From bd4f8c55e173f8e51e58eeee6dad7c702cc98e5c Mon Sep 17 00:00:00 2001
From: zcfsite
Date: Wed, 18 Dec 2024 11:03:57 +0800
Subject: [PATCH] add automatic hardening and fix consistent with the baseline

---
 add-openeuler-automatic-hardening.patch | 52 ++++++++++++--
 ...ied-to-be-consistent-with-the-specif.patch | 72 +++++++++++++++++++
 scap-security-guide.spec | 6 +-
 3 files changed, 122 insertions(+), 8 deletions(-)
 create mode 100644 scap-is-modified-to-be-consistent-with-the-specif.patch

diff --git a/add-openeuler-automatic-hardening.patch b/add-openeuler-automatic-hardening.patch
index a9f32b0..53be676 100644
--- a/add-openeuler-automatic-hardening.patch
+++ b/add-openeuler-automatic-hardening.patch
@@ -1,16 +1,18 @@
-From e64af3aba7460bab202a194613ecf672747fc199 Mon Sep 17 00:00:00 2001
-From: jinlun
-Date: Tue, 3 Dec 2024 17:18:17 +0800
-Subject: [PATCH] Automatic hardening is supported.
-
+From 3b23cd442beb76647801229660513aedbf03517e Mon Sep 17 00:00:00 2001
+From: xuce
+Date: Thu, 5 Dec 2024 12:37:16 +0800
+Subject: [PATCH] add openeuler automatic hardening
 Signed-off-by: jinlun
 Signed-off-by: xuce
 ---
  controls/std_openeuler.yml | 10 +++++++---
  .../package_avahi_removed/rule.yml | 2 +-
  .../service_avahi-daemon_disabled/rule.yml | 2 +-
+ .../file_permissions_at_allow/rule.yml | 2 +-
+ .../file_permissions_cron_allow/rule.yml | 2 +-
  .../sshd_allow_only_protocol2/bash/shared.sh | 2 +-
  .../sshd_disable_rhosts_rsa/bash/shared.sh | 2 +-
+ .../sshd_use_strong_macs/bash/shared.sh | 2 +-
  .../sshd_use_strong_pubkey/bash/shared.sh | 2 ++
  .../bash/shared.sh | 2 +-
  .../bash/shared.sh | 2 +-
@@ -40,7 +42,7 @@ Signed-off-by: xuce
  shared/templates/service_disabled/bash.template | 2 +-
  shared/templates/service_enabled/bash.template | 2 +-
  shared/templates/sysctl/bash.template | 2 +-
- 34 files changed, 100 insertions(+), 36 deletions(-)
+ 37 files changed, 103 insertions(+), 39 deletions(-)
  create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
  create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
  create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
@@ -115,6 +117,32 @@ index e799bae..2b0e53a 100644
  title: 'Disable Avahi Server Software'
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+index 30b6553..021fdab 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9
+ 
+ title: 'Verify Permissions on /etc/at.allow file'
+ 
+-{{% if 'rhel' not in product %}}
++{{% if 'rhel' not in product and 'openeuler' not in product %}}
+ {{% set target_perms_octal="0640" %}}
+ {{% set target_perms="-rw-r-----" %}}
+ {{% else %}}
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+index 1961b9a..dff56f0 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,r
+ 
+ title: 'Verify Permissions on /etc/cron.allow file'
+ 
+-{{% if 'rhel' not in product %}}
++{{% if 'rhel' not in product and 'openeuler' not in product %}}
+ {{% set target_perms_octal="0640" %}}
+ {{% set target_perms="-rw-r-----" %}}
+ {{% else %}}
 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
 index ba59876..cd31a2f 100644
 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
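Review bot: Both rule.yml hunks move openEuler onto the `{{% else %}}` branch by adding `and 'openeuler' not in product`, but the permission values that branch sets, and the description/ocil text that quotes `target_perms`, lie outside this hunk, and nothing in either file says why openEuler is grouped with rhel instead of the default. A reader cannot tell intent from copy-paste, so add a one-line comment above the condition in both files, e.g. `{{# openEuler baseline expects the rhel permissions on this file; see controls/std_openeuler.yml #}}`, worded to match what the control actually requires. The same product test is hand-copied into two rules; if more files follow, a shared macro would keep them from drifting. The enclosing rule definitions continue outside the hunk on both sides.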
@@ -135,6 +163,16 @@ index 5a1ec5c..7a918c9 100644
  {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^RhostsRSAAuthentication', 'no', '%s %s') }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+index f77be04..07bd77c 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+@@ -1,4 +1,4 @@
+ # platform = multi_platform_all
+ 
+-{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}}
++{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com") }}}
+ 
 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
 new file mode 100644
 index 0000000..7574233
@@ -175,7 +213,7 @@ index 3a32aad..2b0f4b4 100644
 diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
 new file mode 100644
-index 0000000..568f4f5
+index 0000000..c11315b
 --- /dev/null
 +++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
 @@ -0,0 +1,11 @@
diff --git a/scap-is-modified-to-be-consistent-with-the-specif.patch b/scap-is-modified-to-be-consistent-with-the-specif.patch
new file mode 100644
index 0000000..b8d02e4
--- /dev/null
+++ b/scap-is-modified-to-be-consistent-with-the-specif.patch
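Review bot: The new MACs list at `++{{{ bash_sshd_config_set(parameter="MACs", ...) }}}` lands in a remediation headed `# platform = multi_platform_all`, so it changes the sshd hardening for every product built from this tree, not only openEuler, which is inconsistent with the product-guarded at_allow/cron_allow change in the same patch. If the list is an openEuler baseline requirement, wrap it as `{{% if 'openeuler' in product %}}` / new list / `{{% else %}}` / original list / `{{% endif %}}` so other products keep their current remediation. The rule's OVAL check for sshd_use_strong_macs is not in this diff; if it compares the literal MACs string, it must accept exactly this value and order or a remediated host will still fail the scan, so please confirm it was updated or already matches. Dropping `hmac-ripemd160` is a reasonable cleanup, but a short comment naming the baseline clause this list implements would let the next reviewer verify it.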
@@ -0,0 +1,72 @@
+From 34a439703a12363e348329db2cc1145a7084fe4d Mon Sep 17 00:00:00 2001
+From: jinlun
+Date: Tue, 10 Dec 2024 19:25:41 +0800
+Subject: [PATCH] the ssg is modified to be consistent with the specifications
+
+---
+ controls/std_openeuler.yml | 1 +
+ .../bash/shared.sh | 6 ++++++
+ .../oval/shared.xml | 4 ++++
+ .../var_auditd_space_left.var | 1 +
+ 4 files changed, 12 insertions(+)
+
+diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
+index 6985d6d..3068afb 100644
+--- a/controls/std_openeuler.yml
++++ b/controls/std_openeuler.yml
+@@ -1752,6 +1752,7 @@ controls:
+ rules:
+ - auditd_data_retention_space_left
+ - auditd_data_retention_space_left.severity=low
++ - var_auditd_space_left=75MB
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_space_left_action.severity=low
+ - var_auditd_space_left_action=syslog
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
+index 4233f10..293dc77 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
+@@ -2,6 +2,12 @@
+ 
+ {{{ bash_instantiate_variables("var_auditd_admin_space_left_percentage") }}}
+ 
++{{% if "openeuler" in product %}}
++grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
++ sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage/g" /etc/audit/auditd.conf || \
++ echo "admin_space_left = $var_auditd_admin_space_left_percentage" >> /etc/audit/auditd.conf
++{{% else %}}
+ grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
+ sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage%/g" /etc/audit/auditd.conf || \
+ echo "admin_space_left = $var_auditd_admin_space_left_percentage%" >> /etc/audit/auditd.conf
++{{% endif %}}
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
+index 16d7433..b2acd8f 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
+@@ -17,7 +17,11 @@
+ /etc/audit/auditd.conf
+ 
+ 
++{{% if "openeuler" in product %}}
++ ^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$
++{{% else %}}
+ ^[\s]*admin_space_left[\s]+=[\s]+(\d+)%[\s]*$
++{{% endif %}}
+ 1
+ 
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
+index 4a3acba..3d86ed4 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
+@@ -10,6 +10,7 @@ interactive: false
+ 
+ options:
+ 1000MB: 1000
++ 75MB: 75
+ 100MB: 100
+ 250MB: 250
+ 500MB: 500
+-- 
+2.33.0
+
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index c0b20f2..9c37f57 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -3,7 +3,7 @@ Name: scap-security-guide
 Version: 0.1.68
-Release: 6
+Release: 7
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
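Review bot: In the openEuler branch of auditd_data_retention_admin_space_left_percentage/bash/shared.sh the `%` suffix is dropped (`++ echo "admin_space_left = $var_auditd_admin_space_left_percentage" >> /etc/audit/auditd.conf`) and the openEuler OVAL regex likewise omits `%`; per auditd.conf(5) a bare number in admin_space_left is an absolute size in megabytes, so on openEuler a variable named "percentage" is written as megabytes while the rule's title, description and variable name (outside this hunk) still say percentage. Add a comment before the new `{{% if "openeuler" in product %}}` in both files, e.g. `{{# openEuler baseline states admin_space_left as an absolute size in MB, hence no % suffix #}}`, and consider whether a separately named variable would describe the value more honestly. The two bash branches differ only in that suffix; `{{% set pct_suffix = "" if "openeuler" in product else "%" %}}` followed by `{{{ pct_suffix }}}` after the variable in the sed and echo lines would avoid keeping two copies of the grep/sed/echo block in sync. The new `75MB: 75` option and the `var_auditd_space_left=75MB` control entry are consistent with each other.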
@@ -13,6 +13,7 @@ Patch0001: add-openeuler-support.patch
 Patch0002: add-openeuler-control-rules.patch
 Patch0003: optimize-rules-for-openEuler.patch
 Patch0004: add-openeuler-automatic-hardening.patch
+Patch0005: scap-is-modified-to-be-consistent-with-the-specif.patch
 BuildArch: noarch
 BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@@ -67,6 +68,9 @@ rm -f %{buildroot}%{_docdir}/%{name}/LICENSE
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Wed Dec 18 2024 zcfsite - 0.1.68-7
+- add automatic hardening and fix consistent with the baseline
+
 * Wed Dec 4 2024 steven - 0.1.68-6
 - automatic hardening is supported.
-- 
Gitee