From e587488759e5c07058b273dbada7937b96cbc388 Mon Sep 17 00:00:00 2001
From: jinlun <jinlun@huawei.com>
Date: Wed, 13 Nov 2024 14:38:36 +0800
Subject: [PATCH] Automatic hardening is supported.

Signed-off-by: jinlun <jinlun@huawei.com>
Signed-off-by: xuce <xuce10@h-partners.com>
---
 controls/std_openeuler.yml                      | 10 +++++++---
 .../package_avahi_removed/rule.yml              |  2 +-
 .../service_avahi-daemon_disabled/rule.yml      |  2 +-
 .../sshd_allow_only_protocol2/bash/shared.sh    |  2 +-
 .../sshd_disable_rhosts_rsa/bash/shared.sh      |  2 +-
 .../sshd_use_strong_pubkey/bash/shared.sh       |  2 ++
 .../bash/shared.sh                              |  2 +-
 .../bash/shared.sh                              |  2 +-
 .../bash/shared.sh                              |  2 +-
 .../bash/shared.sh                              | 11 +++++++++++
 .../bash/shared.sh                              | 10 ++++++++++
 .../require_singleuser_auth/rule.yml            |  2 +-
 .../gid_passwd_group_same/bash/shared.sh        | 10 ++++++++++
 .../use_pam_wheel_for_su/bash/shared.sh         |  2 +-
 .../bash/shared.sh                              |  2 +-
 .../bash/shared.sh                              |  2 +-
 .../configure_dump_journald_log/bash/shared.sh  |  7 +++++++
 .../rsyslog_cron_logging/bash/shared.sh         |  4 ++--
 .../bash/shared.sh                              |  2 +-
 .../only_root_can_run_pkexec/bash/shared.sh     |  5 +++++
 .../su/su_always_set_path/bash/shared.sh        |  6 ++++++
 .../sce/openeuler2403.sh                        | 17 +++++++++++++++++
 .../bash/shared.sh                              |  2 +-
 .../grub2_bootloader_argument/bash.template     |  2 +-
 .../bash.template                               |  2 +-
 shared/templates/service_disabled/bash.template |  2 +-
 shared/templates/service_enabled/bash.template  |  2 +-
 shared/templates/sysctl/bash.template           |  2 +-
 28 files changed, 95 insertions(+), 23 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
 create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh

diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
index b187420..6985d6d 100644
--- a/controls/std_openeuler.yml
+++ b/controls/std_openeuler.yml
@@ -53,7 +53,7 @@ controls:
     rules:
       - accounts_umask_etc_bashrc
       - accounts_umask_etc_bashrc.severity=high
-      - var_accounts_user_umask=077
+      - var_accounts_user_umask=027
 
   - id: 1.1.6_no_global_writable_file
     title: Ensure No Global Writable File
@@ -280,8 +280,8 @@ controls:
       - base
     status: automated
     rules:
-      - service_avahi-daemon_disabled
-      - service_avahi-daemon_disabled.severity=high
+      - package_avahi_removed
+      - package_avahi_removed.severity=high
 
   - id: 1.2.10_ldap_server_not_installed
     title: Ensure LDAP Server Not Installed
@@ -711,6 +711,8 @@ controls:
       - base
     status: automated
     rules:
+      - require_singleuser_auth
+      - require_singleuser_auth.severity=high
       - require_emergency_target_auth
       - require_emergency_target_auth.severity=high
 
@@ -1627,6 +1629,8 @@ controls:
       - base
     status: automated
     rules:
+      - package_audit_installed
+      - package_audit_installed.severity=high
       - service_auditd_enabled
       - service_auditd_enabled.severity=high
 
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
index ae6e5f3..ceaa7cf 100644
--- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204,openeuler2203,openeuler2403
 
 title: 'Uninstall avahi Server Package'
 
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
index e799bae..2b0e53a 100644
--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Disable Avahi Server Software'
 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
index ba59876..cd31a2f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler
 
 
 {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^Protocol', '2', '%s %s') }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
index 5a1ec5c..7a918c9 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_openeuler
 
 
 {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^RhostsRSAAuthentication', 'no', '%s %s') }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
new file mode 100644
index 0000000..7574233
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/bash/shared.sh
@@ -0,0 +1,2 @@
+#platform=multi_platform_openeuler
+{{{ bash_sshd_config_set(parameter="PubkeyAcceptedKeyTypes", value="ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
index c830c07..d8499be 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
 
 {{% if product in [ "sle12", "sle15" ] %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
index 449d912..3426bdc 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
 
 {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
index 3a32aad..2b0f4b4 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_openeuler
 
 {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
 
diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
new file mode 100644
index 0000000..797f631
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/bash/shared.sh
@@ -0,0 +1,11 @@
+# platform = multi_platform_openeuler
+
+grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/system-auth
+if [ $? -eq 0 ]; then
+    sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/system-auth
+fi
+
+grep '^.*usercheck[\s]*=[\s]*0.*$' /etc/pam.d/password-auth
+if [ $? -nq 0 ]; then
+    sed -i 's/usercheck[\s]*=[\s]*0//g' /etc/pam.d/password-auth
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
new file mode 100644
index 0000000..9f3f5df
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/bash/shared.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_openeuler
+
+
+cracklib-unpacker /usr/share/cracklib/pw_dict > ssg_dictionary.txt
+create-cracklib-dict ssg_dictionary.txt
+rm -f ssg_dictionary.txt
+grep -oE '^ *dictcheck *= *(-?[0-9]+)([[:space:]]|$)' /etc/security/pwquality.conf
+if [ $? -ne 0 ]; then
+echo "dictcheck = 1" >> /etc/security/pwquality.conf
+fi
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index 6e47912..107ef85 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,openeuler2203,openeuler2403
 
 title: 'Require Authentication for Single User Mode'
 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
new file mode 100644
index 0000000..badcc54
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/bash/shared.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_openeuler
+
+grep -E -v '^(halt|sync|shutdown)' "/etc/passwd" | awk -F ":" '($7 != "/bin/false" && $7 != "/sbin/nologin") {print $1, $4}' | while read user group;
+do
+    grep -q -P "^.*?:[^:]*:$group:" "/etc/group"
+    if [ $? -ne 0 ]; then
+        groupdel $user
+        groupadd -g $group $user
+    fi
+done
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
index cf672ee..17ed6f2 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
 
 # uncomment the option if commented
   sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
index 8a53bf8..561ff0f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
 
 {{{ bash_instantiate_variables("var_auditd_max_log_file") }}}
 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
index 5007f96..1834f35 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
 
 {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}}
 
diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
new file mode 100644
index 0000000..7b8d8aa
--- /dev/null
+++ b/linux_os/guide/system/logging/configure_dump_journald_log/bash/shared.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_openeuler
+
+echo 'module(load="imjournal"' >> /etc/rsyslog.conf
+echo 'StateFile="/run/log/imjournal.state")' >> /etc/rsyslog.conf
+
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
index 773f889..f6f3772 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/bash/shared.sh
@@ -1,8 +1,8 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_openeuler
 
 if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
 	mkdir -p /etc/rsyslog.d
-	echo "cron.*	/var/log/cron" >> /etc/rsyslog.d/cron.conf
+	echo "cron.*	/var/log/cron" >> /etc/rsyslog.conf
 fi
 
 systemctl restart rsyslog.service
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
index 91b3495..265cda1 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_openeuler
 df --local -P | awk '{if (NR!=1) print $6}' \
 | xargs -I '$6' find '$6' -xdev -type d \
 \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
new file mode 100644
index 0000000..1057e81
--- /dev/null
+++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/bash/shared.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_openeuler
+
+echo "polkit.addAdminRule(function(action, subject) {
+    return ["unix-user:0"];
+});" > /etc/polkit-1/rules.d/50-default.rules
diff --git a/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
new file mode 100644
index 0000000..4ac660f
--- /dev/null
+++ b/linux_os/guide/system/software/su/su_always_set_path/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_openeuler
+
+grep '^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$' /etc/login.defs
+if [ $? -ne 0 ]; then
+    echo "ALWAYS_SET_PATH=yes" >> /etc/login.defs
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
new file mode 100644
index 0000000..f272602
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/sce/openeuler2403.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# platform = multi_platform_openeuler
+# check-import = stdout
+
+result=$XCCDF_RESULT_PASS
+
+comm="$(grep "(root)" /etc/sudoers | awk '{print $3}')"
+for line in $comm ; do
+	permissions=$(stat -c "%A" "$line")
+	if [[ ${permissions:8:1} == "w" ]]; then
+		result=$XCCDF_RESULT_FAIL
+		break
+	fi
+done
+
+exit "$result"
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
index 07e02fa..1a47c35 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_sle,multi_platform_openeuler
 {{% if product in ["sle12", "sle15"] %}}
 sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/*
 {{% else %}}
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
index 965f4d3..4cbedf3 100644
--- a/shared/templates/grub2_bootloader_argument/bash.template
+++ b/shared/templates/grub2_bootloader_argument/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
 {{#
    See the OVAL template for more comments.
    Product-specific categorization should be synced across all template content types
diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template
index 8d7d6e9..dd2ff30 100644
--- a/shared/templates/grub2_bootloader_argument_absent/bash.template
+++ b/shared/templates/grub2_bootloader_argument_absent/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
 {{#
    See the OVAL template for more comments.
    Product-specific categorization should be synced across all template content types
diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template
index 27666b0..6d6f027 100644
--- a/shared/templates/service_disabled/bash.template
+++ b/shared/templates/service_disabled/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
 # reboot = false
 # strategy = disable
 # complexity = low
diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template
index 00fd1ee..16ca4aa 100644
--- a/shared/templates/service_enabled/bash.template
+++ b/shared/templates/service_enabled/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
 # reboot = false
 # strategy = enable
 # complexity = low
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
index 49e4d94..4370e45 100644
--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_openeuler
 # reboot = true
 # strategy = disable
 # complexity = low
-- 
2.33.0