i9-inf1390
changed/i9-inf1390/scap-security-guide-0.1.73-1.el9_4.inferit.2
parent
3b4beaf3e2
commit
8ba4485703
@ -0,0 +1,541 @@
|
|||||||
|
From 76c7cb36ce7552702001d11aad0f53aca069b8a6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sergey Cherevko <s.cherevko@msvsphere-os.ru>
|
||||||
|
Date: Mon, 16 Sep 2024 18:15:46 +0300
|
||||||
|
Subject: [PATCH] Add session-monitor rule
|
||||||
|
|
||||||
|
---
|
||||||
|
CMakeLists.txt | 5 +
|
||||||
|
build_product | 1 +
|
||||||
|
components/session-monitor.yml | 6 +
|
||||||
|
.../rule.yml | 36 ++++++
|
||||||
|
.../service_session-monitor_enabled/rule.yml | 40 +++++++
|
||||||
|
products/msvsphere9/CMakeLists.txt | 8 ++
|
||||||
|
.../cpe/msvsphere9-cpe-dictionary.xml | 10 ++
|
||||||
|
.../ssg-msvsphere9-session-monitor-ks.cfg | 108 ++++++++++++++++++
|
||||||
|
products/msvsphere9/product.yml | 26 +++++
|
||||||
|
.../profiles/session-monitor.profile | 13 +++
|
||||||
|
products/msvsphere9/transforms/constants.xslt | 16 +++
|
||||||
|
.../msvsphere9/transforms/table-style.xslt | 5 +
|
||||||
|
.../transforms/xccdf-apply-overlay-stig.xslt | 8 ++
|
||||||
|
.../transforms/xccdf2table-cce.xslt | 9 ++
|
||||||
|
.../xccdf2table-profileccirefs.xslt | 9 ++
|
||||||
|
.../oval/installed_OS_is_msvsphere9.xml | 34 ++++++
|
||||||
|
ssg/constants.py | 6 +-
|
||||||
|
17 files changed, 339 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 components/session-monitor.yml
|
||||||
|
create mode 100644 linux_os/guide/services/base/package_session-monitor_installed/rule.yml
|
||||||
|
create mode 100644 linux_os/guide/services/base/service_session-monitor_enabled/rule.yml
|
||||||
|
create mode 100644 products/msvsphere9/CMakeLists.txt
|
||||||
|
create mode 100644 products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml
|
||||||
|
create mode 100644 products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
|
||||||
|
create mode 100644 products/msvsphere9/product.yml
|
||||||
|
create mode 100644 products/msvsphere9/profiles/session-monitor.profile
|
||||||
|
create mode 100644 products/msvsphere9/transforms/constants.xslt
|
||||||
|
create mode 100644 products/msvsphere9/transforms/table-style.xslt
|
||||||
|
create mode 100644 products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
|
||||||
|
create mode 100644 products/msvsphere9/transforms/xccdf2table-cce.xslt
|
||||||
|
create mode 100644 products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
|
||||||
|
create mode 100644 shared/checks/oval/installed_OS_is_msvsphere9.xml
|
||||||
|
|
||||||
|
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||||
|
index 5d4bc725..3197125e 100644
|
||||||
|
--- a/CMakeLists.txt
|
||||||
|
+++ b/CMakeLists.txt
|
||||||
|
@@ -88,6 +88,7 @@ option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be buil
|
||||||
|
option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
||||||
|
option(SSG_PRODUCT_EKS "If enabled, the EKS SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
||||||
|
option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
|
||||||
|
+option(SSG_PRODUCT_MSVSPHERE9 "If enabled, the MSVSphere SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
||||||
|
option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
||||||
|
option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
||||||
|
option(SSG_PRODUCT_MACOS1015 "If enabled, the Apple macOS 10.15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
||||||
|
@@ -317,6 +318,7 @@ message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
|
||||||
|
message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}")
|
||||||
|
message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}")
|
||||||
|
message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
|
||||||
|
+message(STATUS "MSVSphere 9: ${SSG_PRODUCT_MSVSPHERE9}")
|
||||||
|
message(STATUS "EKS: ${SSG_PRODUCT_EKS}")
|
||||||
|
message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
|
||||||
|
message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}")
|
||||||
|
@@ -402,6 +404,9 @@ endif()
|
||||||
|
if(SSG_PRODUCT_EXAMPLE)
|
||||||
|
add_subdirectory("products/example" "example")
|
||||||
|
endif()
|
||||||
|
+if(SSG_PRODUCT_MSVSPHERE9)
|
||||||
|
+ add_subdirectory("products/msvsphere9" "msvsphere9")
|
||||||
|
+endif()
|
||||||
|
if(SSG_PRODUCT_EKS)
|
||||||
|
add_subdirectory("products/eks" "eks")
|
||||||
|
endif()
|
||||||
|
diff --git a/build_product b/build_product
|
||||||
|
index e6fb8699..14f9c29e 100755
|
||||||
|
--- a/build_product
|
||||||
|
+++ b/build_product
|
||||||
|
@@ -354,6 +354,7 @@ all_cmake_products=(
|
||||||
|
DEBIAN11
|
||||||
|
DEBIAN12
|
||||||
|
EXAMPLE
|
||||||
|
+ MSVSPHERE9
|
||||||
|
EKS
|
||||||
|
FEDORA
|
||||||
|
FIREFOX
|
||||||
|
diff --git a/components/session-monitor.yml b/components/session-monitor.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..af38d9b3
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/components/session-monitor.yml
|
||||||
|
@@ -0,0 +1,6 @@
|
||||||
|
+name: session-monitor
|
||||||
|
+packages:
|
||||||
|
+- session-monitor
|
||||||
|
+rules:
|
||||||
|
+- package_session-monitor_installed
|
||||||
|
+- service_session-monitor_enabled
|
||||||
|
diff --git a/linux_os/guide/services/base/package_session-monitor_installed/rule.yml b/linux_os/guide/services/base/package_session-monitor_installed/rule.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..479c7a83
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/services/base/package_session-monitor_installed/rule.yml
|
||||||
|
@@ -0,0 +1,36 @@
|
||||||
|
+documentation_complete: true
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+title: 'Install the session-monitor package'
|
||||||
|
+
|
||||||
|
+description: |-
|
||||||
|
+ Monitor user sessions and lock screen on state change.
|
||||||
|
+ Useful if screen was changed.
|
||||||
|
+ {{{ describe_package_install(package="session-monitor") }}}
|
||||||
|
+
|
||||||
|
+rationale: |-
|
||||||
|
+ Monitor user sessions and lock screen on state change
|
||||||
|
+
|
||||||
|
+severity: low
|
||||||
|
+
|
||||||
|
+identifiers:
|
||||||
|
+ cce@rhel7: CCE-82403-7
|
||||||
|
+ cce@rhel8: CCE-82404-5
|
||||||
|
+
|
||||||
|
+references:
|
||||||
|
+ cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9
|
||||||
|
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.06,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
||||||
|
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
|
||||||
|
+ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 6.1,SR 6.2,SR 7.6'
|
||||||
|
+ iso27001-2013: A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1,A.15.2.2,A.9.1.2
|
||||||
|
+ nist: AU-12(a),CM-6(a)
|
||||||
|
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3
|
||||||
|
+
|
||||||
|
+ocil_clause: 'the package is not installed'
|
||||||
|
+
|
||||||
|
+ocil: '{{{ ocil_package(package="session-monitor") }}}'
|
||||||
|
+
|
||||||
|
+template:
|
||||||
|
+ name: package_installed
|
||||||
|
+ vars:
|
||||||
|
+ pkgname: session-monitor
|
||||||
|
diff --git a/linux_os/guide/services/base/service_session-monitor_enabled/rule.yml b/linux_os/guide/services/base/service_session-monitor_enabled/rule.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..35942027
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/services/base/service_session-monitor_enabled/rule.yml
|
||||||
|
@@ -0,0 +1,40 @@
|
||||||
|
+documentation_complete: true
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+title: 'Enable Process Accounting (session-monitor)'
|
||||||
|
+
|
||||||
|
+description: |-
|
||||||
|
+ Monitor user sessions and lock screen on state change.
|
||||||
|
+ Useful if screen was changed.
|
||||||
|
+ {{{ describe_package_install(package="session-monitor") }}}
|
||||||
|
+
|
||||||
|
+rationale: |-
|
||||||
|
+ Monitor user sessions and lock screen on state change
|
||||||
|
+
|
||||||
|
+severity: low
|
||||||
|
+
|
||||||
|
+identifiers:
|
||||||
|
+ cce@rhel7: CCE-80265-2
|
||||||
|
+ cce@rhel8: CCE-82401-1
|
||||||
|
+
|
||||||
|
+references:
|
||||||
|
+ cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9
|
||||||
|
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.06,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
||||||
|
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
|
||||||
|
+ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 6.1,SR 6.2,SR 7.6'
|
||||||
|
+ iso27001-2013: A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1,A.15.2.2,A.9.1.2
|
||||||
|
+ nist: AU-12(a),CM-6(a)
|
||||||
|
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3
|
||||||
|
+
|
||||||
|
+ocil_clause: |-
|
||||||
|
+ {{{ ocil_clause_service_disabled(service="session-monitor") }}}
|
||||||
|
+
|
||||||
|
+ocil: |-
|
||||||
|
+ {{{ ocil_service_disabled(service="session-monitor") }}}
|
||||||
|
+
|
||||||
|
+platform: machine
|
||||||
|
+
|
||||||
|
+template:
|
||||||
|
+ name: service_enabled
|
||||||
|
+ vars:
|
||||||
|
+ servicename: session-monitor
|
||||||
|
diff --git a/products/msvsphere9/CMakeLists.txt b/products/msvsphere9/CMakeLists.txt
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..cc479a30
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/products/msvsphere9/CMakeLists.txt
|
||||||
|
@@ -0,0 +1,8 @@
|
||||||
|
+# Sometimes our users will try to do: "cd msvsphere9; cmake ." That needs to error in a nice way.
|
||||||
|
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
|
||||||
|
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
|
||||||
|
+endif()
|
||||||
|
+
|
||||||
|
+set(PRODUCT "msvsphere9")
|
||||||
|
+
|
||||||
|
+ssg_build_product(${PRODUCT})
|
||||||
|
diff --git a/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml b/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..78a20f6a
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
+<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
|
||||||
|
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
+ xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
|
||||||
|
+ <cpe-item name="cpe:/o:ncsd:msvsphere:9">
|
||||||
|
+ <title xml:lang="en-us">MSVSphere 9</title>
|
||||||
|
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||||
|
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_OS_is_msvsphere9</check>
|
||||||
|
+ </cpe-item>
|
||||||
|
+</cpe-list>
|
||||||
|
diff --git a/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..d6916013
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
|
||||||
|
@@ -0,0 +1,108 @@
|
||||||
|
+# SCAP Security Guide ANSSI BP-028 (minimal) profile kickstart for Red Hat Enterprise Linux 8
|
||||||
|
+# Version: 0.0.1
|
||||||
|
+# Date: 2021-01-28
|
||||||
|
+#
|
||||||
|
+# Based on:
|
||||||
|
+# https://pykickstart.readthedocs.io/en/latest/
|
||||||
|
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||||
|
+# For more information see the following documentation:
|
||||||
|
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
|
||||||
|
+
|
||||||
|
+# Specify installation method to use for installation
|
||||||
|
+# To use a different one comment out the 'url' one below, update
|
||||||
|
+# the selected choice with proper options & un-comment it
|
||||||
|
+#
|
||||||
|
+# Install from an installation tree on a remote server via FTP or HTTP:
|
||||||
|
+# --url the URL to install from
|
||||||
|
+#
|
||||||
|
+# Example:
|
||||||
|
+#
|
||||||
|
+# url --url=http://192.168.122.1/image
|
||||||
|
+#
|
||||||
|
+# Modify concrete URL in the above example appropriately to reflect the actual
|
||||||
|
+# environment machine is to be installed in
|
||||||
|
+#
|
||||||
|
+# Other possible / supported installation methods:
|
||||||
|
+# * install from the first CD-ROM/DVD drive on the system:
|
||||||
|
+#
|
||||||
|
+# cdrom
|
||||||
|
+#
|
||||||
|
+# * install from a directory of ISO images on a local drive:
|
||||||
|
+#
|
||||||
|
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
||||||
|
+#
|
||||||
|
+# * install from provided NFS server:
|
||||||
|
+#
|
||||||
|
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
||||||
|
+#
|
||||||
|
+# Set language to use during installation and the default language to use on the installed system (required)
|
||||||
|
+lang ru_RU.UTF-8
|
||||||
|
+
|
||||||
|
+# Set system keyboard type / layout (required)
|
||||||
|
+keyboard --vckeymap us
|
||||||
|
+
|
||||||
|
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
||||||
|
+# --onboot enable device at a boot time
|
||||||
|
+# --device device to be activated and / or configured with the network command
|
||||||
|
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
||||||
|
+# --noipv6 disable IPv6 on this device
|
||||||
|
+network --onboot yes --bootproto dhcp
|
||||||
|
+
|
||||||
|
+# Set the system's root password (required)
|
||||||
|
+# Plaintext password is: server
|
||||||
|
+# Refer to e.g.
|
||||||
|
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||||
|
+# to see how to create encrypted password form for different plaintext password
|
||||||
|
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
|
||||||
|
+
|
||||||
|
+# Set the system time zone (required)
|
||||||
|
+timezone --utc Europe/Moscow
|
||||||
|
+
|
||||||
|
+# Specify how the bootloader should be installed (required)
|
||||||
|
+# Plaintext password is: password
|
||||||
|
+# Refer to e.g.
|
||||||
|
+# grub2-mkpasswd-pbkdf2
|
||||||
|
+# to see how to create encrypted password form for different plaintext password
|
||||||
|
+bootloader
|
||||||
|
+
|
||||||
|
+# Initialize (format) all disks (optional)
|
||||||
|
+zerombr
|
||||||
|
+
|
||||||
|
+# The following partition layout scheme assumes disk of size 20GB or larger
|
||||||
|
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
||||||
|
+#
|
||||||
|
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
||||||
|
+# --linux erase all Linux partitions
|
||||||
|
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
||||||
|
+clearpart --linux --initlabel
|
||||||
|
+
|
||||||
|
+# Create primary system partitions (required for installs)
|
||||||
|
+autopart
|
||||||
|
+
|
||||||
|
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
|
||||||
|
+# content - security policies - on the installed system.This add-on has been enabled by default
|
||||||
|
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
|
||||||
|
+# functionality will automatically be installed. However, by default, no policies are enforced,
|
||||||
|
+# meaning that no checks are performed during or after installation unless specifically configured.
|
||||||
|
+#
|
||||||
|
+# Important
|
||||||
|
+# Applying a security policy is not necessary on all systems. This screen should only be used
|
||||||
|
+# when a specific policy is mandated by your organization rules or government regulations.
|
||||||
|
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
|
||||||
|
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
|
||||||
|
+# Values can be optionally enclosed in single quotes (') or double quotes (").
|
||||||
|
+#
|
||||||
|
+# For more details and configuration options see
|
||||||
|
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
|
||||||
|
+%addon org_fedora_oscap
|
||||||
|
+ content-type = scap-security-guide
|
||||||
|
+ profile = xccdf_org.ssgproject.content_profile_session-monitor
|
||||||
|
+%end
|
||||||
|
+
|
||||||
|
+# Packages selection (%packages section is required)
|
||||||
|
+%packages
|
||||||
|
+%end
|
||||||
|
+
|
||||||
|
+# Reboot after the installation is complete (optional)
|
||||||
|
+# --eject attempt to eject CD or DVD media before rebooting
|
||||||
|
+reboot --eject
|
||||||
|
diff --git a/products/msvsphere9/product.yml b/products/msvsphere9/product.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..f2b7f0f0
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/products/msvsphere9/product.yml
|
||||||
|
@@ -0,0 +1,26 @@
|
||||||
|
+product: msvsphere9
|
||||||
|
+full_name: MSVSphere 9
|
||||||
|
+type: platform
|
||||||
|
+
|
||||||
|
+families:
|
||||||
|
+ - rhel
|
||||||
|
+ - rhel-like
|
||||||
|
+
|
||||||
|
+major_version_ordinal: 9
|
||||||
|
+
|
||||||
|
+benchmark_id: MSVSPHERE-9
|
||||||
|
+benchmark_root: "../../linux_os/guide"
|
||||||
|
+components_root: "../../components"
|
||||||
|
+
|
||||||
|
+profiles_root: "./profiles"
|
||||||
|
+
|
||||||
|
+pkg_manager: "dnf"
|
||||||
|
+
|
||||||
|
+init_system: "systemd"
|
||||||
|
+
|
||||||
|
+cpes_root: "../../shared/applicability"
|
||||||
|
+cpes:
|
||||||
|
+ - msvsphere9:
|
||||||
|
+ name: "cpe:/o:ncsd:msvsphere:9"
|
||||||
|
+ title: "MSVSphere 9"
|
||||||
|
+ check_id: installed_OS_is_msvsphere9
|
||||||
|
diff --git a/products/msvsphere9/profiles/session-monitor.profile b/products/msvsphere9/profiles/session-monitor.profile
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..d261ebf5
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/products/msvsphere9/profiles/session-monitor.profile
|
||||||
|
@@ -0,0 +1,13 @@
|
||||||
|
+documentation_complete: true
|
||||||
|
+
|
||||||
|
+title: 'Session-monitor profile for MSVSphere 9'
|
||||||
|
+
|
||||||
|
+description: |-
|
||||||
|
+ This profile contains the rule needed to monitor
|
||||||
|
+ user sessions and lock the screen when
|
||||||
|
+ the status changes
|
||||||
|
+
|
||||||
|
+selections:
|
||||||
|
+ - accounts_password_minlen_login_defs
|
||||||
|
+ - package_session-monitor_installed
|
||||||
|
+ - service_session-monitor_enabled
|
||||||
|
diff --git a/products/msvsphere9/transforms/constants.xslt b/products/msvsphere9/transforms/constants.xslt
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..e85de907
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/products/msvsphere9/transforms/constants.xslt
|
||||||
|
@@ -0,0 +1,16 @@
|
||||||
|
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||||||
|
+
|
||||||
|
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
|
||||||
|
+
|
||||||
|
+<xsl:variable name="product_long_name">MSVSphere 9</xsl:variable>
|
||||||
|
+<xsl:variable name="product_short_name">MSVSphere9</xsl:variable>
|
||||||
|
+<xsl:variable name="product_stig_id_name">MSVSPHERE_STIG</xsl:variable>
|
||||||
|
+<xsl:variable name="prod_type">msvsphere9</xsl:variable>
|
||||||
|
+
|
||||||
|
+<!-- Define URI of official Center for Internet Security Benchmark for MSVSphere 9 -->
|
||||||
|
+<xsl:variable name="cisuri">https://benchmarks.cisecurity.org/tools2/linux/CIS_MSVSphere_Benchmark_v1.0.pdf</xsl:variable>
|
||||||
|
+
|
||||||
|
+<!-- Define URI for custom policy reference which can be used for linking to corporate policy -->
|
||||||
|
+<!--xsl:variable name="custom-ref-uri">https://www.example.org</xsl:variable-->
|
||||||
|
+
|
||||||
|
+</xsl:stylesheet>
|
||||||
|
diff --git a/products/msvsphere9/transforms/table-style.xslt b/products/msvsphere9/transforms/table-style.xslt
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..8b6caeab
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/products/msvsphere9/transforms/table-style.xslt
|
||||||
|
@@ -0,0 +1,5 @@
|
||||||
|
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||||||
|
+
|
||||||
|
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
|
||||||
|
+
|
||||||
|
+</xsl:stylesheet>
|
||||||
|
diff --git a/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..f2f1d725
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
|
||||||
|
@@ -0,0 +1,8 @@
|
||||||
|
+<?xml version="1.0"?>
|
||||||
|
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
|
||||||
|
+
|
||||||
|
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
|
||||||
|
+<xsl:include href="constants.xslt"/>
|
||||||
|
+<xsl:variable name="overlays" select="document()/xccdf:overlays" />
|
||||||
|
+
|
||||||
|
+</xsl:stylesheet>
|
||||||
|
diff --git a/products/msvsphere9/transforms/xccdf2table-cce.xslt b/products/msvsphere9/transforms/xccdf2table-cce.xslt
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..f156a669
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/products/msvsphere9/transforms/xccdf2table-cce.xslt
|
||||||
|
@@ -0,0 +1,9 @@
|
||||||
|
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
|
||||||
|
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
|
||||||
|
+
|
||||||
|
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-cce.xslt"/>
|
||||||
|
+
|
||||||
|
+<xsl:include href="constants.xslt"/>
|
||||||
|
+<xsl:include href="table-style.xslt"/>
|
||||||
|
+
|
||||||
|
+</xsl:stylesheet>
|
||||||
|
diff --git a/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt b/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..30419e92
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
|
||||||
|
@@ -0,0 +1,9 @@
|
||||||
|
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
|
||||||
|
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
|
||||||
|
+
|
||||||
|
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
|
||||||
|
+
|
||||||
|
+<xsl:include href="constants.xslt"/>
|
||||||
|
+<xsl:include href="table-style.xslt"/>
|
||||||
|
+
|
||||||
|
+</xsl:stylesheet>
|
||||||
|
diff --git a/shared/checks/oval/installed_OS_is_msvsphere9.xml b/shared/checks/oval/installed_OS_is_msvsphere9.xml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..7db019aa
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/shared/checks/oval/installed_OS_is_msvsphere9.xml
|
||||||
|
@@ -0,0 +1,34 @@
|
||||||
|
+<def-group>
|
||||||
|
+ <definition class="inventory" id="installed_OS_is_msvsphere9" version="3">
|
||||||
|
+ <metadata>
|
||||||
|
+ <title>MSVSphere 9</title>
|
||||||
|
+ <affected family="unix">
|
||||||
|
+ <platform>multi_platform_all</platform>
|
||||||
|
+ </affected>
|
||||||
|
+ <reference ref_id="cpe:/o:ncsd:msvsphere:9" source="CPE" />
|
||||||
|
+ <description>The operating system installed on the system is MSVSphere 9</description>
|
||||||
|
+ </metadata>
|
||||||
|
+ <criteria comment="current OS is 9" operator="AND">
|
||||||
|
+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
|
||||||
|
+ <criterion comment="MSVSphere is installed" test_ref="test_msvsphere" />
|
||||||
|
+ <criterion comment="MSVSphere 9 is installed" test_ref="test_msvsphere9" />
|
||||||
|
+ </criteria>
|
||||||
|
+ </definition>
|
||||||
|
+
|
||||||
|
+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/msvsphere exists" id="test_msvsphere" version="1">
|
||||||
|
+ <unix:object object_ref="obj_msvsphere" />
|
||||||
|
+ </unix:file_test>
|
||||||
|
+ <unix:file_object comment="check /etc/msvsphere file" id="obj_msvsphere" version="1">
|
||||||
|
+ <unix:filepath>/etc/msvsphere</unix:filepath>
|
||||||
|
+ </unix:file_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Custom OS version" id="test_msvsphere9" version="1">
|
||||||
|
+ <ind:object object_ref="obj_msvsphere9" />
|
||||||
|
+ </ind:textfilecontent54_test>
|
||||||
|
+ <ind:textfilecontent54_object id="obj_msvsphere9" version="1" comment="Check MSVSphere version">
|
||||||
|
+ <ind:filepath>/etc/msvsphere</ind:filepath>
|
||||||
|
+ <ind:pattern operation="pattern match">^9.[0-9]+$</ind:pattern>
|
||||||
|
+ <ind:instance datatype="int">1</ind:instance>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+</def-group>
|
||||||
|
diff --git a/ssg/constants.py b/ssg/constants.py
|
||||||
|
index c0285809..5bc2ea24 100644
|
||||||
|
--- a/ssg/constants.py
|
||||||
|
+++ b/ssg/constants.py
|
||||||
|
@@ -45,6 +45,7 @@ product_directories = [
|
||||||
|
'chromium',
|
||||||
|
'debian10', 'debian11', 'debian12',
|
||||||
|
'example',
|
||||||
|
+ 'msvsphere9',
|
||||||
|
'eks',
|
||||||
|
'fedora',
|
||||||
|
'firefox',
|
||||||
|
@@ -205,6 +206,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
|
||||||
|
"Debian 11": "debian11",
|
||||||
|
"Debian 12": "debian12",
|
||||||
|
"Example": "example",
|
||||||
|
+ "MSVSphere 9": "msvsphere9",
|
||||||
|
"Amazon Elastic Kubernetes Service": "eks",
|
||||||
|
"Fedora": "fedora",
|
||||||
|
"Firefox": "firefox",
|
||||||
|
@@ -278,7 +280,7 @@ REFERENCES = dict(
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
-MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
|
||||||
|
+MULTI_PLATFORM_LIST = ["rhel", "fedora", "msvsphere", "rhv", "debian", "ubuntu",
|
||||||
|
"openeuler",
|
||||||
|
"opensuse", "sle", "ol", "ocp", "rhcos",
|
||||||
|
"example", "eks", "alinux", "uos", "anolis", "openembedded"]
|
||||||
|
@@ -290,6 +292,7 @@ MULTI_PLATFORM_MAPPING = {
|
||||||
|
"multi_platform_example": ["example"],
|
||||||
|
"multi_platform_eks": ["eks"],
|
||||||
|
"multi_platform_fedora": ["fedora"],
|
||||||
|
+ "multi_platform_msvsphere": ["msvsphere9"],
|
||||||
|
"multi_platform_openeuler": ["openeuler2203"],
|
||||||
|
"multi_platform_opensuse": ["opensuse"],
|
||||||
|
"multi_platform_ol": ["ol7", "ol8", "ol9"],
|
||||||
|
@@ -455,6 +458,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
|
||||||
|
'anolis': 'Anolis OS',
|
||||||
|
'chromium': 'Google Chromium Browser',
|
||||||
|
'fedora': 'Fedora',
|
||||||
|
+ 'msvsphere': 'MSVSphere',
|
||||||
|
'firefox': 'Mozilla Firefox',
|
||||||
|
'macos': 'Apple macOS',
|
||||||
|
'rhel': 'Red Hat Enterprise Linux',
|
||||||
|
--
|
||||||
|
2.43.5
|
||||||
|
|
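Review bot: In linux_os/guide/services/base/service_session-monitor_enabled/rule.yml the OCIL uses `ocil_clause_service_disabled` and `ocil_service_disabled` for a rule whose template is `service_enabled`, so the manual check appears to ask the opposite of what the automated check asserts; the enabled variants, `{{{ ocil_clause_service_enabled(service="session-monitor") }}}` and `{{{ ocil_service_enabled(service="session-monitor") }}}`, are what sibling service-enabled rules use, and the description should call `describe_service_enable` rather than `describe_package_install`. Both new rule.yml files also carry `cce@rhel7`/`cce@rhel8` identifiers, a reference block and (in the service rule) the title "Enable Process Accounting" that look inherited from whichever rule was copied; a CCE must identify exactly one rule, so these should be removed or replaced with freshly allocated ones before the content is built. In the kickstart, the header still describes an ANSSI RHEL 8 profile, the comment above `bootloader` announces a password that is never set, and `rootpw` keeps the upstream placeholder hash whose plaintext is stated in the comment above it, so the file should at minimum say that both values must be replaced before an install. In shared/checks/oval/installed_OS_is_msvsphere9.xml the pattern `^9.[0-9]+$` leaves the dot unescaped, so `^9\.[0-9]+$` would match only the intended version strings.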