From 0a5dc24cfe827ab5f7da557e5f72723a3b283542 Mon Sep 17 00:00:00 2001
From: Sergey Cherevko
Date: Thu, 26 Sep 2024 21:10:13 +0300
Subject: [PATCH] Next try...
---
 SOURCES/0001-Add-session-monitor-rule.patch | 1203 +++++++++++++++++--
 SPECS/scap-security-guide.spec | 7 +-
 2 files changed, 1126 insertions(+), 84 deletions(-)
diff --git a/SOURCES/0001-Add-session-monitor-rule.patch b/SOURCES/0001-Add-session-monitor-rule.patch
index 1339502..0ff5bbe 100644
--- a/SOURCES/0001-Add-session-monitor-rule.patch
+++ b/SOURCES/0001-Add-session-monitor-rule.patch
@@ -1,41 +1,57 @@
-From 6bd2cb26d40246bf7645355018e4b8154018d1e4 Mon Sep 17 00:00:00 2001
+From b23be587f5dff05eb8d9eb5c48fb661de9922fd0 Mon Sep 17 00:00:00 2001
From: Sergey Cherevko -Date: Mon, 23 Sep 2024 11:56:30 +0300 +Date: Thu, 26 Sep 2024 19:36:57 +0300 Subject: [PATCH] Add session-monitor rule --- CMakeLists.txt | 5 + build_product | 1 + components/session-monitor.yml | 6 + - .../rule.yml | 27 +++++ - .../service_session-monitor_enabled/rule.yml | 40 +++++++ - products/msvsphere9/CMakeLists.txt | 8 ++ - .../cpe/msvsphere9-cpe-dictionary.xml | 10 ++ - .../ssg-msvsphere9-session-monitor-ks.cfg | 112 ++++++++++++++++++ - products/msvsphere9/product.yml | 26 ++++ - .../profiles/session-monitor.profile | 33 ++++++ - products/msvsphere9/transforms/constants.xslt | 16 +++ + .../rule.yml | 27 + + .../service_session-monitor_enabled/rule.yml | 27 + + products/msvsphere9/CMakeLists.txt | 26 + + .../ssg-msvsphere9-session-monitor-ks.cfg | 124 ++++ + .../kickstart/ssg-msvsphere9-stig_gui-ks.cfg | 144 +++++ + products/msvsphere9/overlays/srg_support.xml | 173 ++++++ + products/msvsphere9/product.yml | 26 + + products/msvsphere9/profiles/default.profile | 555 ++++++++++++++++++ + .../profiles/session-monitor.profile | 12 + + products/msvsphere9/profiles/stig.profile | 30 + + products/msvsphere9/profiles/stig_gui.profile | 49 ++ + products/msvsphere9/transforms/constants.xslt | 18 + .../msvsphere9/transforms/table-style.xslt | 5 + - .../transforms/xccdf-apply-overlay-stig.xslt | 8 ++ - .../transforms/xccdf2table-cce.xslt | 9 ++ - .../xccdf2table-profileccirefs.xslt | 9 ++ - .../oval/installed_OS_is_msvsphere9.xml | 34 ++++++ + .../transforms/xccdf-apply-overlay-stig.xslt | 8 + + .../transforms/xccdf2table-cce.xslt | 9 + + .../xccdf2table-profileccirefs.xslt | 9 + + .../oval/installed_OS_is_msvsphere9.xml | 34 ++ + .../oval/sysctl_kernel_ipv6_disable.xml | 1 + + .../disa-stig-msvsphere9-v1r1-xccdf-scap.xml | 1 + + ...disa-stig-msvsphere9-v1r3-xccdf-manual.xml | 1 + ssg/constants.py | 6 +- - 17 files changed, 354 insertions(+), 1 deletion(-) + .../guide/selinux_state/ansible/shared.yml | 2 +- + 
.../guide/selinux_state/bash/shared.sh | 2 +- + .../unit/ssg_test_suite/data/correct.pass.sh | 2 +- + 27 files changed, 1299 insertions(+), 4 deletions(-) create mode 100644 components/session-monitor.yml create mode 100644 linux_os/guide/system/software/system-tools/package_session-monitor_installed/rule.yml create mode 100644 linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml create mode 100644 products/msvsphere9/CMakeLists.txt - create mode 100644 products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml create mode 100644 products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg + create mode 100644 products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg + create mode 100644 products/msvsphere9/overlays/srg_support.xml create mode 100644 products/msvsphere9/product.yml + create mode 100644 products/msvsphere9/profiles/default.profile create mode 100644 products/msvsphere9/profiles/session-monitor.profile + create mode 100644 products/msvsphere9/profiles/stig.profile + create mode 100644 products/msvsphere9/profiles/stig_gui.profile create mode 100644 products/msvsphere9/transforms/constants.xslt create mode 100644 products/msvsphere9/transforms/table-style.xslt create mode 100644 products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt create mode 100644 products/msvsphere9/transforms/xccdf2table-cce.xslt create mode 100644 products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt create mode 100644 shared/checks/oval/installed_OS_is_msvsphere9.xml + create mode 120000 shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml + create mode 120000 shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml diff --git a/CMakeLists.txt b/CMakeLists.txt index 5d4bc725..3197125e 100644 @@ -126,10 +142,10 @@ index 00000000..c2b5f232 + pkgname: session-monitor 
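Review bot: The inner diffstat now lists edits to remediation content shared by every product, `.../guide/selinux_state/ansible/shared.yml` and `.../guide/selinux_state/bash/shared.sh`, plus the test-suite fixture `.../unit/ssg_test_suite/data/correct.pass.sh`; those hunks are outside this chunk so I cannot see what they change, but a patch whose purpose is adding a product should not normally touch shared remediations, and they deserve either a justification in the description or a separate patch. The two `create mode 120000` entries add symlinks named `disa-stig-msvsphere9-v1r1-xccdf-scap.xml` and `disa-stig-msvsphere9-v1r3-xccdf-manual.xml`; if they resolve to another product's DISA STIG files, the STIG tables generated for msvsphere9 will present that STIG as MSVSphere's, so the link targets should be named in the description. The outer subject `Next try...` says nothing about what changed between the two revisions of the inner patch; a summary such as `Move msvsphere9 CPE into product.yml, add stig/stig_gui profiles and kickstart` would help later review.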
diff --git a/linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml b/linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml new file mode 100644 -index 00000000..35942027 +index 00000000..9374fcc3 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml -@@ -0,0 +1,40 @@ +@@ -0,0 +1,27 @@ +documentation_complete: true + + @@ -145,19 +161,6 @@ index 00000000..35942027 + +severity: low + -+identifiers: -+ cce@rhel7: CCE-80265-2 -+ cce@rhel8: CCE-82401-1 -+ -+references: -+ cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9 -+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.06,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 -+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 -+ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 6.1,SR 6.2,SR 7.6' -+ iso27001-2013: A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1,A.15.2.2,A.9.1.2 -+ nist: AU-12(a),CM-6(a) -+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3 -+ +ocil_clause: |- + {{{ ocil_clause_service_disabled(service="session-monitor") }}} + @@ -172,10 +175,10 @@ index 00000000..35942027 + servicename: session-monitor diff --git a/products/msvsphere9/CMakeLists.txt b/products/msvsphere9/CMakeLists.txt new file mode 100644 -index 00000000..cc479a30 +index 00000000..ca7ee52f --- /dev/null 
+++ b/products/msvsphere9/CMakeLists.txt -@@ -0,0 +1,8 @@ +@@ -0,0 +1,26 @@ +# Sometimes our users will try to do: "cd msvsphere9; cmake ." That needs to error in a nice way. +if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") + message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") @@ -184,28 +187,30 @@ index 00000000..cc479a30 +set(PRODUCT "msvsphere9") + +ssg_build_product(${PRODUCT}) -diff --git a/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml b/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml -new file mode 100644 -index 00000000..78a20f6a ---- /dev/null -+++ b/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml -@@ -0,0 +1,10 @@ -+ -+ -+ -+ MSVSphere 9 -+ -+ installed_OS_is_msvsphere9 -+ -+ ++ ++ssg_build_html_cce_table(${PRODUCT}) ++ ++ssg_build_html_srgmap_tables(${PRODUCT}) ++ ++if(SSG_SRG_XLSX_EXPORT) ++ ssg_build_xlsx_srg_export(${PRODUCT} "srg_gpos") ++endif() ++ ++ssg_build_html_stig_tables(${PRODUCT}) ++ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig") ++ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig_gui") ++ ++#ssg_build_html_stig_tables(${PRODUCT} "ospp") ++ ++if(SSG_CENTOS_DERIVATIVES_ENABLED) ++ ssg_build_derivative_product(${PRODUCT} "centos" "cs9") ++endif() diff --git a/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg new file mode 100644 -index 00000000..840f33b5 +index 00000000..447b36a5 --- /dev/null +++ b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg -@@ -0,0 +1,112 @@ +@@ -0,0 +1,124 @@ +# SCAP Security Guide ANSSI BP-028 (minimal) profile kickstart for Red Hat Enterprise Linux 8 +# Version: 0.0.1 +# Date: 2021-01-28 
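Review bot: `ssg_build_derivative_product(${PRODUCT} "centos" "cs9")` under `SSG_CENTOS_DERIVATIVES_ENABLED` looks copied from the rhel9 product file: it would build a CentOS Stream 9 derivative out of the MSVSphere 9 content, and if the rhel9 product already registers a `cs9` derivative the two targets would presumably collide. Unless an MSVSphere-based cs9 build is intended, drop the three-line block; if it is intended, add a comment saying why it hangs off msvsphere9 rather than rhel9. The commented-out `#ssg_build_html_stig_tables(${PRODUCT} "ospp")` is dead text and should go as well. The hunk also deletes the previous revision's `msvsphere9-cpe-dictionary.xml` while `product.yml` later in this patch carries the `cpe:/o:ncsd:msvsphere:9` entry with `check_id: installed_OS_is_msvsphere9`, which is consistent; just confirm nothing in the build still expects the dictionary file.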
@@ -254,7 +259,8 @@ index 00000000..840f33b5 +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device -+network --onboot yes --bootproto dhcp ++##network --onboot yes --bootproto dhcp ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server @@ -263,6 +269,16 @@ index 00000000..840f33b5 +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ +# Set the system time zone (required) +timezone --utc Europe/Moscow + @@ -302,7 +318,8 @@ index 00000000..840f33b5 +# +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program -+%addon org_fedora_oscap ++##%addon org_fedora_oscap ++%addon com_redha_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_session-monitor +%end 
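Review bot: `network --onboot yes --device eth0 --bootproto dhcp --noipv6` hard-codes the interface name `eth0`; on a RHEL 9-family installer the predictable naming scheme usually produces names like `enp1s0`, so the device may not exist and the network would not be activated, whereas the previous form without `--device` let the installer choose. Consider `network --onboot yes --bootproto dhcp --noipv6`, or, if `eth0` is deliberate because the target images rename interfaces, say so in the comment block above the line. The commented `##network --onboot yes --bootproto dhcp` left above it is dead text and can be dropped.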
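Review bot: The comment `# The selected profile will restrict root login` above the new `user --name=admin --groups=wheel ...` line was carried over from the STIG kickstart, but this file applies `content_profile_session-monitor`, and nothing in this chunk shows that profile restricting root login; either verify the claim against `session-monitor.profile` or reword it to `# Add an administrator account so root need not be used interactively`. The account's plaintext password is documented inline (`admin123`) and the same hash reappears in the stig_gui kickstart added by this patch, so a line such as `# Regenerate this hash for each deployment (see the rootpw comment above)` next to it would make the expectation explicit.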
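Review bot: `%addon com_redha_oscap` misspells the add-on name; the stig_gui kickstart added in this same patch uses `%addon com_redhat_oscap`, and the documentation URL two lines above refers to `addon-com_redhat_oscap`. With an unknown add-on name the installer will either reject the kickstart or skip the section; in both cases `profile = xccdf_org.ssgproject.content_profile_session-monitor` is never applied and the installed system comes up without the policy this kickstart exists to enforce. Change the line to `%addon com_redhat_oscap` and drop the dead `##%addon org_fedora_oscap` line above it.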
@@ -318,6 +335,335 @@ index 00000000..840f33b5 +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject +diff --git a/products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg b/products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg +new file mode 100644 +index 00000000..89744815 +--- /dev/null ++++ b/products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg +@@ -0,0 +1,144 @@ ++# SCAP Security Guide STIG with GUI profile kickstart for AlmaLinux 9 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg ++# For more information see the following documentation: ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++# Set language to use during installation and the default language to use on the 
installed system (required) ++lang ru_RU.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard --vckeymap us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++network --onboot yes --bootproto dhcp ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. ++# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# to see how to create encrypted password form for different plaintext password ++rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc Europe/Moscow ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
++# grub2-mkpasswd-pbkdf2 ++# to see how to create encrypted password form for different plaintext password ++bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow ++# Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var/tmp Located On Separate Partition ++logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" ++# Ensure /var/log Located On Separate Partition 
++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec" ++logvol swap --name=swap --vgname=VolGroup --size=2016 ++ ++# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) ++# content - security policies - on the installed system.This add-on has been enabled by default ++# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this ++# functionality will automatically be installed. However, by default, no policies are enforced, ++# meaning that no checks are performed during or after installation unless specifically configured. ++# ++# Important ++# Applying a security policy is not necessary on all systems. This screen should only be used ++# when a specific policy is mandated by your organization rules or government regulations. ++# Unlike most other commands, this add-on does not accept regular options, but uses key-value ++# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. ++# Values can be optionally enclosed in single quotes (') or double quotes ("). 
++# ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon com_redhat_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_stig_gui ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++@Server with GUI ++ ++%end ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/products/msvsphere9/overlays/srg_support.xml b/products/msvsphere9/overlays/srg_support.xml +new file mode 100644 +index 00000000..e5334dee +--- /dev/null ++++ b/products/msvsphere9/overlays/srg_support.xml +@@ -0,0 +1,173 @@ ++ diff --git a/products/msvsphere9/product.yml b/products/msvsphere9/product.yml new file mode 100644 index 00000000..f2b7f0f0 
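Review bot: The new `ssg-msvsphere9-stig_gui-ks.cfg` opens with `# SCAP Security Guide STIG with GUI profile kickstart for AlmaLinux 9`, a leftover from the file it was copied from; it should read `# SCAP Security Guide STIG with GUI profile kickstart for MSVSphere 9`. Its `network --onboot yes --bootproto dhcp` also differs from the session-monitor kickstart in this patch, which passes `--noipv6`; the diffstat touches `sysctl_kernel_ipv6_disable.xml`, so if the stig_gui profile disables IPv6 the two kickstarts should agree, otherwise a comment on why they differ would help. The `rootpw`, `user` and `bootloader --password=grub.pbkdf2...` values are the same published defaults with their plaintext noted inline, so a `# Regenerate before deployment` line beside each would make the intent explicit. The `products/msvsphere9/overlays/srg_support.xml` hunk in this same unit declares 173 added lines but only a blank one survives in this chunk, so its content could not be reviewed here.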
@@ -350,12 +696,573 @@ index 00000000..f2b7f0f0 + name: "cpe:/o:ncsd:msvsphere:9" + title: "MSVSphere 9" + check_id: installed_OS_is_msvsphere9 +diff --git a/products/msvsphere9/profiles/default.profile b/products/msvsphere9/profiles/default.profile +new file mode 100644 +index 00000000..567393e8 +--- /dev/null ++++ b/products/msvsphere9/profiles/default.profile +@@ -0,0 +1,555 @@ ++documentation_complete: true ++ ++hidden: true ++ ++title: Default Profile for MSVSphere 9 ++ ++description: |- ++ This profile contains all the rules that once belonged to the ++ rhel9 product via 'prodtype'. This profile won't ++ be rendered into an XCCDF Profile entity, nor it will select any ++ of these rules by default. The only purpose of this profile ++ is to keep a rule in the product's XCCDF Benchmark. ++ ++selections: ++ - sebool_nfsd_anon_write ++ - sebool_squid_connect_any ++ - sebool_polipo_connect_all_unreserved ++ - audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write ++ - auditd_data_disk_full_action ++ - mount_option_var_tmp_bind ++ - sebool_selinuxuser_use_ssh_chroot ++ - sebool_condor_tcp_network_connect ++ - sebool_xserver_object_manager ++ - mount_option_home_grpquota ++ - sebool_mpd_enable_homedirs ++ - sebool_logadm_exec_content ++ - auditd_audispd_encrypt_sent_records ++ - audit_rules_unsuccessful_file_modification_openat_rule_order ++ - sebool_logwatch_can_network_connect_mail ++ - sebool_mpd_use_nfs ++ - sebool_virt_use_sanlock ++ - kernel_module_vfat_disabled ++ - sebool_xguest_use_bluetooth ++ - sebool_puppetagent_manage_all_files ++ - sshd_use_strong_rng ++ - grub2_uefi_admin_username ++ - sebool_staff_use_svirt ++ - audit_rules_successful_file_modification_lsetxattr ++ - sebool_daemons_enable_cluster_mode ++ - package_krb5-workstation_removed ++ - package_samba-common_installed ++ - sebool_httpd_enable_cgi ++ - accounts_passwords_pam_faillock_silent ++ - xwindows_remove_packages ++ - sebool_httpd_can_network_memcache ++ - 
sebool_git_system_use_nfs ++ - sudoers_no_root_target ++ - sebool_httpd_can_connect_zabbix ++ - sebool_samba_portmapper ++ - audit_rules_etc_shadow_open ++ - sebool_httpd_graceful_shutdown ++ - sebool_ftpd_use_fusefs ++ - service_cups_disabled ++ - sebool_selinuxuser_ping ++ - sebool_unconfined_chrome_sandbox_transition ++ - dconf_gnome_screensaver_lock_locked ++ - package_ntpdate_removed ++ - package_avahi_removed ++ - file_groupowner_efi_user_cfg ++ - set_loopback_traffic ++ - ntpd_specify_multiple_servers ++ - sebool_gitosis_can_sendmail ++ - audit_rules_unsuccessful_file_modification_renameat ++ - sebool_pcp_read_generic_logs ++ - sebool_httpd_run_ipa ++ - sebool_selinuxuser_share_music ++ - file_groupowner_var_log_syslog ++ - service_netfs_disabled ++ - sebool_dbadm_manage_user_files ++ - sebool_smbd_anon_write ++ - auditd_audispd_configure_remote_server ++ - service_ypserv_disabled ++ - sebool_nagios_run_sudo ++ - sebool_dbadm_exec_content ++ - package_ntp_installed ++ - package_cron_installed ++ - dconf_gnome_screensaver_idle_activation_locked ++ - audit_rules_successful_file_modification_unlinkat ++ - package_audit-audispd-plugins_installed ++ - sebool_xserver_clients_write_xshm ++ - sebool_xdm_exec_bootloader ++ - sebool_httpd_serve_cobbler_files ++ - sebool_use_ecryptfs_home_dirs ++ - sebool_container_connect_any ++ - sebool_sge_domain_can_network_connect ++ - sebool_staff_exec_content ++ - file_permissions_home_dirs ++ - audit_rules_privileged_commands_newgidmap ++ - sebool_ssh_chroot_rw_homedirs ++ - sebool_virt_use_xserver ++ - sebool_mozilla_plugin_use_spice ++ - sebool_tmpreaper_use_nfs ++ - sebool_httpd_can_connect_ldap ++ - sudoers_default_includedir ++ - sebool_mmap_low_allowed ++ - sebool_glance_use_fusefs ++ - sebool_httpd_dontaudit_search_dirs ++ - sebool_named_tcp_bind_http_port ++ - auditd_audispd_network_failure_action ++ - sebool_wine_mmap_zero_ignore ++ - sebool_cluster_use_execmem ++ - audit_rules_privileged_commands_usernetctl ++ - 
dconf_gnome_disable_user_admin ++ - service_rlogin_disabled ++ - sebool_ftpd_use_nfs ++ - sebool_httpd_use_fusefs ++ - service_iptables_enabled ++ - sebool_tor_bind_all_unreserved_ports ++ - sebool_virt_sandbox_use_all_caps ++ - sebool_httpd_use_openstack ++ - sebool_icecast_use_any_tcp_ports ++ - audit_rules_unsuccessful_file_modification_rename ++ - sebool_openshift_use_nfs ++ - sebool_mailman_use_fusefs ++ - sebool_nfs_export_all_rw ++ - sebool_httpd_dbus_avahi ++ - mount_option_smb_client_signing ++ - audit_rules_successful_file_modification_open_o_trunc_write ++ - sebool_mplayer_execstack ++ - sebool_virt_sandbox_use_mknod ++ - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order ++ - package_pam_pwquality_installed ++ - sebool_fcron_crond ++ - sebool_httpd_read_user_content ++ - sebool_samba_domain_controller ++ - service_sshd_disabled ++ - zipl_page_poison_argument ++ - file_owner_efi_user_cfg ++ - sebool_cobbler_anon_write ++ - audit_rules_successful_file_modification_openat_o_trunc_write ++ - audit_rules_successful_file_modification_removexattr ++ - sebool_xdm_write_home ++ - sebool_httpd_mod_auth_pam ++ - audit_rules_successful_file_modification_fchownat ++ - service_httpd_disabled ++ - package_nfs-utils_removed ++ - sebool_pppd_for_user ++ - sebool_rsync_export_all_ro ++ - audit_rules_successful_file_modification_open_o_creat ++ - install_hids ++ - sebool_authlogin_radius ++ - sebool_swift_can_network ++ - audit_rules_file_deletion_events ++ - sshd_disable_pubkey_auth ++ - sebool_tor_can_network_relay ++ - sebool_virt_use_samba ++ - sebool_spamassassin_can_network ++ - package_syslogng_installed ++ - sebool_selinuxuser_postgresql_connect_enabled ++ - sebool_virt_sandbox_use_sys_admin ++ - sebool_irssi_use_full_network ++ - sebool_sysadm_exec_content ++ - sebool_polipo_use_cifs ++ - sebool_samba_load_libgfapi ++ - package_rpcbind_removed ++ - sebool_samba_run_unconfined ++ - sebool_webadm_manage_user_files ++ - 
sebool_zoneminder_run_sudo ++ - sebool_ftpd_anon_write ++ - sebool_rsync_anon_write ++ - mount_option_proc_hidepid ++ - sebool_nfs_export_all_ro ++ - audit_rules_unsuccessful_file_modification_chown ++ - sebool_selinuxuser_udp_server ++ - sebool_cups_execmem ++ - service_ntpdate_disabled ++ - sebool_httpd_execmem ++ - sebool_httpd_sys_script_anon_write ++ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write ++ - sebool_ftpd_use_cifs ++ - service_atd_disabled ++ - audit_rules_etc_shadow_open_by_handle_at ++ - sebool_mysql_connect_any ++ - audit_rules_privileged_commands_pt_chown ++ - sebool_httpd_can_sendmail ++ - sebool_prosody_bind_http_port ++ - sebool_httpd_use_sasl ++ - sebool_tftp_home_dir ++ - sebool_gssd_read_tmp ++ - kernel_module_uvcvideo_disabled ++ - sebool_squid_use_tproxy ++ - sebool_httpd_ssi_exec ++ - sebool_use_lpd_server ++ - audit_rules_successful_file_modification_open_by_handle_at_o_creat ++ - sebool_unconfined_login ++ - account_use_centralized_automated_auth ++ - file_groupowner_efi_grub2_cfg ++ - sebool_xdm_bind_vnc_tcp_port ++ - sebool_deny_ptrace ++ - sebool_postgresql_selinux_transmit_client_label ++ - sysctl_net_ipv6_conf_all_disable_ipv6 ++ - sebool_smartmon_3ware ++ - dconf_gnome_login_retries ++ - audit_rules_unsuccessful_file_modification_setxattr ++ - sudo_vdsm_nopasswd ++ - sebool_global_ssp ++ - service_smb_disabled ++ - sebool_virt_rw_qemu_ga_data ++ - sebool_selinuxuser_tcp_server ++ - package_inetutils-telnetd_removed ++ - audit_rules_successful_file_modification_openat ++ - audit_rules_unsuccessful_file_modification_fchmod ++ - service_ntpd_enabled ++ - file_permissions_httpd_server_conf_files ++ - sebool_httpd_use_gpg ++ - sebool_spamd_enable_home_dirs ++ - package_openldap-servers_removed ++ - avahi_disable_publishing ++ - audit_rules_successful_file_modification_fchmod ++ - sebool_fenced_can_network_connect ++ - sebool_virt_use_nfs ++ - sebool_lsmd_plugin_connect_any ++ - 
account_passwords_pam_faillock_dir ++ - sebool_authlogin_yubikey ++ - sebool_authlogin_nsswitch_use_ldap ++ - dconf_gnome_disable_geolocation ++ - sebool_httpd_run_preupgrade ++ - sebool_httpd_use_cifs ++ - sebool_telepathy_tcp_connect_generic_network_ports ++ - zipl_slub_debug_argument ++ - sebool_entropyd_use_audio ++ - grub2_kernel_trust_cpu_rng ++ - sebool_httpd_enable_ftp_server ++ - sebool_postgresql_selinux_users_ddl ++ - package_ypbind_removed ++ - xwindows_runlevel_target ++ - package_talk-server_removed ++ - kernel_module_ipv6_option_disabled ++ - sebool_cobbler_use_nfs ++ - sebool_mozilla_plugin_can_network_connect ++ - sebool_ftpd_full_access ++ - sebool_mcelog_foreground ++ - sebool_xguest_exec_content ++ - sebool_daemons_dump_core ++ - audit_rules_successful_file_modification_renameat ++ - service_rngd_enabled ++ - kernel_module_cfg80211_disabled ++ - sebool_git_cgi_use_cifs ++ - sebool_virt_sandbox_use_netlink ++ - enable_dconf_user_profile ++ - service_dhcpd_disabled ++ - kernel_module_jffs2_disabled ++ - sebool_openvpn_run_unconfined ++ - sebool_gluster_anon_write ++ - audit_rules_successful_file_modification_open ++ - sebool_secure_mode_insmod ++ - sebool_nscd_use_shm ++ - sebool_ksmtuned_use_cifs ++ - sebool_nagios_run_pnp4nagios ++ - sebool_selinuxuser_direct_dri_enabled ++ - sebool_haproxy_connect_any ++ - audit_rules_etc_shadow_openat ++ - sebool_pppd_can_insmod ++ - sebool_glance_api_can_network ++ - accounts_passwords_pam_faillock_enforce_local ++ - sebool_mozilla_plugin_use_bluejeans ++ - sebool_mozilla_read_content ++ - sebool_virt_use_usb ++ - sebool_virt_use_execmem ++ - sebool_virt_read_qemu_ga_data ++ - service_vsftpd_disabled ++ - ssh_private_keys_have_passcode ++ - sebool_user_exec_content ++ - sebool_gluster_export_all_ro ++ - sebool_mcelog_server ++ - sebool_mount_anyfile ++ - sebool_sge_use_nfs ++ - sebool_daemons_use_tty ++ - sebool_mcelog_client ++ - sebool_rsync_client ++ - sebool_privoxy_connect_any ++ - 
postfix_client_configure_relayhost
++ - sebool_httpd_builtin_scripting
++ - etc_system_fips_exists
++ - iptables_sshd_disabled
++ - grub2_ipv6_disable_argument
++ - dconf_gnome_disable_thumbnailers
++ - sebool_varnishd_connect_any
++ - kernel_module_hfsplus_disabled
++ - audit_rules_for_ospp
++ - package_rsh_removed
++ - dconf_gnome_enable_smartcard_auth
++ - service_oddjobd_disabled
++ - service_postfix_enabled
++ - package_openssh-server_removed
++ - sebool_httpd_can_connect_mythtv
++ - audit_rules_successful_file_modification_lchown
++ - sebool_tftp_anon_write
++ - sebool_cobbler_can_network_connect
++ - sebool_samba_export_all_ro
++ - service_cron_enabled
++ - file_permissions_efi_user_cfg
++ - service_rhnsd_disabled
++ - audit_rules_successful_file_modification_unlink
++ - no_all_squash_exports
++ - sebool_use_samba_home_dirs
++ - audit_rules_etc_gshadow_openat
++ - service_ufw_enabled
++ - harden_sshd_macs_openssh_conf_crypto_policy
++ - dir_permissions_binary_dirs
++ - sebool_xend_run_blktap
++ - dconf_gnome_disable_wifi_notification
++ - package_nis_removed
++ - service_xinetd_disabled
++ - audit_rules_etc_passwd_open
++ - dhcp_client_restrict_options
++ - sebool_openvpn_can_network_connect
++ - kernel_module_freevxfs_disabled
++ - account_emergency_expire_date
++ - sebool_unconfined_mozilla_plugin_transition
++ - audit_rules_unsuccessful_file_modification_lremovexattr
++ - file_permissions_var_log_syslog
++ - sebool_git_cgi_enable_homedirs
++ - audit_rules_etc_passwd_open_by_handle_at
++ - audit_rules_privileged_commands_at
++ - sebool_virt_use_fusefs
++ - kernel_module_iwlmvm_disabled
++ - service_ntp_enabled
++ - file_owner_var_log_syslog
++ - service_ip6tables_enabled
++ - sebool_logging_syslogd_run_nagios_plugins
++ - sebool_mozilla_plugin_use_gps
++ - service_slapd_disabled
++ - audit_rules_unsuccessful_file_modification_open_o_trunc_write
++ - sebool_ftpd_connect_all_unreserved
++ - configure_user_data_backups
++ - dir_ownership_binary_dirs
++ - sebool_mcelog_exec_scripts
++ - sysctl_net_ipv4_tcp_invalid_ratelimit
++ - sebool_xserver_execmem
++ - sysctl_net_ipv6_conf_default_disable_ipv6
++ - sebool_cron_userdomain_transition
++ - sebool_collectd_tcp_network_connect
++ - sebool_httpd_enable_homedirs
++ - sebool_httpd_unified
++ - audit_rules_privileged_commands_newuidmap
++ - sebool_zabbix_can_network
++ - audit_rules_unsuccessful_file_modification_chmod
++ - sebool_gpg_web_anon_write
++ - fapolicyd_prevent_home_folder_access
++ - no_legacy_plus_entries_etc_passwd
++ - sebool_sanlock_use_nfs
++ - sebool_racoon_read_shadow
++ - audit_rules_successful_file_modification_fsetxattr
++ - audit_rules_successful_file_modification_fremovexattr
++ - package_krb5-server_removed
++ - file_permissions_httpd_server_conf_d_files
++ - audit_rules_successful_file_modification_rename
++ - sebool_guest_exec_content
++ - kernel_module_rds_disabled
++ - sebool_selinuxuser_mysql_connect_enabled
++ - sebool_antivirus_use_jit
++ - sebool_ksmtuned_use_nfs
++ - service_qpidd_disabled
++ - audit_rules_successful_file_modification_setxattr
++ - sebool_polipo_session_bind_all_unreserved_ports
++ - sebool_secure_mode_policyload
++ - sebool_webadm_read_user_files
++ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
++ - audit_rules_unsuccessful_file_modification_fsetxattr
++ - kernel_module_hfs_disabled
++ - sebool_git_session_users
++ - sebool_exim_manage_user_files
++ - configure_gnutls_tls_crypto_policy
++ - sshd_enable_gssapi_auth
++ - sebool_minidlna_read_generic_user_content
++ - audit_rules_etc_group_openat
++ - sebool_httpd_can_network_connect_cobbler
++ - auditd_data_disk_error_action
++ - audit_rules_unsuccessful_file_modification_fchownat
++ - sebool_openvpn_enable_homedirs
++ - zipl_enable_selinux
++ - audit_rules_unsuccessful_file_modification_open_o_creat
++ - kernel_config_ipv6
++ - audit_rules_successful_file_modification_chown
++ - audit_rules_successful_file_modification_fchmodat
++ - sebool_dhcpc_exec_iptables
++ - file_permissions_efi_grub2_cfg
++ - audit_rules_unsuccessful_file_modification_removexattr
++ - sebool_telepathy_connect_all_ports
++ - sebool_postgresql_can_rsync
++ - audit_rules_unsuccessful_file_modification_openat_o_trunc_write
++ - rpm_verify_permissions
++ - package_telnetd_removed
++ - sebool_httpd_setrlimit
++ - harden_sshd_macs_opensshserver_conf_crypto_policy
++ - service_dovecot_disabled
++ - service_cockpit_disabled
++ - no_legacy_plus_entries_etc_group
++ - mount_option_boot_noauto
++ - sebool_git_cgi_use_nfs
++ - sebool_git_system_use_cifs
++ - sebool_httpd_use_nfs
++ - audit_rules_unsuccessful_file_modification_lchown
++ - dconf_gnome_disable_wifi_create
++ - audit_rules_successful_file_modification_fchown
++ - sebool_git_system_enable_homedirs
++ - sebool_httpd_can_check_spam
++ - sebool_mpd_use_cifs
++ - sebool_xen_use_nfs
++ - sebool_samba_enable_home_dirs
++ - service_named_disabled
++ - service_syslogng_enabled
++ - sebool_sanlock_use_fusefs
++ - account_passwords_pam_faillock_audit
++ - sebool_ssh_keysign
++ - sebool_zebra_write_config
++ - auditd_data_retention_num_logs
++ - sebool_kerberos_enabled
++ - sebool_irc_use_any_tcp_ports
++ - package_xinetd_removed
++ - audit_rules_etc_gshadow_open_by_handle_at
++ - sebool_samba_export_all_rw
++ - audit_rules_successful_file_modification_truncate
++ - dhcp_server_minimize_served_info
++ - file_permissions_httpd_server_modules_files
++ - audit_rules_successful_file_modification_open_by_handle_at
++ - sebool_tmpreaper_use_samba
++ - sebool_xdm_sysadm_login
++ - sebool_samba_create_home_dirs
++ - sebool_login_console_enabled
++ - sebool_secadm_exec_content
++ - audit_rules_successful_file_modification_chmod
++ - sebool_nis_enabled
++ - sebool_cvs_read_shadow
++ - audit_rules_unsuccessful_file_modification_lsetxattr
++ - sebool_xend_run_qemu
++ - sebool_virt_use_comm
++ - installed_OS_is_FIPS_certified
++ - sebool_httpd_can_network_connect
++ - sebool_virt_sandbox_use_audit
++ - sshd_disable_root_password_login
++ - package_telnetd-ssl_removed
++ - sebool_puppetmaster_use_db
++ - audit_rules_successful_file_modification_ftruncate
++ - fapolicy_default_deny
++ - dconf_gnome_disable_power_settings
++ - sebool_mozilla_plugin_bind_unreserved_ports
++ - package_MFEhiplsm_installed
++ - sebool_fenced_can_ssh
++ - sebool_glance_use_execmem
++ - audit_rules_etc_passwd_openat
++ - sebool_rsync_full_access
++ - snmpd_no_rwusers
++ - mount_option_home_usrquota
++ - sebool_logging_syslogd_can_sendmail
++ - sebool_ftpd_use_passive_mode
++ - sebool_cluster_can_network_connect
++ - sebool_cdrecord_read_content
++ - sebool_antivirus_can_scan_system
++ - rsyslog_logging_configured
++ - sebool_httpd_manage_ipa
++ - sebool_samba_share_nfs
++ - sebool_domain_kernel_load_modules
++ - package_389-ds-base_removed
++ - sebool_logging_syslogd_use_tty
++ - audit_rules_etc_group_open
++ - sebool_secure_mode
++ - set_iptables_default_rule_forward
++ - service_rdisc_disabled
++ - zipl_vsyscall_argument
++ - audit_rules_unsuccessful_file_modification_openat_o_creat
++ - sebool_awstats_purge_apache_log_files
++ - sebool_httpd_tmp_exec
++ - package_postfix_installed
++ - sebool_sanlock_use_samba
++ - force_opensc_card_drivers
++ - audit_rules_successful_file_modification_creat
++ - sebool_domain_fd_use
++ - package_avahi-autoipd_removed
++ - sebool_httpd_can_connect_ftp
++ - sebool_httpd_anon_write
++ - sebool_dhcpd_use_ldap
++ - coreos_enable_selinux_kernel_argument
++ - sebool_postgresql_selinux_unconfined_dbadm
++ - kernel_disable_entropy_contribution_for_solid_state_drives
++ - sebool_use_fusefs_home_dirs
++ - audit_rules_successful_file_modification_lremovexattr
++ - sebool_virt_transition_userdomain
++ - package_freeradius_removed
++ - file_owner_efi_grub2_cfg
++ - sebool_httpd_tty_comm
++ - sebool_dbadm_read_user_files
++ - audit_rules_unsuccessful_file_modification_unlink
++ - auditd_audispd_disk_full_action
++ - sebool_exim_read_user_files
++ - ftp_limit_users
++ - sebool_zarafa_setrlimit
++ - kernel_module_mac80211_disabled
++ - sebool_kdumpgui_run_bootloader
++ - rsyslog_accept_remote_messages_tcp
++ - sebool_httpd_verify_dns
++ - accounts_password_pam_enforce_local
++ - usbguard_allow_hub
++ - sebool_polipo_use_nfs
++ - sebool_exim_can_connect_db
++ - sebool_unprivuser_use_svirt
++ - sebool_httpd_run_stickshift
++ - set_ipv6_loopback_traffic
++ - ftp_configure_firewall
++ - sebool_cron_can_relabel
++ - audit_rules_unsuccessful_file_modification_fremovexattr
++ - sebool_httpd_dbus_sssd
++ - sebool_xguest_connect_network
++ - package_geolite2-country_removed
++ - audit_rules_etc_group_open_by_handle_at
++ - sebool_daemons_use_tcp_wrapper
++ - sebool_use_nfs_home_dirs
++ - sshd_set_keepalive_0
++ - sebool_conman_can_network
++ - sebool_logrotate_use_nfs
++ - audit_rules_unsuccessful_file_modification_fchown
++ - sebool_httpd_can_network_connect_db
++ - sebool_gluster_export_all_rw
++ - sebool_named_write_master_zones
++ - sebool_postfix_local_write_mail_spool
++ - sebool_xguest_mount_media
++ - sebool_selinuxuser_rw_noexattrfile
++ - sebool_cron_system_cronjob_use_shares
++ - sebool_virt_use_rawip
++ - sebool_pcp_bind_all_unreserved_ports
++ - audit_rules_etc_gshadow_open
++ - sebool_saslauthd_read_shadow
++ - sebool_mock_enable_homedirs
++ - ntpd_specify_remote_server
++ - selinux_user_login_roles
++ - audit_rules_successful_file_modification_openat_o_creat
++ - kernel_module_iwlwifi_disabled
++ - sebool_zoneminder_anon_write
++ - sshd_enable_x11_forwarding
++ - dconf_gnome_screensaver_user_info
++ - sshd_disable_rhosts_rsa
++ - sebool_neutron_can_network
++ - sebool_ftpd_connect_db
++ - sebool_httpd_mod_auth_ntlm_winbind
++ - sebool_samba_share_fusefs
++ - harden_ssh_client_crypto_policy
++ - sebool_cobbler_use_cifs
++ - sebool_httpd_can_network_relay
++ - package_geolite2-city_removed
++ - set_iptables_default_rule
++ - sebool_piranha_lvs_can_network_connect
++ - usbguard_allow_hid
++ - package_talk_removed
++ - no_legacy_plus_entries_etc_shadow
++ - sebool_git_session_bind_all_unreserved_ports
++ - rsyslog_accept_remote_messages_udp
++ - sebool_boinc_execmem
++ - audit_rules_unsuccessful_file_modification_unlinkat
++ - sebool_fips_mode
++ - audit_rules_unsuccessful_file_modification_open_rule_order
++ - audit_rules_unsuccessful_file_modification_fchmodat
++ - sebool_polipo_session_users
++ - sebool_cluster_manage_all_files
++ - configure_firewalld_ports
 diff --git a/products/msvsphere9/profiles/session-monitor.profile b/products/msvsphere9/profiles/session-monitor.profile
 new file mode 100644
-index 00000000..594d59bb
+index 00000000..fdd4bf2f
 --- /dev/null
 +++ b/products/msvsphere9/profiles/session-monitor.profile
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,12 @@
 +documentation_complete: true
 +
 +title: 'Session-monitor profile for MSVSphere 9'
@@ -366,35 +1273,105 @@ index 00000000..594d59bb
 + the status changes
 +
 +selections:
-+ - accounts_password_minlen_login_defs
-+ - file_groupowner_etc_group
-+ - file_groupowner_etc_gshadow
-+ - file_groupowner_etc_passwd
-+ - file_groupowner_etc_shadow
-+ - file_owner_etc_group
-+ - file_owner_etc_gshadow
-+ - file_owner_etc_passwd
-+ - file_owner_etc_shadow
-+ - file_permissions_etc_group
-+ - file_permissions_etc_gshadow
-+ - file_permissions_etc_passwd
-+ - file_permissions_etc_shadow
-+ - no_empty_passwords
-+ - sshd_disable_root_login
-+ - sshd_disable_empty_passwords
-+ - sshd_idle_timeout_value=5_minutes
-+ - sshd_set_idle_timeout
-+ - var_sshd_set_keepalive=0
-+ - sshd_set_keepalive_0
-+ - package_audit_installed
 + - package_session-monitor_installed
 + - service_session-monitor_enabled
+diff --git a/products/msvsphere9/profiles/stig.profile b/products/msvsphere9/profiles/stig.profile
+new file mode 100644
+index 00000000..252a98c5
+--- /dev/null
++++ b/products/msvsphere9/profiles/stig.profile
+@@ -0,0 +1,30 @@
++documentation_complete: true
++
++metadata:
++ version: V1R3
++ SMEs:
++ - mab879
++ - ggbecker
++
++reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
++
++title: 'DISA STIG for Red Hat Enterprise Linux 9'
++
++description: |-
++ This profile contains configuration checks that align to the
++ DISA STIG for Red Hat Enterprise Linux 9 V1R3.
++
++ In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
++ configuration baseline as applicable to the operating system tier of
++ Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
++
++ - Red Hat Enterprise Linux Server
++ - Red Hat Enterprise Linux Workstation and Desktop
++ - Red Hat Enterprise Linux for HPC
++ - Red Hat Storage
++ - Red Hat Containers with a Red Hat Enterprise Linux 9 image
++
++selections:
++ - stig_rhel9:all
++ # Following rules once had a prodtype incompatible with the rhel9 product
++ - '!audit_rules_immutable_login_uids'
+diff --git a/products/msvsphere9/profiles/stig_gui.profile b/products/msvsphere9/profiles/stig_gui.profile
+new file mode 100644
+index 00000000..9d63ff7e
+--- /dev/null
++++ b/products/msvsphere9/profiles/stig_gui.profile
+@@ -0,0 +1,49 @@
++documentation_complete: true
++
++metadata:
++ version: V1R3
++ SMEs:
++ - mab879
++ - ggbecker
++
++reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
++
++title: 'DISA STIG with GUI for Red Hat Enterprise Linux 9'
++
++description: |-
++ This profile contains configuration checks that align to the
++ DISA STIG for Red Hat Enterprise Linux 9 V1R3.
++
++
++ In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
++ configuration baseline as applicable to the operating system tier of
++ Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
++
++ - Red Hat Enterprise Linux Server
++ - Red Hat Enterprise Linux Workstation and Desktop
++ - Red Hat Enterprise Linux for HPC
++ - Red Hat Storage
++ - Red Hat Containers with a Red Hat Enterprise Linux 9 image
++
++ Warning: The installation and use of a Graphical User Interface (GUI)
++ increases your attack vector and decreases your overall security posture. If
++ your Information Systems Security Officer (ISSO) lacks a documented operational
++ requirement for a graphical user interface, please consider using the
++ standard DISA STIG for Red Hat Enterprise Linux 9 profile.
++
++extends: stig
++
++selections:
++ # RHEL-09-215070
++ - '!xwindows_remove_packages'
++
++ # RHEL-09-211030
++ - '!xwindows_runlevel_target'
++
++ # RHEL-09-215025
++ - '!package_nfs-utils_removed'
++
++ # RHEL-09-213105
++ # Limiting user namespaces cause issues with user apps, such as Firefox and Cheese
++ # https://issues.redhat.com/browse/RHEL-10416
++ - '!sysctl_user_max_user_namespaces'
 diff --git a/products/msvsphere9/transforms/constants.xslt b/products/msvsphere9/transforms/constants.xslt
 new file mode 100644
-index 00000000..e85de907
+index 00000000..98fd9760
 --- /dev/null
 +++ b/products/msvsphere9/transforms/constants.xslt
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,18 @@
 +
 +
 +
@@ -405,11 +1382,13 @@ index 00000000..e85de907
 +msvsphere9
 +
 +
-+https://benchmarks.cisecurity.org/tools2/linux/CIS_MSVSphere_Benchmark_v1.0.pdf
-+
++
++
 +
 +
 +
++empty
++
 +
 diff --git a/products/msvsphere9/transforms/table-style.xslt b/products/msvsphere9/transforms/table-style.xslt
 new file mode 100644
@@ -424,7 +1403,7 @@ index 00000000..8b6caeab
 +
 diff --git a/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
 new file mode 100644
-index 00000000..f2f1d725
+index 00000000..4789419b
 --- /dev/null
 +++ b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
 @@ -0,0 +1,8 @@
@@ -433,7 +1412,7 @@ index 00000000..f2f1d725
 +
 +
 +
-+
++
 +
 +
 diff --git a/products/msvsphere9/transforms/xccdf2table-cce.xslt b/products/msvsphere9/transforms/xccdf2table-cce.xslt
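Review bot: The new stig.profile and stig_gui.profile under products/msvsphere9 keep the RHEL 9 title, description and SME list verbatim (`title: 'DISA STIG for Red Hat Enterprise Linux 9'`), so the rendered MSVSphere 9 guide will announce itself as a Red Hat benchmark. Either retitle them for MSVSphere 9 or add one sentence to each description stating that the RHEL 9 STIG V1R3 is applied unchanged to MSVSphere 9, and the stig_gui pointer to "the standard DISA STIG for Red Hat Enterprise Linux 9 profile" should name the msvsphere9 stig profile it actually extends. The `stig_rhel9:all` selection presumably needs the rhel9 control file to be resolvable from the msvsphere9 product; worth confirming the build finds it rather than selecting nothing. The session-monitor profile now selects only package_session-monitor_installed and service_session-monitor_enabled, so its description, which starts above this hunk, should be re-read against that reduced scope.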
@@ -506,6 +1485,34 @@ index 00000000..7db019aa
 +
 +
 +
+diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+index e5cf1ffb..56df0967 100644
+--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+@@ -7,6 +7,7 @@
+ multi_platform_anolis
+ multi_platform_debian
+ multi_platform_example
++ multi_platform_msvsphere
+ multi_platform_fedora
+ multi_platform_openembedded
+ multi_platform_openeuler
+diff --git a/shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml b/shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml
+new file mode 120000
+index 00000000..6f97d155
+--- /dev/null
++++ b/shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml
+@@ -0,0 +1 @@
++disa-stig-rhel9-v1r1-xccdf-scap.xml
+\ No newline at end of file
+diff --git a/shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml b/shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml
+new file mode 120000
+index 00000000..bf80a773
+--- /dev/null
++++ b/shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml
+@@ -0,0 +1 @@
++disa-stig-rhel9-v1r3-xccdf-manual.xml
+\ No newline at end of file
 diff --git a/ssg/constants.py b/ssg/constants.py
 index c0285809..5bc2ea24 100644
 --- a/ssg/constants.py
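Review bot: The two new reference symlinks resolve to different STIG releases — `disa-stig-msvsphere9-v1r1-xccdf-scap.xml` points at `disa-stig-rhel9-v1r1-xccdf-scap.xml` while `disa-stig-msvsphere9-v1r3-xccdf-manual.xml` points at `disa-stig-rhel9-v1r3-xccdf-manual.xml`, and the stig.profile added earlier in this patch declares `version: V1R3`. If the SCAP reference feeds the STIG ID and CCI mapping for msvsphere9, that mapping will trail the manual STIG by two releases; point both links at the same release, or record the reason for the mismatch in a comment beside them. Minor: the platform list in sysctl_kernel_ipv6_disable.xml reads alphabetically, so `multi_platform_msvsphere` belongs after `multi_platform_fedora` rather than before it.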
@@ -551,6 +1558,38 @@ index c0285809..5bc2ea24 100644
 'firefox': 'Mozilla Firefox',
 'macos': 'Apple macOS',
 'rhel': 'Red Hat Enterprise Linux',
+diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
+index 1c1560a8..83bc5bd1 100644
+--- a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
++++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
++# platform = multi_platform_rhel,multi_platform_msvsphere,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+ # reboot = false
+ # strategy = restrict
+ # complexity = low
+diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
+index 10ecee50..89067390 100644
+--- a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
++++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
++# platform = multi_platform_rhel,multi_platform_msvsphere,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+ # reboot = true
+ # strategy = restrict
+ # complexity = low
+diff --git a/tests/unit/ssg_test_suite/data/correct.pass.sh b/tests/unit/ssg_test_suite/data/correct.pass.sh
+index 8e5e284e..46e50b1a 100644
+--- a/tests/unit/ssg_test_suite/data/correct.pass.sh
++++ b/tests/unit/ssg_test_suite/data/correct.pass.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ # packages = sudo,authselect
+-# platform = multi_platform_rhel,Fedora
++# platform = multi_platform_rhel,multi_platform_msvsphere,Fedora
+ # profiles = xccdf_org.ssgproject.content_profile_cis
+ # remediation = none
+ # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
 --
 2.43.5
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index a40e107..0f14808 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -6,7 +6,7 @@
 Name: scap-security-guide
 Version: 0.1.73
-Release: 1%{?dist}.inferit.4
+Release: 1%{?dist}.inferit.5
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
@@ -96,7 +96,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %files doc
 %doc %{_docdir}/%{name}/guides/*.html
-##%%doc %{_docdir}/%{name}/tables/*.html
+%doc %{_docdir}/%{name}/tables/*.html
 %if %{defined rhel}
 %files rule-playbooks
@@ -105,6 +105,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 %changelog
+* Thu Sep 26 2024 Sergey Cherevko - 0.1.73-1.inferit.5
+- Next bump
+
 * Mon Sep 23 2024 Sergey Cherevko - 0.1.73-1.inferit.4
 - Try and bump version
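Review bot: Re-enabling `%doc %{_docdir}/%{name}/tables/*.html` in the `%files doc` section of scap-security-guide.spec makes the package build fail whenever no tables are generated, and neither this hunk nor the changelog entry in the hunk below it (`- Next bump`) records what now guarantees they exist or why the glob had been commented out as `##%%doc`. The changelog entry should describe the change, for example `- Ship generated HTML tables in the doc subpackage again`, and if tables are optional for some build configurations the line should be guarded accordingly.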