11 changed files with 324 additions and 8511 deletions
--- a/add-openeuler-control-rules.patch
+++ b/add-openeuler-control-rules.patch
--- a/add-openeuler-support.patch
+++ b/add-openeuler-support.patch
@ -1,451 +0,0 @@
 From a67afa8ba2bd385c1c645972fb7a2340d9d6f5bb Mon Sep 17 00:00:00 2001
 From: "steven.y.gui" <steven_ygui@163.com>
 Date: Mon, 19 Feb 2024 18:59:26 +0800
 Subject: [PATCH] add openeuler support
 ---
 CMakeLists.txt                                | 10 ++++++
 controls/std_openeuler.yml                    | 34 +++++++++++++++++++
 .../services/ftp/package_ftp_removed/rule.yml |  2 +-
 .../package_telnet-server_removed/rule.yml    |  2 +-
 .../telnet/package_telnet_removed/rule.yml    |  2 +-
 .../tftp/package_tftp-server_removed/rule.yml |  2 +-
 .../tftp/package_tftp_removed/rule.yml        |  2 +-
 products/openeuler2203/CMakeLists.txt         |  6 ++++
 products/openeuler2203/product.yml            | 29 ++++++++++++++++
 .../openeuler2203/profiles/standard.profile   | 14 ++++++++
 .../openeuler2203/transforms/constants.xslt   |  9 +++++
 products/openeuler2403/CMakeLists.txt         |  6 ++++
 products/openeuler2403/product.yml            | 19 +++++++++++
 .../openeuler2403/profiles/standard.profile   | 14 ++++++++
 .../openeuler2403/transforms/constants.xslt   |  9 +++++
 .../oval/installed_OS_is_openeuler2203.xml    | 26 ++++++++++++++
 .../oval/installed_OS_is_openeuler2403.xml    | 26 ++++++++++++++
 .../oval/sysctl_kernel_ipv6_disable.xml       |  1 +
 ssg/constants.py                              |  6 ++++
 19 files changed, 214 insertions(+), 5 deletions(-)
 create mode 100644 controls/std_openeuler.yml
 create mode 100644 products/openeuler2203/CMakeLists.txt
 create mode 100644 products/openeuler2203/product.yml
 create mode 100644 products/openeuler2203/profiles/standard.profile
 create mode 100644 products/openeuler2203/transforms/constants.xslt
 create mode 100644 products/openeuler2403/CMakeLists.txt
 create mode 100644 products/openeuler2403/product.yml
 create mode 100644 products/openeuler2403/profiles/standard.profile
 create mode 100644 products/openeuler2403/transforms/constants.xslt
 create mode 100644 shared/checks/oval/installed_OS_is_openeuler2203.xml
 create mode 100644 shared/checks/oval/installed_OS_is_openeuler2403.xml
 diff --git a/CMakeLists.txt b/CMakeLists.txt
 index 7d1cffd..d911d05 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
@@ -83,6 +83,8 @@ option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${
 option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL9 "If enabled, the Oracle Linux 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 +option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
 +option(SSG_PRODUCT_OPENEULER2403 "If enabled, the openEuler 24.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -277,6 +279,8 @@ message(STATUS "RHCOS4: ${SSG_PRODUCT_RHCOS4}")
 message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}")
 message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}")
 message(STATUS "Oracle Linux 9: ${SSG_PRODUCT_OL9}")
 +message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}")
 +message(STATUS "openEuler 24.03 LTS: ${SSG_PRODUCT_OPENEULER2403}")
 message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
 message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
 message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
@@ -374,6 +378,12 @@ endif()
 if (SSG_PRODUCT_OL9)
     add_subdirectory("products/ol9" "ol9")
 endif()
 +if (SSG_PRODUCT_OPENEULER2203)
 +    add_subdirectory("products/openeuler2203" "openeuler2203")
 +endif()
 +if (SSG_PRODUCT_OPENEULER2403)
 +    add_subdirectory("products/openeuler2403" "openeuler2403")
 +endif()
 if (SSG_PRODUCT_OPENSUSE)
     add_subdirectory("products/opensuse" "opensuse")
 endif()
 diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
 new file mode 100644
 index 0000000..5599b04
 --- /dev/null
 +++ b/controls/std_openeuler.yml
@@ -0,0 +1,34 @@
 +---
 +policy: 'Standard Benchmark for openEuler'
 +title: 'Standard Benchmark for openEuler'
 +id: std_openeuler
 +version: '1.0'
 +levels:
 +  - id: base
 +
 +controls:
 +  - id: 1.2.1_ftp_not_installed
 +    title: Ensure FTP is not installed
 +    levels:
 +      - base
 +    status: automated
 +    rules:
 +      - package_ftp_removed
 +
 +  - id: 1.2.2_tftp_server_not_installed
 +    title: Ensure TFTP Server is not installed
 +    levels:
 +      - base
 +    status: automated
 +    rules:
 +      - package_tftp_removed
 +      - package_tftp-server_removed
 +
 +  - id: 1.2.3_telnet_server_not_installed
 +    title: Ensure Telnet Server is not installed
 +    levels:
 +      - base
 +    status: automated
 +    rules:
 +      - package_telnet_removed
 +      - package_telnet-server_removed
 diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
 index 1129ce7..ea1c772 100644
 --- a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
 +++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 -prodtype: rhel9
 +prodtype: openeuler2203,openeuler2403,rhel9
 title: 'Remove ftp Package'
 diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
 index 6b59559..26848b4 100644
 --- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
 +++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 -prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 +prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Uninstall telnet-server Package'
 diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
 index 2571d50..8c77862 100644
 --- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
 +++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 -prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 +prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Remove telnet Clients'
 diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
 index 93fd712..60c05ed 100644
 --- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
 +++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 -prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 +prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Uninstall tftp-server Package'
 diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
 index 35e0a2f..6c078d3 100644
 --- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
 +++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 -prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
 +prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Remove tftp Daemon'
 diff --git a/products/openeuler2203/CMakeLists.txt b/products/openeuler2203/CMakeLists.txt
 new file mode 100644
 index 0000000..258e195
 --- /dev/null
 +++ b/products/openeuler2203/CMakeLists.txt
@@ -0,0 +1,6 @@
 +# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way.
 +if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
 +    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
 +endif()
 +
 +ssg_build_product("openeuler2203")
 diff --git a/products/openeuler2203/product.yml b/products/openeuler2203/product.yml
 new file mode 100644
 index 0000000..89e9f8b
 --- /dev/null
 +++ b/products/openeuler2203/product.yml
@@ -0,0 +1,29 @@
 +product: openeuler2203
 +full_name: openEuler 2203
 +type: platform
 +
 +benchmark_id: OPENEULER2203
 +benchmark_root: "../../linux_os/guide"
 +
 +profiles_root: "./profiles"
 +
 +pkg_manager: "dnf"
 +
 +init_system: "systemd"
 +
 +cpes_root: "../../shared/applicability"
 +cpes:
 +  - openeuler2203lts:
 +      name: "cpe:/o:openEuler:openEuler:22.03LTS:ga:server"
 +      title: "openEuler 22.03 LTS"
 +      check_id: installed_OS_is_openeuler2203
 +
 +  - openeuler2203lts-sp1:
 +      name: "cpe:/o:openEuler:openEuler:22.03LTS_SP1:ga:server"
 +      title: "openEuler 22.03 LTS SP1"
 +      check_id: installed_OS_is_openeuler2203
 +
 +  - openeuler2203lts-sp2:
 +      name: "cpe:/o:openEuler:openEuler:22.03LTS_SP2:ga:server"
 +      title: "openEuler 22.03 LTS SP2"
 +      check_id: installed_OS_is_openeuler2203
 diff --git a/products/openeuler2203/profiles/standard.profile b/products/openeuler2203/profiles/standard.profile
 new file mode 100644
 index 0000000..8a7ae9c
 --- /dev/null
 +++ b/products/openeuler2203/profiles/standard.profile
@@ -0,0 +1,14 @@
 +documentation_complete: true
 +
 +metadata:
 +    version: 1.0
 +
 +title: 'Standard System Security Profile for openEuler 22.03 LTS'
 +
 +description: |-
 +    This profile contains rules to ensure standard security baseline
 +    of an openEuler system. Regardless of your system's workload
 +    all of these checks should pass.
 +
 +selections:
 +    - std_openeuler:all:base
 diff --git a/products/openeuler2203/transforms/constants.xslt b/products/openeuler2203/transforms/constants.xslt
 new file mode 100644
 index 0000000..666c119
 --- /dev/null
 +++ b/products/openeuler2203/transforms/constants.xslt
@@ -0,0 +1,9 @@
 +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 +
 +<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
 +
 +<xsl:variable name="product_long_name">openEuler2203</xsl:variable>
 +<xsl:variable name="product_short_name">openEuler2203</xsl:variable>
 +<xsl:variable name="prod_type">openeuler2203</xsl:variable>
 +
 +</xsl:stylesheet>
 diff --git a/products/openeuler2403/CMakeLists.txt b/products/openeuler2403/CMakeLists.txt
 new file mode 100644
 index 0000000..4f7da6b
 --- /dev/null
 +++ b/products/openeuler2403/CMakeLists.txt
@@ -0,0 +1,6 @@
 +# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way.
 +if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
 +    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
 +endif()
 +
 +ssg_build_product("openeuler2403")
 diff --git a/products/openeuler2403/product.yml b/products/openeuler2403/product.yml
 new file mode 100644
 index 0000000..c27aaa8
 --- /dev/null
 +++ b/products/openeuler2403/product.yml
@@ -0,0 +1,19 @@
 +product: openeuler2403
 +full_name: openEuler2403
 +type: platform
 +
 +benchmark_id: OPENEULER2403
 +benchmark_root: "../../linux_os/guide"
 +
 +profiles_root: "./profiles"
 +
 +pkg_manager: "dnf"
 +
 +init_system: "systemd"
 +
 +cpes_root: "../../shared/applicability"
 +cpes:
 +  - openeuler2403:
 +      name: "cpe:/o:openEuler:openEuler:24.03LTS:ga:server"
 +      title: "openEuler 24.03 LTS"
 +      check_id: installed_OS_is_openeuler2403
 diff --git a/products/openeuler2403/profiles/standard.profile b/products/openeuler2403/profiles/standard.profile
 new file mode 100644
 index 0000000..e4e9450
 --- /dev/null
 +++ b/products/openeuler2403/profiles/standard.profile
@@ -0,0 +1,14 @@
 +documentation_complete: true
 +
 +metadata:
 +    version: 1.0
 +
 +title: 'Standard System Security Profile for openEuler'
 +
 +description: |-
 +    This profile contains rules to ensure standard security baseline
 +    of all openEuler systems. Regardless of your system's workload
 +    all of these checks should pass.
 +
 +selections:
 +    - std_openeuler:all:base
 diff --git a/products/openeuler2403/transforms/constants.xslt b/products/openeuler2403/transforms/constants.xslt
 new file mode 100644
 index 0000000..60286a9
 --- /dev/null
 +++ b/products/openeuler2403/transforms/constants.xslt
@@ -0,0 +1,9 @@
 +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 +
 +<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
 +
 +<xsl:variable name="product_long_name">openEuler2403</xsl:variable>
 +<xsl:variable name="product_short_name">openEuler2403</xsl:variable>
 +<xsl:variable name="prod_type">openeuler2403</xsl:variable>
 +
 +</xsl:stylesheet>
 diff --git a/shared/checks/oval/installed_OS_is_openeuler2203.xml b/shared/checks/oval/installed_OS_is_openeuler2203.xml
 new file mode 100644
 index 0000000..6a1ce97
 --- /dev/null
 +++ b/shared/checks/oval/installed_OS_is_openeuler2203.xml
@@ -0,0 +1,26 @@
 +<def-group>
 +  <definition class="inventory" id="installed_OS_is_openeuler2203" version="1">
 +    <metadata>
 +      <title>openEuler 22.03 LTS</title>
 +      <affected family="unix">
 +        <platform>multi_platform_all</platform>
 +      </affected>
 +      <description>The operating system installed on the system is openEuler 22.03 LTS.</description>
 +    </metadata>
 +    <criteria operator="AND">
 +      <criterion comment="openEuler 22.03 LTS is installed" test_ref="test_openeuler2203_installed" />
 +    </criteria>
 +  </definition>
 +
 +  <linux:rpminfo_test check="all" check_existence="all_exist" comment="openEuler 22.03 LTS is installed" id="test_openeuler2203_installed" version="1">
 +    <linux:object object_ref="obj_openeuler2203_installed" />
 +    <linux:state state_ref="state_openeuler2203_installed" />
 +  </linux:rpminfo_test>
 +  <linux:rpminfo_state id="state_openeuler2203_installed" version="1">
 +    <linux:version operation="pattern match">^22\.03.*$</linux:version>
 +  </linux:rpminfo_state>
 +  <linux:rpminfo_object id="obj_openeuler2203_installed" version="1">
 +    <linux:name>openEuler-release</linux:name>
 +  </linux:rpminfo_object>
 +
 +</def-group>
 diff --git a/shared/checks/oval/installed_OS_is_openeuler2403.xml b/shared/checks/oval/installed_OS_is_openeuler2403.xml
 new file mode 100644
 index 0000000..31c6084
 --- /dev/null
 +++ b/shared/checks/oval/installed_OS_is_openeuler2403.xml
@@ -0,0 +1,26 @@
 +<def-group>
 +  <definition class="inventory" id="installed_OS_is_openeuler2403" version="1">
 +    <metadata>
 +      <title>openEuler</title>
 +      <affected family="unix">
 +        <platform>multi_platform_all</platform>
 +      </affected>
 +      <description>The operating system installed on the system is openEuler 24.03 LTS</description>
 +    </metadata>
 +    <criteria operator="AND">
 +      <criterion comment="openEuler 24.03 LTS is installed" test_ref="test_openeuler2403_installed" />
 +    </criteria>
 +  </definition>
 +
 +  <linux:rpminfo_test check="all" check_existence="all_exist" comment="openEuler 24.03 LTS is installed" id="test_openeuler2403_installed" version="1">
 +    <linux:object object_ref="obj_openeuler2403_installed" />
 +    <linux:state state_ref="state_openeuler2403_installed" />
 +  </linux:rpminfo_test>
 +  <linux:rpminfo_state id="state_openeuler2403_installed" version="1">
 +    <linux:version operation="pattern match">^24\.03.*$</linux:version>
 +  </linux:rpminfo_state>
 +  <linux:rpminfo_object id="obj_openeuler2403_installed" version="1">
 +    <linux:name>openEuler-release</linux:name>
 +  </linux:rpminfo_object>
 +
 +</def-group>
 diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
 index affb977..593ecda 100644
 --- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
 +++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
@@ -8,6 +8,7 @@
 	<platform>multi_platform_debian</platform>
 	<platform>multi_platform_example</platform>
 	<platform>multi_platform_fedora</platform>
 +	<platform>multi_platform_openeuler</platform>
 	<platform>multi_platform_opensuse</platform>
 	<platform>multi_platform_ol</platform>
 	<platform>multi_platform_rhcos</platform>
 diff --git a/ssg/constants.py b/ssg/constants.py
 index f66ba00..ff5bb02 100644
 --- a/ssg/constants.py
 +++ b/ssg/constants.py
@@ -50,6 +50,7 @@ product_directories = [
     'ocp4',
     'rhcos4',
     'ol7', 'ol8', 'ol9',
 +    'openeuler2203', 'openeuler2403',
     'opensuse',
     'rhel7', 'rhel8', 'rhel9',
     'rhv4',
@@ -207,6 +208,8 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
     "Oracle Linux 7": "ol7",
     "Oracle Linux 8": "ol8",
     "Oracle Linux 9": "ol9",
 +    "openEuler 2203": "openeuler2203",
 +    "openEuler 2403": "openeuler2403",
     "openSUSE": "opensuse",
     "Red Hat Enterprise Linux 7": "rhel7",
     "Red Hat Enterprise Linux 8": "rhel8",
@@ -266,6 +269,7 @@ REFERENCES = dict(
 MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
 +                       "openeuler",
                        "opensuse", "sle", "ol", "ocp", "rhcos",
                        "example", "eks", "alinux", "uos", "anolis"]
@@ -276,6 +280,7 @@ MULTI_PLATFORM_MAPPING = {
     "multi_platform_example": ["example"],
     "multi_platform_eks": ["eks"],
     "multi_platform_fedora": ["fedora"],
 +    "multi_platform_openeuler": ["openeuler2203", "openeuler2403"],
     "multi_platform_opensuse": ["opensuse"],
     "multi_platform_ol": ["ol7", "ol8", "ol9"],
     "multi_platform_ocp": ["ocp4"],
@@ -447,6 +452,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
     'uos': 'UnionTech OS Server',
     'eap': 'JBoss Enterprise Application Platform',
     'fuse': 'JBoss Fuse',
 +    'openeuler': 'openEuler',
     'opensuse': 'openSUSE',
     'sle': 'SUSE Linux Enterprise',
     'example': 'Example',
 -- 
 2.21.0.windows.1
--- a/backport-fix-deprecated-getiterator-function.patch
+++ b/backport-fix-deprecated-getiterator-function.patch
@ -0,0 +1,55 @@
 From b0adc1d53780def4a95e310b6d26bb91ee97177e Mon Sep 17 00:00:00 2001
 From: Vojtech Polasek <vpolasek@redhat.com>
 Date: Mon, 8 Jun 2020 13:27:41 +0200
 Subject: [PATCH] fix deprecated getiterator function
 Signed-off-by: HuaxinLu <luhuaxin1@huawei.com>
 ---
 ssg/build_cpe.py    | 6 +++---
 ssg/id_translate.py | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
 diff --git a/ssg/build_cpe.py b/ssg/build_cpe.py
 index 2e5d24a5da..8c046777a5 100644
 --- a/ssg/build_cpe.py
 +++ b/ssg/build_cpe.py
@@ -17,7 +17,7 @@ def extract_subelement(objects, sub_elem_type):
     """
     for obj in objects:
 -        for subelement in obj.getiterator():
 +        for subelement in obj.iter():
             if subelement.get(sub_elem_type):
                 sub_element = subelement.get(sub_elem_type)
                 return sub_element
@@ -44,12 +44,12 @@ def extract_referred_nodes(tree_with_refs, tree_with_ids, attrname):
     reflist = []
     elementlist = []
 -    for element in tree_with_refs.getiterator():
 +    for element in tree_with_refs.iter():
         value = element.get(attrname)
         if value is not None:
             reflist.append(value)
 -    for element in tree_with_ids.getiterator():
 +    for element in tree_with_ids.iter():
         if element.get("id") in reflist:
             elementlist.append(element)
 diff --git a/ssg/id_translate.py b/ssg/id_translate.py
 index 72b07be181..ba92259049 100644
 --- a/ssg/id_translate.py
 +++ b/ssg/id_translate.py
@@ -64,7 +64,7 @@ class IDTranslator(object):
         )
     def translate(self, tree, store_defname=False):
 -        for element in tree.getiterator():
 +        for element in tree.iter():
             idname = element.get("id")
             if idname:
                 # store the old name if requested (for OVAL definitions)
 -- 
 2.30.0
--- a/backport-fix-deprecated-instance-of-element.getchildren.patch
+++ b/backport-fix-deprecated-instance-of-element.getchildren.patch
@ -0,0 +1,40 @@
 From e435bf2dc59d652710104a1c59332e410b12bb64 Mon Sep 17 00:00:00 2001
 From: Vojtech Polasek <vpolasek@redhat.com>
 Date: Mon, 8 Jun 2020 12:33:48 +0200
 Subject: [PATCH] fix deprecated instance of element.getchildren
 Signed-off-by: HuaxinLu <luhuaxin1@huawei.com>
 ---
 ssg/build_remediations.py | 2 +-
 ssg/build_stig.py         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
 index fdde0f268a..c18d6bd549 100644
 --- a/ssg/build_remediations.py
 +++ b/ssg/build_remediations.py
@@ -735,7 +735,7 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
         # First concat output form of modified fix text (including text appended
         # to all children of the fix)
         modfix = [fix.text]
 -        for child in fix.getchildren():
 +        for child in list(fix):
             if child is not None and child.text is not None:
                 modfix.append(child.text)
         modfixtext = "".join(modfix)
 diff --git a/ssg/build_stig.py b/ssg/build_stig.py
 index 528285f3d1..6122981fcb 100644
 --- a/ssg/build_stig.py
 +++ b/ssg/build_stig.py
@@ -38,7 +38,7 @@ def add_references(reference, destination):
         for ref in refs:
             if (ref.get('href').startswith(stig_refs) and
                     ref.text in dictionary):
 -                index = rule.getchildren().index(ref)
 +                index = list(rule).index(ref)
                 new_ref = ET.Element(
                     '{%s}reference' % XCCDF11_NS, {'href': stig_ns})
                 new_ref.text = dictionary[ref.text]
 -- 
 2.30.0
--- a/backport-fix-for-older-python-versions-lacking-.iter-method.patch
+++ b/backport-fix-for-older-python-versions-lacking-.iter-method.patch
@ -0,0 +1,124 @@
 From 435ad2a81f4d56da42a2b24cad9e0e04d0523fd4 Mon Sep 17 00:00:00 2001
 From: Vojtech Polasek <vpolasek@redhat.com>
 Date: Tue, 9 Jun 2020 18:55:42 +0200
 Subject: [PATCH] fix for older python versions lacking .iter method
 Signed-off-by: HuaxinLu <luhuaxin1@huawei.com>
 ---
 build-scripts/verify_references.py            |  8 +++++-
 .../pcidss/transform_benchmark_to_pcidss.py   |  8 +++++-
 ssg/build_cpe.py                              | 28 +++++++++++++++++--
 ssg/id_translate.py                           |  9 +++++-
 4 files changed, 47 insertions(+), 6 deletions(-)
 diff --git a/build-scripts/verify_references.py b/build-scripts/verify_references.py
 index 95d387f46f..003aa4c48c 100755
 --- a/build-scripts/verify_references.py
 +++ b/build-scripts/verify_references.py
@@ -179,7 +179,13 @@ def main():
     check_content_refs = xccdftree.findall(".//{%s}check-content-ref"
                                            % xccdf_ns)
 -    xccdf_parent_map = dict((c, p) for p in xccdftree.iter() for c in p)
 +    # decide on usage of .iter or .getiterator method of elementtree class.
 +    # getiterator is deprecated in Python 3.9, but iter is not available in
 +    # older versions
 +    if getattr(xccdftree, 'iter', None) == None:
 +        xccdf_parent_map = dict((c, p) for p in xccdftree.getiterator() for c in p)
 +    else:
 +        xccdf_parent_map = dict((c, p) for p in xccdftree.iter() for c in p)
     # now we can actually do the verification work here
     if options.rules_with_invalid_checks or options.all_checks:
         for check_content_ref in check_content_refs:
 diff --git a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
 index c94b12c45c..05df5a9889 100755
 --- a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
 +++ b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
@@ -111,7 +111,13 @@ def main():
             benchmark.findall(".//{%s}Value" % (XCCDF_NAMESPACE)):
         values.append(value)
 -    parent_map = dict((c, p) for p in benchmark.iter() for c in p)
 +    # decide on usage of .iter or .getiterator method of elementtree class.
 +    # getiterator is deprecated in Python 3.9, but iter is not available in
 +    # older versions
 +    if getattr(benchmark, "iter", None) == None:
 +        parent_map = dict((c, p) for p in benchmark.getiterator() for c in p)
 +    else:
 +        parent_map = dict((c, p) for p in benchmark.iter() for c in p)
     for rule in \
             benchmark.findall(".//{%s}Rule" % (XCCDF_NAMESPACE)):
         parent_map[rule].remove(rule)
 diff --git a/ssg/build_cpe.py b/ssg/build_cpe.py
 index 8c046777a5..26f182395e 100644
 --- a/ssg/build_cpe.py
 +++ b/ssg/build_cpe.py
@@ -17,7 +17,14 @@ def extract_subelement(objects, sub_elem_type):
     """
     for obj in objects:
 -        for subelement in obj.iter():
 +        # decide on usage of .iter or .getiterator method of elementtree class.
 +        # getiterator is deprecated in Python 3.9, but iter is not available in
 +        # older versions
 +        if getattr(obj, "iter", None) == None:
 +            obj_iterator = obj.getiterator()
 +        else:
 +            obj_iterator = obj.iter()
 +        for subelement in obj_iterator:
             if subelement.get(sub_elem_type):
                 sub_element = subelement.get(sub_elem_type)
                 return sub_element
@@ -44,12 +51,27 @@ def extract_referred_nodes(tree_with_refs, tree_with_ids, attrname):
     reflist = []
     elementlist = []
 -    for element in tree_with_refs.iter():
 +
 +    # decide on usage of .iter or .getiterator method of elementtree class.
 +    # getiterator is deprecated in Python 3.9, but iter is not available in
 +    # older versions
 +    if getattr(tree_with_refs, "iter", None) == None:
 +        tree_with_refs_iterator = tree_with_refs.getiterator()
 +    else:
 +        tree_with_refs_iterator = tree_with_refs.iter()
 +    for element in tree_with_refs_iterator:
         value = element.get(attrname)
         if value is not None:
             reflist.append(value)
 -    for element in tree_with_ids.iter():
 +    # decide on usage of .iter or .getiterator method of elementtree class.
 +    # getiterator is deprecated in Python 3.9, but iter is not available in
 +    # older versions
 +    if getattr(tree_with_ids, "iter", None) == None:
 +        tree_with_ids_iterator = tree_with_ids.getiterator()
 +    else:
 +        tree_with_ids_iterator = tree_with_ids.iter()
 +    for element in tree_with_ids_iterator:
         if element.get("id") in reflist:
             elementlist.append(element)
 diff --git a/ssg/id_translate.py b/ssg/id_translate.py
 index ba92259049..520c47fbfd 100644
 --- a/ssg/id_translate.py
 +++ b/ssg/id_translate.py
@@ -64,7 +64,14 @@ class IDTranslator(object):
         )
     def translate(self, tree, store_defname=False):
 -        for element in tree.iter():
 +        # decide on usage of .iter or .getiterator method of elementtree class.
 +        # getiterator is deprecated in Python 3.9, but iter is not available in
 +        # older versions
 +        if getattr(tree, "iter", None) == None:
 +            tree_iterator = tree.getiterator()
 +        else:
 +            tree_iterator = tree.iter()
 +        for element in tree_iterator:
             idname = element.get("id")
             if idname:
                 # store the old name if requested (for OVAL definitions)
 -- 
 2.30.0
--- a/backport-fix-python-imports-of-ElementTree.patch
+++ b/backport-fix-python-imports-of-ElementTree.patch
@ -0,0 +1,43 @@
 From 27dc7ecafe8ab5c2e0bbbb2fcdc399bece5c250e Mon Sep 17 00:00:00 2001
 From: Vojtech Polasek <vpolasek@redhat.com>
 Date: Mon, 8 Jun 2020 12:02:16 +0200
 Subject: [PATCH] fix python imports of ElementTree
 Signed-off-by: HuaxinLu <luhuaxin1@huawei.com>
 ---
 shared/transforms/pcidss/transform_benchmark_to_pcidss.py | 5 ++++-
 ssg/xml.py                                                | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
 diff --git a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
 index 3023e0435f..0ceaf727d3 100755
 --- a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
 +++ b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
@@ -20,7 +20,10 @@
 #      Martin Preisler <mpreisle@redhat.com>
 import logging
 -from xml.etree import cElementTree as ElementTree
 +try:
 +    from xml.etree import cElementTree as ElementTree
 +except ImportError:
 +    from xml.etree import ElementTree as ElementTree
 import json
 import sys
 import os
 diff --git a/ssg/xml.py b/ssg/xml.py
 index 736875a9d2..71c1381c23 100644
 --- a/ssg/xml.py
 +++ b/ssg/xml.py
@@ -9,7 +9,7 @@ from .constants import xml_version, oval_header, timestamp, PREFIX_TO_NS
 try:
     from xml.etree import cElementTree as ElementTree
 except ImportError:
 -    import cElementTree as ElementTree
 +    from xml.etree import ElementTree as ElementTree
 def oval_generated_header(product_name, schema_version, ssg_version):
 -- 
 2.30.0
--- a/backport-fix-remaining-getchildren-and-getiterator-functions.patch
+++ b/backport-fix-remaining-getchildren-and-getiterator-functions.patch
@ -0,0 +1,54 @@
 From a0da16c5eeb9a7414f7f2a37a6b270c8d04b2ddf Mon Sep 17 00:00:00 2001
 From: Vojtech Polasek <vpolasek@redhat.com>
 Date: Mon, 8 Jun 2020 14:01:55 +0200
 Subject: [PATCH] fix remaining getchildren and getiterator functions
 Signed-off-by: HuaxinLu <luhuaxin1@huawei.com>
 ---
 build-scripts/sds_move_ocil_to_checks.py                  | 2 +-
 build-scripts/verify_references.py                        | 2 +-
 shared/transforms/pcidss/transform_benchmark_to_pcidss.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
 diff --git a/build-scripts/sds_move_ocil_to_checks.py b/build-scripts/sds_move_ocil_to_checks.py
 index 5f5139659e..64dc19084d 100755
 --- a/build-scripts/sds_move_ocil_to_checks.py
 +++ b/build-scripts/sds_move_ocil_to_checks.py
@@ -106,7 +106,7 @@ def move_ocil_content_from_ds_extended_component_to_ds_component(datastreamtree,
     timestamp = extendedcomp.get('timestamp')
     # Get children elements of <ds:extended-component> containing OCIL content
 -    extchildren = extendedcomp.getchildren()
 +    extchildren = list(extendedcomp)
     # There should be just one OCIL subcomponent in <ds:extended-component>
     if len(extchildren) != 1:
         sys.stderr.write("ds:extended-component contains more than one element!"
 diff --git a/build-scripts/verify_references.py b/build-scripts/verify_references.py
 index 69b3e2d1f7..95d387f46f 100755
 --- a/build-scripts/verify_references.py
 +++ b/build-scripts/verify_references.py
@@ -179,7 +179,7 @@ def main():
     check_content_refs = xccdftree.findall(".//{%s}check-content-ref"
                                            % xccdf_ns)
 -    xccdf_parent_map = dict((c, p) for p in xccdftree.getiterator() for c in p)
 +    xccdf_parent_map = dict((c, p) for p in xccdftree.iter() for c in p)
     # now we can actually do the verification work here
     if options.rules_with_invalid_checks or options.all_checks:
         for check_content_ref in check_content_refs:
 diff --git a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
 index 0ceaf727d3..c94b12c45c 100755
 --- a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
 +++ b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
@@ -111,7 +111,7 @@ def main():
             benchmark.findall(".//{%s}Value" % (XCCDF_NAMESPACE)):
         values.append(value)
 -    parent_map = dict((c, p) for p in benchmark.getiterator() for c in p)
 +    parent_map = dict((c, p) for p in benchmark.iter() for c in p)
     for rule in \
             benchmark.findall(".//{%s}Rule" % (XCCDF_NAMESPACE)):
         parent_map[rule].remove(rule)
 -- 
 2.30.0
--- a/optimize-rules-for-openEuler.patch
+++ b/optimize-rules-for-openEuler.patch
--- a/scap-security-guide-0.1.49.tar.bz2
+++ b/scap-security-guide-0.1.49.tar.bz2
--- a/scap-security-guide-0.1.68.tar.bz2
+++ b/scap-security-guide-0.1.68.tar.bz2
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -1,14 +1,16 @@
 Name:		scap-security-guide
-Version:	0.1.68
+Version:	0.1.49
-Release:	4
+Release:	2
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
-Patch0001: add-openeuler-support.patch
+Patch0001:backport-fix-python-imports-of-ElementTree.patch
-Patch0002: add-openeuler-control-rules.patch
+Patch0002:backport-fix-deprecated-instance-of-element.getchildren.patch
-Patch0003: optimize-rules-for-openEuler.patch
+Patch0003:backport-fix-deprecated-getiterator-function.patch
 Patch0004:backport-fix-remaining-getchildren-and-getiterator-functions.patch
 Patch0005:backport-fix-for-older-python-versions-lacking-.iter-method.patch
 BuildArch:	noarch
 BuildRequires: 	libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@ -41,7 +43,7 @@ mkdir build
 %build
 cd build
-%cmake -DSSG_SCE_ENABLED=ON ../
+%cmake ../
 %make_build
 %install
@ -52,7 +54,6 @@ cd build
 %{_datadir}/xml/scap/ssg/content
 %{_datadir}/%{name}/kickstart
 %{_datadir}/%{name}/ansible
 %{_datadir}/%{name}/tailoring
 %{_datadir}/%{name}/bash
 %lang(en) %{_mandir}/man8/scap-security-guide.8.*
 %doc %{_docdir}/%{name}/LICENSE
@ -64,21 +65,6 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
 * Sat Feb 24 2024 wangqingsan <wangqingsan@huawei.com> - 0.1.68-4
 - optimiz rules for openEuler
 * Mon Feb 19 2024 steven <steven_ygui@163.com> - 0.1.68-3
 - add openEuler 2403 LTS supporting and remove openEuler general version supporting
 * Mon Oct 9 2023 steven <steven_ygui@163.com> - 0.1.68-2
 - add openeuler supporting and add 100+ control rules
 * Tue Jul 18 2023 xu_ping <707078654@qq.com> - 0.1.68-1
 - Upgrade to 0.1.68
 * Fri Dec 30 2022 xuxinyu <xuxinyu@xfusion.com> - 0.1.49-3
 - Fix test scenarios for OSPP profile
 * Sat Feb 26 2022 HuaxinLu <luhuaxin1@huawei.com> - 0.1.49-2
 - fix for python upgrade