!112 security-tool add grub2 password for legacy

From: @zhangruifang2020 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

do-not-create-allow-file-while-the-command-does-not-.patch

@@ -0,0 +1,99 @@
+From 66e565d8feb88d0729d81c4705d567cfaee97ff0 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Thu, 18 Mar 2021 10:51:25 +0800
+Subject: [PATCH] do not create allow file while the command does not exist
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ security-tool.sh | 37 +++++++++++++++++++++++++++++++++++++
+ security.conf    | 12 +++---------
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/security-tool.sh b/security-tool.sh
+index c6bc4e7..e8619f5 100644
+--- a/security-tool.sh
++++ b/security-tool.sh
+@@ -675,6 +675,35 @@ function fn_handle_ln()
+     return $?
+ }
+ 
++#=============================================================================
++# Function Name: fn_handle_allow
++# Returns      : 0 on success, otherwise on fail
++#=============================================================================
++function fn_handle_allow()
++{
++    fn_test_params_num 2
++
++    local rpmname=$1
++    local prename=$2
++    local ret=0
++
++    rpm -q "$rpmname"
++    if [ $? -eq 0 ]; then
++        local denyfile="$ROOTFS/etc/$prename.deny"
++        local allowfile="$ROOTFS/etc/$prename.allow"
++        rm -rf "$denyfile"
++        touch "$allowfile"
++        chown root:root "$allowfile"
++        chmod og-rwx "$allowfile"
++
++    else
++        ret=1
++        fn_error "package $rpmname does not exist"
++    fi
++
++    return $ret
++}
++
+ 
+ #=============================================================================
+ # Function Name: fn_harden_rootfs
+@@ -759,6 +788,10 @@ function fn_harden_rootfs()
+             fn_handle_ln "$f3" "$f4" "$f5"
+             status=$?
+             ;;
++        allow)
++            fn_handle_allow "$f3" "$f4"
++            status=$?
++            ;;
+         *)
+             fn_handle_command "$f2" "$f3"
+             status=$?
+@@ -861,6 +894,10 @@ IFS=$PRE_IFS
+             fn_handle_ln "$f3" "$f4" "$f5"
+             status=$?
+             ;;
++        allow)
++            fn_handle_allow "$f3" "$f4"
++            status=$?
++            ;;
+         *)
+             fn_handle_command "$f2" "$f3"
+             status=$?
+diff --git a/security.conf b/security.conf
+index 30b9f54..72bb91e 100644
+--- a/security.conf
++++ b/security.conf
+@@ -140,15 +140,9 @@
+ 213@chown root:root @/etc/cron.monthly
+ 213@chmod og-rwx @/etc/cron.monthly
+ 
+-214@rm -f @/etc/at.deny
+-214@touch @/etc/at.allow
+-214@chown root:root @/etc/at.allow
+-214@chmod og-rwx @/etc/at.allow
+-
+-215@rm -f @/etc/cron.deny
+-215@touch @/etc/cron.allow
+-215@chown root:root @/etc/cron.allow
+-215@chmod og-rwx @/etc/cron.allow
++# limit command permissions
++214@allow@at@at
++215@allow@cronie@cron
+ 
+ #rpm initscripts drop /etc/sysconfig/init defaultly
+ 216@touch @/etc/sysconfig/init
+-- 
+1.8.3.1
+

security-tool-add-grub2-password-for-legacy.patch

@@ -0,0 +1,25 @@
+From 28be480fbcfe18f008948642493cbba612c8c685 Mon Sep 17 00:00:00 2001
+From: yueyuankun <yueyuankun@kylinos.cn>
+Date: Fri, 9 Jun 2023 17:17:17 +0800
+Subject: [PATCH] add grub2 password for legacy
+
+---
+ security-tool.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/security-tool.sh b/security-tool.sh
+index 0877081..5939f44 100644
+--- a/security-tool.sh
++++ b/security-tool.sh
+@@ -948,6 +948,8 @@ function fn_harden_grub2()
+     echo -e "cat <<EOF\nset superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08\nEOF\n" >> /etc/grub.d/00_header
+     if [ -d /boot/efi/EFI/openEuler -a -d /sys/firmware/efi ]; then
+         grub2-mkconfig -o /boot/efi/EFI/openEuler/grub.cfg
++    else
++        grub2-mkconfig -o /boot/grub2/grub.cfg
+     fi
+ }
+ # Function Name: fn_harden_sysctl
+-- 
+2.33.0
+

security-tool.spec

@@ -1,7 +1,7 @@
 Summary: openEuler Security Tool
 Name   : security-tool
 Version: 2.0
-Release: 1.72
+Release: 1.77
 Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/security-tool
@@ -13,7 +13,9 @@ Requires(preun): systemd-units
 Requires(postun): systemd-units
 BuildRequires: xauth
 
-Patch: Use-secure-MACs-and-KexAlgorithms.patch
+Patch0: Use-secure-MACs-and-KexAlgorithms.patch
+Patch1: do-not-create-allow-file-while-the-command-does-not-.patch
+Patch2: security-tool-add-grub2-password-for-legacy.patch
 
 %description
 openEuler Security Tool
@@ -49,7 +51,7 @@ rm -rf $RPM_BUILD_ROOT
 %pre
 
 %post
-sed -i 's/password-auth$/password-auth-crond/g' /etc/pam.d/crond
+sed -i 's/system-auth$/password-auth-crond/g' /etc/pam.d/crond
 
 if [ $1 -ge 2 ]
 then
@@ -72,7 +74,7 @@ systemctl enable openEuler-security.service
 %systemd_preun openEuler-security.service
 if [ $1 -eq 0 ]
 then
-    sed -i 's/password-auth-crond$/password-auth/g' /etc/pam.d/crond
+    sed -i 's/password-auth-crond$/system-auth/g' /etc/pam.d/crond
 fi
 
 %postun
@@ -118,6 +120,21 @@ fi
 %attr(0500,root,root) %{_sbindir}/security-tool.sh
 
 %changelog
+* Tue Jun 11 2024 zhangruifang <zhangruifang@h-partners.com> - 2.0-1.77
+- security-tool add grub2 password for legacy
+
+* Mon Aug 29 2022 liweiganga <liweiganga@uniontech.com> - 2.0-1.76
+- fix sed keyword error in /etc/pam.d/crond
+
+* Tue Jun 29 2021 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.75
+- rebuild package version
+
+* Thu May 27 2021 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.74
+- rewrite patch: do not create allow file while the command does not exist
+
+* Wed Mar 17 2021 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.73
+- do not create allow file while the command does not exist
+
 * Wed Feb zhujianwei <zhujianwei7@huawei.com> - 2.0-1.72
 - rebuild