scap-security-guide/add-openeuler-support.patch

From a67afa8ba2bd385c1c645972fb7a2340d9d6f5bb Mon Sep 17 00:00:00 2001
From: "steven.y.gui" <steven_ygui@163.com>
Date: Mon, 19 Feb 2024 18:59:26 +0800
Subject: [PATCH] add openeuler support

---
 CMakeLists.txt                                | 10 ++++++
 controls/std_openeuler.yml                    | 34 +++++++++++++++++++
 .../services/ftp/package_ftp_removed/rule.yml |  2 +-
 .../package_telnet-server_removed/rule.yml    |  2 +-
 .../telnet/package_telnet_removed/rule.yml    |  2 +-
 .../tftp/package_tftp-server_removed/rule.yml |  2 +-
 .../tftp/package_tftp_removed/rule.yml        |  2 +-
 products/openeuler2203/CMakeLists.txt         |  6 ++++
 products/openeuler2203/product.yml            | 29 ++++++++++++++++
 .../openeuler2203/profiles/standard.profile   | 14 ++++++++
 .../openeuler2203/transforms/constants.xslt   |  9 +++++
 products/openeuler2403/CMakeLists.txt         |  6 ++++
 products/openeuler2403/product.yml            | 19 +++++++++++
 .../openeuler2403/profiles/standard.profile   | 14 ++++++++
 .../openeuler2403/transforms/constants.xslt   |  9 +++++
 .../oval/installed_OS_is_openeuler2203.xml    | 26 ++++++++++++++
 .../oval/installed_OS_is_openeuler2403.xml    | 26 ++++++++++++++
 .../oval/sysctl_kernel_ipv6_disable.xml       |  1 +
 ssg/constants.py                              |  6 ++++
 19 files changed, 214 insertions(+), 5 deletions(-)
 create mode 100644 controls/std_openeuler.yml
 create mode 100644 products/openeuler2203/CMakeLists.txt
 create mode 100644 products/openeuler2203/product.yml
 create mode 100644 products/openeuler2203/profiles/standard.profile
 create mode 100644 products/openeuler2203/transforms/constants.xslt
 create mode 100644 products/openeuler2403/CMakeLists.txt
 create mode 100644 products/openeuler2403/product.yml
 create mode 100644 products/openeuler2403/profiles/standard.profile
 create mode 100644 products/openeuler2403/transforms/constants.xslt
 create mode 100644 shared/checks/oval/installed_OS_is_openeuler2203.xml
 create mode 100644 shared/checks/oval/installed_OS_is_openeuler2403.xml

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7d1cffd..d911d05 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -83,6 +83,8 @@ option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${
 option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL9 "If enabled, the Oracle Linux 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_OPENEULER2403 "If enabled, the openEuler 24.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -277,6 +279,8 @@ message(STATUS "RHCOS4: ${SSG_PRODUCT_RHCOS4}")
 message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}")
 message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}")
 message(STATUS "Oracle Linux 9: ${SSG_PRODUCT_OL9}")
+message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}")
+message(STATUS "openEuler 24.03 LTS: ${SSG_PRODUCT_OPENEULER2403}")
 message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
 message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
 message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
@@ -374,6 +378,12 @@ endif()
 if (SSG_PRODUCT_OL9)
     add_subdirectory("products/ol9" "ol9")
 endif()
+if (SSG_PRODUCT_OPENEULER2203)
+    add_subdirectory("products/openeuler2203" "openeuler2203")
+endif()
+if (SSG_PRODUCT_OPENEULER2403)
+    add_subdirectory("products/openeuler2403" "openeuler2403")
+endif()
 if (SSG_PRODUCT_OPENSUSE)
     add_subdirectory("products/opensuse" "opensuse")
 endif()
diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
new file mode 100644
index 0000000..5599b04
--- /dev/null
+++ b/controls/std_openeuler.yml
@@ -0,0 +1,34 @@
+---
+policy: 'Standard Benchmark for openEuler'
+title: 'Standard Benchmark for openEuler'
+id: std_openeuler
+version: '1.0'
+levels:
+  - id: base
+
+controls:
+  - id: 1.2.1_ftp_not_installed
+    title: Ensure FTP is not installed
+    levels:
+      - base
+    status: automated
+    rules:
+      - package_ftp_removed
+
+  - id: 1.2.2_tftp_server_not_installed
+    title: Ensure TFTP Server is not installed
+    levels:
+      - base
+    status: automated
+    rules:
+      - package_tftp_removed
+      - package_tftp-server_removed
+
+  - id: 1.2.3_telnet_server_not_installed
+    title: Ensure Telnet Server is not installed
+    levels:
+      - base
+    status: automated
+    rules:
+      - package_telnet_removed
+      - package_telnet-server_removed
diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
index 1129ce7..ea1c772 100644
--- a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
+++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel9
+prodtype: openeuler2203,openeuler2403,rhel9
 
 title: 'Remove ftp Package'
 
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index 6b59559..26848b4 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 
 title: 'Uninstall telnet-server Package'
 
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
index 2571d50..8c77862 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Remove telnet Clients'
 
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index 93fd712..60c05ed 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 
 title: 'Uninstall tftp-server Package'
 
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
index 35e0a2f..6c078d3 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
 
 title: 'Remove tftp Daemon'
 
diff --git a/products/openeuler2203/CMakeLists.txt b/products/openeuler2203/CMakeLists.txt
new file mode 100644
index 0000000..258e195
--- /dev/null
+++ b/products/openeuler2203/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("openeuler2203")
diff --git a/products/openeuler2203/product.yml b/products/openeuler2203/product.yml
new file mode 100644
index 0000000..89e9f8b
--- /dev/null
+++ b/products/openeuler2203/product.yml
@@ -0,0 +1,29 @@
+product: openeuler2203
+full_name: openEuler 2203
+type: platform
+
+benchmark_id: OPENEULER2203
+benchmark_root: "../../linux_os/guide"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+cpes_root: "../../shared/applicability"
+cpes:
+  - openeuler2203lts:
+      name: "cpe:/o:openEuler:openEuler:22.03LTS:ga:server"
+      title: "openEuler 22.03 LTS"
+      check_id: installed_OS_is_openeuler2203
+
+  - openeuler2203lts-sp1:
+      name: "cpe:/o:openEuler:openEuler:22.03LTS_SP1:ga:server"
+      title: "openEuler 22.03 LTS SP1"
+      check_id: installed_OS_is_openeuler2203
+
+  - openeuler2203lts-sp2:
+      name: "cpe:/o:openEuler:openEuler:22.03LTS_SP2:ga:server"
+      title: "openEuler 22.03 LTS SP2"
+      check_id: installed_OS_is_openeuler2203
diff --git a/products/openeuler2203/profiles/standard.profile b/products/openeuler2203/profiles/standard.profile
new file mode 100644
index 0000000..8a7ae9c
--- /dev/null
+++ b/products/openeuler2203/profiles/standard.profile
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+metadata:
+    version: 1.0
+
+title: 'Standard System Security Profile for openEuler 22.03 LTS'
+
+description: |-
+    This profile contains rules to ensure standard security baseline
+    of an openEuler system. Regardless of your system's workload
+    all of these checks should pass.
+
+selections:
+    - std_openeuler:all:base
diff --git a/products/openeuler2203/transforms/constants.xslt b/products/openeuler2203/transforms/constants.xslt
new file mode 100644
index 0000000..666c119
--- /dev/null
+++ b/products/openeuler2203/transforms/constants.xslt
@@ -0,0 +1,9 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">openEuler2203</xsl:variable>
+<xsl:variable name="product_short_name">openEuler2203</xsl:variable>
+<xsl:variable name="prod_type">openeuler2203</xsl:variable>
+
+</xsl:stylesheet>
diff --git a/products/openeuler2403/CMakeLists.txt b/products/openeuler2403/CMakeLists.txt
new file mode 100644
index 0000000..4f7da6b
--- /dev/null
+++ b/products/openeuler2403/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("openeuler2403")
diff --git a/products/openeuler2403/product.yml b/products/openeuler2403/product.yml
new file mode 100644
index 0000000..c27aaa8
--- /dev/null
+++ b/products/openeuler2403/product.yml
@@ -0,0 +1,19 @@
+product: openeuler2403
+full_name: openEuler2403
+type: platform
+
+benchmark_id: OPENEULER2403
+benchmark_root: "../../linux_os/guide"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+cpes_root: "../../shared/applicability"
+cpes:
+  - openeuler2403:
+      name: "cpe:/o:openEuler:openEuler:24.03LTS:ga:server"
+      title: "openEuler 24.03 LTS"
+      check_id: installed_OS_is_openeuler2403
diff --git a/products/openeuler2403/profiles/standard.profile b/products/openeuler2403/profiles/standard.profile
new file mode 100644
index 0000000..e4e9450
--- /dev/null
+++ b/products/openeuler2403/profiles/standard.profile
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+metadata:
+    version: 1.0
+
+title: 'Standard System Security Profile for openEuler'
+
+description: |-
+    This profile contains rules to ensure standard security baseline
+    of all openEuler systems. Regardless of your system's workload
+    all of these checks should pass.
+
+selections:
+    - std_openeuler:all:base
diff --git a/products/openeuler2403/transforms/constants.xslt b/products/openeuler2403/transforms/constants.xslt
new file mode 100644
index 0000000..60286a9
--- /dev/null
+++ b/products/openeuler2403/transforms/constants.xslt
@@ -0,0 +1,9 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">openEuler2403</xsl:variable>
+<xsl:variable name="product_short_name">openEuler2403</xsl:variable>
+<xsl:variable name="prod_type">openeuler2403</xsl:variable>
+
+</xsl:stylesheet>
diff --git a/shared/checks/oval/installed_OS_is_openeuler2203.xml b/shared/checks/oval/installed_OS_is_openeuler2203.xml
new file mode 100644
index 0000000..6a1ce97
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_openeuler2203.xml
@@ -0,0 +1,26 @@
+<def-group>
+  <definition class="inventory" id="installed_OS_is_openeuler2203" version="1">
+    <metadata>
+      <title>openEuler 22.03 LTS</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>The operating system installed on the system is openEuler 22.03 LTS.</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion comment="openEuler 22.03 LTS is installed" test_ref="test_openeuler2203_installed" />
+    </criteria>
+  </definition>
+
+  <linux:rpminfo_test check="all" check_existence="all_exist" comment="openEuler 22.03 LTS is installed" id="test_openeuler2203_installed" version="1">
+    <linux:object object_ref="obj_openeuler2203_installed" />
+    <linux:state state_ref="state_openeuler2203_installed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_openeuler2203_installed" version="1">
+    <linux:version operation="pattern match">^22\.03.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_openeuler2203_installed" version="1">
+    <linux:name>openEuler-release</linux:name>
+  </linux:rpminfo_object>
+
+</def-group>
diff --git a/shared/checks/oval/installed_OS_is_openeuler2403.xml b/shared/checks/oval/installed_OS_is_openeuler2403.xml
new file mode 100644
index 0000000..31c6084
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_openeuler2403.xml
@@ -0,0 +1,26 @@
+<def-group>
+  <definition class="inventory" id="installed_OS_is_openeuler2403" version="1">
+    <metadata>
+      <title>openEuler</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>The operating system installed on the system is openEuler 24.03 LTS</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion comment="openEuler 24.03 LTS is installed" test_ref="test_openeuler2403_installed" />
+    </criteria>
+  </definition>
+
+  <linux:rpminfo_test check="all" check_existence="all_exist" comment="openEuler 24.03 LTS is installed" id="test_openeuler2403_installed" version="1">
+    <linux:object object_ref="obj_openeuler2403_installed" />
+    <linux:state state_ref="state_openeuler2403_installed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_openeuler2403_installed" version="1">
+    <linux:version operation="pattern match">^24\.03.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_openeuler2403_installed" version="1">
+    <linux:name>openEuler-release</linux:name>
+  </linux:rpminfo_object>
+
+</def-group>
diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
index affb977..593ecda 100644
--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
@@ -8,6 +8,7 @@
 	<platform>multi_platform_debian</platform>
 	<platform>multi_platform_example</platform>
 	<platform>multi_platform_fedora</platform>
+	<platform>multi_platform_openeuler</platform>
 	<platform>multi_platform_opensuse</platform>
 	<platform>multi_platform_ol</platform>
 	<platform>multi_platform_rhcos</platform>
diff --git a/ssg/constants.py b/ssg/constants.py
index f66ba00..ff5bb02 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -50,6 +50,7 @@ product_directories = [
     'ocp4',
     'rhcos4',
     'ol7', 'ol8', 'ol9',
+    'openeuler2203', 'openeuler2403',
     'opensuse',
     'rhel7', 'rhel8', 'rhel9',
     'rhv4',
@@ -207,6 +208,8 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
     "Oracle Linux 7": "ol7",
     "Oracle Linux 8": "ol8",
     "Oracle Linux 9": "ol9",
+    "openEuler 2203": "openeuler2203",
+    "openEuler 2403": "openeuler2403",
     "openSUSE": "opensuse",
     "Red Hat Enterprise Linux 7": "rhel7",
     "Red Hat Enterprise Linux 8": "rhel8",
@@ -266,6 +269,7 @@ REFERENCES = dict(
 
 
 MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+                       "openeuler",
                        "opensuse", "sle", "ol", "ocp", "rhcos",
                        "example", "eks", "alinux", "uos", "anolis"]
 
@@ -276,6 +280,7 @@ MULTI_PLATFORM_MAPPING = {
     "multi_platform_example": ["example"],
     "multi_platform_eks": ["eks"],
     "multi_platform_fedora": ["fedora"],
+    "multi_platform_openeuler": ["openeuler2203", "openeuler2403"],
     "multi_platform_opensuse": ["opensuse"],
     "multi_platform_ol": ["ol7", "ol8", "ol9"],
     "multi_platform_ocp": ["ocp4"],
@@ -447,6 +452,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
     'uos': 'UnionTech OS Server',
     'eap': 'JBoss Enterprise Application Platform',
     'fuse': 'JBoss Fuse',
+    'openeuler': 'openEuler',
     'opensuse': 'openSUSE',
     'sle': 'SUSE Linux Enterprise',
     'example': 'Example',
-- 
2.21.0.windows.1