From a6fa41bece0c3e61441f809358ffd7f10a1070c3 Mon Sep 17 00:00:00 2001
From: Yuqing Yang
Date: Mon, 20 Nov 2023 14:14:26 +0800
Subject: [PATCH] 4.11 Rule Add UEFI file scanner and remediation-kit. Update path with variable instead of 'anolis'.
Signed-off-by: Yuqing Yang
---
 ...nsure-permissions-on-bootloader-config-are-configured.md | 4 ++--
 ...nsure-permissions-on-bootloader-config-are-configured.sh | 6 +++++-
 ...nsure-permissions-on-bootloader-config-are-configured.sh | 3 +++
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/benchmarks/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.md b/benchmarks/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.md
index 21119b5..61b46d5 100644
--- a/benchmarks/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.md
+++ b/benchmarks/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.md
@@ -25,8 +25,8 @@ grub 文件包含启动信息和 bootloader 密码信息。grub2 的配置通常
 # [ -f /boot/grub2/grubenv ] && chmod og-rwx /boot/grub2/grubenv
 # [ -f /boot/grub2/user.cfg ] && chown root:root /boot/grub2/user.cfg
 # [ -f /boot/grub2/user.cfg ] && chmod og-rwx /boot/grub2/user.cfg
-# [ -f /boot/efi/EFI/anolis/grubenv ] && chown root:root /boot/efi/EFI/anolis/grubenv
-# [ -f /boot/efi/EFI/anolis/grubenv ] && chmod og-rwx /boot/efi/EFI/anolis/grubenv
+# osID=$(cat /etc/os-release | grep -Pi "^ID=" | cut -f2 -d= | sed -rn "s/\"//gp") ; [ -f /boot/efi/EFI/$osID/grubenv ] && chown root:root /boot/efi/EFI/$osID/grubenv
+# osID=$(cat /etc/os-release | grep -Pi "^ID=" | cut -f2 -d= | sed -rn "s/\"//gp") ; [ -f /boot/efi/EFI/$osID/grubenv ] && chmod og-rwx /boot/efi/EFI/$osID/grubenv
 ```
 2. 如为 UEFI 模式,则需编辑`/etc/fstab`文件,添加以下参数:
diff --git a/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh b/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh
index 0689338..fb2091f 100644
--- a/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh
+++ b/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh
@@ -1,6 +1,10 @@
+osID=$(cat /etc/os-release | grep -Pi "^ID=" | cut -f2 -d= | sed -rn "s/\"//gp")
+
 [ -f /boot/grub2/grub.cfg ] && chown root:root /boot/grub2/grub.cfg;
 [ -f /boot/grub2/grub.cfg ] && chmod og-rwx /boot/grub2/grub.cfg;
 [ -f /boot/grub2/grubenv ] && chown root:root /boot/grub2/grubenv;
 [ -f /boot/grub2/grubenv ] && chmod og-rwx /boot/grub2/grubenv;
 [ -f /boot/grub2/user.cfg ] && chown root:root /boot/grub2/user.cfg;
-[ -f /boot/grub2/user.cfg ] && chmod og-rwx /boot/grub2/user.cfg;
\ No newline at end of file
+[ -f /boot/grub2/user.cfg ] && chmod og-rwx /boot/grub2/user.cfg;
+[ -f /boot/efi/EFI/$osID/grubenv ] && chown root:root /boot/efi/EFI/$osID/grubenv
+[ -f /boot/efi/EFI/$osID/grubenv ] && chmod og-rwx /boot/efi/EFI/$osID/grubenv
\ No newline at end of file
diff --git a/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh b/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh
index 201de14..9d6a13c 100644
--- a/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh
+++ b/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh
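Review bot: The two added `chown`/`chmod` lines on `/boot/efi/EFI/$osID/grubenv` will typically fail with "Operation not permitted" on a UEFI host, because `/boot/efi` is normally a FAT-formatted ESP whose per-file owner and mode are fixed by mount options, and the script neither uses `set -e` nor checks the exit status, so the kit reports nothing while the file stays world-readable; since the benchmark text already directs UEFI systems to `/etc/fstab`, the kit should either skip the ESP path with a comment saying why or print the failure to stderr instead of silently continuing. The `osID` derivation should also be hardened: if `/etc/os-release` is missing or has no `ID=` line (or `grep` lacks `-P` support), `$osID` is empty and the test quietly degrades to `/boot/efi/EFI//grubenv`, and the value is interpolated unquoted; `osID=$(. /etc/os-release 2>/dev/null && printf '%s' "${ID:-}")` followed by `[ -n "$osID" ] && [ -f "/boot/efi/EFI/$osID/grubenv" ] && chown root:root "/boot/efi/EFI/$osID/grubenv"` is both shorter and safe, and the same pipeline is duplicated in the scanner hunk below. As a point of style, the two new lines omit the trailing `;` every other line carries and the file still ends without a newline.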
@@ -1,7 +1,10 @@
 #!/usr/bin/env bash
+osID=$(cat /etc/os-release | grep -Pi "^ID=" | cut -f2 -d= | sed -rn "s/\"//gp")
+
 [[ -f /boot/grub2/grub.cfg ]] && file_path='/boot/grub2/grub.cfg'
 [[ -f /boot/grub2/grubenv ]] && file_path=$file_path' /boot/grub2/grubenv'
 [[ -f /boot/grub2/user.cfg ]] && file_path=$file_path' /boot/grub2/user.cfg'
+[[ -f /boot/efi/EFI/$osID/grubenv ]] && file_path=$file_path" /boot/efi/EFI/$osID/grubenv"
 result=0
 if [[ -n $file_path ]] ; then
-- Gitee
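Review bot: An empty `osID` makes the new `[[ -f /boot/efi/EFI/$osID/grubenv ]]` line test `/boot/efi/EFI//grubenv`, so whenever `/etc/os-release` is absent, lacks an `ID=` line, or `grep -P` is unavailable, the UEFI grubenv is simply never added to `file_path` and the scan passes without having looked at it; a scanner should distinguish "file not present" from "could not determine the path", e.g. `[[ -n $osID ]] || { printf 'cannot determine OS ID from /etc/os-release\n' >&2; exit 1; }` (or whatever the kit's convention for an indeterminate result is) placed right after the assignment. The four-process `cat | grep | cut | sed` pipeline can be replaced by `osID=$(. /etc/os-release 2>/dev/null && printf '%s' "${ID:-}")`, which also drops the surrounding quotes correctly and matches the spec that `ID` is a plain lowercase token. The `if` body that consumes `file_path` continues outside the hunk, so whether `result` is set when the ESP check fails cannot be confirmed here.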