Added rule for tracking user sessions and locking screen when status changes

2 months ago · 8ba4485703
parent 3b4beaf3e2
commit 8ba4485703
3 changed files with 548 additions and 20744 deletions
--- a/SOURCES/0001-Add-session-monitor-rule.patch
+++ b/SOURCES/0001-Add-session-monitor-rule.patch
@ -0,0 +1,541 @@
+From 76c7cb36ce7552702001d11aad0f53aca069b8a6 Mon Sep 17 00:00:00 2001
+From: Sergey Cherevko <s.cherevko@msvsphere-os.ru>
+Date: Mon, 16 Sep 2024 18:15:46 +0300
+Subject: [PATCH] Add session-monitor rule
+
+---
+ CMakeLists.txt                                |   5 +
+ build_product                                 |   1 +
+ components/session-monitor.yml                |   6 +
+ .../rule.yml                                  |  36 ++++++
+ .../service_session-monitor_enabled/rule.yml  |  40 +++++++
+ products/msvsphere9/CMakeLists.txt            |   8 ++
+ .../cpe/msvsphere9-cpe-dictionary.xml         |  10 ++
+ .../ssg-msvsphere9-session-monitor-ks.cfg     | 108 ++++++++++++++++++
+ products/msvsphere9/product.yml               |  26 +++++
+ .../profiles/session-monitor.profile          |  13 +++
+ products/msvsphere9/transforms/constants.xslt |  16 +++
+ .../msvsphere9/transforms/table-style.xslt    |   5 +
+ .../transforms/xccdf-apply-overlay-stig.xslt  |   8 ++
+ .../transforms/xccdf2table-cce.xslt           |   9 ++
+ .../xccdf2table-profileccirefs.xslt           |   9 ++
+ .../oval/installed_OS_is_msvsphere9.xml       |  34 ++++++
+ ssg/constants.py                              |   6 +-
+ 17 files changed, 339 insertions(+), 1 deletion(-)
+ create mode 100644 components/session-monitor.yml
+ create mode 100644 linux_os/guide/services/base/package_session-monitor_installed/rule.yml
+ create mode 100644 linux_os/guide/services/base/service_session-monitor_enabled/rule.yml
+ create mode 100644 products/msvsphere9/CMakeLists.txt
+ create mode 100644 products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml
+ create mode 100644 products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
+ create mode 100644 products/msvsphere9/product.yml
+ create mode 100644 products/msvsphere9/profiles/session-monitor.profile
+ create mode 100644 products/msvsphere9/transforms/constants.xslt
+ create mode 100644 products/msvsphere9/transforms/table-style.xslt
+ create mode 100644 products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
+ create mode 100644 products/msvsphere9/transforms/xccdf2table-cce.xslt
+ create mode 100644 products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
+ create mode 100644 shared/checks/oval/installed_OS_is_msvsphere9.xml
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 5d4bc725..3197125e 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -88,6 +88,7 @@ option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be buil
+ option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_EKS "If enabled, the EKS SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
+option(SSG_PRODUCT_MSVSPHERE9 "If enabled, the MSVSphere SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_MACOS1015 "If enabled, the Apple macOS 10.15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+@@ -317,6 +318,7 @@ message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
+ message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}")
+ message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}")
+ message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
+message(STATUS "MSVSphere 9: ${SSG_PRODUCT_MSVSPHERE9}")
+ message(STATUS "EKS: ${SSG_PRODUCT_EKS}")
+ message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
+ message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}")
+@@ -402,6 +404,9 @@ endif()
+ if(SSG_PRODUCT_EXAMPLE)
+     add_subdirectory("products/example" "example")
+ endif()
+if(SSG_PRODUCT_MSVSPHERE9)
+    add_subdirectory("products/msvsphere9" "msvsphere9")
+endif()
+ if(SSG_PRODUCT_EKS)
+     add_subdirectory("products/eks" "eks")
+ endif()
+diff --git a/build_product b/build_product
+index e6fb8699..14f9c29e 100755
+--- a/build_product
+++ b/build_product
+@@ -354,6 +354,7 @@ all_cmake_products=(
+ 	DEBIAN11
+ 	DEBIAN12
+ 	EXAMPLE
+	MSVSPHERE9
+ 	EKS
+ 	FEDORA
+ 	FIREFOX
+diff --git a/components/session-monitor.yml b/components/session-monitor.yml
+new file mode 100644
+index 00000000..af38d9b3
+--- /dev/null
+++ b/components/session-monitor.yml
+@@ -0,0 +1,6 @@
+name: session-monitor
+packages:
+- session-monitor
+rules:
+- package_session-monitor_installed
+- service_session-monitor_enabled
+diff --git a/linux_os/guide/services/base/package_session-monitor_installed/rule.yml b/linux_os/guide/services/base/package_session-monitor_installed/rule.yml
+new file mode 100644
+index 00000000..479c7a83
+--- /dev/null
+++ b/linux_os/guide/services/base/package_session-monitor_installed/rule.yml
+@@ -0,0 +1,36 @@
+documentation_complete: true
+
+
+title: 'Install the session-monitor package'
+
+description: |-
+    Monitor user sessions and lock screen on state change.
+    Useful if screen was changed.
+    {{{ describe_package_install(package="session-monitor") }}}
+
+rationale: |-
+    Monitor user sessions and lock screen on state change
+
+severity: low
+
+identifiers:
+    cce@rhel7: CCE-82403-7
+    cce@rhel8: CCE-82404-5
+
+references:
+    cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9
+    cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.06,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+    isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 6.1,SR 6.2,SR 7.6'
+    iso27001-2013: A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1,A.15.2.2,A.9.1.2
+    nist: AU-12(a),CM-6(a)
+    nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="session-monitor") }}}'
+
+template:
+    name: package_installed
+    vars:
+        pkgname: session-monitor
+diff --git a/linux_os/guide/services/base/service_session-monitor_enabled/rule.yml b/linux_os/guide/services/base/service_session-monitor_enabled/rule.yml
+new file mode 100644
+index 00000000..35942027
+--- /dev/null
+++ b/linux_os/guide/services/base/service_session-monitor_enabled/rule.yml
+@@ -0,0 +1,40 @@
+documentation_complete: true
+
+
+title: 'Enable Process Accounting (session-monitor)'
+
+description: |-
+    Monitor user sessions and lock screen on state change.
+    Useful if screen was changed.
+    {{{ describe_package_install(package="session-monitor") }}}
+
+rationale: |-
+    Monitor user sessions and lock screen on state change
+
+severity: low
+
+identifiers:
+    cce@rhel7: CCE-80265-2
+    cce@rhel8: CCE-82401-1
+
+references:
+    cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9
+    cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.06,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+    isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 6.1,SR 6.2,SR 7.6'
+    iso27001-2013: A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1,A.15.2.2,A.9.1.2
+    nist: AU-12(a),CM-6(a)
+    nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3
+
+ocil_clause: |-
+    {{{ ocil_clause_service_disabled(service="session-monitor") }}}
+
+ocil: |-
+    {{{ ocil_service_disabled(service="session-monitor") }}}
+
+platform: machine
+
+template:
+    name: service_enabled
+    vars:
+        servicename: session-monitor
+diff --git a/products/msvsphere9/CMakeLists.txt b/products/msvsphere9/CMakeLists.txt
+new file mode 100644
+index 00000000..cc479a30
+--- /dev/null
+++ b/products/msvsphere9/CMakeLists.txt
+@@ -0,0 +1,8 @@
+# Sometimes our users will try to do: "cd msvsphere9; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "msvsphere9")
+
+ssg_build_product(${PRODUCT})
+diff --git a/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml b/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml
+new file mode 100644
+index 00000000..78a20f6a
+--- /dev/null
+++ b/products/msvsphere9/cpe/msvsphere9-cpe-dictionary.xml
+@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
+      <cpe-item name="cpe:/o:ncsd:msvsphere:9">
+            <title xml:lang="en-us">MSVSphere 9</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_OS_is_msvsphere9</check>
+      </cpe-item>
+</cpe-list>
+diff --git a/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
+new file mode 100644
+index 00000000..d6916013
+--- /dev/null
+++ b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
+@@ -0,0 +1,108 @@
+# SCAP Security Guide ANSSI BP-028 (minimal) profile kickstart for Red Hat Enterprise Linux 8
+# Version: 0.0.1
+# Date: 2021-01-28
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+# For more information see the following documentation:
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url		the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang ru_RU.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard --vckeymap us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot	enable device at a boot time
+# --device	device to be activated and / or configured with the network command
+# --bootproto	method to obtain networking configuration for device (default dhcp)
+# --noipv6	disable IPv6 on this device
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# Set the system time zone (required)
+timezone --utc Europe/Moscow
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g.
+#   grub2-mkpasswd-pbkdf2
+# to see how to create encrypted password form for different plaintext password
+bootloader
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+# 
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux	erase all Linux partitions
+# --initlabel	initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#  
+#  Important
+#   Applying a security policy is not necessary on all systems. This screen should only be used
+#   when a specific policy is mandated by your organization rules or government regulations.
+#   Unlike most other commands, this add-on does not accept regular options, but uses key-value
+#   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+#   Values can be optionally enclosed in single quotes (') or double quotes (").
+#   
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+	content-type = scap-security-guide
+	profile = xccdf_org.ssgproject.content_profile_session-monitor
+%end
+
+# Packages selection (%packages section is required)
+%packages
+%end
+
+# Reboot after the installation is complete (optional)
+# --eject	attempt to eject CD or DVD media before rebooting
+reboot --eject
+diff --git a/products/msvsphere9/product.yml b/products/msvsphere9/product.yml
+new file mode 100644
+index 00000000..f2b7f0f0
+--- /dev/null
+++ b/products/msvsphere9/product.yml
+@@ -0,0 +1,26 @@
+product: msvsphere9
+full_name: MSVSphere 9
+type: platform
+
+families:
+  - rhel
+  - rhel-like
+
+major_version_ordinal: 9
+
+benchmark_id: MSVSPHERE-9
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+cpes_root: "../../shared/applicability"
+cpes:
+  - msvsphere9:
+      name: "cpe:/o:ncsd:msvsphere:9"
+      title: "MSVSphere 9"
+      check_id: installed_OS_is_msvsphere9
+diff --git a/products/msvsphere9/profiles/session-monitor.profile b/products/msvsphere9/profiles/session-monitor.profile
+new file mode 100644
+index 00000000..d261ebf5
+--- /dev/null
+++ b/products/msvsphere9/profiles/session-monitor.profile
+@@ -0,0 +1,13 @@
+documentation_complete: true
+
+title: 'Session-monitor profile for MSVSphere 9'
+
+description: |-
+    This profile contains the rule needed to monitor
+    user sessions and lock the screen when
+    the status changes
+
+selections:
+    - accounts_password_minlen_login_defs
+    - package_session-monitor_installed
+    - service_session-monitor_enabled
+diff --git a/products/msvsphere9/transforms/constants.xslt b/products/msvsphere9/transforms/constants.xslt
+new file mode 100644
+index 00000000..e85de907
+--- /dev/null
+++ b/products/msvsphere9/transforms/constants.xslt
+@@ -0,0 +1,16 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">MSVSphere 9</xsl:variable>
+<xsl:variable name="product_short_name">MSVSphere9</xsl:variable>
+<xsl:variable name="product_stig_id_name">MSVSPHERE_STIG</xsl:variable>
+<xsl:variable name="prod_type">msvsphere9</xsl:variable>
+
+<!-- Define URI of official Center for Internet Security Benchmark for MSVSphere 9 -->
+<xsl:variable name="cisuri">https://benchmarks.cisecurity.org/tools2/linux/CIS_MSVSphere_Benchmark_v1.0.pdf</xsl:variable>
+
+<!-- Define URI for custom policy reference which can be used for linking to corporate policy -->
+<!--xsl:variable name="custom-ref-uri">https://www.example.org</xsl:variable-->
+
+</xsl:stylesheet>
+diff --git a/products/msvsphere9/transforms/table-style.xslt b/products/msvsphere9/transforms/table-style.xslt
+new file mode 100644
+index 00000000..8b6caeab
+--- /dev/null
+++ b/products/msvsphere9/transforms/table-style.xslt
+@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>
+diff --git a/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
+new file mode 100644
+index 00000000..f2f1d725
+--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
+@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document()/xccdf:overlays" />
+
+</xsl:stylesheet>
+diff --git a/products/msvsphere9/transforms/xccdf2table-cce.xslt b/products/msvsphere9/transforms/xccdf2table-cce.xslt
+new file mode 100644
+index 00000000..f156a669
+--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf2table-cce.xslt
+@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
+diff --git a/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt b/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
+new file mode 100644
+index 00000000..30419e92
+--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
+@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
+diff --git a/shared/checks/oval/installed_OS_is_msvsphere9.xml b/shared/checks/oval/installed_OS_is_msvsphere9.xml
+new file mode 100644
+index 00000000..7db019aa
+--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_msvsphere9.xml
+@@ -0,0 +1,34 @@
+<def-group>
+  <definition class="inventory" id="installed_OS_is_msvsphere9" version="3">
+    <metadata>
+      <title>MSVSphere 9</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <reference ref_id="cpe:/o:ncsd:msvsphere:9" source="CPE" />
+      <description>The operating system installed on the system is MSVSphere 9</description>
+    </metadata>
+    <criteria comment="current OS is 9" operator="AND">
+      <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
+      <criterion comment="MSVSphere is installed" test_ref="test_msvsphere" />
+      <criterion comment="MSVSphere 9 is installed" test_ref="test_msvsphere9" />
+    </criteria>
+  </definition>
+
+  <unix:file_test check="all" check_existence="all_exist" comment="/etc/msvsphere exists" id="test_msvsphere" version="1">
+    <unix:object object_ref="obj_msvsphere" />
+  </unix:file_test>
+  <unix:file_object comment="check /etc/msvsphere file" id="obj_msvsphere" version="1">
+    <unix:filepath>/etc/msvsphere</unix:filepath>
+  </unix:file_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Custom OS version" id="test_msvsphere9" version="1">
+    <ind:object object_ref="obj_msvsphere9" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_msvsphere9" version="1" comment="Check MSVSphere version">
+    <ind:filepath>/etc/msvsphere</ind:filepath>
+    <ind:pattern operation="pattern match">^9.[0-9]+$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
+diff --git a/ssg/constants.py b/ssg/constants.py
+index c0285809..5bc2ea24 100644
+--- a/ssg/constants.py
+++ b/ssg/constants.py
+@@ -45,6 +45,7 @@ product_directories = [
+     'chromium',
+     'debian10', 'debian11', 'debian12',
+     'example',
+    'msvsphere9',
+     'eks',
+     'fedora',
+     'firefox',
+@@ -205,6 +206,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
+     "Debian 11": "debian11",
+     "Debian 12": "debian12",
+     "Example": "example",
+    "MSVSphere 9": "msvsphere9",
+     "Amazon Elastic Kubernetes Service": "eks",
+     "Fedora": "fedora",
+     "Firefox": "firefox",
+@@ -278,7 +280,7 @@ REFERENCES = dict(
+ )
+ 
+ 
+-MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+MULTI_PLATFORM_LIST = ["rhel", "fedora", "msvsphere", "rhv", "debian", "ubuntu",
+                        "openeuler",
+                        "opensuse", "sle", "ol", "ocp", "rhcos",
+                        "example", "eks", "alinux", "uos", "anolis", "openembedded"]
+@@ -290,6 +292,7 @@ MULTI_PLATFORM_MAPPING = {
+     "multi_platform_example": ["example"],
+     "multi_platform_eks": ["eks"],
+     "multi_platform_fedora": ["fedora"],
+    "multi_platform_msvsphere": ["msvsphere9"],
+     "multi_platform_openeuler": ["openeuler2203"],
+     "multi_platform_opensuse": ["opensuse"],
+     "multi_platform_ol": ["ol7", "ol8", "ol9"],
+@@ -455,6 +458,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
+     'anolis': 'Anolis OS',
+     'chromium': 'Google Chromium Browser',
+     'fedora': 'Fedora',
+    'msvsphere': 'MSVSphere',
+     'firefox': 'Mozilla Firefox',
+     'macos': 'Apple macOS',
+     'rhel': 'Red Hat Enterprise Linux',
+-- 
+2.43.5
+
--- a/SOURCES/scap-security-guide-0.1.73-add-msvsphere9-product.patch
+++ b/SOURCES/scap-security-guide-0.1.73-add-msvsphere9-product.patch
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -6,7 +6,7 @@

 Name:		scap-security-guide
 Version:	0.1.73
-Release:	1%{?dist}.inferit.1
+Release:	1%{?dist}.inferit.2
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@ -14,7 +14,8 @@ Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{versio
 BuildArch:	noarch

 # MSVSphere
-Patch1000:      scap-security-guide-0.1.73-add-msvsphere9-product.patch
+#Patch1000:      scap-security-guide-0.1.73-add-msvsphere9-product.patch
+Patch1000:      0001-Add-session-monitor-rule.patch

 BuildRequires:	libxslt
 BuildRequires:	expat
@ -95,7 +96,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md

 %files doc
 %doc %{_docdir}/%{name}/guides/*.html
-%doc %{_docdir}/%{name}/tables/*.html
+##%%doc %{_docdir}/%{name}/tables/*.html

 %if %{defined rhel}
 %files rule-playbooks
@ -104,6 +105,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif

 %changelog
+* Fri Sep 13 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 0.1.73-1.inferit.2
+- Added rule for tracking user sessions and locking screen when status changes
+
 * Thu Aug 29 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 0.1.73-1.inferit.1
 - Fixup: try to add MSVSphere security profiles