From 23af3a843a1cd99f58dd193472ed54d52d94e7bf Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Mon, 24 Apr 2023 07:35:50 +0300
Subject: [PATCH 1/3] SLE add ability to configure emergency via dropin
For SLE platforms, add the possibility to configure the emergency target auth via a drop-in configuration file
rather than directly in the /usr/lib/systemd.. unit
---
.../ansible/shared.yml | 12 +++-
.../bash/shared.sh | 11 ++++
.../oval/shared.xml | 56 +++++++++++++++++--
3 files changed, 72 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml
index 2cebcfdc5d3..a3490a60d13 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml
@@ -4,13 +4,23 @@
# complexity = low
# disruption = low
+{{% if 'sle' in product %}}
+- name: Require emergency mode password
+ ansible.builtin.blockinfile:
+ create: yes
+ dest: /etc/systemd/system/emergency.service.d/10-oscap.conf
+ block: |
+ [Service]
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+{{% else %}}
- name: Require emergency mode password
lineinfile:
create: yes
dest: /usr/lib/systemd/system/emergency.service
regexp: "^#?ExecStart="
- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9","sle12", "sle15"] -%}}
+ {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] -%}}
line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency"
{{%- else -%}}
line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
{{%- endif %}}
+{{% endif %}}
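Review bot: The SLE drop-in written by the blockinfile task (`block: |` with `[Service]` / `ExecStart=-...`) adds a second `ExecStart=` to emergency.service without clearing the one from the vendor unit; for a non-oneshot service systemd refuses a unit that ends up with more than one `ExecStart=`, so the override would most likely be rejected rather than applied. The block should reset the list first, i.e. `[Service]`, `ExecStart=`, `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency`. While here, `create: yes` on the new task is a YAML 1.1 boolean spelling; `create: true` is the canonical form even though the pre-existing lineinfile task uses the same spelling. Note also that this branch hard-codes the systemd-sulogin-shell form for every product matching `'sle' in product`, whereas the bash remediation picks the sulogin command from an explicit product list, so the two could diverge for an SLE product outside that list. The task list's header comments (`# platform = ...`) are outside this hunk.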
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh
index 410d611cfa4..2a65ef992e5 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh
@@ -1,6 +1,11 @@
# platform = multi_platform_all
+{{% if 'sle' in product %}}
+service_dropin_cfg_dir="/etc/systemd/system/emergency.service.d"
+service_dropin_file="${service_dropin_cfg_dir}/10-oscap.conf"
+{{% else %}}
service_file="/usr/lib/systemd/system/emergency.service"
+{{% endif %}}
{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}}
sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency"
@@ -8,8 +13,14 @@ sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency"
sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
{{%- endif %}}
+{{% if 'sle' in product %}}
+mkdir -p "${service_dropin_cfg_dir}"
+echo "[Service]" >> "${service_dropin_file}"
+echo "ExecStart=-$sulogin" >> "${service_dropin_file}"
+{{% else %}}
if grep "^ExecStart=.*" "$service_file" ; then
sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file"
else
echo "ExecStart=-$sulogin" >> "$service_file"
fi
+{{% endif %}}
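Review bot: The two `echo ... >> "${service_dropin_file}"` lines append unconditionally, so every re-run of the remediation adds another `[Service]` header and `ExecStart=` line to 10-oscap.conf, unlike the `sed`/`grep` branch for other platforms and the ansible blockinfile task, which are both idempotent. The drop-in also needs an empty `ExecStart=` before the new value, because systemd rejects a non-oneshot unit that accumulates a second `ExecStart=` from a drop-in. Since the file is owned by this remediation, writing it whole is simplest: replace both echo lines with `printf '[Service]\nExecStart=\nExecStart=-%s\n' "$sulogin" > "${service_dropin_file}"`. The `service_dropin_*` variables used here are defined in the earlier hunk of this file (`service_dropin_cfg_dir`, `service_dropin_file`).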
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
index a9c7188b6cb..25b2e735eef 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
@@ -2,13 +2,25 @@
{{{ oval_metadata("The requirement for a password to boot into emergency mode
should be configured correctly.") }}}
-
-
-
-
-
+{{% if 'sle' in product %}}
+
+{{% endif %}}
+
+
+
+
+
+
+{{% if 'sle' in product %}}
+
+
+
+
+{{% endif %}}
1
+{{% if 'sle' in product %}}
+
+
+
+
+ /etc/systemd/system/emergency.service.d
+ ^.*\.conf$
+ ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency
+ 1
+
+{{% endif %}}
+
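Review bot: The new drop-in check matches `^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency` in any file selected by `^.*\.conf$` under /etc/systemd/system/emergency.service.d, so it passes as soon as one such file carries the line; systemd applies drop-ins in lexical order, so a later-sorting drop-in that redefines `ExecStart=` would leave the check green while the effective unit differs (the XML element names appear to have been stripped in this view, so this is inferred from the visible object fields). The pattern is also not end-anchored; a `\s*$` suffix would mirror the exact value the remediation writes. If this is acceptable as a best-effort check, a comment on the test stating that only the presence of a matching drop-in line is verified, not the resolved unit, would help the next maintainer.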
@@ -66,4 +95,19 @@
/etc/systemd/system
^emergency.target$
+
+
+
+
+
+
+
+ /etc/systemd/system/emergency.service.d
+ ^*.conf$
+
From d1fe359bba6deebd0482096bcfafa4ee1849f591 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Tue, 9 May 2023 11:22:26 +0300
Subject: [PATCH 2/3] Improve indentation in oval definitions
---
.../oval/shared.xml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
index 25b2e735eef..5093160780d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
@@ -30,8 +30,8 @@
/sbin/sulogin
{{%- endif %}}
was not removed from the default systemd emergency.service to ensure that a
- password must be entered to access single user mode"
- id="test_require_emergency_service" version="1">
+ password must be entered to access single user mode"
+ id="test_require_emergency_service" version="1">
@@ -49,8 +49,8 @@
comment="Tests that
/usr/lib/systemd/systemd-sulogin-shell
was not removed from the default systemd emergency.service to ensure that a
- password must be entered to access single user mode"
- id="test_require_emergency_service_dropin" version="1">
+ password must be entered to access single user mode"
+ id="test_require_emergency_service_dropin" version="1">
@@ -78,19 +78,19 @@
+ id="object_no_custom_emergency_service" version="1">
/etc/systemd/system
^emergency.service$
+ comment="look for emergency.target in /etc/systemd/system"
+ id="test_no_custom_emergency_target" version="1">
+ id="object_no_custom_emergency_target" version="1">
/etc/systemd/system
^emergency.target$
From 02f4dc86be873993668fc890f073b6b7a3373648 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Tue, 9 May 2023 11:24:13 +0300
Subject: [PATCH 3/3] Remove deadcode
Thanks @marcusburghardt for raising the flag
---
.../require_emergency_target_auth/oval/shared.xml | 15 ---------------
1 file changed, 15 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
index 5093160780d..fadfa300c22 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
@@ -95,19 +95,4 @@
/etc/systemd/system
^emergency.target$
-
-
-
-
-
-
-
- /etc/systemd/system/emergency.service.d
- ^*.conf$
-