fix openeuler grub configuration to Automatic hardening.

l
2024-11-15 10:58:49 +08:00 · 2024-11-15 10:58:49 +08:00 · f3ae4f8628
commit f3ae4f8628
parent c019b6ca50
2 changed files with 48 additions and 9 deletions
--- a/add-openeuler-automatic-hardening.patch
+++ b/add-openeuler-automatic-hardening.patch
@ -1,4 +1,4 @@
-From e587488759e5c07058b273dbada7937b96cbc388 Mon Sep 17 00:00:00 2001
+From a4a86e816552479cb41e3423aef67acc32fb8510 Mon Sep 17 00:00:00 2001
 From: jinlun <jinlun@huawei.com>
 Date: Wed, 13 Nov 2024 14:38:36 +0800
 Subject: [PATCH] Automatic hardening is supported.
@ -22,19 +22,20 @@ Signed-off-by: xuce <xuce10@h-partners.com>
 .../use_pam_wheel_for_su/bash/shared.sh         |  2 +-
 .../bash/shared.sh                              |  2 +-
 .../bash/shared.sh                              |  2 +-
- .../configure_dump_journald_log/bash/shared.sh  |  7 +++++++
+ .../configure_dump_journald_log/bash/shared.sh  |  5 +++++
 .../rsyslog_cron_logging/bash/shared.sh         |  4 ++--
 .../bash/shared.sh                              |  2 +-
 .../only_root_can_run_pkexec/bash/shared.sh     |  5 +++++
 .../su/su_always_set_path/bash/shared.sh        |  6 ++++++
 .../sce/openeuler2403.sh                        | 17 +++++++++++++++++
 .../bash/shared.sh                              |  2 +-
 shared/macros/10-bash.jinja                     | 10 +++++-----
 .../grub2_bootloader_argument/bash.template     |  2 +-
 .../bash.template                               |  2 +-
 shared/templates/service_disabled/bash.template |  2 +-
 shared/templates/service_enabled/bash.template  |  2 +-
 shared/templates/sysctl/bash.template           |  2 +-
- 28 files changed, 95 insertions(+), 23 deletions(-)
+ 29 files changed, 98 insertions(+), 28 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
@ -170,7 +171,7 @@ index 3a32aad..2b0f4b4 100644
 diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
 new file mode 100644
-index 0000000..797f631
+index 0000000..568f4f5
 --- /dev/null
 +++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
@@ -0,0 +1,11 @@
@ -187,7 +188,7 @@ index 0000000..797f631
 +fi
 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
 new file mode 100644
-index 0000000..9f3f5df
+index 0000000..7795559
 --- /dev/null
 +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
@@ -0,0 +1,10 @@
@ -215,7 +216,7 @@ index 6e47912..107ef85 100644
 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
 new file mode 100644
-index 0000000..badcc54
+index 0000000..7f1cd3a
 --- /dev/null
 +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
@@ -0,0 +1,10 @@
@ -261,7 +262,7 @@ index 5007f96..1834f35 100644
 diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
 new file mode 100644
-index 0000000..7b8d8aa
+index 0000000..12febfb
 --- /dev/null
 +++ b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
@@ -0,0 +1,5 @@
@ -308,7 +309,7 @@ index 0000000..1057e81
 +});" > /etc/polkit-1/rules.d/50-default.rules
 diff --git a/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
 new file mode 100644
-index 0000000..4ac660f
+index 0000000..a5e4058
 --- /dev/null
 +++ b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
@@ -0,0 +1,6 @@
@ -351,6 +352,41 @@ index 07e02fa..1a47c35 100644
 {{% if product in ["sle12", "sle15"] %}}
 sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/*
 {{% else %}}
 diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
 index 292a14a..9a8eace 100644
 --- a/shared/macros/10-bash.jinja
 +++ b/shared/macros/10-bash.jinja
@@ -1980,7 +1980,7 @@ Part of the grub2_bootloader_argument template.
 #}}
 {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}}
 -{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
 +{{% if 'ubuntu' in product or 'openeuler' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
 {{{ update_etc_default_grub_manually(arg_name, arg_name_value) }}}
 {{% endif -%}}
 {{{ grub_command("add", arg_name_value) }}}
@@ -1996,9 +1996,9 @@ Part of the grub2_bootloader_argument template.
 #}}
 {{%- macro update_etc_default_grub_manually_absent(arg_name) -%}}
 # Correct the form of default kernel command line in GRUB
 -if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"'  '/etc/default/grub' ; then
 -       sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ arg_name }}}=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
 -fi
 +while grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"'  '/etc/default/grub' ; do
 +       sed -i 's/\(^GRUB_CMDLINE_LINUX=".*[[:space:]]\?\){{{ arg_name }}}=\?[^[:space:]]*[[:space:]]\?\(.*"\)/\1\2/' '/etc/default/grub'
 +done
 {{%- endmacro %}}
@@ -2011,7 +2011,7 @@ Part of the grub2_bootloader_argument_absent template.
 #}}
 {{% macro grub2_bootloader_argument_absent_remediation(arg_name) %}}
 -{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
 +{{% if 'ubuntu' in product or 'openeuler' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
 {{{ update_etc_default_grub_manually_absent(arg_name) }}}
 {{% endif -%}}
 {{{ grub_command("remove", arg_name) }}}
 diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
 index 965f4d3..4cbedf3 100644
 --- a/shared/templates/grub2_bootloader_argument/bash.template
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -1,6 +1,6 @@
 Name:		scap-security-guide
 Version:	0.1.68
-Release:	5
+Release:	6
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@ -65,6 +65,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
 * Fri Nov 15 2024 jinlun <jinlun@huawei.com> - 0.1.68-6
 - fix openeuler grub configuration to Automatic hardening.
 * Wed Nov 13 2024 jinlun <jinlun@huawei.com> - 0.1.68-5
 - Automatic hardening is supported.