Automatic hardening is supported.

2024-11-13 11:19:56 +08:00 · 2024-11-13 11:19:56 +08:00 · 6e2b0fcc76
commit 6e2b0fcc76
parent 2efbf43a27
2 changed files with 411 additions and 1 deletions
--- a/add-openeuler-automatic-hardening.patch
+++ b/add-openeuler-automatic-hardening.patch
@ -0,0 +1,406 @@
+From e587488759e5c07058b273dbada7937b96cbc388 Mon Sep 17 00:00:00 2001
+From: jinlun <jinlun@huawei.com>
+Date: Wed, 13 Nov 2024 14:38:36 +0800
+Subject: [PATCH] Automatic hardening is supported.
+
+Signed-off-by: jinlun <jinlun@huawei.com>
+Signed-off-by: xuce <xuce10@h-partners.com>
+---
+ controls/std_openeuler.yml                      | 10 +++++++---
+ .../package_avahi_removed/rule.yml              |  2 +-
+ .../service_avahi-daemon_disabled/rule.yml      |  2 +-
+ .../sshd_allow_only_protocol2/bash/shared.sh    |  2 +-
+ .../sshd_disable_rhosts_rsa/bash/shared.sh      |  2 +-
+ .../sshd_use_strong_pubkey/bash/shared.sh       |  2 ++
+ .../bash/shared.sh                              |  2 +-
+ .../bash/shared.sh                              |  2 +-
+ .../bash/shared.sh                              |  2 +-
+ .../bash/shared.sh                              | 11 +++++++++++
+ .../bash/shared.sh                              | 10 ++++++++++
+ .../require_singleuser_auth/rule.yml            |  2 +-
+ .../gid_passwd_group_same/bash/shared.sh        | 10 ++++++++++
+ .../use_pam_wheel_for_su/bash/shared.sh         |  2 +-
+ .../bash/shared.sh                              |  2 +-
+ .../bash/shared.sh                              |  2 +-
+ .../configure_dump_journald_log/bash/shared.sh  |  7 +++++++
+ .../rsyslog_cron_logging/bash/shared.sh         |  4 ++--
+ .../bash/shared.sh                              |  2 +-
+ .../only_root_can_run_pkexec/bash/shared.sh     |  5 +++++
+ .../su/su_always_set_path/bash/shared.sh        |  6 ++++++
+ .../sce/openeuler2403.sh                        | 17 +++++++++++++++++
+ .../bash/shared.sh                              |  2 +-
+ .../grub2_bootloader_argument/bash.template     |  2 +-
+ .../bash.template                               |  2 +-
+ shared/templates/service_disabled/bash.template |  2 +-
+ shared/templates/service_enabled/bash.template  |  2 +-
+ shared/templates/sysctl/bash.template           |  2 +-
+ 28 files changed, 95 insertions(+), 23 deletions(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
+ create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
+
+diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
+index b187420..6985d6d 100644
+--- a/controls/std_openeuler.yml
+++ b/controls/std_openeuler.yml
+@@ -53,7 +53,7 @@ controls:
+     rules:
+       - accounts_umask_etc_bashrc
+       - accounts_umask_etc_bashrc.severity=high
+-      - var_accounts_user_umask=077
+      - var_accounts_user_umask=027
+ 
+   - id: 1.1.6_no_global_writable_file
+     title: Ensure No Global Writable File
+@@ -280,8 +280,8 @@ controls:
+       - base
+     status: automated
+     rules:
+-      - service_avahi-daemon_disabled
+-      - service_avahi-daemon_disabled.severity=high
+      - package_avahi_removed
+      - package_avahi_removed.severity=high
+ 
+   - id: 1.2.10_ldap_server_not_installed
+     title: Ensure LDAP Server Not Installed
+@@ -711,6 +711,8 @@ controls:
+       - base
+     status: automated
+     rules:
+      - require_singleuser_auth
+      - require_singleuser_auth.severity=high
+       - require_emergency_target_auth
+       - require_emergency_target_auth.severity=high
+ 
+@@ -1627,6 +1629,8 @@ controls:
+       - base
+     status: automated
+     rules:
+      - package_audit_installed
+      - package_audit_installed.severity=high
+       - service_auditd_enabled
+       - service_auditd_enabled.severity=high
+ 
+diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
+index ae6e5f3..ceaa7cf 100644
+--- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204,openeuler2203,openeuler2403
+ 
+ title: 'Uninstall avahi Server Package'
+ 
+diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+index e799bae..2b0e53a 100644
+--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+ 
+ title: 'Disable Avahi Server Software'
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
+index ba59876..cd31a2f 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler
+ 
+ 
+ {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^Protocol', '2', '%s %s') }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
+index 5a1ec5c..7a918c9 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler
+ 
+ 
+ {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^RhostsRSAAuthentication', 'no', '%s %s') }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
+new file mode 100644
+index 0000000..7574233
+--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
+@@ -0,0 +1,2 @@
+#platform=multi_platform_openeuler
+{{{ bash_sshd_config_set(parameter="PubkeyAcceptedKeyTypes", value="ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512") }}}
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+index c830c07..d8499be 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
+ 
+ {{% if product in [ "sle12", "sle15" ] %}}
+ {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+index 449d912..3426bdc 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+index 3a32aad..2b0f4b4 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
+new file mode 100644
+index 0000000..797f631
+--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
+@@ -0,0 +1,11 @@
+# platform = multi_platform_openeuler
+
+grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/system-auth
+if [ $? -eq 0 ]; then
+    sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/system-auth
+fi
+
+grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/password-auth
+if [ $? -nq 0 ]; then
+    sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/password-auth
+fi
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
+new file mode 100644
+index 0000000..9f3f5df
+--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
+@@ -0,0 +1,10 @@
+# platform = multi_platform_openeuler
+
+
+cracklib-unpacker /usr/share/cracklib/pw_dict > ssg_dictionary.txt
+create-cracklib-dict ssg_dictionary.txt
+rm -f ssg_dictionary.txt
+grep -oE '^ *dictcheck *= *(-?[0-9]+)([[:space:]]|$)' /etc/security/pwquality.conf
+if [ $? -ne 0 ]; then
+echo "dictcheck = 1" >> /etc/security/pwquality.conf
+fi
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+index 6e47912..107ef85 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,openeuler2203,openeuler2403
+ 
+ title: 'Require Authentication for Single User Mode'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
+new file mode 100644
+index 0000000..badcc54
+--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
+@@ -0,0 +1,10 @@
+# platform = multi_platform_openeuler
+
+grep -E -v '^(halt|sync|shutdown)' "/etc/passwd" | awk -F ":" '($7 != "/bin/false" && $7 != "/sbin/nologin") {print $1, $4}' | while read user group;
+do
+    grep -q -P "^.*?:[^:]*:$group:" "/etc/group"
+    if [ $? -ne 0 ]; then
+        groupdel $user
+        groupadd -g $group $user
+    fi
+done
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+index cf672ee..17ed6f2 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
+ 
+ # uncomment the option if commented
+   sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
+index 8a53bf8..561ff0f 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_auditd_max_log_file") }}}
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
+index 5007f96..1834f35 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}}
+ 
+diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
+new file mode 100644
+index 0000000..7b8d8aa
+--- /dev/null
+++ b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
+@@ -0,0 +1,5 @@
+# platform = multi_platform_openeuler
+
+echo 'module(load="imjournal"' >> /etc/rsyslog.conf
+echo 'StateFile="/run/log/imjournal.state")' >> /etc/rsyslog.conf
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
+index 773f889..f6f3772 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
+@@ -1,8 +1,8 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_openeuler
+ 
+ if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
+ 	mkdir -p /etc/rsyslog.d
+-	echo "cron.*	/var/log/cron" >> /etc/rsyslog.d/cron.conf
+	echo "cron.*	/var/log/cron" >> /etc/rsyslog.conf
+ fi
+ 
+ systemctl restart rsyslog.service
+diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+index 91b3495..265cda1 100644
+--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ df --local -P | awk '{if (NR!=1) print $6}' \
+ | xargs -I '$6' find '$6' -xdev -type d \
+ \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
+diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
+new file mode 100644
+index 0000000..1057e81
+--- /dev/null
+++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
+@@ -0,0 +1,5 @@
+# platform = multi_platform_openeuler
+
+echo "polkit.addAdminRule(function(action, subject) {
+    return ["unix-user:0"];
+});" > /etc/polkit-1/rules.d/50-default.rules
+diff --git a/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
+new file mode 100644
+index 0000000..4ac660f
+--- /dev/null
+++ b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
+@@ -0,0 +1,6 @@
+# platform = multi_platform_openeuler
+
+grep '^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$' /etc/login.defs
+if [ $? -ne 0 ]; then
+    echo "ALWAYS_SET_PATH=yes" >> /etc/login.defs
+fi
+diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
+new file mode 100644
+index 0000000..f272602
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
+@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# platform = multi_platform_openeuler
+# check-import = stdout
+
+result=$XCCDF_RESULT_PASS
+
+comm="$(grep "(root)" /etc/sudoers | awk '{print $3}')"
+for line in $comm ; do
+	permissions=$(stat -c "%A" "$line")
+	if [[ ${permissions:8:1} == "w" ]]; then
+		result=$XCCDF_RESULT_FAIL
+		break
+	fi
+done
+
+exit "$result"
+diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
+index 07e02fa..1a47c35 100644
+--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
+ {{% if product in ["sle12", "sle15"] %}}
+ sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/*
+ {{% else %}}
+diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
+index 965f4d3..4cbedf3 100644
+--- a/shared/templates/grub2_bootloader_argument/bash.template
+++ b/shared/templates/grub2_bootloader_argument/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ {{#
+    See the OVAL template for more comments.
+    Product-specific categorization should be synced across all template content types
+diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template
+index 8d7d6e9..dd2ff30 100644
+--- a/shared/templates/grub2_bootloader_argument_absent/bash.template
+++ b/shared/templates/grub2_bootloader_argument_absent/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ {{#
+    See the OVAL template for more comments.
+    Product-specific categorization should be synced across all template content types
+diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template
+index 27666b0..6d6f027 100644
+--- a/shared/templates/service_disabled/bash.template
+++ b/shared/templates/service_disabled/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = false
+ # strategy = disable
+ # complexity = low
+diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template
+index 00fd1ee..16ca4aa 100644
+--- a/shared/templates/service_enabled/bash.template
+++ b/shared/templates/service_enabled/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = false
+ # strategy = enable
+ # complexity = low
+diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
+index 49e4d94..4370e45 100644
+--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = true
+ # strategy = disable
+ # complexity = low
+-- 
+2.33.0
+
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -1,6 +1,6 @@
 Name:		scap-security-guide
 Version:	0.1.68
-Release:	4
+Release:	5
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@ -9,6 +9,7 @@ Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{versio
 Patch0001: add-openeuler-support.patch
 Patch0002: add-openeuler-control-rules.patch
 Patch0003: optimize-rules-for-openEuler.patch
+Patch0004: add-openeuler-automatic-hardening.patch

 BuildArch:	noarch
 BuildRequires: 	libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@ -64,6 +65,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html

 %changelog
+* Wed Nov 13 2024 jinlun <jinlun@huawei.com> - 0.1.68-5
+- Automatic hardening is supported.
+
 * Sat Feb 24 2024 wangqingsan <wangqingsan@huawei.com> - 0.1.68-4
 - optimiz rules for openEuler