From f6f21544f77d4b885fca4b5831db43cf4077b242 Mon Sep 17 00:00:00 2001 From: "steven.y.gui" Date: Thu, 18 May 2023 19:11:05 +0800 Subject: [PATCH 1/6] enable 76 rules for openEuler --- enable-76-rules-for-openEuler.patch | 2525 +++++++++++++++++++++++++++ scap-security-guide.spec | 6 +- 2 files changed, 2530 insertions(+), 1 deletion(-) create mode 100644 enable-76-rules-for-openEuler.patch diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch new file mode 100644 index 0000000..e2598ee --- /dev/null +++ b/enable-76-rules-for-openEuler.patch 
@@ -0,0 +1,2525 @@ +From b651d038a07d02cc4386a472a3f72886d8c0c31e Mon Sep 17 00:00:00 2001 +From: "steven.y.gui" +Date: Thu, 18 May 2023 17:41:54 +0800 +Subject: [PATCH] enable 76 rules for openEuler + +--- + .../rule.yml | 30 +++++++ + .../services/ftp/package_ftp_removed/rule.yml | 22 +++++ + .../tftp/package_tftp-server_removed/rule.yml | 2 +- + .../tftp/package_tftp_removed/rule.yml | 2 +- + .../package_net-snmp_removed/rule.yml | 2 +- + .../disable_host_auth/oval/shared.xml | 20 +++++ + .../sshd_allow_only_protocol2/oval/shared.xml | 20 +++++ + .../oval/shared.xml | 20 +++++ + .../sshd_disable_rhosts/oval/shared.xml | 20 +++++ + .../sshd_enable_pam/policy/stig/shared.yml | 26 ++++++ + .../ssh/ssh_server/sshd_enable_pam/rule.yml | 26 ++++++ + .../sshd_use_strong_ciphers/rule.yml | 2 +- + .../sshd_use_strong_kex/oval/shared.xml | 73 ++++++++++++++++ + .../ssh_server/sshd_use_strong_kex/rule.yml | 17 ++++ + .../ssh_server/sshd_use_strong_macs/rule.yml | 2 +- + .../sshd_use_strong_pubkey/oval/shared.xml | 1 + + .../sshd_use_strong_pubkey/rule.yml | 13 +++ + .../guide/services/ssh/sshd_strong_kex.var | 19 +++++ + .../oval/shared.xml | 1 + + .../rule.yml | 2 +- + .../oval/shared.xml | 12 ++- + .../rule.yml | 2 +- + .../oval/shared.xml | 13 ++- + .../rule.yml | 2 +- + .../oval/shared.xml | 1 + + .../rule.yml | 2 +- + ...nts_passwords_pam_faillock_unlock_time.var | 1 + + .../oval/shared.xml | 32 +++++++ + .../no_name_contained_in_password/rule.yml | 12 +++ + .../accounts_password_pam_dcredit/rule.yml | 2 +- + .../oval/shared.xml | 27 ++++++ + .../accounts_password_pam_dictcheck/rule.yml | 23 +++++ + .../accounts_password_pam_lcredit/rule.yml | 2 +- + .../accounts_password_pam_minclass/rule.yml | 2 +- + .../accounts_password_pam_minlen/rule.yml | 2 +- + .../accounts_password_pam_ocredit/rule.yml | 2 +- + .../oval/shared.xml | 1 + + .../accounts_password_pam_retry/rule.yml | 2 +- + .../accounts_password_pam_ucredit/rule.yml | 2 +- + .../var_password_pam_dictcheck.var | 
16 ++++ + .../oval/shared.xml | 1 + + .../rule.yml | 2 +- + .../verify_owner_password/oval/shared.xml | 60 +++++++++++++ + .../verify_owner_password/rule.yml | 12 +++ + .../require_singleuser_auth/rule.yml | 2 +- + .../account_unique_group_id/oval/shared.xml | 51 +++++++++++ + .../account_unique_group_id/rule.yml | 11 +++ + .../account_unique_id/oval/shared.xml | 51 +++++++++++ + .../account_unique_id/policy/stig/shared.yml | 15 ++++ + .../account_unique_id/rule.yml | 11 +++ + .../tests/correct_value.pass.sh | 2 + + .../tests/wrong_value.fail.sh | 5 ++ + .../accounts_are_necessary/oval/shared.xml | 25 ++++++ + .../accounts_are_necessary/rule.yml | 20 +++++ + .../group_unique_id/oval/shared.xml | 50 +++++++++++ + .../group_unique_id/policy/stig/shared.yml | 15 ++++ + .../group_unique_id/rule.yml | 12 +++ + .../tests/correct_value.pass.sh | 4 + + .../group_unique_id/tests/wrong_value.fail.sh | 5 ++ + .../group_unique_name/oval/shared.xml | 50 +++++++++++ + .../group_unique_name/rule.yml | 12 +++ + .../tests/correct_value.pass.sh | 4 + + .../tests/wrong_value.fail.sh | 5 ++ + .../oval/shared.xml | 30 +++++++ + .../login_accounts_are_necessary/rule.yml | 31 +++++++ + .../gid_passwd_group_same/oval/shared.xml | 3 +- + .../accounts_tmout/oval/shared.xml | 1 + + .../accounts-session/accounts_tmout/rule.yml | 2 +- + .../oval/shared.xml | 83 ++++++++++++++++++ + .../rule.yml | 2 +- + .../accounts_umask_etc_bashrc/oval/shared.xml | 1 + + .../accounts_umask_etc_bashrc/rule.yml | 2 +- + .../accounts_umask_interactive_users/rule.yml | 2 +- + .../oval/shared.xml | 20 +++++ + .../grub2_nosmap_argument_absent/rule.yml | 25 ++++++ + .../oval/shared.xml | 20 +++++ + .../grub2_nosmep_argument_absent/rule.yml | 25 ++++++ + .../grub2_uefi_password/rule.yml | 2 +- + .../oval/shared.xml | 1 + + .../oval/shared.xml | 1 + + .../file_permissions_ungroupowned/rule.yml | 2 +- + .../files/no_empty_symlink_files/rule.yml | 26 ++++++ + .../no_files_unowned_by_user/oval/shared.xml | 1 + + 
.../files/no_files_unowned_by_user/rule.yml | 2 +- + .../files/no_hide_exec_files/oval/shared.xml | 40 +++++++++ + .../files/no_hide_exec_files/rule.yml | 14 +++ + .../sysctl_kernel_dmesg_restrict/rule.yml | 2 +- + .../oval/shared.xml | 1 + + .../configure_ssh_crypto_policy/rule.yml | 2 +- + .../package_python2_removed/rule.yml | 18 ++++ + .../oval/shared.xml | 1 + + .../ensure_gpgcheck_never_disabled/rule.yml | 2 +- + .../cpe/openeuler2203-cpe-dictionary.xml | 61 +++++++++++++ + openeuler2203/profiles/standard.profile | 85 +++++++++++++++++++ + .../oval/installed_env_has_login_defs.xml | 4 + + shared/macros-oval.jinja | 73 ++++++++++++++++ + shared/templates/template_OVAL_sysctl | 4 + + ssg/constants.py | 4 +- + 98 files changed, 1462 insertions(+), 34 deletions(-) + create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml + create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml + create mode 100644 linux_os/guide/services/ssh/sshd_strong_kex.var 
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var + create mode 100644 linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml + create mode 100644 
linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml + create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml + create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml + create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml + create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml + create mode 100644 linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml + create mode 100644 
linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml + +diff --git a/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml b/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml +new file mode 100644 +index 0000000..ef1fc32 +--- /dev/null ++++ b/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml +@@ -0,0 +1,30 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure All Commands/Bashes In Crontab File Are Not Writeable By Low-privilege Users' ++ ++description: |- ++

It can not be scanned automatically, please check it manually.

++

Use below cli commands to check if there is any low-privilege users writeable commands/bashes in /etc/crontab

++ ++ So, the wirteable flag of other users is present(-rwxrwxrwx.) and it is a risk. ++ ++rationale: |- ++ If any symlink files have no camonical path, it should be removed. ++ ++severity: medium ++ +diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml +new file mode 100644 +index 0000000..ee68c97 +--- /dev/null ++++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Remove ftp Client' ++ ++description: |- ++ FTP is a simple file transfer protocol, ++ it does not support authentication and can be easily hacked. The package ++ ftp is a client program that allows for connections to a ftp server. ++ ++rationale: |- ++ It is recommended that FTP be removed, unless there is a specific need ++ for FTP. In that case, use extreme caution when configuring ++ the services. ++ ++severity: low ++ ++template: ++ name: package_removed ++ vars: ++ pkgname: ftp +diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +index 37a9b68..700e673 100644 +--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Uninstall tftp-server Package' + +diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml +index 2e7858e..de45e4b 100644 +--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: 
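Review bot: The rationale of the new no_lowprivilege_users_writeable_cmds_in_crontab_file rule does not describe this rule — `If any symlink files have no camonical path, it should be removed.` is about dangling symlinks, which is the no_empty_symlink_files rule elsewhere in this patch, not about writable commands referenced from /etc/crontab. Replace it with a rationale for this check, e.g. `If a command or script invoked from /etc/crontab is writable by a low-privilege user, that user can change what cron executes, typically with root privileges.`. The description also spells `wirteable` for `writeable`, and since the rule is manual only, the text should state plainly what counts as a finding (an entry whose target has the other-write bit set).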
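Review bot: The description of package_ftp_removed says FTP `does not support authentication and can be easily hacked`, which is inaccurate: FTP does authenticate with a username and password, the problem is that credentials and file contents cross the network in cleartext. Suggest `FTP is a simple file transfer protocol that sends credentials and data unencrypted, so both can be captured on the network.`. The rationale's `use extreme caution when configuring the services` reads as copied from the server-side rule; for a client package, pointing at sftp or scp as the replacement is the more useful guidance.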
rhel6,rhel7,rhel8 ++prodtype: openeuler2203,rhel6,rhel7,rhel8 + + title: 'Remove tftp Daemon' + +diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml +index 817463d..6484570 100644 +--- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml ++++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: debian10,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: debian10,debian9,fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Uninstall net-snmp Package' + +diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml +new file mode 100644 +index 0000000..8178251 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml +@@ -0,0 +1,20 @@ ++ ++ ++ ++ Disable Host-Based Authentication ++ {{{- oval_affected(products) }}} ++ To disable host-based authentication. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^HostbasedAuthentication[\s]+no$ ++ 1 ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml +new file mode 100644 +index 0000000..9446c3f +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml +@@ -0,0 +1,20 @@ ++ ++ ++ ++ Allow Only SSH Protocol 2 ++ {{{- oval_affected(products) }}} ++ Only SSH protocol version 2 connections should be permitted. 
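Review bot: The hand-written pattern `^HostbasedAuthentication[\s]+no$` in the new disable_host_auth OVAL is case-sensitive, allows no leading whitespace, and rejects a trailing space or `#` comment, although sshd_config keywords are case-insensitive and the project's other checks tolerate those forms; the same shape is repeated in sshd_allow_only_protocol2, sshd_disable_empty_passwords and sshd_disable_rhosts. The sshd_use_strong_pubkey OVAL in this same patch already uses `{{{ oval_sshd_config(parameter=..., value=...) }}}`, so these four files could be one macro call each, e.g. `{{{ oval_sshd_config(parameter="HostbasedAuthentication", value="no") }}}`. For sshd_allow_only_protocol2, note that OpenSSH from 7.4 onward accepts only protocol 2 and treats `Protocol` as a no-op, so if openEuler 22.03 ships such a version the rule enforces a line with no effect and would better be dropped or made informational.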
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^Protocol[\s]+2$ ++ 1 ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml +new file mode 100644 +index 0000000..44c5eab +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml +@@ -0,0 +1,20 @@ ++ ++ ++ ++ Disable SSH Access via Empty Passwords ++ {{{- oval_affected(products) }}} ++ Disable SSH Access via Empty Passwords. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^PermitEmptyPasswords[\s]+no$ ++ 1 ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml +new file mode 100644 +index 0000000..22a1069 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml +@@ -0,0 +1,20 @@ ++ ++ ++ ++ Disable SSH Support for .rhosts Files ++ {{{- oval_affected(products) }}} ++ Disable SSH Support for .rhosts Files. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^IgnoreRhosts[\s]+yes$ ++ 1 ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml +new file mode 100644 +index 0000000..5a3d8ee +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml +@@ -0,0 +1,26 @@ ++srg_requirement: |- ++ {{{ full_name }}} must enable the Pluggable Authenitcation Module (PAM) interface for SSHD. ++ ++vuldiscussion: |- ++ When UsePAM is set to yes, PAM runs through account and session types properly. This is ++ important if you want to restrict access to services based off of IP, time or other factors of ++ the account. 
Additionally, you can make sure users inherit certain environment variables ++ on login or disallow access to the server. ++ ++checktext: |- ++ Verify the {{{ full_name }}} SSHD is configured to allow for the UsePAM interface with the following command: ++ ++ $ sudo grep -i usepam /etc/ssh/sshd_config ++ ++ UsePAM yes ++ ++ If the "UsePAM" keyword is set to "no", is missing, or is commented out, this is a finding. ++ ++fixtext: |- ++ Configure the {{{ full_name }}} SSHD to use the UsePAM interface add or modify the following line in "/etc/ssh/sshd_config". ++ ++ UsePAM yes ++ ++ Restart the SSH daemon for the settings to take effect: ++ ++ $ sudo systemctl restart sshd.service +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml +new file mode 100644 +index 0000000..e303b2c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml +@@ -0,0 +1,26 @@ ++documentation_complete: true ++ ++title: 'Enable PAM' ++ ++description: |- ++ UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will ++ enable PAM authentication using ChallengeResponseAuthentication and ++ PasswordAuthentication in addition to PAM account and session module processing for all ++ authentication types. ++ ++rationale: |- ++ When UsePAM is set to yes, PAM runs through account and session types properly. This is ++ important if you want to restrict access to services based off of IP, time or other factors of ++ the account. Additionally, you can make sure users inherit certain environment variables ++ on login or disallow access to the server. 
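Review bot: `Authenitcation` in the srg_requirement of the new sshd_enable_pam STIG text is a typo; the line should read `{{{ full_name }}} must enable the Pluggable Authentication Module (PAM) interface for SSHD.`. The vuldiscussion paragraph is the same text as the rationale in sshd_enable_pam/rule.yml, so if one copy is edited later the other should be kept in step.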
++ ++severity: medium ++ ++ ++template: ++ name: sshd_lineinfile ++ vars: ++ missing_parameter_pass: 'false' ++ parameter: UsePAM ++ rule_id: sshd_enable_pam ++ value: 'yes' +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml +index d476fda..59bb6a6 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,rhel6,rhel7 ++prodtype: ol7,openeuler2203,rhel6,rhel7 + + title: 'Use Only Strong Ciphers' + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml +new file mode 100644 +index 0000000..d8d13d8 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml +@@ -0,0 +1,73 @@ ++ ++ ++ {{{ oval_metadata("Limit the Key Exchange Algorithms to those which are FIPS-approved.") }}} ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ {{% else %}} ++ ++ ++ ++ {{% if product in ['opensuse', 'sle12', 'sle15'] %}} ++ ++ {{% else %}} ++ ++ {{% endif %}} ++ ++ ++ ++ {{% if product in ['opensuse', 'sle12', 'sle15'] %}} ++ ++ {{% else %}} ++ ++ {{% endif %}} ++ ++ ++ ++ {{% endif %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ var_sshd_config_kex ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml +new file mode 100644 +index 0000000..2f94f68 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml +@@ -0,0 +1,17 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Use 
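Review bot: The new sshd_enable_pam/rule.yml has no `prodtype:` line, while every other rule added by this patch declares `prodtype: openeuler2203`; if the build treats an absent prodtype as "all products", this rule is picked up by every product rather than only openEuler, which is presumably not intended. Add `prodtype: openeuler2203` after `documentation_complete: true`. The same omission is in no_name_contained_in_password/rule.yml further down. `missing_parameter_pass: 'false'` is the right choice here, since sshd's built-in default for UsePAM is `no`.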
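Review bot: In the sshd_use_strong_kex OVAL pattern `^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$`, the class `[\w,-@]` contains the range `,-@` (0x2C–0x40), which happens to include `-` but also `/`, `:`, `;`, `<`, `=`, `>` and `?`; the intent is clearly a literal hyphen, so write `[\w,@-]+` with the hyphen last. The enclosing `( ... )+` around an already-quantified class is redundant and invites heavy backtracking on a long non-matching line; `([\w,@-]+)` alone is enough. The object also references `var_sshd_config_kex`, while the variable this patch adds is `sshd_strong_kex.var`; if the variable id is derived from the file name these will not match at build time, so confirm which id is expected.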
Only Strong Key Exchange algorithms' ++ ++description: |- ++ Limit the Key Exchange to strong algorithms. ++ ++rationale: |- ++ Key exchange is any method in cryptography by which cryptographic keys are exchanged ++ between two parties, allowing use of a cryptographic algorithm. If the sender and receiver ++ wish to exchange encrypted messages, each must be equipped to encrypt messages to be ++ sent and decrypt messages received ++ ++severity: medium ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml +index e5631ce..66d0402 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,rhel6,rhel7 ++prodtype: ol7,openeuler2203,rhel6,rhel7 + + title: 'Use Only Strong MACs' + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml +new file mode 100644 +index 0000000..3c13a96 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml +@@ -0,0 +1 @@ ++{{{ oval_sshd_config(parameter="PubkeyAcceptedKeyTypes", value="((ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512),?)+") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml +new file mode 100644 +index 0000000..cdc3061 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml +@@ -0,0 +1,13 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Use Only Strong Algorithms For Public Key' ++ ++description: |- ++ Limit the algorithm of public key to strong algorithms. 
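Review bot: The value regex in the sshd_use_strong_pubkey OVAL, `((ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512),?)+`, matches only the four names in exactly that order, so a stricter configuration such as `PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512`, or the same list reordered, fails the check. Alternating the elements, `((ssh-ed25519|ssh-ed25519-cert-v01@openssh.com|rsa-sha2-256|rsa-sha2-512),?)+`, accepts any subset and order of the approved set while still rejecting anything outside it. If the openEuler OpenSSH is 8.5 or newer, administrators may also have used the newer keyword `PubkeyAcceptedAlgorithms`, which this check would not see; whether that spelling must be covered depends on the shipped version.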
++ ++rationale: |- ++ Week algorithms will introduce risks. ++ ++severity: medium +diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var +new file mode 100644 +index 0000000..36b03ba +--- /dev/null ++++ b/linux_os/guide/services/ssh/sshd_strong_kex.var +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++title: 'SSH Strong KEX by FIPS' ++ ++description: "Specify the FIPS approved KEXs (Key Exchange Algorithms) algorithms\n\tthat are used for methods in cryptography by which cryptographic keys are exchanged between two parties" ++ ++type: string ++ ++operator: equals ++ ++interactive: false ++ ++options: ++ default: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 ++ cis_rhel7: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 ++ cis_sle12: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 ++ cis_sle15: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 ++ cis_ubuntu2004: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 ++ standard_openeuler2203: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml 
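Review bot: `Week algorithms will introduce risks.` in the sshd_use_strong_pubkey rationale should be `Weak algorithms will introduce risks.`; a sentence on what the risk is would make the rationale useful, e.g. that host and user keys signed with weak algorithms can be forged or downgraded. The description's `Limit the algorithm of public key to strong algorithms.` also reads better as `Limit public key authentication to strong signature algorithms.`.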
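Review bot: The `description:` of sshd_strong_kex.var is a double-quoted scalar containing `\n\t`, which YAML turns into a real newline and tab in the rendered guide text; the other variable files use a `|-` block scalar, and this one should too. `KEXs (Key Exchange Algorithms) algorithms` also repeats the word — `the approved key exchange algorithms` is enough.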
+index 28eecc8..5165c15 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml +@@ -8,6 +8,7 @@ + multi_platform_fedora + multi_platform_rhv + multi_platform_ol ++ multi_platform_openeuler + + The passwords to remember should be set correctly. + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +index 579ffc0..cb2d878 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Limit Password Reuse' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml +index db91fa9..0139186 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml +@@ -129,8 +129,12 @@ + + /etc/pam.d/system-auth + ++ pam_unix.so module in auth section --> ++ {{% if product in ["openeuler2203"] %}} ++ 
[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*audit[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] ++ {{% else %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] ++ {{% endif %}} + + 1 + +@@ -178,8 +182,12 @@ + + /etc/pam.d/password-auth + ++ pam_unix.so module in auth section --> ++ {{% if product in ["openeuler2203"] %}} ++ [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*audit[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] ++ {{% else %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] ++ {{% endif %}} + + 1 + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +index 5575bd3..1fe3174 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Set Deny For Failed Password Attempts' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml +index 402feab..da09d06 100644 +--- 
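Review bot: The openeuler2203 branch of the accounts_passwords_pam_faillock_deny pattern requires the literal token `audit` after `preauth` where the generic branch requires `silent`, so on openEuler a system-auth line carrying `silent`, both keywords, or neither fails the check even though `deny=` is set; `silent` and `audit` only control messages and logging, not what this rule measures. Presumably openEuler's stock pam configuration uses `audit`, but accepting either keeps the check about the lockout count: `[^\n]*(?:silent|audit)[\s]+[^\n]*deny=([0-9]+)`, or drop the token altogether. The same duplication appears in the password-auth hunk of this file and in both hunks of accounts_passwords_pam_faillock_deny_root/oval/shared.xml; a single pattern would remove the product-specific branches entirely.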
a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml +@@ -9,6 +9,7 @@ + multi_platform_fedora + multi_platform_rhv + multi_platform_ol ++ multi_platform_openeuler + + The root account should be configured to deny access after the number of defined + failed attempts has been reached. +@@ -37,8 +38,12 @@ + + /etc/pam.d/system-auth + ++ pam_unix.so module in auth section --> ++ {{% if product in ["openeuler2203"] %}} ++ [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+audit[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] ++ {{% else %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] ++ {{% endif %}} + + 1 + +@@ -72,8 +77,12 @@ + + /etc/pam.d/password-auth + ++ pam_unix.so module in auth section --> ++ {{% if product in ["openeuler2203"] %}} ++ [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+audit[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] ++ {{% else %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] ++ {{% endif %}} + + 1 + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +index 03329a6..6615efa 100644 +--- 
a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Configure the root Account for Failed Password Attempts' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml +index ad3e2f1..057aca8 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml +@@ -7,6 +7,7 @@ + multi_platform_fedora + multi_platform_rhv + multi_platform_ol ++ multi_platform_openeuler + + The number of allowed failed logins should be set correctly. 
+ +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +index e4403bb..dccf1b7 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Set Lockout Time for Failed Password Attempts' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var +index 46c73e4..206b03e 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var +@@ -17,5 +17,6 @@ options: + 604800: 604800 + 86400: 86400 + 900: 900 ++ 300: 300 + default: 0 + never: 0 +diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml +new file mode 100644 +index 0000000..af4a11e +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml +@@ -0,0 +1,32 @@ ++ ++ ++ ++ Accounts password should not be contained substring of name ++ {{{- oval_affected(products) }}} ++ Accounts password should not be contained 
substring of name. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/pam.d/password-auth ++ ^.*usercheck[\s]*=[\s]*0.*$ ++ 1 ++ ++ ++ ++ /etc/pam.d/system-auth ++ ^.*usercheck[\s]*=[\s]*0.*$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml +new file mode 100644 +index 0000000..fa84a3b +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml +@@ -0,0 +1,12 @@ ++documentation_complete: true ++ ++title: 'Accounts Name Should Not Be Contained In Password' ++ ++description: |- ++ Accounts name should not be contained in password. ++ There is no usercheck=0. ++ ++rationale: |- ++ If the passowrd contains substring of accounts name, it is a risk. ++ ++severity: high +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +index 86ec1e6..629a797 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Ensure PAM Enforces Password Requirements - Minimum Digit Characters' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml +new file mode 
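Review bot: The two patterns `^.*usercheck[\s]*=[\s]*0.*$` against /etc/pam.d/password-auth and /etc/pam.d/system-auth also match a commented-out line (`# ... usercheck=0`), and they never look at /etc/security/pwquality.conf, where `usercheck = 0` is equally effective, so the rule can fail a compliant host and pass a non-compliant one. It also passes when pam_pwquality is absent from the password stack altogether, because it only asserts that a string is missing. Anchor the PAM pattern to an uncommented pam_pwquality line, e.g. `^\s*password\s+\S+\s+pam_pwquality\.so.*\busercheck\s*=\s*0\b`, and add an object with `^\s*usercheck\s*=\s*0\b` against /etc/security/pwquality.conf (and any pwquality.conf.d drop-ins the product honours). The element tags of this XML are stripped in the page, so the object/state wiring is inferred from the visible text.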
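Review bot: Unlike the other new rules in this patch (`accounts_password_pam_dictcheck`, `account_unique_id`), this rule.yml sets no `prodtype`, and its OVAL uses `oval_affected(products)`, so it appears it would be built for every product rather than only openEuler; add `prodtype: openeuler2203` unless that is intended. The description `There is no usercheck=0.` and the rationale `If the passowrd contains substring of accounts name, it is a risk.` should say what is checked, e.g. `pam_pwquality's usercheck option (on by default) rejects passwords that contain the account name in straight or reversed form; this rule verifies it has not been disabled with usercheck=0.` Severity `high` for one disabled complexity option is out of line with the `medium` the sibling pwquality rules use.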
100644 +index 0000000..13bbae4 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml +@@ -0,0 +1,27 @@ ++ ++ ++ {{{ oval_metadata("Check dictcheck in pwquality") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ filepath_regex }}} ++ ^\s*dictcheck[\s]*=[\s]*(-?\d+)(?:[\s]|$) ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +new file mode 100644 +index 0000000..b10e340 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +@@ -0,0 +1,23 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words' ++ ++description: |- ++ The pam_pwquality module's dictcheck check if passwords contains dictionary words. When ++ dictcheck is set to 1 passwords will be checked for dictionary words. ++ ++rationale: |- ++ Use of a complex password helps to increase the time and resources required to compromise the password. ++ Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at ++ guessing and brute-force attacks. ++
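Review bot: The value pattern `^\s*dictcheck[\s]*=[\s]*(-?\d+)(?:[\s]|$)` is compared with `var_password_pam_dictcheck`, whose only option is `1` with `operator: equals`, so a host with `dictcheck = 2` (also enabled: libpwquality treats any non-zero value as on) is reported non-compliant, while `dictcheck=0` given as a module argument on the pam_pwquality.so line in /etc/pam.d/* — which overrides pwquality.conf — is never seen because only `{{{ filepath_regex }}}` is inspected. Prefer a state that requires a value greater than 0, and either scan the pam.d module arguments as well or say in the rule that they are out of scope. The element tags are stripped in this view, so the state/variable wiring is inferred from the names.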

++ Password complexity is one factor of several that determines how long it takes to crack a password. The more ++ complex the password, the greater the number of possible combinations that need to be tested before the ++ password is compromised. ++

++ Passwords with dictionary words may be more vulnerable to password-guessing attacks. ++ ++severity: medium ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml +index 159a832..4e63274 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +index 5c596d0..866fa5f 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Ensure PAM Enforces Password Requirements - Minimum Different Categories' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml 
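Review bot: The description claims `When dictcheck is set to 1 passwords will be checked for dictionary words`; libpwquality enables the check for any non-zero value and has it on by default, and the check is only as strong as the cracklib dictionary installed on the host (it silently does nothing without one), which the rationale should state. The rule ships no `ocil_clause`/`ocil` and no remediation, so a scanner can neither explain nor fix the finding; suggest `ocil_clause: 'dictcheck is not set to a non-zero value in /etc/security/pwquality.conf'` plus a one-line bash/ansible fix setting `dictcheck = 1`. Wording: `check if passwords contains` → `checks whether a password contains`.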
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+index 7db443b..3b65cb6 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Ensure PAM Enforces Password Requirements - Minimum Length'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+index bdef268..0597fe9 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Ensure PAM Enforces Password Requirements - Minimum Special Characters'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
+index d888d78..4588489 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
++++ 
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml +@@ -8,6 +8,7 @@ + multi_platform_ol + multi_platform_rhel + multi_platform_wrlinux ++ multi_platform_openeuler + + The password retry should meet minimum requirements + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +index 099cbbf..908ca40 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml +index 7b5fe67..203da95 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters' + +diff --git 
a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var +new file mode 100644 +index 0000000..26452c3 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var +@@ -0,0 +1,16 @@ ++documentation_complete: true ++ ++title: dictcheck ++ ++description: |- ++ Prevent the use of dictionary words for passwords. ++ ++type: number ++ ++operator: equals ++ ++interactive: false ++ ++options: ++ 1: 1 ++ default: 1 +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml +index 3770a64..4cb9dc0 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml +@@ -8,6 +8,7 @@ + multi_platform_fedora + multi_platform_rhv + multi_platform_ol ++ multi_platform_openeuler + + The password hashing algorithm should be set correctly in /etc/pam.d/system-auth. 
+ +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +index 1c4032c..9bd46d6 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: "Set PAM's Password Hashing Algorithm" + +diff --git a/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml +new file mode 100644 +index 0000000..bfd0b01 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml +@@ -0,0 +1,60 @@ ++ ++ ++ ++ Accounts password should be verified during modifying ++ {{{- oval_affected(products) }}} ++ Accounts password should be verified during modifying. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/pam.d/password-auth ++ ^password[\s]+sufficient[\s]+pam_unix\.so.*$ ++ 1 ++ ++ ++ ++ /etc/pam.d/password-auth ++ ^password[\s]+required[\s]+pam_deny\.so.*$ ++ 1 ++ ++ ++ ++ /etc/pam.d/system-auth ++ ^password[\s]+sufficient[\s]+pam_unix\.so.*$ ++ 1 ++ ++ ++ ++ /etc/pam.d/system-auth ++ ^password[\s]+required[\s]+pam_deny\.so.*$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml +new file mode 100644 +index 0000000..b03948a +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml +@@ -0,0 +1,12 @@ ++documentation_complete: true ++ ++title: 'Accounts Password Should Be Verified When Changing' ++ ++description: |- ++ Accounts password should be verified when it is modifying. ++ It is done by pam_unix.so. ++ ++rationale: |- ++ Anyone can change the password if no verifying. 
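Review bot: All four patterns require the control flag to be literally `sufficient` (`^password[\s]+sufficient[\s]+pam_unix\.so.*$`), so a password stack that uses `required` or a bracketed `[success=1 default=ignore]` control for pam_unix — at least as strict — is reported as a failure. Accept any control field, e.g. `^\s*password\s+(required|requisite|sufficient|\[[^\]]+\])\s+pam_unix\.so`, and describe what the rule really asserts: that pam_unix is in the password stack and the stack ends with pam_deny, not that the current password is verified (pam_unix already prompts for it on non-root changes regardless of this rule). The element tags are not visible in this page, so the criteria combination is inferred.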
++ ++severity: high +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +index c81e8cc..568163e 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Require Authentication for Single User Mode' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml +new file mode 100644 +index 0000000..011d03b +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml +@@ -0,0 +1,51 @@ ++ ++ ++ {{{ oval_metadata("All accounts on the system should have unique master group IDs for proper accountability.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ^(?!sync|shutdown|halt|operator).* ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ variable_count_of_all_user_group_ids ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml +new file mode 100644 +index 0000000..01b1ea9 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml +@@ -0,0 +1,11 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure All Accounts on the System Have Unique Master Group IDs' ++ ++description: 'Change user master group IDs, or delete accounts.' 
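Review bot: The title `Accounts Password Should Be Verified When Changing` and the rationale `Anyone can change the password if no verifying.` do not describe the OVAL, which only checks that a `password sufficient pam_unix.so` line and a `password required pam_deny.so` line exist in system-auth and password-auth; say so, e.g. `Ensure the PAM password stack updates passwords through pam_unix.so and ends with pam_deny.so so that no other module can silently succeed.` Like the other unscoped new rules here it lacks `prodtype: openeuler2203`, so it appears to be built for all products. Severity `high` for a structural check of default PAM files is hard to justify next to `medium` on the sibling rules.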
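Review bot: The exclusion pattern `^(?!sync|shutdown|halt|operator).*` has no terminator after the alternation, so any account whose name merely starts with one of those words (`operators`, `sync-agent`) is also left out of the duplicate-GID count; use `^(?!(sync|shutdown|halt|operator)$).*` if the intent is to skip only the four legacy accounts that share GID 0. The element tags of this OVAL are stripped in the page, so that this is the username pattern of a passwd_object is inferred from context.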
++ ++rationale: 'To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.' ++ ++severity: medium +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml +new file mode 100644 +index 0000000..491ad45 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml +@@ -0,0 +1,51 @@ ++ ++ ++ {{{ oval_metadata("All accounts on the system should have unique IDs for proper accountability.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ .* ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ variable_count_of_all_uids ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml +new file mode 100644 +index 0000000..cfe5f91 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml +@@ -0,0 +1,15 @@ ++srg_requirement: |- ++ {{{ full_name }}} duplicate User IDs (UIDs) must not exist for interactive users. ++ ++vuldiscussion: |- ++ To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. ++ ++checktext: |- ++ Verify that {{{ full_name }}} contains no duplicate User IDs (UIDs) for interactive users with the following command: ++ ++ $ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd ++ ++ If output is produced and the accounts listed are interactive user accounts, this is a finding. ++ ++fixtext: |- ++ Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate User ID (UID) with a unique UID. 
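Review bot: Requiring every account's primary GID to be unique conflicts with a common and legitimate layout in which all users share one primary group such as `users` (`USERGROUPS_ENAB no` in /etc/login.defs), so this rule will flag healthy systems; either state that scope in the description — `Change user master group IDs, or delete accounts.` explains nothing — or restrict the check to interactive accounts, mirroring the sibling account_unique_id rule. The rationale is copied verbatim from the UID rule and argues about identifying users, which a shared primary group does not prevent.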
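Review bot: The STIG text scopes the requirement to interactive users (`If output is produced and the accounts listed are interactive user accounts, this is a finding`), while the OVAL beside it appears to count duplicates over a `.*` username pattern, i.e. every account, so the automated and manual results can disagree; either filter the OVAL to interactive users (the project macro `create_interactive_users_list_object` is used by accounts_user_interactive_home_directory_exists in this same patch) or drop the qualifier from the checktext. The one-liner `awk -F ":" 'list[$3]++{print $1, $3}'` prints only the second and later holders of a UID, never the first; a sentence saying so would save the auditor a second look.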
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+new file mode 100644
+index 0000000..687a0c3
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+@@ -0,0 +1,11 @@
++documentation_complete: true
++
++prodtype: openeuler2203
++
++title: 'Ensure All Accounts on the System Have Unique User IDs'
++
++description: 'Change user IDs (UIDs), or delete accounts, so each has a unique id.'
++
++rationale: 'To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.'
++
++severity: medium
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh
+new file mode 100644
+index 0000000..645c46e
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh
+@@ -0,0 +1,2 @@
++#!/bin/bash
++# remediation = none
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh
+new file mode 100644
+index 0000000..cc7f221
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh
+@@ -0,0 +1,5 @@
++#!/bin/bash
++# remediation = none
++
++echo "test_user:x:30090:30090:Test User:/home/test_user:/usr/bin/bash" >> /etc/passwd
++echo "test_user_2:x:30090:30090:Test User 2:/home/test_user_2:/usr/bin/bash" >> /etc/passwd
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml 
b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml +new file mode 100644 +index 0000000..e2047d9 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ All Accounts are Necessary ++ ++ openEuler 22.03LTS ++ ++ All Accounts are Necessary ++ ++ ++ ++ ++ ++ ++ ++ .* ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml +new file mode 100644 +index 0000000..143fe8a +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml +@@ -0,0 +1,20 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'All Accounts Are Necessary' ++ ++description: |- ++
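Review bot: This rule's own description says `It can not be scanned automatically, please check it manually`, yet the patch ships an OVAL whose only visible object is a `.*` pattern with no state, so a scan will return a definite result (most likely pass whenever /etc/passwd has any entry) and give false assurance for a review nobody performed. A manual rule should have no OVAL so XCCDF reports it as `notchecked`, with the steps carried in `ocil`; the same applies to login_accounts_are_necessary later in this patch. The element tags are stripped in this page, so the object/test wiring is inferred.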

It can not be scanned automatically, please check it manually.

++

If any account is not necessary, it should be removed from /etc/passwd.

++
    ++
  • Use below cli command to list all accounts in system: ++
    # cat /etc/passwd | awk  -F ":" '{print $1}'
    ++
  • ++
++ ++rationale: |- ++ It is a risk if an account exists in system but it is not necessary. ++ ++severity: medium ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml +new file mode 100644 +index 0000000..b3425ec +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml +@@ -0,0 +1,50 @@ ++ ++ ++ {{{ oval_metadata("All groups on the system should have unique names for proper accountability.") }}} ++ ++ ++ ++ ++ ++ ++ /etc/group ++ ^.+:.+:(\d+):.*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ variable_count_of_all_group_ids ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml +new file mode 100644 +index 0000000..6944a01 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml +@@ -0,0 +1,15 @@ ++srg_requirement: |- ++ {{{ full_name }}} groups must have unique Group ID (GID). ++ ++vuldiscussion: |- ++ To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. ++ ++checktext: |- ++ Verify that {{{ full_name }}} contains no duplicate Group IDs (GID) for interactive users with the following command: ++ ++ $ cut -d : -f 3 /etc/group | uniq -d ++ ++ If the system has duplicate group ids, this is a finding. ++ ++fixtext: |- ++ Edit the file "/etc/group" and provide each group that has a duplicate Group ID (GID) with a unique GID. 
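Review bot: The description gives the auditor a list of every account and no criterion for "necessary"; at minimum say that accounts not owned by an installed package and not tied to a running service or a current user are candidates, and that a system account still referenced by a package should be locked and given a non-login shell rather than deleted. The manual steps belong under `ocil:` rather than in the description so the OCIL document carries them. `cat /etc/passwd | awk -F ":" '{print $1}'` has a useless cat; `awk -F: '{print $1}' /etc/passwd` is equivalent.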
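Review bot: The checktext `$ cut -d : -f 3 /etc/group | uniq -d` only reports adjacent duplicates — uniq compares neighbouring lines — so a GID reused by two groups that are not consecutive in /etc/group is missed and the manual check passes a non-compliant host; use `cut -d: -f3 /etc/group | sort | uniq -d`. The phrase `contains no duplicate Group IDs (GID) for interactive users` is copied from the UID rule; groups are not interactive users, so drop the qualifier.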
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml +new file mode 100644 +index 0000000..66925eb +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml +@@ -0,0 +1,12 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure All Groups on the System Have Unique Group ID' ++ ++description: 'Change the group name or delete groups, so each has a unique id.' ++ ++rationale: 'To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.' ++ ++severity: medium ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh +new file mode 100644 +index 0000000..031b46c +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# remediation = no ++ ++groupadd cac_test$(date +%s) +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000..d8d9f7e +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# remediation = no ++ ++echo "testgroup1:x:1004:" >> /etc/group ++echo "testgroup:x:1004:" >> /etc/group +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml +new file mode 100644 +index 0000000..a1d46bb +--- /dev/null ++++ 
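Review bot: The description `Change the group name or delete groups, so each has a unique id.` is copied from group_unique_name and tells the reader to change the wrong attribute; write `Change the group ID (GID), or delete groups, so each has a unique GID.` The test headers in this rule use `# remediation = no`, while the account_unique_id tests in this same patch use `# remediation = none`; if the test suite only recognises `none`, these tests would try to remediate a rule that has no remediation, so align on `none`.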
b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml +@@ -0,0 +1,50 @@ ++ ++ ++ {{{ oval_metadata("All groups on the system should have unique names for proper accountability.") }}} ++ ++ ++ ++ ++ ++ ++ /etc/group ++ ^(.+):.+ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ variable_count_of_all_group_names ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml +new file mode 100644 +index 0000000..d3bc722 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml +@@ -0,0 +1,12 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure All Groups on the System Have Unique Group Names' ++ ++description: 'Change the group name or delete groups, so each has a unique name.' ++ ++rationale: 'To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.' 
++ ++severity: medium ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh +new file mode 100644 +index 0000000..031b46c +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# remediation = no ++ ++groupadd cac_test$(date +%s) +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000..e375c55 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# remediation = no ++ ++echo "testgroup:x:1004:" >> /etc/group ++echo "testgroup:x:1005:" >> /etc/group +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml +new file mode 100644 +index 0000000..ac39f98 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml +@@ -0,0 +1,30 @@ ++ ++ ++ ++ All Login Accounts are Necessary ++ ++ openEuler 22.03LTS ++ ++ All Login Accounts are Necessary ++ ++ ++ ++ ++ ++ ++ ++ .*nologin.* ++ ++ ++ ++ .* ++ login_accounts_are_necessary_state ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml +new file mode 100644 +index 0000000..7fd34bc +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml +@@ -0,0 +1,31 @@ 
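Review bot: Both group_unique_name tests use `# remediation = no`, which differs from the `# remediation = none` keyword the account_unique_id tests use a few hunks above; pick the spelling the test suite recognises so the pass/fail scripts are not run with an unexpected remediation mode. The `groupadd cac_test$(date +%s)` in correct_value.pass.sh is fine, but note it leaves a group behind on a real host if the test is ever run outside the suite's snapshot.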
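Review bot: This OVAL appears to key on a `.*nologin.*` shell pattern with a `.*` state for a rule whose description says it cannot be scanned automatically, so the scan will emit a result that reflects no human review; as with accounts_are_necessary, a manual rule should carry no OVAL and be reported `notchecked`, with the commands moved to `ocil`. The element tags are stripped in this page, so the object/state roles are inferred from the visible patterns.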
++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'All Login Accounts Are Necessary' ++ ++description: |- ++

It can not be scanned automatically, please check it manually.

++ If any account need not login, it should be removed from /etc/passwd ++ or it should be marked by "nologin". ++

It can be checked as below cli commands:

++
    ++
  • List all nologin accounts, then check it manually: ++
    # cat /etc/passwd | grep "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'
    ++
  • ++
  • List all login accounts, then check it manually: ++
    # cat /etc/passwd | grep -v "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'
    ++
  • ++
  • List all accounts which the password are locked: ++
    # cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2=="L" || $2=="LK") {print $1}'
    ++
  • ++
  • List all accounts which the password are not locked: ++
    # cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}'
    ++
  • ++
++ ++rationale: |- ++ It is a risk if an account can login system but it is not necessary. ++ ++severity: medium ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml +index 34d605b..781cd3f 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml +@@ -7,7 +7,8 @@ + multi_platform_fedora + multi_platform_ol + multi_platform_rhel +- multi_platform_wrlinux ++ multi_platform_wrlinux ++ multi_platform_openeuler + + All GIDs referenced in /etc/passwd must be defined in /etc/group. + +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml +index c68effb..bcb50bd 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml +@@ -8,6 +8,7 @@ + multi_platform_ol + multi_platform_rhel + multi_platform_wrlinux ++ multi_platform_openeuler + + Checks interactive shell timeout + +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +index cdfa67d..4ceead4 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Set Interactive Session Timeout' + +diff --git 
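Review bot: The filter `grep "\/sbin\/nologin\|\/bin\/false"` treats every other shell as a login shell, so `halt`, `shutdown` and `sync` (shells /sbin/halt, /sbin/shutdown, /bin/sync) land in the "login accounts" list and must be explained away by hand; splitting by membership in /etc/shells is more robust, e.g. `awk -F: 'NR==FNR{s[$1];next} ($7 in s){print $1}' /etc/shells /etc/passwd`. The `passwd -S` pipelines are fine (they accept both the `L` and `LK` spellings of a locked status), but a locked password does not stop key-based SSH logins, so the text should say an unnecessary account also needs a non-login shell or removal. As in accounts_are_necessary, the steps belong under `ocil:` and `cat /etc/passwd | awk` can be `awk ... /etc/passwd`.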
a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml +new file mode 100644 +index 0000000..56b3396 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml +@@ -0,0 +1,83 @@ ++ ++ ++ {{{ oval_metadata("All Interactive Users Home Directories Must Exist") }}} ++ ++ ++ ++ ++ ++ ++ {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} ++ {{{ create_interactive_users_list_object(interactive_users_object) }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ var_accounts_user_interactive_home_directory_exists_dirs_count_fs ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ var_accounts_user_interactive_home_directory_exists_dirs_count ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +index d51679f..6163f3d 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'All Interactive Users Home Directories Must Exist' + +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml +index 73e457d..9bbd226 100644 +--- 
a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml +@@ -6,6 +6,7 @@ + multi_platform_rhel + multi_platform_wrlinux + multi_platform_ol ++ multi_platform_openeuler + + The default umask for users of the bash shell + +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +index 9b189bc..88acb8b 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel6,rhel7,rhel8 ++prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8 + + title: 'Ensure the Default Bash Umask is Set Correctly' + +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml +index 7e6b11a..6271928 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Ensure the Default Umask is Set Correctly For Interactive Users' + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml +new file mode 100644 +index 0000000..40d201e +--- /dev/null ++++ 
b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml +@@ -0,0 +1,20 @@ ++ ++ ++ {{{ oval_metadata("SMAP should not be set.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /proc/cmdline ++ ^.*nosmap.*$ ++ 1 ++ ++ ++ ++ +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml +new file mode 100644 +index 0000000..51dab28 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml +@@ -0,0 +1,25 @@ ++documentation_complete: true ++ ++title: 'Ensure SMAP is not disabled during boot' ++ ++description: |- ++ The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into ++ memory pages in the user space, it is enabled by default since Linux kernel 3.7. ++ But it could be disabled through kernel boot parameters. ++ ++ Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by ++ the nosmap boot paramenter option. ++ ++ Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub ++ doesn't contain the argument nosmap. ++ Run the following command to update command line for already installed kernels: ++
# grubby --update-kernel=ALL --remove-args="nosmap"
++ ++rationale: |- ++ Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and ++ manipulation of data in the user space. ++ ++severity: medium ++ ++platform: machine ++ +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml +new file mode 100644 +index 0000000..359bc84 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml +@@ -0,0 +1,20 @@ ++ ++ ++ {{{ oval_metadata("SMEP should not be set.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /proc/cmdline ++ ^.*nosmep.*$ ++ 1 ++ ++ ++ ++ +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml +new file mode 100644 +index 0000000..f39bbb7 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml +@@ -0,0 +1,25 @@ ++documentation_complete: true ++ ++title: 'Ensure SMEP is not disabled during boot' ++ ++description: |- ++ The SMEP is used to prevent the supervisor mode from executing user space code, ++ it is enabled by default since Linux kernel 3.0. But it could be disabled through ++ kernel boot parameters. ++ ++ Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by ++ the nosmep boot paramenter option. ++ ++ Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub ++ doesn't contain the argument nosmep. ++ Run the following command to update command line for already installed kernels: ++
# grubby --update-kernel=ALL --remove-args="nosmep"
++ ++rationale: |- ++ Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows ++ the kernel to unintentionally execute code in less privileged memory space. ++ ++severity: medium ++ ++platform: machine ++ +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml +index d12c53c..0c629cb 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Set the UEFI Boot Loader Password' + +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml +index 12df194..18a5974 100644 +--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml +@@ -6,6 +6,7 @@ + Red Hat Virtualization 4 + multi_platform_ol + multi_platform_rhel ++ multi_platform_openeuler + + The sticky bit should be set for all world-writable directories. 
+ +diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml +index ed85608..d364e2b 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml ++++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml +@@ -7,6 +7,7 @@ + multi_platform_fedora + multi_platform_rhel + multi_platform_wrlinux ++ multi_platform_openeuler + + All files should be owned by a group + +diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +index e51cd7e..efd5046 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Ensure All Files Are Owned by a Group' + +diff --git a/linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml b/linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml +new file mode 100644 +index 0000000..5db67ea +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml +@@ -0,0 +1,26 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure All Symlink Files Have Canonical Path' ++ ++description: |- ++

It can not be scanned automatically, please check it manually.

++

If any symlink files have no camonical path, it should be removed.

++
    ++
  • You can use below cli command to find out all symlink files which have no canonical path under current path: ++
    # find ./ -type l -follow
    ++
  • ++
  • Or find it under root path bug exclude some dirs: ++
    # find / -path /var -prune -o -path /run -prune -o -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -follow
    ++
  • ++
  • Or find it under the whole disk partition: ++
    # find / -xdev -type l -follow
    ++
  • ++
++ ++rationale: |- ++ If any symlink files have no camonical path, it should be removed. ++ ++severity: medium ++ +diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml +index 75d95d4..64429cc 100644 +--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml ++++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml +@@ -6,6 +6,7 @@ + Red Hat Virtualization 4 + multi_platform_rhel + multi_platform_wrlinux ++ multi_platform_openeuler + + All files should be owned by a user + +diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +index f2fb1f2..2903767 100644 +--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml ++++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Ensure All Files Are Owned by a User' + +diff --git a/linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml b/linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml +new file mode 100644 +index 0000000..107fed0 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml +@@ -0,0 +1,40 @@ ++ ++ ++ ++ All hidden executable files ++ ++ multi_platform_openeuler ++ ++ Find out all hidden executable files ++ ++ ++ ++ ++ ++ ++ ++ symbolic link ++ ++ ++ ++ regular ++ false ++ false ++ false ++ ++ ++ ++ ++ / ++ ^\..* ++ symlink_file_list_match ++ exec_file_list_match ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml 
b/linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml +new file mode 100644 +index 0000000..5c8bc4b +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml +@@ -0,0 +1,14 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure All Executable Files are not hidden' ++ ++description: |- ++ Find out all hidden executable files from system. ++ ++rationale: |- ++ If a executable file is hidden, it maybe will introduce risks, since it can not be fould easily ++ ++severity: medium ++ +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +index bf58274..0ccf428 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Restrict Access to Kernel Message Buffer' + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml +index 637b76d..cfb23ef 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml +@@ -6,6 +6,7 @@ + multi_platform_fedora + Red Hat Enterprise Linux 8 + Oracle Linux 8 ++ multi_platform_openeuler + + SSH should be configured to use the system-wide crypto policy setting. 
+ +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +index b9d8b06..5442718 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol8,rhel8 ++prodtype: fedora,ol8,openeuler2203,rhel8 + + title: 'Configure SSH to use System Crypto Policy' + +diff --git a/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml +new file mode 100644 +index 0000000..1147e9b +--- /dev/null ++++ b/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml +@@ -0,0 +1,18 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Uninstall All Python2 Packages' ++ ++description: |- ++ {{{ describe_package_remove(package="python2") }}} ++ ++rationale: |- ++ python2 related packages should be removed. ++ ++severity: medium ++ ++template: ++ name: package_removed ++ vars: ++ pkgname: python2 +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml +index 600c7c0..26c1de9 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml +@@ -8,6 +8,7 @@ + multi_platform_rhv + multi_platform_rhel + multi_platform_ol ++ multi_platform_openeuler + + Ensure all yum or dnf repositories utilize signature checking. 
+ +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +index fc460dc..e1b4280 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Ensure gpgcheck Enabled for All {{{ pkg_manager }}} Package Repositories' + +diff --git a/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml +index 986a804..f0eb8a8 100644 +--- a/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml ++++ b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml +@@ -7,4 +7,65 @@ + + installed_OS_is_openeuler2203 + ++ ++ openEuler 22.03 LTS ++ ++ installed_OS_is_openeuler2203 ++ ++ ++ openEuler 22.03 LTS ++ ++ installed_OS_is_openeuler2203 ++ ++ ++ ++ Container ++ ++ installed_env_is_a_container ++ ++ ++ Bare-metal or Virtual Machine ++ ++ installed_env_is_a_machine ++ ++ ++ Package gdm is installed ++ ++ installed_env_has_gdm_package ++ ++ ++ Package libuser is installed ++ ++ installed_env_has_libuser_package ++ ++ ++ Package nss-pam-ldapd is installed ++ ++ installed_env_has_nss-pam-ldapd_package ++ ++ ++ Package pam is installed ++ ++ installed_env_has_pam_package ++ ++ ++ Package providing /etc/login.defs is installed ++ ++ installed_env_has_login_defs ++ ++ ++ Package sssd-common is installed ++ ++ installed_env_has_sssd-common_package ++ ++ ++ Package systemd is installed ++ ++ installed_env_has_systemd_package ++ ++ ++ Package yum is installed ++ ++ installed_env_has_yum_package ++ + +diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile +index 6fd9707..7f6f0e3 100644 +--- 
a/openeuler2203/profiles/standard.profile
++++ b/openeuler2203/profiles/standard.profile
+@@ -9,3 +9,88 @@ description: |-
+ 
+ selections:
+ - package_telnet_removed
++ - package_tftp-server_removed
++ - package_tftp_removed
++ - package_net-snmp_removed
++ - accounts_no_uid_except_zero
++ - file_owner_etc_passwd
++ - file_groupowner_etc_passwd
++ - file_permissions_etc_passwd
++ - file_owner_etc_shadow
++ - file_groupowner_etc_shadow
++ - file_permissions_etc_shadow
++ - file_owner_etc_group
++ - file_groupowner_etc_group
++ - file_permissions_etc_group
++ - file_owner_etc_gshadow
++ - file_groupowner_etc_gshadow
++ - file_permissions_etc_gshadow
++ - accounts_user_interactive_home_directory_exists
++ - gid_passwd_group_same
++ - var_password_pam_minlen=8
++ - accounts_password_pam_minlen
++ - accounts_password_pam_minclass
++ - var_password_pam_ucredit=0
++ - accounts_password_pam_ucredit
++ - var_password_pam_lcredit=0
++ - accounts_password_pam_lcredit
++ - var_password_pam_dcredit=0
++ - accounts_password_pam_dcredit
++ - var_password_pam_ocredit=0
++ - accounts_password_pam_ocredit
++ - accounts_password_pam_retry
++ - accounts_password_pam_unix_remember
++ - set_password_hashing_algorithm_systemauth
++ - accounts_maximum_age_login_defs
++ - var_accounts_minimum_age_login_defs=0
++ - accounts_minimum_age_login_defs
++ - accounts_password_warn_age_login_defs
++ - sshd_disable_empty_passwords
++ - grub2_uefi_password
++ - require_singleuser_auth
++ - accounts_passwords_pam_faillock_deny
++ - accounts_passwords_pam_faillock_deny_root
++ - var_accounts_passwords_pam_faillock_unlock_time=300
++ - accounts_passwords_pam_faillock_unlock_time
++ - var_accounts_tmout=5_min
++ - accounts_tmout
++ - sshd_allow_only_protocol2
++ - sshd_disable_rhosts
++ - disable_host_auth
++ - configure_ssh_crypto_policy
++ - sysctl_kernel_randomize_va_space
++ - sysctl_kernel_dmesg_restrict
++ - sysctl_kernel_kptr_restrict
++ - no_files_unowned_by_user
++ - 
file_permissions_ungroupowned ++ - dir_perms_world_writable_sticky_bits ++ - var_accounts_user_umask=077 ++ - accounts_umask_etc_bashrc ++ - service_auditd_enabled ++ - auditd_data_retention_max_log_file_action ++ - auditd_data_retention_num_logs ++ - service_rsyslog_enabled ++ - package_python2_removed ++ - ensure_gpgcheck_never_disabled ++ - login_accounts_are_necessary ++ - accounts_are_necessary ++ - group_unique_id ++ - account_unique_id ++ - account_unique_group_id ++ - account_unique_name ++ - group_unique_name ++ - accounts_password_pam_dictcheck ++ - verify_owner_password ++ - no_name_contained_in_password ++ - sshd_strong_kex=standard_openeuler2203 ++ - sshd_use_strong_kex ++ - sshd_use_strong_pubkey ++ - sshd_enable_pam ++ - sshd_use_strong_macs ++ - sshd_use_strong_ciphers ++ - grub2_nosmap_argument_absent ++ - grub2_nosmep_argument_absent ++ - package_ftp_removed ++ - no_empty_symlink_files ++ - no_hide_exec_files ++ - no_lowprivilege_users_writeable_cmds_in_crontab_file +diff --git a/shared/checks/oval/installed_env_has_login_defs.xml b/shared/checks/oval/installed_env_has_login_defs.xml +index 94ecbda..e304b19 100644 +--- a/shared/checks/oval/installed_env_has_login_defs.xml ++++ b/shared/checks/oval/installed_env_has_login_defs.xml +@@ -21,7 +21,11 @@ + + + ++{{% if product == "openeuler2203" %}} ++ shadow ++{{% else %}} + shadow-utils ++{{% endif %}} + + {{% elif pkg_system == "dpkg" %}} + + {{%- endif %}} ++ {{%- if product != "openeuler2203" %}} + {{%- if application == "sshd" %}} + {{#- + This condition is here to avoid regression in sshd configuration rules. 
+@@ -46,6 +47,7 @@ + {{{- application_not_required_or_requirement_unset() }}} + {{{- application_required_or_requirement_unset() }}} + {{%- endif %}} ++ {{%- endif %}} + + {{{- oval_line_in_file_criterion(path, parameter) }}} +@@ -53,10 +55,12 @@ + {{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass) }}} + {{%- endif %}} + ++ {{%- if product != "openeuler2203" %}} + {{%- if application == "sshd" %}} + {{# close criteria left open in application_required_or_requirement_unset #}} + + {{%- endif %}} ++ {{%- endif %}} + {{%- if missing_config_file_fail %}} + {{{- oval_config_file_exists_criterion(path) }}} + +@@ -368,7 +372,11 @@ + + + ++{{% if package == "python2" %}} ++ python2-.* ++{{% else %}} + {{{ package }}} ++{{% endif %}} + + {{% elif pkg_system == "dpkg" %}} + + {{%- endmacro %}} ++ ++ ++{{# ++ Macro which generates the OVAL metadata section ++ ++:param description: The text to place in the description section ++:type description: str ++:param title: Optional, the associated rule title is used by default ++:type title: str ++:param affected_platforms: Optional, list of unix platform strings (e.g. "Fedora") to put under the affected element. Uses the oval_affected macro by default under the hood. ++:type affected_platforms: str ++ ++#}} ++{{%- macro oval_metadata(description, title="", affected_platforms=None) -%}} ++ ++{{%- if title %}} ++ {{{ title }}} ++{{%- else %}} ++ {{{ rule_title }}} ++{{%- endif -%}} ++{{%- if affected_platforms %}} ++ ++{{%- for platform in affected_platforms %}} ++ {{{ platform }}} ++{{%- endfor %}} ++ ++{{%- else %}} ++ {{{ oval_affected(products) | indent -}}} ++{{%- endif %}} ++ {{{ description }}}{{{ caller() if caller else '' }}} ++ ++{{%- endmacro %}} ++ ++{{# ++ Extract from /etc/passwd a list composed of password objects related to non-system UIDs. ++ This list is then filtered to exclude some special usernames and users with /sbin/nologin shell. 
++ ++ The macro receives a string as parameter, which is used as the password_object id in the rule. ++ ++ :param object_id: Object id to be created. ++ :type object_id: str ++#}} ++{{%- macro create_interactive_users_list_object(object_id) -%}} ++ {{%- set ignored_users_list="(nobody|nfsnobody)" %}} ++ ++ ++ .* ++ state_{{{ rule_id }}}_users_uids ++ state_{{{ rule_id }}}_users_ignored ++ state_{{{ rule_id }}}_users_nologin_shell ++ ++ ++ ++ {{{ uid_min }}} ++ ++ ++ ++ ^{{{ ignored_users_list }}}$ ++ ++ ++ ++ ^/sbin/nologin$ ++ ++{{%- endmacro %}} ++ +diff --git a/shared/templates/template_OVAL_sysctl b/shared/templates/template_OVAL_sysctl +index f84fc3d..62ae26d 100644 +--- a/shared/templates/template_OVAL_sysctl ++++ b/shared/templates/template_OVAL_sysctl +@@ -23,7 +23,9 @@ + The "{{{ SYSCTLVAR }}}" kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + ++{{% if product not in ["openeuler2203"] %}} + ++{{% endif %}} + + + +@@ -47,7 +49,9 @@ + + {{% endif %}} + ++{{% if product not in ["openeuler2203"] %}} + ++{{% endif %}} + + + +diff --git a/ssg/constants.py b/ssg/constants.py +index 401c60d..aa081d8 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -120,7 +120,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = { + "Red Hat OpenShift Container Platform 4": "ocp4", + "Oracle Linux 7": "ol7", + "Oracle Linux 8": "ol8", +- "openEuler 22.03 LTS": "openeuler2203", ++ "multi_platform_openeuler": "openeuler2203", + "openSUSE": "opensuse", + "Red Hat Enterprise Linux 6": "rhel6", + "Red Hat Enterprise Linux 7": "rhel7", +@@ -224,6 +224,8 @@ PRODUCT_TO_CPE_MAPPING = { + ], + "openeuler2203": [ + "cpe:/o:openEuler:openEuler:22.03LTS:ga:server", ++ "cpe:/o:openEuler:openEuler:22.03LTS_SP1:ga:server", ++ "cpe:/o:openEuler:openEuler:22.03LTS_SP2:ga:server", + ], + "opensuse": [ + "cpe:/o:opensuse:leap:42.1", +-- +2.21.0.windows.1 + diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 8744822..8a96bd2 100644 
--- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.49 -Release: 3 +Release: 4 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -12,6 +12,7 @@ Patch0003:backport-fix-deprecated-getiterator-function.patch Patch0004:backport-fix-remaining-getchildren-and-getiterator-functions.patch Patch0005:backport-fix-for-older-python-versions-lacking-.iter-method.patch Patch0006:init-openEuler-ssg-project.patch +Patch0007:enable-76-rules-for-openEuler.patch BuildArch: noarch BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML @@ -66,6 +67,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Thu May 18 2023 steven - 0.1.49-4 +- enable 76 rules for openEuler + * Tue May 9 2023 steven - 0.1.49-3 - add openEuler project into ssg -- Gitee From f21f424cb74a40748f6887d70e9635e4bcdf8cc9 Mon Sep 17 00:00:00 2001 From: "steven.y.gui" Date: Sun, 25 Jun 2023 17:27:01 +0800 Subject: [PATCH 2/6] add some descriptions --- enable-76-rules-for-openEuler.patch | 120 ++++++++++++++++++++++++---- scap-security-guide.spec | 5 +- 2 files changed, 109 insertions(+), 16 deletions(-) diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch index 1551e35..0955ac5 100644 --- a/enable-76-rules-for-openEuler.patch +++ b/enable-76-rules-for-openEuler.patch @@ -1,7 +1,7 @@ -From a2fde1d192ec8fa8e1bdaed9daf68156b77e7ca4 Mon Sep 17 00:00:00 2001 +From 808277d4cd1bb001fc2925034f1e770f51b70aa9 Mon Sep 17 00:00:00 2001 From: "steven.y.gui" -Date: Tue, 6 Jun 2023 21:03:36 +0800 -Subject: [PATCH] enable 76 rules for openEuler +Date: Sun, 25 Jun 2023 17:23:33 +0800 +Subject: [PATCH] enable-76-rules-for-openEuler.patch --- .../rule.yml | 30 +++++++ 
@@ -23,9 +23,9 @@ Subject: [PATCH] enable 76 rules for openEuler .../sshd_use_strong_pubkey/rule.yml | 13 +++ .../guide/services/ssh/sshd_strong_kex.var | 19 +++++ .../oval/shared.xml | 1 + - .../rule.yml | 2 +- + .../rule.yml | 7 +- .../oval/shared.xml | 12 ++- - .../rule.yml | 2 +- + .../rule.yml | 8 +- .../oval/shared.xml | 13 ++- .../rule.yml | 2 +- .../oval/shared.xml | 1 + @@ -35,7 +35,7 @@ Subject: [PATCH] enable 76 rules for openEuler .../no_name_contained_in_password/rule.yml | 12 +++ .../accounts_password_pam_dcredit/rule.yml | 2 +- .../oval/shared.xml | 27 ++++++ - .../accounts_password_pam_dictcheck/rule.yml | 23 +++++ + .../accounts_password_pam_dictcheck/rule.yml | 28 ++++++ .../accounts_password_pam_lcredit/rule.yml | 2 +- .../accounts_password_pam_minclass/rule.yml | 2 +- .../accounts_password_pam_minlen/rule.yml | 2 +- @@ -70,13 +70,14 @@ Subject: [PATCH] enable 76 rules for openEuler .../tests/wrong_value.fail.sh | 5 ++ .../oval/shared.xml | 30 +++++++ .../login_accounts_are_necessary/rule.yml | 31 +++++++ + .../accounts_maximum_age_login_defs/rule.yml | 5 ++ .../gid_passwd_group_same/oval/shared.xml | 3 +- .../accounts_tmout/oval/shared.xml | 1 + - .../accounts-session/accounts_tmout/rule.yml | 2 +- + .../accounts-session/accounts_tmout/rule.yml | 7 +- .../oval/shared.xml | 83 ++++++++++++++++++ .../rule.yml | 2 +- .../accounts_umask_etc_bashrc/oval/shared.xml | 1 + - .../accounts_umask_etc_bashrc/rule.yml | 2 +- + .../accounts_umask_etc_bashrc/rule.yml | 9 +- .../accounts_umask_interactive_users/rule.yml | 2 +- .../oval/shared.xml | 20 +++++ .../grub2_nosmap_argument_absent/rule.yml | 25 ++++++ 
@@ -91,6 +92,7 @@ Subject: [PATCH] enable 76 rules for openEuler .../files/no_files_unowned_by_user/rule.yml | 2 +- .../files/no_hide_exec_files/oval/shared.xml | 40 +++++++++ .../files/no_hide_exec_files/rule.yml | 14 +++ + .../sysctl_kernel_kptr_restrict/rule.yml | 5 ++ .../sysctl_kernel_dmesg_restrict/rule.yml | 2 +- .../oval/shared.xml | 1 + .../configure_ssh_crypto_policy/rule.yml | 2 +- @@ -103,7 +105,7 @@ Subject: [PATCH] enable 76 rules for openEuler shared/macros-oval.jinja | 73 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 4 + ssg/constants.py | 4 +- - 99 files changed, 1481 insertions(+), 36 deletions(-) + 101 files changed, 1519 insertions(+), 36 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml @@ -612,7 +614,7 @@ index 28eecc8..5165c15 100644 The passwords to remember should be set correctly. diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml -index 579ffc0..cb2d878 100644 +index 579ffc0..1d926b7 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml @@ -1,6 +1,6 @@ 
@@ -623,6 +625,18 @@ index 579ffc0..cb2d878 100644 title: 'Limit Password Reuse' +@@ -20,6 +20,11 @@ description: |- + + + The DoD STIG requirement is 5 passwords. ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the openEuler release does not disable historical passwords by default. ++ Please configure historical passwords based on the site requirements. ++ {{% endif %}} + + rationale: 'Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.' + diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml index db91fa9..0139186 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml @@ -656,7 +670,7 @@ index db91fa9..0139186 100644 1 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml -index 5575bd3..1fe3174 100644 +index 5575bd3..a06d04e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml @@ -1,6 +1,6 @@ @@ -667,6 +681,19 @@ index 5575bd3..1fe3174 100644 title: 'Set Deny For Failed Password Attempts' +@@ -17,6 +17,12 @@ description: |- +
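Review bot: The caveat inserted after `The DoD STIG requirement is 5 passwords.` states that the openEuler release leaves password-history enforcement unconfigured by default, yet `openeuler2203/profiles/standard.profile` in this same series still selects `accounts_password_pam_unix_remember`, so a stock openEuler system presumably fails its own standard profile on this rule; either the selection should be dropped or the text should say that the profile requires the option even though the OS default leaves it unset. The phrase `does not disable historical passwords` is also unclear and would read better as `does not restrict reuse of previous passwords by default`. The same caveat-versus-selection mismatch is introduced by the faillock_deny hunk (`@@ -667,6 +681,19 @@`), the dictcheck hunk (`@@ -870,6 +897,11 @@`) and the accounts_maximum_age_login_defs hunk (`@@ -1692,6 +1724,22 @@`), whose rules are likewise selected in standard.profile. The `description: |-` block this text is added to begins outside the hunk.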
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: +
    account required pam_faillock.so
  • + ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the openEuler release does not provide this security function by default. ++ Please configure the default number of failures and lockout duration based on ++ the actual application scenario and requirements. ++ {{% endif %}} + + rationale: |- + Locking out user accounts after a number of incorrect attempts diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml index 402feab..da09d06 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml @@ -857,10 +884,10 @@ index 0000000..13bbae4 + diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml new file mode 100644 -index 0000000..b10e340 +index 0000000..1dc59f5 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml -@@ -0,0 +1,23 @@ +@@ -0,0 +1,28 @@ +documentation_complete: true + +prodtype: openeuler2203 
@@ -870,6 +897,11 @@ index 0000000..b10e340 +description: |- + The pam_pwquality module's dictcheck check if passwords contains dictionary words. When + dictcheck is set to 1 passwords will be checked for dictionary words. ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the weak password dictionary check is not configured for the openEuler release by default. ++ Please configure the weak password dictionary check based on the site requirements. ++ {{% endif %}} + +rationale: |- + Use of a complex password helps to increase the time and resources required to compromise the password. @@ -1692,6 +1724,22 @@ index 0000000..7fd34bc + +severity: medium + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +index d41a0eb..738fb8b 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +@@ -10,6 +10,11 @@ description: |- + A value of 180 days is sufficient for many environments. + The DoD requirement is 60. + The profile requirement is . ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the password expiration time is not configured in the openEuler release by default. ++ Please set the password expiration time based on the site requirements. ++ {{% endif %}} + + rationale: |- + Any password, no matter how complex, can eventually be cracked. Therefore, passwords 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml index 34d605b..781cd3f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml @@ -1719,7 +1767,7 @@ index c68effb..bcb50bd 100644 Checks interactive shell timeout diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml -index cdfa67d..4ceead4 100644 +index cdfa67d..437abe6 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml @@ -1,6 +1,6 @@ @@ -1730,6 +1778,18 @@ index cdfa67d..4ceead4 100644 title: 'Set Interactive Session Timeout' +@@ -9,6 +9,11 @@ description: |- + all user sessions will terminate based on inactivity. The TMOUT + setting in /etc/profile should read as follows: +
    TMOUT=
    ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the session timeout interval is not configured by default in the openEuler release. ++ Please configure the session timeout interval based on the site requirements. ++ {{% endif %}} + + rationale: |- + Terminating an idle session within a short time period reduces diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml new file mode 100644 index 0000000..56b3396 @@ -1844,7 +1904,7 @@ index 73e457d..9bbd226 100644 The default umask for users of the bash shell diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml -index 9b189bc..88acb8b 100644 +index 9b189bc..a6d933c 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml @@ -1,6 +1,6 @@ @@ -1855,6 +1915,20 @@ index 9b189bc..88acb8b 100644 title: 'Ensure the Default Bash Umask is Set Correctly' +@@ -9,6 +9,13 @@ description: |- + add or correct the umask setting in /etc/bashrc to read + as follows: +
    umask 
    ++ {{% if product in ["openeuler2203"] %}} ++ After UMASK is set to 077, the default permission on the created file is 600, ++ and the default permission on the directory is 700. ++ Considering the usability of the community release of openEuler in different scenarios, ++ the openEuler release does not configure the UMASK by default. ++ Please configure the UMASK based on the site requirements. ++ {{% endif %}} + + rationale: |- + The umask value influences the permissions assigned to files when they are created. diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml index 7e6b11a..6271928 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml @@ -2151,6 +2225,22 @@ index 0000000..5c8bc4b + +severity: medium + +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +index 2408bd0..53cb7f6 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +@@ -3,6 +3,11 @@ documentation_complete: true + title: 'Restrict Exposed Kernel Pointer Addresses Access' + + description: '{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}' ++ {{% if product in ["openeuler2203"] %}} ++ To ensure easy maintenance and location, ++ the kptr_restrict parameter is set to 0 by default in the openEuler release. ++ Please set this parameter based on the site requirements. ++ {{% endif %}} + + rationale: |- + Exposing kernel pointers (through procfs or seq_printf()) exposes 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml index bf58274..0ccf428 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 644b43d..0375175 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.49 -Release: 5 +Release: 6 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -67,6 +67,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Sun Jun 25 2023 steven - 0.1.49-6 +- add some descriptions + * Tue Jun 6 2023 steven - 0.1.49-5 - fix bug of rule "require_signleuser_auth" -- Gitee From e72f93dfa02499223c7d4ff658d99f18687bb9e2 Mon Sep 17 00:00:00 2001 From: steven_ygui Date: Fri, 19 May 2023 01:39:08 +0800 Subject: [PATCH 3/6] fix --- enable-76-rules-for-openEuler.patch | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch index 0955ac5..3b86709 100644 --- a/enable-76-rules-for-openEuler.patch +++ b/enable-76-rules-for-openEuler.patch @@ -1,6 +1,6 @@ -From 808277d4cd1bb001fc2925034f1e770f51b70aa9 Mon Sep 17 00:00:00 2001 -From: "steven.y.gui" -Date: Sun, 25 Jun 2023 17:23:33 +0800 +From 262435c4b8c511cf8afc5927051cb0948415f593 Mon Sep 17 00:00:00 2001 +From: steven_ygui +Date: Fri, 19 May 2023 01:37:20 +0800 Subject: [PATCH] enable-76-rules-for-openEuler.patch --- 
@@ -92,7 +92,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler.patch .../files/no_files_unowned_by_user/rule.yml | 2 +- .../files/no_hide_exec_files/oval/shared.xml | 40 +++++++++ .../files/no_hide_exec_files/rule.yml | 14 +++ - .../sysctl_kernel_kptr_restrict/rule.yml | 5 ++ + .../sysctl_kernel_kptr_restrict/rule.yml | 8 +- .../sysctl_kernel_dmesg_restrict/rule.yml | 2 +- .../oval/shared.xml | 1 + .../configure_ssh_crypto_policy/rule.yml | 2 +- @@ -105,7 +105,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler.patch shared/macros-oval.jinja | 73 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 4 + ssg/constants.py | 4 +- - 101 files changed, 1519 insertions(+), 36 deletions(-) + 101 files changed, 1521 insertions(+), 37 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml @@ -2226,13 +2226,16 @@ index 0000000..5c8bc4b +severity: medium + diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -index 2408bd0..53cb7f6 100644 +index 2408bd0..a5bd907 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml 
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -@@ -3,6 +3,11 @@ documentation_complete: true +@@ -2,7 +2,13 @@ documentation_complete: true + title: 'Restrict Exposed Kernel Pointer Addresses Access' - description: '{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}' +-description: '{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}' ++description: |- ++ {{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} + {{% if product in ["openeuler2203"] %}} + To ensure easy maintenance and location, + the kptr_restrict parameter is set to 0 by default in the openEuler release. @@ -2665,5 +2668,5 @@ index 401c60d..aa081d8 100644 "opensuse": [ "cpe:/o:opensuse:leap:42.1", -- -2.21.0.windows.1 +2.33.0 -- Gitee From 8da5d0956fd0e238c8e274b62705514e9504d247 Mon Sep 17 00:00:00 2001 From: "steven.y.gui" Date: Tue, 6 Jun 2023 21:06:15 +0800 Subject: [PATCH 4/6] fix issue of rule require singleuser auth --- enable-76-rules-for-openEuler.patch | 62 +++++++++++++++++++++++++++-- scap-security-guide.spec | 5 ++- 2 files changed, 62 insertions(+), 5 deletions(-) diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch index e2598ee..1551e35 100644 --- a/enable-76-rules-for-openEuler.patch +++ b/enable-76-rules-for-openEuler.patch @@ -1,6 +1,6 @@ -From b651d038a07d02cc4386a472a3f72886d8c0c31e Mon Sep 17 00:00:00 2001 +From a2fde1d192ec8fa8e1bdaed9daf68156b77e7ca4 Mon Sep 17 00:00:00 2001 From: "steven.y.gui" -Date: Thu, 18 May 2023 17:41:54 +0800 +Date: Tue, 6 Jun 2023 21:03:36 +0800 Subject: [PATCH] enable 76 rules for openEuler --- 
@@ -48,6 +48,7 @@ Subject: [PATCH] enable 76 rules for openEuler .../rule.yml | 2 +- .../verify_owner_password/oval/shared.xml | 60 +++++++++++++ .../verify_owner_password/rule.yml | 12 +++ + .../require_singleuser_auth/oval/shared.xml | 21 ++++- .../require_singleuser_auth/rule.yml | 2 +- .../account_unique_group_id/oval/shared.xml | 51 +++++++++++ .../account_unique_group_id/rule.yml | 11 +++ @@ -102,7 +103,7 @@ Subject: [PATCH] enable 76 rules for openEuler shared/macros-oval.jinja | 73 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 4 + ssg/constants.py | 4 +- - 98 files changed, 1462 insertions(+), 34 deletions(-) + 99 files changed, 1481 insertions(+), 36 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml 
@@ -1097,6 +1098,59 @@ index 0000000..b03948a + Anyone can change the password if no verifying. + +severity: high +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml +index 827129d..9dd6b89 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml +@@ -11,8 +11,12 @@ + + ++ {{%- if product in ["openeuler2203"] -%}} ++ ++ {{%- else -%}} + + ++ {{%- endif -%}} + + {{%- else -%}} + +@@ -24,7 +28,7 @@ + {{%- if init_system == "systemd" -%}} + + + /usr/lib/systemd/system/rescue.service +- {{%- if product in ["fedora", "rhel8"] -%}} ++ {{%- if product in ["fedora", "rhel8", "openeuler2203"] -%}} + ^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue + {{%- else -%}} + ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" +@@ -90,4 +94,17 @@ + 1 + + {{%- endif -%}} ++ ++ {{%- if product in ["openeuler2203"] -%}} ++ ++ ++ ++ ++ /usr/lib/systemd/system/emergency.service ++ ^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+emergency ++ 1 ++ ++ {{%- endif -%}} + diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index c81e8cc..568163e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -1111,7 +1165,7 @@ index c81e8cc..568163e 100644 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml new file mode 100644 -index 0000000..011d03b +index 0000000..8d31f9a --- /dev/null 
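Review bot: The new openeuler2203-only check for emergency mode tests only `/usr/lib/systemd/system/emergency.service`, but a unit file or drop-in under `/etc/systemd/system/` overrides the vendor unit at runtime, so a system whose effective `ExecStart=` no longer runs `systemd-sulogin-shell emergency` would still pass this check; the rescue.service test a few lines above has the same limitation, which this hunk extends to openeuler2203 by adding it to the product list. Consider also evaluating the override path (or documenting in the rule description that only the vendor unit is inspected) so the result reflects the configuration systemd actually loads. The element names were stripped when this page was rendered, so whether the new `{{%- if product in ["openeuler2203"] -%}}` criterion at the top of the hunk references the emergency test added at the bottom cannot be confirmed from here; please verify the criterion/test wiring builds and fires in a local build.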
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml @@ -0,0 +1,51 @@ diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 8a96bd2..644b43d 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.49 -Release: 4 +Release: 5 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -67,6 +67,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Tue Jun 6 2023 steven - 0.1.49-5 +- fix bug of rule "require_signleuser_auth" + * Thu May 18 2023 steven - 0.1.49-4 - enable 76 rules for openEuler -- Gitee From 696e34728b7075247e8502d201cc8aaea2149b4c Mon Sep 17 00:00:00 2001 From: "steven.y.gui" Date: Mon, 26 Jun 2023 17:10:55 +0800 Subject: [PATCH 5/6] add some descriptions --- enable-76-rules-for-openEuler.patch | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch index 3b86709..f5ccc6f 100644 --- a/enable-76-rules-for-openEuler.patch +++ b/enable-76-rules-for-openEuler.patch @@ -1,7 +1,7 @@ -From 262435c4b8c511cf8afc5927051cb0948415f593 Mon Sep 17 00:00:00 2001 -From: steven_ygui -Date: Fri, 19 May 2023 01:37:20 +0800 -Subject: [PATCH] enable-76-rules-for-openEuler.patch +From 49b0ed553a842d15ed5f942dd9825aa89eb84078 Mon Sep 17 00:00:00 2001 +From: "steven.y.gui" +Date: Mon, 26 Jun 2023 17:09:54 +0800 +Subject: [PATCH] enable-76-rules-for-openEuler --- .../rule.yml | 30 +++++++ 
@@ -41,7 +41,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler.patch .../accounts_password_pam_minlen/rule.yml | 2 +- .../accounts_password_pam_ocredit/rule.yml | 2 +- .../oval/shared.xml | 1 + - .../accounts_password_pam_retry/rule.yml | 2 +- + .../accounts_password_pam_retry/rule.yml | 7 +- .../accounts_password_pam_ucredit/rule.yml | 2 +- .../var_password_pam_dictcheck.var | 16 ++++ .../oval/shared.xml | 1 + @@ -105,7 +105,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler.patch shared/macros-oval.jinja | 73 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 4 + ssg/constants.py | 4 +- - 101 files changed, 1521 insertions(+), 37 deletions(-) + 101 files changed, 1526 insertions(+), 37 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml @@ -977,7 +977,7 @@ index d888d78..4588489 100644 The password retry should meet minimum requirements diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -index 099cbbf..908ca40 100644 +index 099cbbf..50853ed 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml @@ -1,6 +1,6 @@ 
@@ -988,6 +988,18 @@ index 099cbbf..908ca40 100644 title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session' +@@ -10,6 +10,11 @@ description: |- + show retry=, or a lower value if + site policy is more restrictive. + The DoD requirement is a maximum of 3 prompts per session. ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the values of retry are not configured in the openEuler release by default. ++ Please set it based on the site requirements. ++ {{% endif %}} + + rationale: |- + Setting the password retry prompts that are permitted on a per-session basis to a low value diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml index 7b5fe67..203da95 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml @@ -2668,5 +2680,5 @@ index 401c60d..aa081d8 100644 "opensuse": [ "cpe:/o:opensuse:leap:42.1", -- -2.33.0 +2.21.0.windows.1 -- Gitee From 9b9f626e2c66b6326797566fe79d2a4362c2b44e Mon Sep 17 00:00:00 2001 From: "steven.y.gui" Date: Mon, 26 Jun 2023 19:33:30 +0800 Subject: [PATCH 6/6] add br --- enable-76-rules-for-openEuler.patch | 36 ++++++++++++++++------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch index f5ccc6f..2a1f0a1 100644 --- a/enable-76-rules-for-openEuler.patch +++ b/enable-76-rules-for-openEuler.patch @@ -1,7 +1,7 @@ -From 49b0ed553a842d15ed5f942dd9825aa89eb84078 Mon Sep 17 00:00:00 2001 +From 6c007906571ed8e7b931d1b923a54af52b6ec91c Mon Sep 17 00:00:00 2001 
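Review bot: The added line `the values of retry are not configured in the openEuler release by default.` is grammatically off and does not name what is unset; `retry` is a single pam_pwquality option, so `the retry option is not configured in the openEuler release by default.` is clearer. The follow-up `Please set it based on the site requirements.` leaves "it" dangling across the Jinja block boundary; `Please set retry based on the site requirements.` reads unambiguously in the rendered guide. This is the description block under `@@ -10,6 +10,11 @@` in the nested diff; the rationale that follows is unchanged context.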
From: "steven.y.gui" -Date: Mon, 26 Jun 2023 17:09:54 +0800 -Subject: [PATCH] enable-76-rules-for-openEuler +Date: Mon, 26 Jun 2023 19:32:25 +0800 +Subject: [PATCH] enable 76 rules for openEuler --- .../rule.yml | 30 +++++++ @@ -23,7 +23,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler .../sshd_use_strong_pubkey/rule.yml | 13 +++ .../guide/services/ssh/sshd_strong_kex.var | 19 +++++ .../oval/shared.xml | 1 + - .../rule.yml | 7 +- + .../rule.yml | 8 +- .../oval/shared.xml | 12 ++- .../rule.yml | 8 +- .../oval/shared.xml | 13 ++- @@ -35,13 +35,13 @@ Subject: [PATCH] enable-76-rules-for-openEuler .../no_name_contained_in_password/rule.yml | 12 +++ .../accounts_password_pam_dcredit/rule.yml | 2 +- .../oval/shared.xml | 27 ++++++ - .../accounts_password_pam_dictcheck/rule.yml | 28 ++++++ + .../accounts_password_pam_dictcheck/rule.yml | 29 +++++++ .../accounts_password_pam_lcredit/rule.yml | 2 +- .../accounts_password_pam_minclass/rule.yml | 2 +- .../accounts_password_pam_minlen/rule.yml | 2 +- .../accounts_password_pam_ocredit/rule.yml | 2 +- .../oval/shared.xml | 1 + - .../accounts_password_pam_retry/rule.yml | 7 +- + .../accounts_password_pam_retry/rule.yml | 8 +- .../accounts_password_pam_ucredit/rule.yml | 2 +- .../var_password_pam_dictcheck.var | 16 ++++ .../oval/shared.xml | 1 + @@ -70,7 +70,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler .../tests/wrong_value.fail.sh | 5 ++ .../oval/shared.xml | 30 +++++++ .../login_accounts_are_necessary/rule.yml | 31 +++++++ - .../accounts_maximum_age_login_defs/rule.yml | 5 ++ + .../accounts_maximum_age_login_defs/rule.yml | 6 ++ .../gid_passwd_group_same/oval/shared.xml | 3 +- .../accounts_tmout/oval/shared.xml | 1 + .../accounts-session/accounts_tmout/rule.yml | 7 +- 
@@ -105,7 +105,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler shared/macros-oval.jinja | 73 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 4 + ssg/constants.py | 4 +- - 101 files changed, 1526 insertions(+), 37 deletions(-) + 101 files changed, 1530 insertions(+), 37 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml @@ -614,7 +614,7 @@ index 28eecc8..5165c15 100644 The passwords to remember should be set correctly. diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml -index 579ffc0..1d926b7 100644 +index 579ffc0..3bb940f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml @@ -1,6 +1,6 @@ @@ -625,11 +625,12 @@ index 579ffc0..1d926b7 100644 title: 'Limit Password Reuse' -@@ -20,6 +20,11 @@ description: |- +@@ -20,6 +20,12 @@ description: |- The DoD STIG requirement is 5 passwords. + {{% if product in ["openeuler2203"] %}} ++
    + Considering the usability of the community release of openEuler in different scenarios, + the openEuler release does not disable historical passwords by default. + Please configure historical passwords based on the site requirements. @@ -884,10 +885,10 @@ index 0000000..13bbae4 + diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml new file mode 100644 -index 0000000..1dc59f5 +index 0000000..46159db --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml -@@ -0,0 +1,28 @@ +@@ -0,0 +1,29 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -898,6 +899,7 @@ index 0000000..1dc59f5 + The pam_pwquality module's dictcheck check if passwords contains dictionary words. When + dictcheck is set to 1 passwords will be checked for dictionary words. + {{% if product in ["openeuler2203"] %}} ++
    + Considering the usability of the community release of openEuler in different scenarios, + the weak password dictionary check is not configured for the openEuler release by default. + Please configure the weak password dictionary check based on the site requirements. @@ -977,7 +979,7 @@ index d888d78..4588489 100644 The password retry should meet minimum requirements diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -index 099cbbf..50853ed 100644 +index 099cbbf..4bf912f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml @@ -1,6 +1,6 @@ @@ -988,11 +990,12 @@ index 099cbbf..50853ed 100644 title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session' -@@ -10,6 +10,11 @@ description: |- +@@ -10,6 +10,12 @@ description: |- show retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session. + {{% if product in ["openeuler2203"] %}} ++
    + Considering the usability of the community release of openEuler in different scenarios, + the values of retry are not configured in the openEuler release by default. + Please set it based on the site requirements. @@ -1737,14 +1740,15 @@ index 0000000..7fd34bc +severity: medium + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml -index d41a0eb..738fb8b 100644 +index d41a0eb..d667d96 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml -@@ -10,6 +10,11 @@ description: |- +@@ -10,6 +10,12 @@ description: |- A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is . + {{% if product in ["openeuler2203"] %}} ++
    + Considering the usability of the community release of openEuler in different scenarios, + the password expiration time is not configured in the openEuler release by default. + Please set the password expiration time based on the site requirements. -- Gitee