!44 修改ssg中与openeuler安全规范不一致的条目

From: @jinlun123123 
Reviewed-by: @flysubmarine, @zhujianwei001 
Signed-off-by: @zhujianwei001

add-openeuler-automatic-hardening.patch

@@ -0,0 +1,563 @@
+From 3b23cd442beb76647801229660513aedbf03517e Mon Sep 17 00:00:00 2001
+From: xuce <xuce10@h-partners.com>
+Date: Thu, 5 Dec 2024 12:37:16 +0800
+Subject: [PATCH] add openeuler automatic hardening
+Signed-off-by: jinlun <jinlun@huawei.com>
+Signed-off-by: xuce <xuce10@h-partners.com>
+---
+ controls/std_openeuler.yml                      | 10 +++++++---
+ .../package_avahi_removed/rule.yml              |  2 +-
+ .../service_avahi-daemon_disabled/rule.yml      |  2 +-
+ .../file_permissions_at_allow/rule.yml          |  2 +-
+ .../file_permissions_cron_allow/rule.yml        |  2 +-
+ .../sshd_allow_only_protocol2/bash/shared.sh    |  2 +-
+ .../sshd_disable_rhosts_rsa/bash/shared.sh      |  2 +-
+ .../sshd_use_strong_macs/bash/shared.sh         |  2 +-
+ .../sshd_use_strong_pubkey/bash/shared.sh       |  2 ++
+ .../bash/shared.sh                              |  2 +-
+ .../bash/shared.sh                              |  2 +-
+ .../bash/shared.sh                              |  2 +-
+ .../bash/shared.sh                              | 11 +++++++++++
+ .../require_singleuser_auth/rule.yml            |  2 +-
+ .../gid_passwd_group_same/bash/shared.sh        | 10 ++++++++++
+ .../use_pam_wheel_for_su/bash/shared.sh         |  2 +-
+ .../bash/shared.sh                              |  2 +-
+ .../bash/shared.sh                              |  2 +-
+ .../bash/shared.sh                              |  2 +-
+ .../bash/shared.sh                              |  2 +-
+ .../configure_dump_journald_log/bash/shared.sh  |  7 +++++++
+ .../configure_dump_journald_log/rule.yml        |  4 ++--
+ .../rsyslog_cron_logging/bash/shared.sh         |  4 ++--
+ .../bash/shared.sh                              |  2 +-
+ .../aide/aide_build_database/oval/shared.xml    |  2 ++
+ .../only_root_can_run_pkexec/bash/shared.sh     |  5 +++++
+ .../su/su_always_set_path/bash/shared.sh        |  6 ++++++
+ .../sce/openeuler2403.sh                        | 17 +++++++++++++++++
+ .../bash/shared.sh                              |  2 +-
+ shared/macros/10-bash.jinja                     | 10 +++++-----
+ .../templates/accounts_password/bash.template   |  4 ++--
+ .../templates/accounts_password/oval.template   |  4 ++--
+ .../grub2_bootloader_argument/bash.template     |  2 +-
+ .../bash.template                               |  2 +-
+ shared/templates/service_disabled/bash.template |  2 +-
+ shared/templates/service_enabled/bash.template  |  2 +-
+ shared/templates/sysctl/bash.template           |  2 +-
+ 37 files changed, 103 insertions(+), 39 deletions(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
+ create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
+
+diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
+index b187420..6985d6d 100644
+--- a/controls/std_openeuler.yml
++++ b/controls/std_openeuler.yml
+@@ -53,7 +53,7 @@ controls:
+     rules:
+       - accounts_umask_etc_bashrc
+       - accounts_umask_etc_bashrc.severity=high
+-      - var_accounts_user_umask=077
++      - var_accounts_user_umask=027
+ 
+   - id: 1.1.6_no_global_writable_file
+     title: Ensure No Global Writable File
+@@ -280,8 +280,8 @@ controls:
+       - base
+     status: automated
+     rules:
+-      - service_avahi-daemon_disabled
+-      - service_avahi-daemon_disabled.severity=high
++      - package_avahi_removed
++      - package_avahi_removed.severity=high
+ 
+   - id: 1.2.10_ldap_server_not_installed
+     title: Ensure LDAP Server Not Installed
+@@ -711,6 +711,8 @@ controls:
+       - base
+     status: automated
+     rules:
++      - require_singleuser_auth
++      - require_singleuser_auth.severity=high
+       - require_emergency_target_auth
+       - require_emergency_target_auth.severity=high
+ 
+@@ -1627,6 +1629,8 @@ controls:
+       - base
+     status: automated
+     rules:
++      - package_audit_installed
++      - package_audit_installed.severity=high
+       - service_auditd_enabled
+       - service_auditd_enabled.severity=high
+ 
+diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
+index ae6e5f3..ceaa7cf 100644
+--- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
++++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204,openeuler2203,openeuler2403
+ 
+ title: 'Uninstall avahi Server Package'
+ 
+diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+index e799bae..2b0e53a 100644
+--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
++++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
++prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+ 
+ title: 'Disable Avahi Server Software'
+ 
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+index 30b6553..021fdab 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9
+ 
+ title: 'Verify Permissions on /etc/at.allow file'
+ 
+-{{%  if 'rhel' not in product %}}
++{{%  if 'rhel' not in product and 'openeuler' not in product %}}
+     {{% set target_perms_octal="0640" %}}
+     {{% set target_perms="-rw-r-----" %}}
+ {{% else %}}
+diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+index 1961b9a..dff56f0 100644
+--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+@@ -4,7 +4,7 @@ prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,r
+ 
+ title: 'Verify Permissions on /etc/cron.allow file'
+ 
+-{{%  if 'rhel' not in product %}}
++{{%  if 'rhel' not in product and 'openeuler' not in product  %}}
+     {{% set target_perms_octal="0640" %}}
+     {{% set target_perms="-rw-r-----" %}}
+ {{% else %}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
+index ba59876..cd31a2f 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv
++# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler
+ 
+ 
+ {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^Protocol', '2', '%s %s') }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
+index 5a1ec5c..7a918c9 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler
+ 
+ 
+ {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^RhostsRSAAuthentication', 'no', '%s %s') }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+index f77be04..07bd77c 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+@@ -1,4 +1,4 @@
+ # platform = multi_platform_all
+ 
+-{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}}
++{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com") }}}
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
+new file mode 100644
+index 0000000..7574233
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
+@@ -0,0 +1,2 @@
++#platform=multi_platform_openeuler
++{{{ bash_sshd_config_set(parameter="PubkeyAcceptedKeyTypes", value="ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512") }}}
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+index c830c07..d8499be 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
+ 
+ {{% if product in [ "sle12", "sle15" ] %}}
+ {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+index 449d912..3426bdc 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+index 3a32aad..2b0f4b4 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
+new file mode 100644
+index 0000000..c11315b
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
+@@ -0,0 +1,11 @@
++# platform = multi_platform_openeuler
++
++grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/system-auth
++if [ $? -eq 0 ]; then
++    sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/system-auth
++fi
++
++grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/password-auth
++if [ $? -eq 0 ]; then
++    sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/password-auth
++fi
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+index 6e47912..107ef85 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,openeuler2203,openeuler2403
+ 
+ title: 'Require Authentication for Single User Mode'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
+new file mode 100644
+index 0000000..7f1cd3a
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
+@@ -0,0 +1,10 @@
++# platform = multi_platform_openeuler
++
++grep -E -v '^(halt|sync|shutdown)' "/etc/passwd" | awk -F ":" '($7 != "/bin/false" && $7 != "/sbin/nologin") {print $1, $4}' | while read user group;
++do
++    grep -q -P "^.*?:[^:]*:$group:" "/etc/group"
++    if [ $? -ne 0 ]; then
++        groupdel $user
++        groupadd -g $group $user
++    fi
++done
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+index cf672ee..17ed6f2 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
+ 
+ # uncomment the option if commented
+   sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
+index 36e7f8c..6f92e73 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_audispd_disk_full_action") }}}
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
+index 8a53bf8..561ff0f 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_auditd_max_log_file") }}}
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
+index 5007f96..1834f35 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}}
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
+index a53f062..45ff50d 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
++# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ 
+ {{{ bash_instantiate_variables("var_auditd_space_left") }}}
+ 
+diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
+new file mode 100644
+index 0000000..3f36da4
+--- /dev/null
++++ b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
+@@ -0,0 +1,7 @@
++# platform = multi_platform_openeuler
++
++echo 'module(load="imjournal"' >> /etc/rsyslog.conf
++echo 'StateFile="/run/log/imjournal.state")' >> /etc/rsyslog.conf
++
++systemctl daemon-reload
++systemctl restart rsyslog
+diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
+index 6121f9c..4643b87 100644
+--- a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
++++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml
+@@ -13,7 +13,7 @@ description: |-
+     consistent with the system. Safety.
+ 
+     <p>Check whether the relevant fields have been configured in the /etc/rsyslog.conf file:</p>
+-    <pre>$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*</pre>
++    <pre>$ grep "^[^#]*imjournal" /etc/rsyslog.conf</pre>
+ 
+ rationale: |-
+     If there is a volatile storage device for the log, failure to dump
+@@ -22,4 +22,4 @@ rationale: |-
+     are not dumped in time, the logs may fill up the current partition,
+     causing the risk of other processes or system failures.
+ 
+-severity: high
+\ No newline at end of file
++severity: high
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
+index 773f889..f6f3772 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
+@@ -1,8 +1,8 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_openeuler
+ 
+ if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
+ 	mkdir -p /etc/rsyslog.d
+-	echo "cron.*	/var/log/cron" >> /etc/rsyslog.d/cron.conf
++	echo "cron.*	/var/log/cron" >> /etc/rsyslog.conf
+ fi
+ 
+ systemctl restart rsyslog.service
+diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+index 91b3495..265cda1 100644
+--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
++# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
+ df --local -P | awk '{if (NR!=1) print $6}' \
+ | xargs -I '$6' find '$6' -xdev -type d \
+ \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+index 14cf458..ffa8444 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
+@@ -17,6 +17,8 @@
+     <ind:filepath>/etc/aide.conf</ind:filepath>
+     {{% if 'sle' in product %}}
+       <ind:pattern operation="pattern match">^database=file:/([/a-z.]+)$</ind:pattern>
++    {{% elif 'openeuler2403' in product %}}
++      <ind:pattern operation="pattern match">^database_in=file:@@{DBDIR}/([a-z.]+)$</ind:pattern>
+     {{% else %}}
+       <ind:pattern operation="pattern match">^database=file:@@{DBDIR}/([a-z.]+)$</ind:pattern>
+     {{% endif %}}
+diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
+new file mode 100644
+index 0000000..8a5a7a2
+--- /dev/null
++++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_openeuler
++
++echo "polkit.addAdminRule(function(action, subject) {
++    return [\"unix-user:0\"];
++});" > /etc/polkit-1/rules.d/50-default.rules
+diff --git a/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
+new file mode 100644
+index 0000000..a5e4058
+--- /dev/null
++++ b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_openeuler
++
++grep '^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$' /etc/login.defs
++if [ $? -ne 0 ]; then
++    echo "ALWAYS_SET_PATH=yes" >> /etc/login.defs
++fi
+diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
+new file mode 100644
+index 0000000..f272602
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
+@@ -0,0 +1,17 @@
++#!/bin/bash
++#
++# platform = multi_platform_openeuler
++# check-import = stdout
++
++result=$XCCDF_RESULT_PASS
++
++comm="$(grep "(root)" /etc/sudoers | awk '{print $3}')"
++for line in $comm ; do
++	permissions=$(stat -c "%A" "$line")
++	if [[ ${permissions:8:1} == "w" ]]; then
++		result=$XCCDF_RESULT_FAIL
++		break
++	fi
++done
++
++exit "$result"
+diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
+index 07e02fa..1a47c35 100644
+--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
+ {{% if product in ["sle12", "sle15"] %}}
+ sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/*
+ {{% else %}}
+diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
+index 292a14a..9a8eace 100644
+--- a/shared/macros/10-bash.jinja
++++ b/shared/macros/10-bash.jinja
+@@ -1980,7 +1980,7 @@ Part of the grub2_bootloader_argument template.
+ 
+ #}}
+ {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}}
+-{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
++{{% if 'ubuntu' in product or 'openeuler' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
+ {{{ update_etc_default_grub_manually(arg_name, arg_name_value) }}}
+ {{% endif -%}}
+ {{{ grub_command("add", arg_name_value) }}}
+@@ -1996,9 +1996,9 @@ Part of the grub2_bootloader_argument template.
+ #}}
+ {{%- macro update_etc_default_grub_manually_absent(arg_name) -%}}
+ # Correct the form of default kernel command line in GRUB
+-if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"'  '/etc/default/grub' ; then
+-       sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ arg_name }}}=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+-fi
++while grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"'  '/etc/default/grub' ; do
++       sed -i 's/\(^GRUB_CMDLINE_LINUX=".*[[:space:]]\?\){{{ arg_name }}}=\?[^[:space:]]*[[:space:]]\?\(.*"\)/\1\2/' '/etc/default/grub'
++done
+ {{%- endmacro %}}
+ 
+ 
+@@ -2011,7 +2011,7 @@ Part of the grub2_bootloader_argument_absent template.
+ 
+ #}}
+ {{% macro grub2_bootloader_argument_absent_remediation(arg_name) %}}
+-{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
++{{% if 'ubuntu' in product or 'openeuler' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}}
+ {{{ update_etc_default_grub_manually_absent(arg_name) }}}
+ {{% endif -%}}
+ {{{ grub_command("remove", arg_name) }}}
+diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template
+index 46e98c1..ac8a0d7 100644
+--- a/shared/templates/accounts_password/bash.template
++++ b/shared/templates/accounts_password/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = false
+ # strategy = restrict
+ # complexity = low
+@@ -12,7 +12,7 @@ if grep -sq {{{ VARIABLE }}} /etc/security/pwquality.conf.d/*.conf ; then
+ fi
+ {{% endif %}}
+ 
+-{{% if "ol" in product %}}
++{{% if "ol" in product or "openeuler2403" in product %}}
+ {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth',
+                                   'password',
+                                   '',
+diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template
+index c83a666..5d5b1a7 100644
+--- a/shared/templates/accounts_password/oval.template
++++ b/shared/templates/accounts_password/oval.template
+@@ -11,14 +11,14 @@
+       <criteria operator="OR">
+         <criterion comment="pwquality.conf" test_ref="test_password_pam_pwquality_{{{ VARIABLE }}}" />
+       </criteria>
+-      {{% if "ol" in product %}}
++      {{% if "ol" in product or "openeuler2403" in product %}}
+       <criterion comment="{{{ VARIABLE }}} is not overwritten in system-auth"
+         test_ref="test_password_pam_pwquality_{{{ VARIABLE }}}_not_overwritten"/>
+       {{% endif %}}
+     </criteria>
+   </definition>
+ 
+-  {{% if "ol" in product %}}
++  {{% if "ol" in product or "openeuler2403" in product %}}
+   <ind:textfilecontent54_test check="all" check_existence="none_exist"
+     comment="check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf"
+     id="test_password_pam_pwquality_{{{ VARIABLE }}}_not_overwritten" version="1">
+diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
+index 965f4d3..4cbedf3 100644
+--- a/shared/templates/grub2_bootloader_argument/bash.template
++++ b/shared/templates/grub2_bootloader_argument/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ {{#
+    See the OVAL template for more comments.
+    Product-specific categorization should be synced across all template content types
+diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template
+index 8d7d6e9..dd2ff30 100644
+--- a/shared/templates/grub2_bootloader_argument_absent/bash.template
++++ b/shared/templates/grub2_bootloader_argument_absent/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ {{#
+    See the OVAL template for more comments.
+    Product-specific categorization should be synced across all template content types
+diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template
+index 27666b0..6d6f027 100644
+--- a/shared/templates/service_disabled/bash.template
++++ b/shared/templates/service_disabled/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = false
+ # strategy = disable
+ # complexity = low
+diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template
+index 00fd1ee..16ca4aa 100644
+--- a/shared/templates/service_enabled/bash.template
++++ b/shared/templates/service_enabled/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = false
+ # strategy = enable
+ # complexity = low
+diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
+index 49e4d94..4370e45 100644
+--- a/shared/templates/sysctl/bash.template
++++ b/shared/templates/sysctl/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
+ # reboot = true
+ # strategy = disable
+ # complexity = low
+-- 
+2.33.0
+

scap-is-modified-to-be-consistent-with-the-specif.patch

@@ -0,0 +1,72 @@
+From 34a439703a12363e348329db2cc1145a7084fe4d Mon Sep 17 00:00:00 2001
+From: jinlun <jinlun@huawei.com>
+Date: Tue, 10 Dec 2024 19:25:41 +0800
+Subject: [PATCH] the ssg is modified to be consistent with the specifications
+
+---
+ controls/std_openeuler.yml                                  | 1 +
+ .../bash/shared.sh                                          | 6 ++++++
+ .../oval/shared.xml                                         | 4 ++++
+ .../var_auditd_space_left.var                               | 1 +
+ 4 files changed, 12 insertions(+)
+
+diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
+index 6985d6d..3068afb 100644
+--- a/controls/std_openeuler.yml
++++ b/controls/std_openeuler.yml
+@@ -1752,6 +1752,7 @@ controls:
+     rules:
+       - auditd_data_retention_space_left
+       - auditd_data_retention_space_left.severity=low
++      - var_auditd_space_left=75MB
+       - auditd_data_retention_space_left_action
+       - auditd_data_retention_space_left_action.severity=low
+       - var_auditd_space_left_action=syslog
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
+index 4233f10..293dc77 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/bash/shared.sh
+@@ -2,6 +2,12 @@
+ 
+ {{{ bash_instantiate_variables("var_auditd_admin_space_left_percentage") }}}
+ 
++{{% if "openeuler" in product %}}
++grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
++  sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage/g" /etc/audit/auditd.conf || \
++  echo "admin_space_left = $var_auditd_admin_space_left_percentage" >> /etc/audit/auditd.conf
++{{% else %}}
+ grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
+   sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage%/g" /etc/audit/auditd.conf || \
+   echo "admin_space_left = $var_auditd_admin_space_left_percentage%" >> /etc/audit/auditd.conf
++{{% endif %}}
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
+index 16d7433..b2acd8f 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/oval/shared.xml
+@@ -17,7 +17,11 @@
+     <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
+     <!-- Allow only space (exactly) as delimiter: https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L426 -->
+     <!-- Require at least one space before and after the equal sign -->
++{{% if "openeuler" in product %}}
++    <ind:pattern operation="pattern match">^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$</ind:pattern>
++{{% else %}}
+     <ind:pattern operation="pattern match">^[\s]*admin_space_left[\s]+=[\s]+(\d+)%[\s]*$</ind:pattern>
++{{% endif %}}
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
+index 4a3acba..3d86ed4 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
+@@ -10,6 +10,7 @@ interactive: false
+ 
+ options:
+     1000MB: 1000
++    75MB: 75
+     100MB: 100
+     250MB: 250
+     500MB: 500
+-- 
+2.33.0
+

scap-security-guide.spec

@@ -1,6 +1,6 @@
 Name:		scap-security-guide
 Version:	0.1.68
-Release:	4
+Release:	9
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@@ -9,6 +9,8 @@ Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{versio
 Patch0001: add-openeuler-support.patch
 Patch0002: add-openeuler-control-rules.patch
 Patch0003: optimize-rules-for-openEuler.patch
+Patch0004: add-openeuler-automatic-hardening.patch
+Patch0005: scap-is-modified-to-be-consistent-with-the-specif.patch
 
 BuildArch:	noarch
 BuildRequires: 	libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@@ -64,6 +66,21 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 
 %changelog
+* Tue Dec 10 2024 jinlun <jinlun@huawei.com> - 0.1.68-9
+- the ssg is modified to be consistent with the specifications
+
+* Thu Dec 5 2024 xuce <xuce10@h-partners.com> - 0.1.68-8
+- fix strong MACs and permission of cron.allow and at.allow
+
+* Tue Dec 3 2024 jinlun <jinlun@huawei.com> - 0.1.68-7
+- fix some issue.
+
+* Fri Nov 15 2024 jinlun <jinlun@huawei.com> - 0.1.68-6
+- fix openeuler grub configuration to Automatic hardening.
+
+* Wed Nov 13 2024 jinlun <jinlun@huawei.com> - 0.1.68-5
+- Automatic hardening is supported.
+
 * Sat Feb 24 2024 wangqingsan <wangqingsan@huawei.com> - 0.1.68-4
 - optimiz rules for openEuler