Added rule for tracking user sessions and locking screen when status changes

i9-inf1390 changed/i9-inf1390/scap-security-guide-0.1.73-1.el9_4.inferit.2
Sergey Cherevko 4 months ago
parent 3b4beaf3e2
commit 8ba4485703
Signed by: scherevko
GPG Key ID: D87CBBC16D2E4A72

@ -0,0 +1,541 @@
From 76c7cb36ce7552702001d11aad0f53aca069b8a6 Mon Sep 17 00:00:00 2001
From: Sergey Cherevko <s.cherevko@msvsphere-os.ru>
Date: Mon, 16 Sep 2024 18:15:46 +0300
Subject: [PATCH] Add session-monitor rule
---
CMakeLists.txt | 5 +
build_product | 1 +
components/session-monitor.yml | 6 +
.../rule.yml | 36 ++++++
.../service_session-monitor_enabled/rule.yml | 40 +++++++
products/msvsphere9/CMakeLists.txt | 8 ++
.../cpe/msvsphere9-cpe-dictionary.xml | 10 ++
.../ssg-msvsphere9-session-monitor-ks.cfg | 108 ++++++++++++++++++
products/msvsphere9/product.yml | 26 +++++
.../profiles/session-monitor.profile | 13 +++
products/msvsphere9/transforms/constants.xslt | 16 +++
.../msvsphere9/transforms/table-style.xslt | 5 +
.../transforms/xccdf-apply-overlay-stig.xslt | 8 ++
.../transforms/xccdf2table-cce.xslt | 9 ++
.../xccdf2table-profileccirefs.xslt | 9 ++
.../oval/installed_OS_is_msvsphere9.xml | 34 ++++++
ssg/constants.py | 6 +-
17 files changed, 339 insertions(+), 1 deletion(-)
create mode 100644 components/session-monitor.yml
create mode 100644 linux_os/guide/services/base/package_session-monitor_installed/rule.yml
create mode 100644 linux_os/guide/services/base/service_session-monitor_enabled/rule.yml
create mode 100644 products/msvsphere9/CMakeLists.txt
create mode 100644 products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml
create mode 100644 products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
create mode 100644 products/msvsphere9/product.yml
create mode 100644 products/msvsphere9/profiles/session-monitor.profile
create mode 100644 products/msvsphere9/transforms/constants.xslt
create mode 100644 products/msvsphere9/transforms/table-style.xslt
create mode 100644 products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
create mode 100644 products/msvsphere9/transforms/xccdf2table-cce.xslt
create mode 100644 products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
create mode 100644 shared/checks/oval/installed_OS_is_msvsphere9.xml
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5d4bc725..3197125e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -88,6 +88,7 @@ option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be buil
option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_EKS "If enabled, the EKS SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
+option(SSG_PRODUCT_MSVSPHERE9 "If enabled, the MSVSphere SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_MACOS1015 "If enabled, the Apple macOS 10.15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -317,6 +318,7 @@ message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}")
message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}")
message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
+message(STATUS "MSVSphere 9: ${SSG_PRODUCT_MSVSPHERE9}")
message(STATUS "EKS: ${SSG_PRODUCT_EKS}")
message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}")
@@ -402,6 +404,9 @@ endif()
if(SSG_PRODUCT_EXAMPLE)
add_subdirectory("products/example" "example")
endif()
+if(SSG_PRODUCT_MSVSPHERE9)
+ add_subdirectory("products/msvsphere9" "msvsphere9")
+endif()
if(SSG_PRODUCT_EKS)
add_subdirectory("products/eks" "eks")
endif()
diff --git a/build_product b/build_product
index e6fb8699..14f9c29e 100755
--- a/build_product
+++ b/build_product
@@ -354,6 +354,7 @@ all_cmake_products=(
DEBIAN11
DEBIAN12
EXAMPLE
+ MSVSPHERE9
EKS
FEDORA
FIREFOX
diff --git a/components/session-monitor.yml b/components/session-monitor.yml
new file mode 100644
index 00000000..af38d9b3
--- /dev/null
+++ b/components/session-monitor.yml
@@ -0,0 +1,6 @@
+name: session-monitor
+packages:
+- session-monitor
+rules:
+- package_session-monitor_installed
+- service_session-monitor_enabled
diff --git a/linux_os/guide/services/base/package_session-monitor_installed/rule.yml b/linux_os/guide/services/base/package_session-monitor_installed/rule.yml
new file mode 100644
index 00000000..479c7a83
--- /dev/null
+++ b/linux_os/guide/services/base/package_session-monitor_installed/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+
+title: 'Install the session-monitor package'
+
+description: |-
+ Monitor user sessions and lock screen on state change.
+ Useful if screen was changed.
+ {{{ describe_package_install(package="session-monitor") }}}
+
+rationale: |-
+ Monitor user sessions and lock screen on state change
+
+severity: low
+
+identifiers:
+ cce@rhel7: CCE-82403-7
+ cce@rhel8: CCE-82404-5
+
+references:
+ cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.06,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 6.1,SR 6.2,SR 7.6'
+ iso27001-2013: A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1,A.15.2.2,A.9.1.2
+ nist: AU-12(a),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="session-monitor") }}}'
+
+template:
+ name: package_installed
+ vars:
+ pkgname: session-monitor
diff --git a/linux_os/guide/services/base/service_session-monitor_enabled/rule.yml b/linux_os/guide/services/base/service_session-monitor_enabled/rule.yml
new file mode 100644
index 00000000..35942027
--- /dev/null
+++ b/linux_os/guide/services/base/service_session-monitor_enabled/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+
+title: 'Enable Process Accounting (session-monitor)'
+
+description: |-
+ Monitor user sessions and lock screen on state change.
+ Useful if screen was changed.
+ {{{ describe_package_install(package="session-monitor") }}}
+
+rationale: |-
+ Monitor user sessions and lock screen on state change
+
+severity: low
+
+identifiers:
+ cce@rhel7: CCE-80265-2
+ cce@rhel8: CCE-82401-1
+
+references:
+ cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.06,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 6.1,SR 6.2,SR 7.6'
+ iso27001-2013: A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1,A.15.2.2,A.9.1.2
+ nist: AU-12(a),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3
+
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="session-monitor") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="session-monitor") }}}
+
+platform: machine
+
+template:
+ name: service_enabled
+ vars:
+ servicename: session-monitor
diff --git a/products/msvsphere9/CMakeLists.txt b/products/msvsphere9/CMakeLists.txt
new file mode 100644
index 00000000..cc479a30
--- /dev/null
+++ b/products/msvsphere9/CMakeLists.txt
@@ -0,0 +1,8 @@
+# Sometimes our users will try to do: "cd msvsphere9; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "msvsphere9")
+
+ssg_build_product(${PRODUCT})
diff --git a/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml b/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml
new file mode 100644
index 00000000..78a20f6a
--- /dev/null
+++ b/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
+ <cpe-item name="cpe:/o:ncsd:msvsphere:9">
+ <title xml:lang="en-us">MSVSphere 9</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_OS_is_msvsphere9</check>
+ </cpe-item>
+</cpe-list>
diff --git a/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
new file mode 100644
index 00000000..d6916013
--- /dev/null
+++ b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
@@ -0,0 +1,108 @@
+# SCAP Security Guide ANSSI BP-028 (minimal) profile kickstart for Red Hat Enterprise Linux 8
+# Version: 0.0.1
+# Date: 2021-01-28
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+# For more information see the following documentation:
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang ru_RU.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard --vckeymap us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# Set the system time zone (required)
+timezone --utc Europe/Moscow
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g.
+# grub2-mkpasswd-pbkdf2
+# to see how to create encrypted password form for different plaintext password
+bootloader
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_session-monitor
+%end
+
+# Packages selection (%packages section is required)
+%packages
+%end
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/products/msvsphere9/product.yml b/products/msvsphere9/product.yml
new file mode 100644
index 00000000..f2b7f0f0
--- /dev/null
+++ b/products/msvsphere9/product.yml
@@ -0,0 +1,26 @@
+product: msvsphere9
+full_name: MSVSphere 9
+type: platform
+
+families:
+ - rhel
+ - rhel-like
+
+major_version_ordinal: 9
+
+benchmark_id: MSVSPHERE-9
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - msvsphere9:
+ name: "cpe:/o:ncsd:msvsphere:9"
+ title: "MSVSphere 9"
+ check_id: installed_OS_is_msvsphere9
diff --git a/products/msvsphere9/profiles/session-monitor.profile b/products/msvsphere9/profiles/session-monitor.profile
new file mode 100644
index 00000000..d261ebf5
--- /dev/null
+++ b/products/msvsphere9/profiles/session-monitor.profile
@@ -0,0 +1,13 @@
+documentation_complete: true
+
+title: 'Session-monitor profile for MSVSphere 9'
+
+description: |-
+ This profile contains the rule needed to monitor
+ user sessions and lock the screen when
+ the status changes
+
+selections:
+ - accounts_password_minlen_login_defs
+ - package_session-monitor_installed
+ - service_session-monitor_enabled
diff --git a/products/msvsphere9/transforms/constants.xslt b/products/msvsphere9/transforms/constants.xslt
new file mode 100644
index 00000000..e85de907
--- /dev/null
+++ b/products/msvsphere9/transforms/constants.xslt
@@ -0,0 +1,16 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">MSVSphere 9</xsl:variable>
+<xsl:variable name="product_short_name">MSVSphere9</xsl:variable>
+<xsl:variable name="product_stig_id_name">MSVSPHERE_STIG</xsl:variable>
+<xsl:variable name="prod_type">msvsphere9</xsl:variable>
+
+<!-- Define URI of official Center for Internet Security Benchmark for MSVSphere 9 -->
+<xsl:variable name="cisuri">https://benchmarks.cisecurity.org/tools2/linux/CIS_MSVSphere_Benchmark_v1.0.pdf</xsl:variable>
+
+<!-- Define URI for custom policy reference which can be used for linking to corporate policy -->
+<!--xsl:variable name="custom-ref-uri">https://www.example.org</xsl:variable-->
+
+</xsl:stylesheet>
diff --git a/products/msvsphere9/transforms/table-style.xslt b/products/msvsphere9/transforms/table-style.xslt
new file mode 100644
index 00000000..8b6caeab
--- /dev/null
+++ b/products/msvsphere9/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
new file mode 100644
index 00000000..f2f1d725
--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document()/xccdf:overlays" />
+
+</xsl:stylesheet>
diff --git a/products/msvsphere9/transforms/xccdf2table-cce.xslt b/products/msvsphere9/transforms/xccdf2table-cce.xslt
new file mode 100644
index 00000000..f156a669
--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt b/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
new file mode 100644
index 00000000..30419e92
--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/shared/checks/oval/installed_OS_is_msvsphere9.xml b/shared/checks/oval/installed_OS_is_msvsphere9.xml
new file mode 100644
index 00000000..7db019aa
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_msvsphere9.xml
@@ -0,0 +1,34 @@
+<def-group>
+ <definition class="inventory" id="installed_OS_is_msvsphere9" version="3">
+ <metadata>
+ <title>MSVSphere 9</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <reference ref_id="cpe:/o:ncsd:msvsphere:9" source="CPE" />
+ <description>The operating system installed on the system is MSVSphere 9</description>
+ </metadata>
+ <criteria comment="current OS is 9" operator="AND">
+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
+ <criterion comment="MSVSphere is installed" test_ref="test_msvsphere" />
+ <criterion comment="MSVSphere 9 is installed" test_ref="test_msvsphere9" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/msvsphere exists" id="test_msvsphere" version="1">
+ <unix:object object_ref="obj_msvsphere" />
+ </unix:file_test>
+ <unix:file_object comment="check /etc/msvsphere file" id="obj_msvsphere" version="1">
+ <unix:filepath>/etc/msvsphere</unix:filepath>
+ </unix:file_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Custom OS version" id="test_msvsphere9" version="1">
+ <ind:object object_ref="obj_msvsphere9" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_msvsphere9" version="1" comment="Check MSVSphere version">
+ <ind:filepath>/etc/msvsphere</ind:filepath>
+ <ind:pattern operation="pattern match">^9.[0-9]+$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/ssg/constants.py b/ssg/constants.py
index c0285809..5bc2ea24 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -45,6 +45,7 @@ product_directories = [
'chromium',
'debian10', 'debian11', 'debian12',
'example',
+ 'msvsphere9',
'eks',
'fedora',
'firefox',
@@ -205,6 +206,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
"Debian 11": "debian11",
"Debian 12": "debian12",
"Example": "example",
+ "MSVSphere 9": "msvsphere9",
"Amazon Elastic Kubernetes Service": "eks",
"Fedora": "fedora",
"Firefox": "firefox",
@@ -278,7 +280,7 @@ REFERENCES = dict(
)
-MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+MULTI_PLATFORM_LIST = ["rhel", "fedora", "msvsphere", "rhv", "debian", "ubuntu",
"openeuler",
"opensuse", "sle", "ol", "ocp", "rhcos",
"example", "eks", "alinux", "uos", "anolis", "openembedded"]
@@ -290,6 +292,7 @@ MULTI_PLATFORM_MAPPING = {
"multi_platform_example": ["example"],
"multi_platform_eks": ["eks"],
"multi_platform_fedora": ["fedora"],
+ "multi_platform_msvsphere": ["msvsphere9"],
"multi_platform_openeuler": ["openeuler2203"],
"multi_platform_opensuse": ["opensuse"],
"multi_platform_ol": ["ol7", "ol8", "ol9"],
@@ -455,6 +458,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
'anolis': 'Anolis OS',
'chromium': 'Google Chromium Browser',
'fedora': 'Fedora',
+ 'msvsphere': 'MSVSphere',
'firefox': 'Mozilla Firefox',
'macos': 'Apple macOS',
'rhel': 'Red Hat Enterprise Linux',
--
2.43.5

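Review bot: The kickstart `products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg` provisions a system whose root password is the publicly documented `server` (the `rootpw --iscrypted $6$...` line with its "Plaintext password is: server" comment), and the comment block above `bootloader` claims a GRUB password of `password` while the bare `bootloader` line sets none, so a reader is told a protection exists that the file does not apply. Either set it, `bootloader --iscrypted --password=<grub.pbkdf2.sha512 hash from grub2-mkpasswd-pbkdf2>`, or drop that comment, and mark the `rootpw` hash as a placeholder that must be replaced before use; the header still reads "ANSSI BP-028 (minimal) profile kickstart for Red Hat Enterprise Linux 8", which should name this profile and product. Separately, `service_session-monitor_enabled/rule.yml` pairs the `service_enabled` template with `ocil_clause_service_disabled` / `ocil_service_disabled`, so the manual check asks the opposite question; it should use `{{{ ocil_clause_service_enabled(service="session-monitor") }}}` and `{{{ ocil_service_enabled(service="session-monitor") }}}`, and its title `Enable Process Accounting (session-monitor)` looks copied from another rule. The `cce@rhel7` / `cce@rhel8` identifiers and the long cis-csc/cobit5/isa/iso reference lists in both new rules appear to be reused from an existing rule rather than allocated for this one, which would collide with that rule's CCEs; they should be freshly allocated or omitted. The profile also selects `accounts_password_minlen_login_defs`, which neither the profile description nor the commit message mentions.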
@ -6,7 +6,7 @@
Name: scap-security-guide
Version: 0.1.73
Release: 1%{?dist}.inferit.1
Release: 1%{?dist}.inferit.2
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
@ -14,7 +14,8 @@ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{versio
BuildArch: noarch
# MSVSphere
Patch1000: scap-security-guide-0.1.73-add-msvsphere9-product.patch
#Patch1000: scap-security-guide-0.1.73-add-msvsphere9-product.patch
Patch1000: 0001-Add-session-monitor-rule.patch
BuildRequires: libxslt
BuildRequires: expat
@ -95,7 +96,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%files doc
%doc %{_docdir}/%{name}/guides/*.html
%doc %{_docdir}/%{name}/tables/*.html
##%%doc %{_docdir}/%{name}/tables/*.html
%if %{defined rhel}
%files rule-playbooks
@ -104,6 +105,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif
%changelog
* Fri Sep 13 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 0.1.73-1.inferit.2
- Added rule for tracking user sessions and locking screen when status changes
* Thu Aug 29 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 0.1.73-1.inferit.1
- Fixup: try to add MSVSphere security profiles
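Review bot: The superseded line `#Patch1000: scap-security-guide-0.1.73-add-msvsphere9-product.patch` is kept as commented-out dead text while the same number is reused for `Patch1000: 0001-Add-session-monitor-rule.patch`; since the new patch recreates the msvsphere9 product files itself (per its diffstat), delete the commented line rather than leave two `Patch1000` declarations in the spec. The `%doc %{_docdir}/%{name}/tables/*.html` line is disabled as `##%%doc ...` without any changelog entry explaining why; if the msvsphere9 product does not generate tables and the glob fails, say so in a spec comment, e.g. `# tables/*.html are not generated for the msvsphere9 product`, or remove the line instead of commenting it out. The changelog date `Fri Sep 13 2024` also precedes the embedded patch's own date of 16 Sep 2024, which is worth double-checking.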
