be480fbcfe18f008948642493cbba612c8c685 Mon Sep 17 00:00:00 2001
From: yueyuankun <yueyuankun@kylinos.cn>
Date: Fri, 9 Jun 2023 17:17:17 +0800
Subject: [PATCH] add grub2 password for legacy
---
security-tool.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security-tool.sh b/security-tool.sh
index 0877081..5939f44 100644
--- a/security-tool.sh
+++ b/security-tool.sh
@@ -948,6 +948,8 @@ function fn_harden_grub2()
echo -e "cat <<EOF\nset superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08\nEOF\n" >> /etc/grub.d/00_header
if [ -d /boot/efi/EFI/openEuler -a -d /sys/firmware/efi ]; then
grub2-mkconfig -o /boot/efi/EFI/openEuler/grub.cfg
+ else
+ grub2-mkconfig -o /boot/grub2/grub.cfg
fi
}
# Function Name: fn_harden_sysctl
--
2.33.0

57
security-tool.spec
View File

@ -1,7 +1,8 @@
%global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler}
Summary: openEuler Security Tool Summary: openEuler Security Tool
Name : security-tool Name : security-tool
Version: 2.0 Version: 2.0
Release: 1.83 Release: 1.88
Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
License: MulanPSL-2.0 License: MulanPSL-2.0
URL: https://gitee.com/openeuler/security-tool URL: https://gitee.com/openeuler/security-tool
@ -18,14 +19,18 @@ Patch1: do-not-create-allow-file-while-the-command-does-not-.patch
Patch2: remove-sha1-in-sshd-config.patch Patch2: remove-sha1-in-sshd-config.patch
Patch3: fix-function-allow-rpm-q.patch Patch3: fix-function-allow-rpm-q.patch
Patch4: add-secure-hostKey-algorithms.patch Patch4: add-secure-hostKey-algorithms.patch
Patch5: Do-not-hard-code-vendor-name-in-source-code.patch
Patch6: sshd-delete-deprecated-option-RSAAuthentication-and-Rhost.patch
Patch7: security-tool-add-grub2-password-for-legacy.patch
%description %description
openEuler Security Tool %{vendor} Security Tool
%global debug_package %{nil} %global debug_package %{nil}
%prep %prep
%autosetup -n security-tool -p1 %autosetup -n security-tool-v%{version} -p1
sed -i 's|@VENDOR@|%{vendor}|g' custom-security.service
%build %build
@ -33,12 +38,12 @@ openEuler Security Tool
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
install -d -m0700 $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security install -d -m0700 $RPM_BUILD_ROOT%{_sysconfdir}/%{vendor}_security
install -m0600 security $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/security install -m0600 security $RPM_BUILD_ROOT%{_sysconfdir}/%{vendor}_security/security
install -m0400 security.conf $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/security.conf install -m0400 security.conf $RPM_BUILD_ROOT%{_sysconfdir}/%{vendor}_security/security.conf
install -m0600 usr-security.conf $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/usr-security.conf install -m0600 usr-security.conf $RPM_BUILD_ROOT%{_sysconfdir}/%{vendor}_security/usr-security.conf
install -d -m0755 $RPM_BUILD_ROOT/%{_unitdir} install -d -m0755 $RPM_BUILD_ROOT/%{_unitdir}
install -m0644 openEuler-security.service $RPM_BUILD_ROOT/%{_unitdir}/openEuler-security.service install -m0644 custom-security.service $RPM_BUILD_ROOT/%{_unitdir}/%{vendor}-security.service
install -d -m0755 $RPM_BUILD_ROOT/%{_sbindir} install -d -m0755 $RPM_BUILD_ROOT/%{_sbindir}
install -m0500 security-tool.sh $RPM_BUILD_ROOT/%{_sbindir}/security-tool.sh install -m0500 security-tool.sh $RPM_BUILD_ROOT/%{_sbindir}/security-tool.sh
install -m0644 security-tool-%{version}/csh.precmd $RPM_BUILD_ROOT%{_sysconfdir}/csh.precmd install -m0644 security-tool-%{version}/csh.precmd $RPM_BUILD_ROOT%{_sysconfdir}/csh.precmd
@ -69,18 +74,18 @@ else
fi fi
ln -s /etc/pam.d/su-local /etc/pam.d/su ln -s /etc/pam.d/su-local /etc/pam.d/su
%systemd_post openEuler-security.service %systemd_post %{vendor}-security.service
systemctl enable openEuler-security.service systemctl enable %{vendor}-security.service
%preun %preun
%systemd_preun openEuler-security.service %systemd_preun %{vendor}-security.service
if [ $1 -eq 0 ] if [ $1 -eq 0 ]
then then
sed -i 's/password-auth-crond$/system-auth/g' /etc/pam.d/crond sed -i 's/password-auth-crond$/system-auth/g' /etc/pam.d/crond
fi fi
%postun %postun
%systemd_postun_with_restart openEuler-security.service %systemd_postun_with_restart %{vendor}-security.service
if [ $1 -eq 0 ] if [ $1 -eq 0 ]
then then
@ -111,17 +116,35 @@ fi
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%attr(0700,root,root) %dir %{_sysconfdir}/openEuler_security %attr(0700,root,root) %dir %{_sysconfdir}/%{vendor}_security
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/openEuler_security/security %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/%{vendor}_security/security
%attr(0400,root,root) %config %{_sysconfdir}/openEuler_security/security.conf %attr(0400,root,root) %config %{_sysconfdir}/%{vendor}_security/security.conf
%attr(0600,root,root) %config %{_sysconfdir}/openEuler_security/usr-security.conf %attr(0600,root,root) %config %{_sysconfdir}/%{vendor}_security/usr-security.conf
%attr(0644,root,root) %{_sysconfdir}/csh.precmd %attr(0644,root,root) %{_sysconfdir}/csh.precmd
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/password-auth-crond %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/password-auth-crond
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/su-local %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/su-local
%attr(0644,root,root) %{_unitdir}/openEuler-security.service %attr(0644,root,root) %{_unitdir}/%{vendor}-security.service
%attr(0500,root,root) %{_sbindir}/security-tool.sh %attr(0500,root,root) %{_sbindir}/security-tool.sh
%changelog %changelog
* Fri Jun 09 2023 yueyuankun <yueyuankun@kylinos.cn> - 2.0-1.88
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:security-tool-add-grub2-password-for-legacy.patch
* Tue Jan 10 2023 renmingshuai <renmingshuai@huawei.com> - 2.0-1.87
- delete deprecated option RSAAuthentication and RhostsRSAAuthentication
* Fri Jan 6 2023 Chenxi Mao <chenxi.mao@suse.com> - 2.0-1.86
- Do not hard code vendor name in source code
* Sat Nov 26 2022 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 2.0-1.85
- replace openEuler to vendor
* Thu Nov 17 2022 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 2.0-1.84
- replace tar.gz
* Sun Oct 09 2022 fushanqing <fushanqing@kylinos.cn> - 2.0-1.83 * Sun Oct 09 2022 fushanqing <fushanqing@kylinos.cn> - 2.0-1.83
- Unified license name specification - Unified license name specification

28
sshd-delete-deprecated-option-RSAAuthentication-and-Rhost.patch Normal file
View File

@ -0,0 +1,28 @@
From b72601eb4904923100e3254f490def46633db322 Mon Sep 17 00:00:00 2001
From: "renmingshuai@huawei.com" <renmingshuai@huawei.com>
Date: Tue, 10 Jan 2023 11:10:33 +0800
Subject: [PATCH] delete deprecated option RSAAuthentication and
RhostsRSAAuthentication
---
security.conf | 2 --
1 file changed, 2 deletions(-)
diff --git a/security.conf b/security.conf
index f52a19d..70674b9 100644
--- a/security.conf
+++ b/security.conf
@@ -53,10 +53,8 @@
103@m@/etc/ssh/sshd_config@X11Forwarding @no
105@m@/etc/ssh/sshd_config@PubkeyAuthentication @yes
-105@m@/etc/ssh/sshd_config@RSAAuthentication @yes
# Don't read the user's ~/.rhosts and ~/.shosts files
105@m@/etc/ssh/sshd_config@IgnoreRhosts @yes
-105@m@/etc/ssh/sshd_config@RhostsRSAAuthentication @no
# To disable host authentication
106@m@/etc/ssh/sshd_config@HostbasedAuthentication @no
--
2.23.0

BIN
v2.0.tar.gz
View File

Binary file not shown.