fix strong MACs and permission of cron.allow and at.allow

add-openeuler-automatic-hardening.patch

@@ -1,16 +1,18 @@
-From e64af3aba7460bab202a194613ecf672747fc199 Mon Sep 17 00:00:00 2001
+From 3b23cd442beb76647801229660513aedbf03517e Mon Sep 17 00:00:00 2001
-From: jinlun <jinlun@huawei.com>
+From: xuce <xuce10@h-partners.com>
-Date: Tue, 3 Dec 2024 17:18:17 +0800
+Date: Thu, 5 Dec 2024 12:37:16 +0800
-Subject: [PATCH] Automatic hardening is supported.
+Subject: [PATCH] add openeuler automatic hardening
-
 Signed-off-by: jinlun <jinlun@huawei.com>
 Signed-off-by: xuce <xuce10@h-partners.com>
 ---
  controls/std_openeuler.yml                      | 10 +++++++---
  .../package_avahi_removed/rule.yml              |  2 +-
  .../service_avahi-daemon_disabled/rule.yml      |  2 +-
+ .../file_permissions_at_allow/rule.yml          |  2 +-
+ .../file_permissions_cron_allow/rule.yml        |  2 +-
  .../sshd_allow_only_protocol2/bash/shared.sh    |  2 +-
  .../sshd_disable_rhosts_rsa/bash/shared.sh      |  2 +-
+ .../sshd_use_strong_macs/bash/shared.sh         |  2 +-
  .../sshd_use_strong_pubkey/bash/shared.sh       |  2 ++
  .../bash/shared.sh                              |  2 +-
  .../bash/shared.sh                              |  2 +-
@@ -40,7 +42,7 @@ Signed-off-by: xuce <xuce10@h-partners.com>
  shared/templates/service_disabled/bash.template |  2 +-
  shared/templates/service_enabled/bash.template  |  2 +-
  shared/templates/sysctl/bash.template           |  2 +-
- 34 files changed, 100 insertions(+), 36 deletions(-)
+ 37 files changed, 103 insertions(+), 39 deletions(-)
  create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
  create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
  create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
@@ -115,6 +117,32 @@ index e799bae..2b0e53a 100644
  
  title: 'Disable Avahi Server Software'
  
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+index 30b6553..021fdab 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9
+ 
+ title: 'Verify Permissions on /etc/at.allow file'
+ 
+-{{%  if 'rhel' not in product %}}
++{{%  if 'rhel' not in product and 'openeuler' not in product %}}
+     {{% set target_perms_octal="0640" %}}
+     {{% set target_perms="-rw-r-----" %}}
+ {{% else %}}
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+index 1961b9a..dff56f0 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,r
+ 
+ title: 'Verify Permissions on /etc/cron.allow file'
+ 
+-{{%  if 'rhel' not in product %}}
++{{%  if 'rhel' not in product and 'openeuler' not in product  %}}
+     {{% set target_perms_octal="0640" %}}
+     {{% set target_perms="-rw-r-----" %}}
+ {{% else %}}
 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
 index ba59876..cd31a2f 100644
 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
@@ -135,6 +163,16 @@ index 5a1ec5c..7a918c9 100644
  
  
  {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^RhostsRSAAuthentication', 'no', '%s %s') }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+index f77be04..07bd77c 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+@@ -1,4 +1,4 @@
+ # platform = multi_platform_all
+ 
+-{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}}
++{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com") }}}
+ 
 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
 new file mode 100644
 index 0000000..7574233
@@ -175,7 +213,7 @@ index 3a32aad..2b0f4b4 100644
  
 diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
 new file mode 100644
-index 0000000..568f4f5
+index 0000000..c11315b
 --- /dev/null
 +++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
 @@ -0,0 +1,11 @@

scap-security-guide.spec

@@ -1,6 +1,6 @@
 Name:		scap-security-guide
 Version:	0.1.68
-Release:	7
+Release:	8
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@@ -65,6 +65,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 
 %changelog
+* Thu Dec 5 2024 xuce <xuce10@h-partners.com> - 0.1.68-8
+- fix strong MACs and permission of cron.allow and at.allow
+
 * Tue Dec 3 2024 jinlun <jinlun@huawei.com> - 0.1.68-7
 - fix some issue.