From dc6e6aa9ee2510ab9fc72521d9d3b3f319dd9a5f Mon Sep 17 00:00:00 2001
From: jinlun
Date: Mon, 15 Sep 2025 11:12:05 +0800
Subject: [PATCH] fix the issue in 2509

---
 fix-the-issue-in-oe2509.patch | 103 ++++++++++++++++++++++++++++++++++
 scap-security-guide.spec | 6 +-
 2 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 fix-the-issue-in-oe2509.patch

diff --git a/fix-the-issue-in-oe2509.patch b/fix-the-issue-in-oe2509.patch
new file mode 100644
index 0000000..d1b4258
--- /dev/null
+++ b/fix-the-issue-in-oe2509.patch
@@ -0,0 +1,103 @@
+From 9508cd79a340f9fab00ca616ae2bb8f6abc60a04 Mon Sep 17 00:00:00 2001
+From: jinlun
+Date: Mon, 15 Sep 2025 11:09:19 +0800
+Subject: [PATCH] fix the issue in oe2509
+
+---
+ controls/std_openeuler2509.yml | 2 +-
+ .../guide/services/ssh/sshd_strong_macs.var | 1 +
+ .../accounts_password_pam_retry/oval/shared.xml | 2 +-
+ .../oval/shared.xml | 2 +-
+ .../aide/aide_build_database/oval/shared.xml | 2 +-
+ .../sce/openeuler2509.sh | 17 +++++++++++++++++
+ 6 files changed, 22 insertions(+), 4 deletions(-)
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2509.sh
+
+diff --git a/controls/std_openeuler2509.yml b/controls/std_openeuler2509.yml
+index f2c5e083..7805561f 100644
+--- a/controls/std_openeuler2509.yml
++++ b/controls/std_openeuler2509.yml
+@@ -1140,8 +1140,8 @@ controls:
+ - l1_server
+ status: automated
+ rules:
++ - sshd_strong_macs=std_openeuler2509
+ - sshd_use_strong_macs
+- - sshd_use_strong_macs.severity=high
+
+ - id: 3.3.7
+ title: Ensure SSHd Ciphers Algorithm Correct
+diff --git a/linux_os/guide/services/ssh/sshd_strong_macs.var b/linux_os/guide/services/ssh/sshd_strong_macs.var
+index 3346763a..7cfde58e 100644
+--- a/linux_os/guide/services/ssh/sshd_strong_macs.var
++++ b/linux_os/guide/services/ssh/sshd_strong_macs.var
+@@ -21,3 +21,4 @@ options:
+ cis_ubuntu2404: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+ stig_rhel9: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
+ stig_ol9: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
++ std_openeuler2509: hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
+index 823e9d8f..150fed28 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
+@@ -9,7 +9,7 @@
+
+ {{{ oval_metadata("The password retry should meet minimum requirements") }}}
+
+- {{% if 'debian' not in product and 'ubuntu' not in product %}}
++ {{% if 'debian' not in product and 'ubuntu' not in product and 'openeuler' not in product %}}
+
+ {{% endif %}}
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
+index 8de00f87..cb72b53d 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
+@@ -35,7 +35,7 @@
+
+
+ /usr/lib/systemd/system/emergency.service
+- {{%- if product in ["fedora", "ol8", "ol9", "kylinserver10", "openeuler2203", "openeuler2403", "sle12", "sle15", "slmicro5"] or 'rhel' in product -%}}
++ {{%- if product in ["fedora", "ol8", "ol9", "kylinserver10", "openeuler2203", "openeuler2403", "openeuler2509", "sle12", "sle15", "slmicro5"] or 'rhel' in product -%}}
+ ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency
+ {{%- else -%}}
+ ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\"
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+index b9989413..4ad86c73 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+@@ -17,7 +17,7 @@
+ /etc/aide.conf
+ {{% if 'sle' in product or 'slmicro' in product %}}
+ ^database=file:/([/a-z.]+)$
+- {{% elif 'openeuler2403' in product or product in [ 'ol10', 'rhel10'] %}}
++ {{% elif product in [ 'ol10', 'rhel10', 'openeuler2403', 'openeuler2509' ] %}}
+ ^database_in=file:@@{DBDIR}/([a-z.]+)$
+ {{% else %}}
+ ^database=file:@@{DBDIR}/([a-z.]+)$
+diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2509.sh b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2509.sh
+new file mode 100644
+index 00000000..f2726025
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2509.sh
+@@ -0,0 +1,17 @@
++#!/bin/bash
++#
++# platform = multi_platform_openeuler
++# check-import = stdout
++
++result=$XCCDF_RESULT_PASS
++
++comm="$(grep "(root)" /etc/sudoers | awk '{print $3}')"
++for line in $comm ; do
++ permissions=$(stat -c "%A" "$line")
++ if [[ ${permissions:8:1} == "w" ]]; then
++ result=$XCCDF_RESULT_FAIL
++ break
++ fi
++done
++
++exit "$result"
+--
+2.33.0
+
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 1f12227..6928bdb 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -3,7 +3,7 @@ Name: scap-security-guide
 Version: 0.1.77
-Release: 2
+Release: 3
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
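Review bot: In the new `sce/openeuler2509.sh`, `stat -c "%A" "$line"` reports the mode of the symlink itself when a granted command is a symlink (`lrwxrwxrwx`), so `${permissions:8:1}` is `w` and the check fails for every symlinked command regardless of the target's mode; use `stat -L -c "%A"` so the resolved file is examined. The extraction `grep "(root)" /etc/sudoers | awk '{print $3}'` also looks only at `/etc/sudoers` (drop-ins under `/etc/sudoers.d`, if they are included on the target system, are never scanned), matches only the literal `(root)` (entries written as `(ALL)` or `(root:root)` are skipped), and assumes the command is the third field, so a `NOPASSWD:` tag or a comma-separated command list hands `stat` a token that is not a path. That failure only reaches stderr: `permissions` is empty, the `w` test is false and the rule passes, a false negative on exactly the entries it was meant to catch. The rewrite below reads both sudoers locations, strips the runas spec, tags and list separators, inspects only absolute paths, and leaves the treatment of a path that cannot be stat'ed as an explicit, commented choice rather than an accident. Separately, the new `std_openeuler2509` MAC list places the plain `hmac-sha2-*` entries ahead of their `-etm@openssh.com` forms, the reverse of the neighbouring `stig_*` profiles; if encrypt-then-MAC preference is intended, swap each pair.
```shell
# … unchanged: header comments, result=$XCCDF_RESULT_PASS …
# Commands granted to root (or ALL) in /etc/sudoers and its drop-ins, one
# token per line: drop the "(runas)" spec and any TAG: prefixes, then split
# comma-separated command lists. Comment lines are excluded.
cmds="$(grep -hE '^[^#].*\((root|ALL)(:[^)]*)?\)' /etc/sudoers /etc/sudoers.d/* 2>/dev/null \
  | sed -E 's/^.*\)[[:space:]]*//; s/[A-Z_]+:[[:space:]]*//g' \
  | tr ',' '\n' | awk '{print $1}')"
while IFS= read -r cmd; do
  [[ "$cmd" == /* ]] || continue   # ALL, aliases and similar are not files
  # -L: examine the target, not the symlink itself
  if ! permissions=$(stat -L -c "%A" -- "$cmd" 2>/dev/null); then
    # Missing path: decide FAIL (strict) or skip (lenient) here, deliberately
    continue
  fi
  if [[ ${permissions:8:1} == "w" ]]; then
    result=$XCCDF_RESULT_FAIL
    break
  fi
done <<< "$cmds"
exit "$result"
```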
@@ -17,6 +17,7 @@ Patch0005: scap-is-modified-to-be-consistent-with-the-specif.patch
 Patch0006: remove-rule-audit_privilege_escalation_command.patch
 Patch0007: remove-oval_sshd_config.patch
 Patch0008: Support-for-2509-configuration-check.patch
+Patch0009: fix-the-issue-in-oe2509.patch
 BuildArch: noarch
 BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.12, python3-jinja2, python3-PyYAML
@@ -71,6 +72,9 @@ rm -f %{buildroot}%{_docdir}/%{name}/LICENSE
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Mon Sep 15 2025 jinlun - 0.1.77-3
+- fix the issue in 2509
+
 * Wed Sep 03 2025 jinlun - 0.1.77-2
 - Support for 2509 configuration check
--
Gitee