From 8da5d0956fd0e238c8e274b62705514e9504d247 Mon Sep 17 00:00:00 2001 From: "steven.y.gui" Date: Tue, 6 Jun 2023 21:06:15 +0800 Subject: [PATCH] fix issue of rule require singleuser auth --- enable-76-rules-for-openEuler.patch | 62 +++++++++++++++++++++++++++-- scap-security-guide.spec | 5 ++- 2 files changed, 62 insertions(+), 5 deletions(-) diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch index e2598ee..1551e35 100644 --- a/enable-76-rules-for-openEuler.patch +++ b/enable-76-rules-for-openEuler.patch @@ -1,6 +1,6 @@ -From b651d038a07d02cc4386a472a3f72886d8c0c31e Mon Sep 17 00:00:00 2001 +From a2fde1d192ec8fa8e1bdaed9daf68156b77e7ca4 Mon Sep 17 00:00:00 2001 From: "steven.y.gui" -Date: Thu, 18 May 2023 17:41:54 +0800 +Date: Tue, 6 Jun 2023 21:03:36 +0800 Subject: [PATCH] enable 76 rules for openEuler --- @@ -48,6 +48,7 @@ Subject: [PATCH] enable 76 rules for openEuler .../rule.yml | 2 +- .../verify_owner_password/oval/shared.xml | 60 +++++++++++++ .../verify_owner_password/rule.yml | 12 +++ + .../require_singleuser_auth/oval/shared.xml | 21 ++++- .../require_singleuser_auth/rule.yml | 2 +- .../account_unique_group_id/oval/shared.xml | 51 +++++++++++ .../account_unique_group_id/rule.yml | 11 +++ @@ -102,7 +103,7 @@ Subject: [PATCH] enable 76 rules for openEuler shared/macros-oval.jinja | 73 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 4 + ssg/constants.py | 4 +- - 98 files changed, 1462 insertions(+), 34 deletions(-) + 99 files changed, 1481 insertions(+), 36 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml 
@@ -1097,6 +1098,59 @@ index 0000000..b03948a + Anyone can change the password if no verifying. + +severity: high +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml +index 827129d..9dd6b89 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml +@@ -11,8 +11,12 @@ + + ++ {{%- if product in ["openeuler2203"] -%}} ++ ++ {{%- else -%}} + + ++ {{%- endif -%}} + + {{%- else -%}} + +@@ -24,7 +28,7 @@ + {{%- if init_system == "systemd" -%}} + + + /usr/lib/systemd/system/rescue.service +- {{%- if product in ["fedora", "rhel8"] -%}} ++ {{%- if product in ["fedora", "rhel8", "openeuler2203"] -%}} + ^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue + {{%- else -%}} + ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" +@@ -90,4 +94,17 @@ + 1 + + {{%- endif -%}} ++ ++ {{%- if product in ["openeuler2203"] -%}} ++ ++ ++ ++ ++ /usr/lib/systemd/system/emergency.service ++ ^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+emergency ++ 1 ++ ++ {{%- endif -%}} + diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index c81e8cc..568163e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -1111,7 +1165,7 @@ index c81e8cc..568163e 100644 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml new file mode 100644 -index 0000000..011d03b +index 0000000..8d31f9a --- /dev/null 
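Review bot: The added emergency.service test (last added block of this hunk, openeuler2203 only) inspects only `/usr/lib/systemd/system/emergency.service`, as the existing rescue.service test does, so a same-named unit under `/etc/systemd/system` or an `emergency.service.d/*.conf` drop-in that replaces `ExecStart` with a plain shell takes precedence at boot and the rule would still report pass. Consider adding a companion test that fails when such an override sets `ExecStart`, or evaluating those paths with the same pattern. The pattern itself is loose: `.*` after `\-` accepts any command line that merely contains the helper path, and nothing anchors the end; if openEuler's unit invokes the helper directly, `^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[ ]+emergency[\s]*$` is tighter. The XML element lines are not visible in this rendering of the patch, so whether the new test is actually referenced from the criteria block in the first added part cannot be confirmed from here.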
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml @@ -0,0 +1,51 @@ diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 8a96bd2..644b43d 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.49 -Release: 4 +Release: 5 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -67,6 +67,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Tue Jun 6 2023 steven - 0.1.49-5 +- fix bug of rule "require_signleuser_auth" + * Thu May 18 2023 steven - 0.1.49-4 - enable 76 rules for openEuler -- Gitee