diff --git a/add-openeuler-support.patch b/add-openeuler-support.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1c8db5c289d546de07fc2f3e630de19ffe7d7b8a
--- /dev/null
+++ b/add-openeuler-support.patch
@@ -0,0 +1,448 @@
+From 34393e749c834bc08cd1a25f8ac1fd9ff36c7872 Mon Sep 17 00:00:00 2001
+From: "steven.y.gui"
+Date: Thu, 17 Aug 2023 21:02:06 +0800
+Subject: [PATCH] add openeuler support
+
+---
+ CMakeLists.txt | 10 ++++++
+ controls/std_openeuler.yml | 34 +++++++++++++++++++
+ .../services/ftp/package_ftp_removed/rule.yml | 2 +-
+ .../package_telnet-server_removed/rule.yml | 2 +-
+ .../telnet/package_telnet_removed/rule.yml | 2 +-
+ .../tftp/package_tftp-server_removed/rule.yml | 2 +-
+ .../tftp/package_tftp_removed/rule.yml | 2 +-
+ products/openeuler/CMakeLists.txt | 6 ++++
+ products/openeuler/product.yml | 19 +++++++++++
+ products/openeuler/profiles/standard.profile | 14 ++++++++
+ products/openeuler/transforms/constants.xslt | 9 +++++
+ products/openeuler2203/CMakeLists.txt | 6 ++++
+ products/openeuler2203/product.yml | 29 ++++++++++++++++
+ .../openeuler2203/profiles/standard.profile | 14 ++++++++
+ .../openeuler2203/transforms/constants.xslt | 9 +++++
+ .../checks/oval/installed_OS_is_openeuler.xml | 22 ++++++++++++
+ .../oval/installed_OS_is_openeuler2203.xml | 26 ++++++++++++++
+ .../oval/sysctl_kernel_ipv6_disable.xml | 1 +
+ ssg/constants.py | 7 ++++
+ 19 files changed, 211 insertions(+), 5 deletions(-)
+ create mode 100644 controls/std_openeuler.yml
+ create mode 100644 products/openeuler/CMakeLists.txt
+ create mode 100644 products/openeuler/product.yml
+ create mode 100644 products/openeuler/profiles/standard.profile
+ create mode 100644 products/openeuler/transforms/constants.xslt
+ create mode 100644 products/openeuler2203/CMakeLists.txt
+ create mode 100644 products/openeuler2203/product.yml
+ create mode 100644 products/openeuler2203/profiles/standard.profile
+ create mode 100644 products/openeuler2203/transforms/constants.xslt
+ create mode 100644 shared/checks/oval/installed_OS_is_openeuler.xml
+ create mode 100644 shared/checks/oval/installed_OS_is_openeuler2203.xml
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 7d1cffd..b466580 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -83,6 +83,8 @@ option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${
+ option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_OL9 "If enabled, the Oracle Linux 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
++option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
++option(SSG_PRODUCT_OPENEULER "If enabled, the openEuler basic version content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+@@ -277,6 +279,8 @@ message(STATUS "RHCOS4: ${SSG_PRODUCT_RHCOS4}")
+ message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}")
+ message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}")
+ message(STATUS "Oracle Linux 9: ${SSG_PRODUCT_OL9}")
++message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}")
++message(STATUS "openEuler: ${SSG_PRODUCT_OPENEULER}")
+ message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
+ message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
+ message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
+@@ -374,6 +378,12 @@ endif()
+ if (SSG_PRODUCT_OL9)
+ add_subdirectory("products/ol9" "ol9")
+ endif()
++if (SSG_PRODUCT_OPENEULER2203)
++ add_subdirectory("products/openeuler2203" "openeuler2203")
++endif()
++if (SSG_PRODUCT_OPENEULER)
++ add_subdirectory("products/openeuler" "openeuler")
++endif()
+ if (SSG_PRODUCT_OPENSUSE)
+ add_subdirectory("products/opensuse" "opensuse")
+ endif()
+diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
+new file mode 100644
+index 0000000..5599b04
+--- /dev/null
++++ b/controls/std_openeuler.yml
+@@ -0,0 +1,34 @@
++---
++policy: 'Standard Benchmark for openEuler'
++title: 'Standard Benchmark for openEuler'
++id: std_openeuler
++version: '1.0'
++levels:
++ - id: base
++
++controls:
++ - id: 1.2.1_ftp_not_installed
++ title: Ensure FTP is not installed
++ levels:
++ - base
++ status: automated
++ rules:
++ - package_ftp_removed
++
++ - id: 1.2.2_tftp_server_not_installed
++ title: Ensure TFTP Server is not installed
++ levels:
++ - base
++ status: automated
++ rules:
++ - package_tftp_removed
++ - package_tftp-server_removed
++
++ - id: 1.2.3_telnet_server_not_installed
++ title: Ensure Telnet Server is not installed
++ levels:
++ - base
++ status: automated
++ rules:
++ - package_telnet_removed
++ - package_telnet-server_removed
+diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
+index 1129ce7..c5450ca 100644
+--- a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
++++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: rhel9
++prodtype: openeuler,openeuler2203,rhel9
+
+ title: 'Remove ftp Package'
+
+diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+index 6b59559..fc38a3c 100644
+--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
++++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: 'Uninstall telnet-server Package'
+
+diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+index 2571d50..3638424 100644
+--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
++++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+
+ title: 'Remove telnet Clients'
+
+diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+index 93fd712..46ebdb7 100644
+--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
++++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+
+ title: 'Uninstall tftp-server Package'
+
+diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+index 35e0a2f..f836879 100644
+--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
++++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
++prodtype: fedora,ol7,ol8,ol9,openeuler,openeuler2203,rhel7,rhel8,rhel9,sle12,sle15
+
+ title: 'Remove tftp Daemon'
+
+diff --git a/products/openeuler/CMakeLists.txt b/products/openeuler/CMakeLists.txt
+new file mode 100644
+index 0000000..8733082
+--- /dev/null
++++ b/products/openeuler/CMakeLists.txt
+@@ -0,0 +1,6 @@
++# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way.
++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
++ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
++endif()
++
++ssg_build_product("openeuler")
+diff --git a/products/openeuler/product.yml b/products/openeuler/product.yml
+new file mode 100644
+index 0000000..fd33efe
+--- /dev/null
++++ b/products/openeuler/product.yml
+@@ -0,0 +1,19 @@
++product: openeuler
++full_name: openEuler
++type: platform
++
++benchmark_id: OPENEULER
++benchmark_root: "../../linux_os/guide"
++
++profiles_root: "./profiles"
++
++pkg_manager: "dnf"
++
++init_system: "systemd"
++
++cpes_root: "../../shared/applicability"
++cpes:
++ - openeuler2309:
++ name: "cpe:/o:openEuler:openEuler:23.09:ga:server"
++ title: "openEuler 23.09"
++ check_id: installed_OS_is_openeuler
+diff --git a/products/openeuler/profiles/standard.profile b/products/openeuler/profiles/standard.profile
+new file mode 100644
+index 0000000..e4e9450
+--- /dev/null
++++ b/products/openeuler/profiles/standard.profile
+@@ -0,0 +1,14 @@
++documentation_complete: true
++
++metadata:
++ version: 1.0
++
++title: 'Standard System Security Profile for openEuler'
++
++description: |-
++ This profile contains rules to ensure standard security baseline
++ of all openEuler systems. Regardless of your system's workload
++ all of these checks should pass.
++
++selections:
++ - std_openeuler:all:base
+diff --git a/products/openeuler/transforms/constants.xslt b/products/openeuler/transforms/constants.xslt
+new file mode 100644
+index 0000000..b0a07a0
+--- /dev/null
++++ b/products/openeuler/transforms/constants.xslt
+@@ -0,0 +1,9 @@
++
++
++
++
++openEuler
++openEuler
++openeuler
++
++
+diff --git a/products/openeuler2203/CMakeLists.txt b/products/openeuler2203/CMakeLists.txt
+new file mode 100644
+index 0000000..258e195
+--- /dev/null
++++ b/products/openeuler2203/CMakeLists.txt
+@@ -0,0 +1,6 @@
++# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way.
++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
++ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
++endif()
++
++ssg_build_product("openeuler2203")
+diff --git a/products/openeuler2203/product.yml b/products/openeuler2203/product.yml
+new file mode 100644
+index 0000000..89e9f8b
+--- /dev/null
++++ b/products/openeuler2203/product.yml
+@@ -0,0 +1,29 @@
++product: openeuler2203
++full_name: openEuler 2203
++type: platform
++
++benchmark_id: OPENEULER2203
++benchmark_root: "../../linux_os/guide"
++
++profiles_root: "./profiles"
++
++pkg_manager: "dnf"
++
++init_system: "systemd"
++
++cpes_root: "../../shared/applicability"
++cpes:
++ - openeuler2203lts:
++ name: "cpe:/o:openEuler:openEuler:22.03LTS:ga:server"
++ title: "openEuler 22.03 LTS"
++ check_id: installed_OS_is_openeuler2203
++
++ - openeuler2203lts-sp1:
++ name: "cpe:/o:openEuler:openEuler:22.03LTS_SP1:ga:server"
++ title: "openEuler 22.03 LTS SP1"
++ check_id: installed_OS_is_openeuler2203
++
++ - openeuler2203lts-sp2:
++ name: "cpe:/o:openEuler:openEuler:22.03LTS_SP2:ga:server"
++ title: "openEuler 22.03 LTS SP2"
++ check_id: installed_OS_is_openeuler2203
+diff --git a/products/openeuler2203/profiles/standard.profile b/products/openeuler2203/profiles/standard.profile
+new file mode 100644
+index 0000000..8a7ae9c
+--- /dev/null
++++ b/products/openeuler2203/profiles/standard.profile
+@@ -0,0 +1,14 @@
++documentation_complete: true
++
++metadata:
++ version: 1.0
++
++title: 'Standard System Security Profile for openEuler 22.03 LTS'
++
++description: |-
++ This profile contains rules to ensure standard security baseline
++ of an openEuler system. Regardless of your system's workload
++ all of these checks should pass.
++
++selections:
++ - std_openeuler:all:base
+diff --git a/products/openeuler2203/transforms/constants.xslt b/products/openeuler2203/transforms/constants.xslt
+new file mode 100644
+index 0000000..666c119
+--- /dev/null
++++ b/products/openeuler2203/transforms/constants.xslt
+@@ -0,0 +1,9 @@
++
++
++
++
++openEuler2203
++openEuler2203
++openeuler2203
++
++
+diff --git a/shared/checks/oval/installed_OS_is_openeuler.xml b/shared/checks/oval/installed_OS_is_openeuler.xml
+new file mode 100644
+index 0000000..4835266
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_openeuler.xml
+@@ -0,0 +1,22 @@
++
++
++
++ openEuler
++
++ multi_platform_all
++
++ The operating system installed on the system is openEuler.
++
++
++
++
++
++
++
++
++
++
++ openEuler-release
++
++
++
+diff --git a/shared/checks/oval/installed_OS_is_openeuler2203.xml b/shared/checks/oval/installed_OS_is_openeuler2203.xml
+new file mode 100644
+index 0000000..6a1ce97
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_openeuler2203.xml
+@@ -0,0 +1,26 @@
++
++
++
++ openEuler 22.03 LTS
++
++ multi_platform_all
++
++ The operating system installed on the system is openEuler 22.03 LTS.
++
++
++
++
++
++
++
++
++
++
++
++ ^22\.03.*$
++
++
++ openEuler-release
++
++
++
+diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+index affb977..593ecda 100644
+--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+@@ -8,6 +8,7 @@
+ multi_platform_debian
+ multi_platform_example
+ multi_platform_fedora
++ multi_platform_openeuler
+ multi_platform_opensuse
+ multi_platform_ol
+ multi_platform_rhcos
+diff --git a/ssg/constants.py b/ssg/constants.py
+index f66ba00..60697df 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -50,6 +50,7 @@ product_directories = [
+ 'ocp4',
+ 'rhcos4',
+ 'ol7', 'ol8', 'ol9',
++ 'openeuler', 'openeuler2203',
+ 'opensuse',
+ 'rhel7', 'rhel8', 'rhel9',
+ 'rhv4',
+@@ -207,6 +208,8 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
+ "Oracle Linux 7": "ol7",
+ "Oracle Linux 8": "ol8",
+ "Oracle Linux 9": "ol9",
++ "openEuler": "openeuler",
++ "openEuler 2203": "openeuler2203",
+ "openSUSE": "opensuse",
+ "Red Hat Enterprise Linux 7": "rhel7",
+ "Red Hat Enterprise Linux 8": "rhel8",
+@@ -266,6 +269,7 @@ REFERENCES = dict(
+
+
+ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
++ "openeuler",
+ "opensuse", "sle", "ol", "ocp", "rhcos",
+ "example", "eks", "alinux", "uos", "anolis"]
+
+@@ -276,6 +280,7 @@ MULTI_PLATFORM_MAPPING = {
+ "multi_platform_example": ["example"],
+ "multi_platform_eks": ["eks"],
+ "multi_platform_fedora": ["fedora"],
++ "multi_platform_openeuler": ["openeuler", "openeuler2203"],
+ "multi_platform_opensuse": ["opensuse"],
+ "multi_platform_ol": ["ol7", "ol8", "ol9"],
+ "multi_platform_ocp": ["ocp4"],
+@@ -447,6 +452,8 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
+ 'uos': 'UnionTech OS Server',
+ 'eap': 'JBoss Enterprise Application Platform',
+ 'fuse': 'JBoss Fuse',
++ 'openeuler': 'openEuler',
++ 'openeuler2203': 'openEuler 2203',
+ 'opensuse': 'openSUSE',
+ 'sle': 'SUSE Linux Enterprise',
+ 'example': 'Example',
+--
+2.21.0.windows.1
+
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index f254c9b2f7aa95fa88fe95650240b300f9c3cb3d..bc9c4c31ac0548335eb3cf62657bf19b8831166a 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,11 +1,13 @@
 Name: scap-security-guide
 Version: 0.1.68
-Release: 1
+Release: 2
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
+Patch0001: add-openeuler-support.patch
+
 BuildArch: noarch
 BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
 Requires: xml-common, openscap-scanner >= 1.2.5
@@ -60,6 +62,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Thu Aug 17 2023 steven - 0.1.68-2
+- Add openeuler support
+
 * Tue Jul 18 2023 xu_ping <707078654@qq.com> - 0.1.68-1
 - Upgrade to 0.1.68
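Review bot: In `products/openeuler/product.yml` the `openeuler2309` CPE is named `cpe:/o:openEuler:openEuler:23.09:ga:server`, but its `check_id: installed_OS_is_openeuler` points at the OVAL added in this same patch which, as far as the visible values show, only tests for the `openEuler-release` package with no version test, so the 23.09 platform evaluates as applicable on every openEuler release, including 22.03 hosts that `openeuler2203` (whose check does pin the release with `^22\.03.*$`) is meant to cover. Either give the generic product a version-neutral CPE name and title, or add a version test such as `^23\.09.*$` to `installed_OS_is_openeuler`, so a scanner does not report both products' content as applicable to the same host. Two smaller nits: the comment in `products/openeuler2203/CMakeLists.txt` still says `"cd openeuler; cmake ."` and should read `cd openeuler2203`, and the two new `option()` descriptions in the root `CMakeLists.txt` drop the `SCAP` wording every neighbouring option uses. The XSLT and OVAL bodies lost their markup in extraction, so the objects and states could not be reviewed beyond the values quoted here.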
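Review bot: `Patch0001: add-openeuler-support.patch` is declared, but this hunk shows no matching application step, and whether `%prep` (outside the hunk) uses `%autosetup -p1` or a plain `%setup -q` is not visible; with `%setup` alone the patch is listed yet never applied, and 0.1.68-2 would ship the same content as 0.1.68-1 apart from the `Release` bump. Please confirm `%prep` applies it, or add `%patch0001 -p1` (or switch to `%autosetup -p1`) alongside the new tag.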