From f3ae4f8628b43ac4bd0f680152785cc234f23a0c Mon Sep 17 00:00:00 2001 From: xuce Date: Fri, 15 Nov 2024 10:58:49 +0800 Subject: [PATCH] fix openeuler grub configuration to Automatic hardening. l --- add-openeuler-automatic-hardening.patch | 52 +++++++++++++++++++++---- scap-security-guide.spec | 5 ++- 2 files changed, 48 insertions(+), 9 deletions(-) diff --git a/add-openeuler-automatic-hardening.patch b/add-openeuler-automatic-hardening.patch index 22523ff..eca2f7d 100644 --- a/add-openeuler-automatic-hardening.patch +++ b/add-openeuler-automatic-hardening.patch @@ -1,4 +1,4 @@ -From e587488759e5c07058b273dbada7937b96cbc388 Mon Sep 17 00:00:00 2001 +From a4a86e816552479cb41e3423aef67acc32fb8510 Mon Sep 17 00:00:00 2001 From: jinlun Date: Wed, 13 Nov 2024 14:38:36 +0800 Subject: [PATCH] Automatic hardening is supported. @@ -22,19 +22,20 @@ 
Signed-off-by: xuce .../use_pam_wheel_for_su/bash/shared.sh | 2 +- .../bash/shared.sh | 2 +- .../bash/shared.sh | 2 +- - .../configure_dump_journald_log/bash/shared.sh | 7 +++++++ + .../configure_dump_journald_log/bash/shared.sh | 5 +++++ .../rsyslog_cron_logging/bash/shared.sh | 4 ++-- .../bash/shared.sh | 2 +- .../only_root_can_run_pkexec/bash/shared.sh | 5 +++++ .../su/su_always_set_path/bash/shared.sh | 6 ++++++ .../sce/openeuler2403.sh | 17 +++++++++++++++++ .../bash/shared.sh | 2 +- + shared/macros/10-bash.jinja | 10 +++++----- .../grub2_bootloader_argument/bash.template | 2 +- .../bash.template | 2 +- shared/templates/service_disabled/bash.template | 2 +- shared/templates/service_enabled/bash.template | 2 +- shared/templates/sysctl/bash.template | 2 +- - 28 files changed, 95 insertions(+), 23 deletions(-) + 29 files changed, 98 insertions(+), 28 deletions(-) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh @@ -170,7 +171,7 @@ index 3a32aad..2b0f4b4 100644 diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh new file mode 100644 -index 0000000..797f631 +index 0000000..568f4f5 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh @@ -0,0 +1,11 @@ @@ -187,7 +188,7 @@ index 0000000..797f631 +fi 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh new file mode 100644 -index 0000000..9f3f5df +index 0000000..7795559 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh @@ -0,0 +1,10 @@ @@ -215,7 +216,7 @@ index 6e47912..107ef85 100644 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh new file mode 100644 -index 0000000..badcc54 +index 0000000..7f1cd3a --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh @@ -0,0 +1,10 @@ @@ -261,7 +262,7 @@ index 5007f96..1834f35 100644 diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh new file mode 100644 -index 0000000..7b8d8aa +index 0000000..12febfb --- /dev/null +++ b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh @@ -0,0 +1,5 @@ @@ -308,7 +309,7 @@ index 0000000..1057e81 +});" > /etc/polkit-1/rules.d/50-default.rules diff --git a/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh new file mode 100644 -index 0000000..4ac660f +index 0000000..a5e4058 --- /dev/null +++ b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh @@ -0,0 +1,6 @@ 
@@ -351,6 +352,41 @@ index 07e02fa..1a47c35 100644 {{% if product in ["sle12", "sle15"] %}} sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/* {{% else %}}
+diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
+index 292a14a..9a8eace 100644
+--- a/shared/macros/10-bash.jinja
++++ b/shared/macros/10-bash.jinja
+@@ -1980,7 +1980,7 @@ Part of the grub2_bootloader_argument template.
+
+ #}}
+ {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}}
+-{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
++{{% if 'ubuntu' in product or 'openeuler' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
+ {{{ update_etc_default_grub_manually(arg_name, arg_name_value) }}}
+ {{% endif -%}}
+ {{{ grub_command("add", arg_name_value) }}}
+@@ -1996,9 +1996,9 @@ Part of the grub2_bootloader_argument template.
+ #}}
+ {{%- macro update_etc_default_grub_manually_absent(arg_name) -%}}
+ # Correct the form of default kernel command line in GRUB
+-if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' '/etc/default/grub' ; then
+- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ arg_name }}}=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+-fi
++while grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' '/etc/default/grub' ; do
++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*[[:space:]]\?\){{{ arg_name }}}=\?[^[:space:]]*[[:space:]]\?\(.*"\)/\1\2/' '/etc/default/grub'
++done
+ {{%- endmacro %}}
+
+
+@@ -2011,7 +2011,7 @@ Part of the grub2_bootloader_argument_absent template.
+
+ #}}
+ {{% macro grub2_bootloader_argument_absent_remediation(arg_name) %}}
+-{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
++{{% if 'ubuntu' in product or 'openeuler' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
+ {{{ update_etc_default_grub_manually_absent(arg_name) }}}
+ {{% endif -%}}
+ {{{ grub_command("remove", arg_name) }}}
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template index 965f4d3..4cbedf3 100644 --- a/shared/templates/grub2_bootloader_argument/bash.template diff --git a/scap-security-guide.spec b/scap-security-guide.spec index d16def2..aba3a3f 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.68 -Release: 5 +Release: 6 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -65,6 +65,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Fri Nov 15 2024 jinlun - 0.1.68-6 +- fix openeuler grub configuration to Automatic hardening. + * Wed Nov 13 2024 jinlun - 0.1.68-5 - Automatic hardening is supported. -- Gitee
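Review bot: The new `while grep -q ... ; do sed -i ... ; done` loop in `update_etc_default_grub_manually_absent` (inner hunk `@@ -1996,9 +1996,9 @@`) has no termination guard, and its grep condition is looser than the sed it relies on for progress: grep accepts any `GRUB_CMDLINE_LINUX=` line that contains `{{{ arg_name }}}=` followed later by a `"`, whereas the sed only matches when the value opens with `"` directly after `GRUB_CMDLINE_LINUX=`. A line grep accepts but the sed cannot rewrite would make the remediation hang on the host being hardened, so the two patterns should agree, e.g. `while grep -q '^GRUB_CMDLINE_LINUX=".*{{{ arg_name }}}=.*"' '/etc/default/grub' ; do`, after which every line the loop sees is one the sed strips and each pass makes progress. Separately, `=\?` makes the `=` optional in the sed, so a kernel parameter whose name merely begins with the argument name appears to be stripped as well (greedy `.*` picks the last such token first, if I read the BRE correctly); keeping the `=` mandatory, as the grep already does, would make the removal exact. The outer hunk is complete and the inner macro is fully shown between `{{%- macro` and `{{%- endmacro %}}`.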