From b23be587f5dff05eb8d9eb5c48fb661de9922fd0 Mon Sep 17 00:00:00 2001 
From: Sergey Cherevko Date: Thu, 26 Sep 2024 19:36:57 +0300 Subject: [PATCH] Add session-monitor rule --- CMakeLists.txt | 5 + build_product | 1 + components/session-monitor.yml | 6 + .../rule.yml | 27 + .../service_session-monitor_enabled/rule.yml | 27 + products/msvsphere9/CMakeLists.txt | 26 + .../ssg-msvsphere9-session-monitor-ks.cfg | 124 ++++ .../kickstart/ssg-msvsphere9-stig_gui-ks.cfg | 144 +++++ products/msvsphere9/overlays/srg_support.xml | 173 ++++++ products/msvsphere9/product.yml | 26 + products/msvsphere9/profiles/default.profile | 555 ++++++++++++++++++ .../profiles/session-monitor.profile | 12 + products/msvsphere9/profiles/stig.profile | 30 + products/msvsphere9/profiles/stig_gui.profile | 49 ++ products/msvsphere9/transforms/constants.xslt | 18 + .../msvsphere9/transforms/table-style.xslt | 5 + .../transforms/xccdf-apply-overlay-stig.xslt | 8 + .../transforms/xccdf2table-cce.xslt | 9 + .../xccdf2table-profileccirefs.xslt | 9 + .../oval/installed_OS_is_msvsphere9.xml | 34 ++ .../oval/sysctl_kernel_ipv6_disable.xml | 1 + .../disa-stig-msvsphere9-v1r1-xccdf-scap.xml | 1 + ...disa-stig-msvsphere9-v1r3-xccdf-manual.xml | 1 + ssg/constants.py | 6 +- .../guide/selinux_state/ansible/shared.yml | 2 +- .../guide/selinux_state/bash/shared.sh | 2 +- .../unit/ssg_test_suite/data/correct.pass.sh | 2 +- 27 files changed, 1299 insertions(+), 4 deletions(-) create mode 100644 components/session-monitor.yml create mode 100644 linux_os/guide/system/software/system-tools/package_session-monitor_installed/rule.yml create mode 100644 linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml create mode 100644 products/msvsphere9/CMakeLists.txt create mode 100644 products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg create mode 100644 products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg create mode 100644 products/msvsphere9/overlays/srg_support.xml create mode 100644 products/msvsphere9/product.yml create mode 100644 
products/msvsphere9/profiles/default.profile
create mode 100644 products/msvsphere9/profiles/session-monitor.profile
create mode 100644 products/msvsphere9/profiles/stig.profile
create mode 100644 products/msvsphere9/profiles/stig_gui.profile
create mode 100644 products/msvsphere9/transforms/constants.xslt
create mode 100644 products/msvsphere9/transforms/table-style.xslt
create mode 100644 products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
create mode 100644 products/msvsphere9/transforms/xccdf2table-cce.xslt
create mode 100644 products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
create mode 100644 shared/checks/oval/installed_OS_is_msvsphere9.xml
create mode 120000 shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml
create mode 120000 shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5d4bc725..3197125e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -88,6 +88,7 @@ option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be buil
 option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_EKS "If enabled, the EKS SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
+option(SSG_PRODUCT_MSVSPHERE9 "If enabled, the MSVSphere SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_MACOS1015 "If enabled, the Apple macOS 10.15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
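Review bot: The new option's description omits the version ("the MSVSphere SCAP content") while the cache name and the status line added in the next hunk both say "MSVSphere 9", and every neighbouring option spells its version out; `option(SSG_PRODUCT_MSVSPHERE9 "If enabled, the MSVSphere 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})` keeps the list consistent. The insertion point between EXAMPLE and FEDORA also breaks the alphabetical order the surrounding options appear to follow (EKS, EXAMPLE, FEDORA, FIREFOX, MACOS1015 ...); the status message, the add_subdirectory block in the two following hunks and the build_product list place MSVSPHERE9 in the same spot, so the same remark applies there.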
@@ -317,6 +318,7 @@ message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
 message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}")
 message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}")
 message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
+message(STATUS "MSVSphere 9: ${SSG_PRODUCT_MSVSPHERE9}")
 message(STATUS "EKS: ${SSG_PRODUCT_EKS}")
 message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
 message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}")
@@ -402,6 +404,9 @@ endif()
 if(SSG_PRODUCT_EXAMPLE)
 add_subdirectory("products/example" "example")
 endif()
+if(SSG_PRODUCT_MSVSPHERE9)
+ add_subdirectory("products/msvsphere9" "msvsphere9")
+endif()
 if(SSG_PRODUCT_EKS)
 add_subdirectory("products/eks" "eks")
 endif()
diff --git a/build_product b/build_product
index e6fb8699..14f9c29e 100755
--- a/build_product
+++ b/build_product
@@ -354,6 +354,7 @@ all_cmake_products=(
 DEBIAN11
 DEBIAN12
 EXAMPLE
+ MSVSPHERE9
 EKS
 FEDORA
 FIREFOX
diff --git a/components/session-monitor.yml b/components/session-monitor.yml
new file mode 100644
index 00000000..af38d9b3
--- /dev/null
+++ b/components/session-monitor.yml
@@ -0,0 +1,6 @@
+name: session-monitor
+packages:
+- session-monitor
+rules:
+- package_session-monitor_installed
+- service_session-monitor_enabled
diff --git a/linux_os/guide/system/software/system-tools/package_session-monitor_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_session-monitor_installed/rule.yml
new file mode 100644
index 00000000..c2b5f232
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/package_session-monitor_installed/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+
+title: 'Install the session-monitor package'
+
+description: |-
+ Monitor user sessions and lock screen on state change.
+ Useful if screen was changed.
+ {{{ describe_package_install(package="session-monitor") }}}
+
+rationale: |-
+ Monitor user sessions and lock screen on state change
+
+severity: high
+
+identifiers:
+ cce@rhel7: CCE-82403-7
+ cce@rhel8: CCE-82404-5
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="session-monitor") }}}'
+
+template:
+ name: package_installed
+ vars:
+ pkgname: session-monitor
diff --git a/linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml b/linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml
new file mode 100644
index 00000000..9374fcc3
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+
+title: 'Enable Process Accounting (session-monitor)'
+
+description: |-
+ Monitor user sessions and lock screen on state change.
+ Useful if screen was changed.
+ {{{ describe_package_install(package="session-monitor") }}}
+
+rationale: |-
+ Monitor user sessions and lock screen on state change
+
+severity: low
+
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="session-monitor") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="session-monitor") }}}
+
+platform: machine
+
+template:
+ name: service_enabled
+ vars:
+ servicename: session-monitor
diff --git a/products/msvsphere9/CMakeLists.txt b/products/msvsphere9/CMakeLists.txt
new file mode 100644
index 00000000..ca7ee52f
--- /dev/null
+++ b/products/msvsphere9/CMakeLists.txt
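Review bot: The `identifiers` block assigns `cce@rhel7: CCE-82403-7` and `cce@rhel8: CCE-82404-5` to a rule that only the new msvsphere9 product selects, and the companion service rule's "Enable Process Accounting" title suggests both files were cloned from an existing rule; if those CCEs are already held by the rule they were copied from, the build's CCE uniqueness check will reject this one, so either drop the block or allocate fresh identifiers (there is no `cce@msvsphere9` entry at all). The `rationale` merely repeats the description; it should say why the package matters, e.g. that a session left unlocked after a state change is a path to unauthorised access. "Useful if screen was changed." is unclear — name the state change that triggers the lock. Severity is `high` here but `low` in the service rule, even though an installed-but-disabled monitor protects nothing; the two should agree.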
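Review bot: The title `Enable Process Accounting (session-monitor)` describes psacct-style process accounting rather than a session monitor, and the description calls `describe_package_install(package="session-monitor")` although this is the service rule; use `title: 'Enable the session-monitor Service'` and `{{{ describe_service_enable(service="session-monitor") }}}` so the rendered guidance matches the `service_enabled` template below. The rationale is byte-identical to the package rule's and should instead state the consequence of the service being disabled (sessions are no longer locked on a state change). `severity: low` contradicts the `high` on the package rule this service depends on.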
@@ -0,0 +1,26 @@
+# Sometimes our users will try to do: "cd msvsphere9; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "msvsphere9")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_cce_table(${PRODUCT})
+
+ssg_build_html_srgmap_tables(${PRODUCT})
+
+if(SSG_SRG_XLSX_EXPORT)
+ ssg_build_xlsx_srg_export(${PRODUCT} "srg_gpos")
+endif()
+
+ssg_build_html_stig_tables(${PRODUCT})
+ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")
+ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig_gui")
+
+#ssg_build_html_stig_tables(${PRODUCT} "ospp")
+
+if(SSG_CENTOS_DERIVATIVES_ENABLED)
+ ssg_build_derivative_product(${PRODUCT} "centos" "cs9")
+endif()
diff --git a/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
new file mode 100644
index 00000000..447b36a5
--- /dev/null
+++ b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
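Review bot: `ssg_build_derivative_product(${PRODUCT} "centos" "cs9")` looks carried over from the rhel9 product file: under SSG_CENTOS_DERIVATIVES_ENABLED it derives CentOS Stream 9 content from the MSVSphere benchmark, and if the rhel9 product also builds a "cs9" derivative the two would emit outputs under the same derivative name. Unless MSVSphere is really meant to be the base for cs9, drop the whole `if(SSG_CENTOS_DERIVATIVES_ENABLED)` block. The commented-out `#ssg_build_html_stig_tables(${PRODUCT} "ospp")` is dead code and should be deleted rather than kept; if the ospp tables are intended later, a short comment saying so is clearer than a disabled call.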
@@ -0,0 +1,124 @@
+# SCAP Security Guide ANSSI BP-028 (minimal) profile kickstart for Red Hat Enterprise Linux 8
+# Version: 0.0.1
+# Date: 2021-01-28
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+# For more information see the following documentation:
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang ru_RU.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard --vckeymap us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+##network --onboot yes --bootproto dhcp
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set the system time zone (required)
+timezone --utc Europe/Moscow
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g.
+# grub2-mkpasswd-pbkdf2
+# to see how to create encrypted password form for different plaintext password
+bootloader
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+##%addon org_fedora_oscap
+%addon com_redha_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_session-monitor
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require 'Server with GUI' package environment to be installed
+@^Server with GUI
+
+%end
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg b/products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg
new file mode 100644
index 00000000..89744815
--- /dev/null
+++ b/products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg
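Review bot: `%addon com_redha_oscap` is misspelled (the sibling stig_gui kickstart uses `%addon com_redhat_oscap`), so the OpenSCAP add-on section will not be matched and the session-monitor profile is never applied — the installation still completes, just without the hardening this file exists to apply; change it to `%addon com_redhat_oscap`. The three comment lines above `bootloader` announce "Plaintext password is: password" and point at grub2-mkpasswd-pbkdf2, yet the command carries no `--password`, so either set the GRUB password as the stig_gui file does or drop those comments; as written the file documents a protection it does not configure. The header still reads "ANSSI BP-028 (minimal) profile kickstart for Red Hat Enterprise Linux 8" with a 2021 date and should name the session-monitor profile and MSVSphere 9. `network --device eth0` pins an interface name the sibling file leaves unspecified; on an install using predictable interface names that device may not exist and the network line would fail to apply.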
@@ -0,0 +1,144 @@
+# SCAP Security Guide STIG with GUI profile kickstart for AlmaLinux 9
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+# For more information see the following documentation:
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang ru_RU.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard --vckeymap us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc Europe/Moscow
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g.
+# grub2-mkpasswd-pbkdf2
+# to see how to create encrypted password form for different plaintext password
+bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec"
+logvol swap --name=swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_stig_gui
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+@Server with GUI
+
+%end
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
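Review bot: `@Server with GUI` in the `%packages` section lacks the `^` prefix the session-monitor kickstart uses (`@^Server with GUI`); "Server with GUI" is an environment rather than a package group, and without `^` the installer may try to resolve it as a group and fail, so the two files should use the same spelling. The header line names "AlmaLinux 9" although this is the MSVSphere 9 STIG GUI kickstart; it should read `# SCAP Security Guide STIG with GUI profile kickstart for MSVSphere 9`. The rootpw and user lines keep the template's fixed hashes with their plaintext documented in the comments; that matches the existing SSG sample kickstarts, but a one-line header note that they are placeholders to replace before use would help anyone deploying this file as-is.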
diff --git a/products/msvsphere9/overlays/srg_support.xml b/products/msvsphere9/overlays/srg_support.xml
new file mode 100644
index 00000000..e5334dee
--- /dev/null
+++ b/products/msvsphere9/overlays/srg_support.xml
@@ -0,0 +1,173 @@
+
diff --git a/products/msvsphere9/product.yml b/products/msvsphere9/product.yml
new file mode 100644
index 00000000..f2b7f0f0
--- /dev/null
+++ b/products/msvsphere9/product.yml
@@ -0,0 +1,26 @@
+product: msvsphere9
+full_name: MSVSphere 9
+type: platform
+
+families:
+ - rhel
+ - rhel-like
+
+major_version_ordinal: 9
+
+benchmark_id: MSVSPHERE-9
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - msvsphere9:
+ name: "cpe:/o:ncsd:msvsphere:9"
+ title: "MSVSphere 9"
+ check_id: installed_OS_is_msvsphere9
diff --git a/products/msvsphere9/profiles/default.profile b/products/msvsphere9/profiles/default.profile
new file mode 100644
index 00000000..567393e8
--- /dev/null
+++ b/products/msvsphere9/profiles/default.profile
@@ -0,0 +1,555 @@ +documentation_complete: true + +hidden: true + +title: Default Profile for MSVSphere 9 + +description: |- + This profile contains all the rules that once belonged to the + rhel9 product via 'prodtype'. This profile won't + be rendered into an XCCDF Profile entity, nor it will select any + of these rules by default. The only purpose of this profile + is to keep a rule in the product's XCCDF Benchmark. + +selections: + - sebool_nfsd_anon_write + - sebool_squid_connect_any + - sebool_polipo_connect_all_unreserved + - audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write + - auditd_data_disk_full_action + - mount_option_var_tmp_bind + - sebool_selinuxuser_use_ssh_chroot + - sebool_condor_tcp_network_connect + - sebool_xserver_object_manager + - mount_option_home_grpquota + - sebool_mpd_enable_homedirs + - sebool_logadm_exec_content + - auditd_audispd_encrypt_sent_records + - audit_rules_unsuccessful_file_modification_openat_rule_order + - sebool_logwatch_can_network_connect_mail + - sebool_mpd_use_nfs + - sebool_virt_use_sanlock + - kernel_module_vfat_disabled + - sebool_xguest_use_bluetooth + - sebool_puppetagent_manage_all_files + - sshd_use_strong_rng + - grub2_uefi_admin_username + - sebool_staff_use_svirt + - audit_rules_successful_file_modification_lsetxattr + - sebool_daemons_enable_cluster_mode + - package_krb5-workstation_removed + - package_samba-common_installed + - sebool_httpd_enable_cgi + - accounts_passwords_pam_faillock_silent + - xwindows_remove_packages + - sebool_httpd_can_network_memcache + - sebool_git_system_use_nfs + - sudoers_no_root_target + - sebool_httpd_can_connect_zabbix + - sebool_samba_portmapper + - audit_rules_etc_shadow_open + - sebool_httpd_graceful_shutdown + - sebool_ftpd_use_fusefs + - service_cups_disabled + - sebool_selinuxuser_ping + - sebool_unconfined_chrome_sandbox_transition + - dconf_gnome_screensaver_lock_locked + - package_ntpdate_removed + - package_avahi_removed + - 
file_groupowner_efi_user_cfg + - set_loopback_traffic + - ntpd_specify_multiple_servers + - sebool_gitosis_can_sendmail + - audit_rules_unsuccessful_file_modification_renameat + - sebool_pcp_read_generic_logs + - sebool_httpd_run_ipa + - sebool_selinuxuser_share_music + - file_groupowner_var_log_syslog + - service_netfs_disabled + - sebool_dbadm_manage_user_files + - sebool_smbd_anon_write + - auditd_audispd_configure_remote_server + - service_ypserv_disabled + - sebool_nagios_run_sudo + - sebool_dbadm_exec_content + - package_ntp_installed + - package_cron_installed + - dconf_gnome_screensaver_idle_activation_locked + - audit_rules_successful_file_modification_unlinkat + - package_audit-audispd-plugins_installed + - sebool_xserver_clients_write_xshm + - sebool_xdm_exec_bootloader + - sebool_httpd_serve_cobbler_files + - sebool_use_ecryptfs_home_dirs + - sebool_container_connect_any + - sebool_sge_domain_can_network_connect + - sebool_staff_exec_content + - file_permissions_home_dirs + - audit_rules_privileged_commands_newgidmap + - sebool_ssh_chroot_rw_homedirs + - sebool_virt_use_xserver + - sebool_mozilla_plugin_use_spice + - sebool_tmpreaper_use_nfs + - sebool_httpd_can_connect_ldap + - sudoers_default_includedir + - sebool_mmap_low_allowed + - sebool_glance_use_fusefs + - sebool_httpd_dontaudit_search_dirs + - sebool_named_tcp_bind_http_port + - auditd_audispd_network_failure_action + - sebool_wine_mmap_zero_ignore + - sebool_cluster_use_execmem + - audit_rules_privileged_commands_usernetctl + - dconf_gnome_disable_user_admin + - service_rlogin_disabled + - sebool_ftpd_use_nfs + - sebool_httpd_use_fusefs + - service_iptables_enabled + - sebool_tor_bind_all_unreserved_ports + - sebool_virt_sandbox_use_all_caps + - sebool_httpd_use_openstack + - sebool_icecast_use_any_tcp_ports + - audit_rules_unsuccessful_file_modification_rename + - sebool_openshift_use_nfs + - sebool_mailman_use_fusefs + - sebool_nfs_export_all_rw + - sebool_httpd_dbus_avahi + - 
mount_option_smb_client_signing + - audit_rules_successful_file_modification_open_o_trunc_write + - sebool_mplayer_execstack + - sebool_virt_sandbox_use_mknod + - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order + - package_pam_pwquality_installed + - sebool_fcron_crond + - sebool_httpd_read_user_content + - sebool_samba_domain_controller + - service_sshd_disabled + - zipl_page_poison_argument + - file_owner_efi_user_cfg + - sebool_cobbler_anon_write + - audit_rules_successful_file_modification_openat_o_trunc_write + - audit_rules_successful_file_modification_removexattr + - sebool_xdm_write_home + - sebool_httpd_mod_auth_pam + - audit_rules_successful_file_modification_fchownat + - service_httpd_disabled + - package_nfs-utils_removed + - sebool_pppd_for_user + - sebool_rsync_export_all_ro + - audit_rules_successful_file_modification_open_o_creat + - install_hids + - sebool_authlogin_radius + - sebool_swift_can_network + - audit_rules_file_deletion_events + - sshd_disable_pubkey_auth + - sebool_tor_can_network_relay + - sebool_virt_use_samba + - sebool_spamassassin_can_network + - package_syslogng_installed + - sebool_selinuxuser_postgresql_connect_enabled + - sebool_virt_sandbox_use_sys_admin + - sebool_irssi_use_full_network + - sebool_sysadm_exec_content + - sebool_polipo_use_cifs + - sebool_samba_load_libgfapi + - package_rpcbind_removed + - sebool_samba_run_unconfined + - sebool_webadm_manage_user_files + - sebool_zoneminder_run_sudo + - sebool_ftpd_anon_write + - sebool_rsync_anon_write + - mount_option_proc_hidepid + - sebool_nfs_export_all_ro + - audit_rules_unsuccessful_file_modification_chown + - sebool_selinuxuser_udp_server + - sebool_cups_execmem + - service_ntpdate_disabled + - sebool_httpd_execmem + - sebool_httpd_sys_script_anon_write + - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write + - sebool_ftpd_use_cifs + - service_atd_disabled + - audit_rules_etc_shadow_open_by_handle_at + - 
sebool_mysql_connect_any
+ - audit_rules_privileged_commands_pt_chown
+ - sebool_httpd_can_sendmail
+ - sebool_prosody_bind_http_port
+ - sebool_httpd_use_sasl
+ - sebool_tftp_home_dir
+ - sebool_gssd_read_tmp
+ - kernel_module_uvcvideo_disabled
+ - sebool_squid_use_tproxy
+ - sebool_httpd_ssi_exec
+ - sebool_use_lpd_server
+ - audit_rules_successful_file_modification_open_by_handle_at_o_creat
+ - sebool_unconfined_login
+ - account_use_centralized_automated_auth
+ - file_groupowner_efi_grub2_cfg
+ - sebool_xdm_bind_vnc_tcp_port
+ - sebool_deny_ptrace
+ - sebool_postgresql_selinux_transmit_client_label
+ - sysctl_net_ipv6_conf_all_disable_ipv6
+ - sebool_smartmon_3ware
+ - dconf_gnome_login_retries
+ - audit_rules_unsuccessful_file_modification_setxattr
+ - sudo_vdsm_nopasswd
+ - sebool_global_ssp
+ - service_smb_disabled
+ - sebool_virt_rw_qemu_ga_data
+ - sebool_selinuxuser_tcp_server
+ - package_inetutils-telnetd_removed
+ - audit_rules_successful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_fchmod
+ - service_ntpd_enabled
+ - file_permissions_httpd_server_conf_files
+ - sebool_httpd_use_gpg
+ - sebool_spamd_enable_home_dirs
+ - package_openldap-servers_removed
+ - avahi_disable_publishing
+ - audit_rules_successful_file_modification_fchmod
+ - sebool_fenced_can_network_connect
+ - sebool_virt_use_nfs
+ - sebool_lsmd_plugin_connect_any
+ - account_passwords_pam_faillock_dir
+ - sebool_authlogin_yubikey
+ - sebool_authlogin_nsswitch_use_ldap
+ - dconf_gnome_disable_geolocation
+ - sebool_httpd_run_preupgrade
+ - sebool_httpd_use_cifs
+ - sebool_telepathy_tcp_connect_generic_network_ports
+ - zipl_slub_debug_argument
+ - sebool_entropyd_use_audio
+ - grub2_kernel_trust_cpu_rng
+ - sebool_httpd_enable_ftp_server
+ - sebool_postgresql_selinux_users_ddl
+ - package_ypbind_removed
+ - xwindows_runlevel_target
+ - package_talk-server_removed
+ - kernel_module_ipv6_option_disabled
+ - sebool_cobbler_use_nfs
+ - sebool_mozilla_plugin_can_network_connect
+ - sebool_ftpd_full_access
+ - sebool_mcelog_foreground
+ - sebool_xguest_exec_content
+ - sebool_daemons_dump_core
+ - audit_rules_successful_file_modification_renameat
+ - service_rngd_enabled
+ - kernel_module_cfg80211_disabled
+ - sebool_git_cgi_use_cifs
+ - sebool_virt_sandbox_use_netlink
+ - enable_dconf_user_profile
+ - service_dhcpd_disabled
+ - kernel_module_jffs2_disabled
+ - sebool_openvpn_run_unconfined
+ - sebool_gluster_anon_write
+ - audit_rules_successful_file_modification_open
+ - sebool_secure_mode_insmod
+ - sebool_nscd_use_shm
+ - sebool_ksmtuned_use_cifs
+ - sebool_nagios_run_pnp4nagios
+ - sebool_selinuxuser_direct_dri_enabled
+ - sebool_haproxy_connect_any
+ - audit_rules_etc_shadow_openat
+ - sebool_pppd_can_insmod
+ - sebool_glance_api_can_network
+ - accounts_passwords_pam_faillock_enforce_local
+ - sebool_mozilla_plugin_use_bluejeans
+ - sebool_mozilla_read_content
+ - sebool_virt_use_usb
+ - sebool_virt_use_execmem
+ - sebool_virt_read_qemu_ga_data
+ - service_vsftpd_disabled
+ - ssh_private_keys_have_passcode
+ - sebool_user_exec_content
+ - sebool_gluster_export_all_ro
+ - sebool_mcelog_server
+ - sebool_mount_anyfile
+ - sebool_sge_use_nfs
+ - sebool_daemons_use_tty
+ - sebool_mcelog_client
+ - sebool_rsync_client
+ - sebool_privoxy_connect_any
+ - postfix_client_configure_relayhost
+ - sebool_httpd_builtin_scripting
+ - etc_system_fips_exists
+ - iptables_sshd_disabled
+ - grub2_ipv6_disable_argument
+ - dconf_gnome_disable_thumbnailers
+ - sebool_varnishd_connect_any
+ - kernel_module_hfsplus_disabled
+ - audit_rules_for_ospp
+ - package_rsh_removed
+ - dconf_gnome_enable_smartcard_auth
+ - service_oddjobd_disabled
+ - service_postfix_enabled
+ - package_openssh-server_removed
+ - sebool_httpd_can_connect_mythtv
+ - audit_rules_successful_file_modification_lchown
+ - sebool_tftp_anon_write
+ - sebool_cobbler_can_network_connect
+ - sebool_samba_export_all_ro
+ - service_cron_enabled
+ - file_permissions_efi_user_cfg
+ - service_rhnsd_disabled
+ - audit_rules_successful_file_modification_unlink
+ - no_all_squash_exports
+ - sebool_use_samba_home_dirs
+ - audit_rules_etc_gshadow_openat
+ - service_ufw_enabled
+ - harden_sshd_macs_openssh_conf_crypto_policy
+ - dir_permissions_binary_dirs
+ - sebool_xend_run_blktap
+ - dconf_gnome_disable_wifi_notification
+ - package_nis_removed
+ - service_xinetd_disabled
+ - audit_rules_etc_passwd_open
+ - dhcp_client_restrict_options
+ - sebool_openvpn_can_network_connect
+ - kernel_module_freevxfs_disabled
+ - account_emergency_expire_date
+ - sebool_unconfined_mozilla_plugin_transition
+ - audit_rules_unsuccessful_file_modification_lremovexattr
+ - file_permissions_var_log_syslog
+ - sebool_git_cgi_enable_homedirs
+ - audit_rules_etc_passwd_open_by_handle_at
+ - audit_rules_privileged_commands_at
+ - sebool_virt_use_fusefs
+ - kernel_module_iwlmvm_disabled
+ - service_ntp_enabled
+ - file_owner_var_log_syslog
+ - service_ip6tables_enabled
+ - sebool_logging_syslogd_run_nagios_plugins
+ - sebool_mozilla_plugin_use_gps
+ - service_slapd_disabled
+ - audit_rules_unsuccessful_file_modification_open_o_trunc_write
+ - sebool_ftpd_connect_all_unreserved
+ - configure_user_data_backups
+ - dir_ownership_binary_dirs
+ - sebool_mcelog_exec_scripts
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sebool_xserver_execmem
+ - sysctl_net_ipv6_conf_default_disable_ipv6
+ - sebool_cron_userdomain_transition
+ - sebool_collectd_tcp_network_connect
+ - sebool_httpd_enable_homedirs
+ - sebool_httpd_unified
+ - audit_rules_privileged_commands_newuidmap
+ - sebool_zabbix_can_network
+ - audit_rules_unsuccessful_file_modification_chmod
+ - sebool_gpg_web_anon_write
+ - fapolicyd_prevent_home_folder_access
+ - no_legacy_plus_entries_etc_passwd
+ - sebool_sanlock_use_nfs
+ - sebool_racoon_read_shadow
+ - audit_rules_successful_file_modification_fsetxattr
+ - audit_rules_successful_file_modification_fremovexattr
+ - package_krb5-server_removed
+ - file_permissions_httpd_server_conf_d_files
+ - audit_rules_successful_file_modification_rename
+ - sebool_guest_exec_content
+ - kernel_module_rds_disabled
+ - sebool_selinuxuser_mysql_connect_enabled
+ - sebool_antivirus_use_jit
+ - sebool_ksmtuned_use_nfs
+ - service_qpidd_disabled
+ - audit_rules_successful_file_modification_setxattr
+ - sebool_polipo_session_bind_all_unreserved_ports
+ - sebool_secure_mode_policyload
+ - sebool_webadm_read_user_files
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
+ - audit_rules_unsuccessful_file_modification_fsetxattr
+ - kernel_module_hfs_disabled
+ - sebool_git_session_users
+ - sebool_exim_manage_user_files
+ - configure_gnutls_tls_crypto_policy
+ - sshd_enable_gssapi_auth
+ - sebool_minidlna_read_generic_user_content
+ - audit_rules_etc_group_openat
+ - sebool_httpd_can_network_connect_cobbler
+ - auditd_data_disk_error_action
+ - audit_rules_unsuccessful_file_modification_fchownat
+ - sebool_openvpn_enable_homedirs
+ - zipl_enable_selinux
+ - audit_rules_unsuccessful_file_modification_open_o_creat
+ - kernel_config_ipv6
+ - audit_rules_successful_file_modification_chown
+ - audit_rules_successful_file_modification_fchmodat
+ - sebool_dhcpc_exec_iptables
+ - file_permissions_efi_grub2_cfg
+ - audit_rules_unsuccessful_file_modification_removexattr
+ - sebool_telepathy_connect_all_ports
+ - sebool_postgresql_can_rsync
+ - audit_rules_unsuccessful_file_modification_openat_o_trunc_write
+ - rpm_verify_permissions
+ - package_telnetd_removed
+ - sebool_httpd_setrlimit
+ - harden_sshd_macs_opensshserver_conf_crypto_policy
+ - service_dovecot_disabled
+ - service_cockpit_disabled
+ - no_legacy_plus_entries_etc_group
+ - mount_option_boot_noauto
+ - sebool_git_cgi_use_nfs
+ - sebool_git_system_use_cifs
+ - sebool_httpd_use_nfs
+ - audit_rules_unsuccessful_file_modification_lchown
+ - dconf_gnome_disable_wifi_create
+ - audit_rules_successful_file_modification_fchown
+ - sebool_git_system_enable_homedirs
+ - sebool_httpd_can_check_spam
+ - sebool_mpd_use_cifs
+ - sebool_xen_use_nfs
+ - sebool_samba_enable_home_dirs
+ - service_named_disabled
+ - service_syslogng_enabled
+ - sebool_sanlock_use_fusefs
+ - account_passwords_pam_faillock_audit
+ - sebool_ssh_keysign
+ - sebool_zebra_write_config
+ - auditd_data_retention_num_logs
+ - sebool_kerberos_enabled
+ - sebool_irc_use_any_tcp_ports
+ - package_xinetd_removed
+ - audit_rules_etc_gshadow_open_by_handle_at
+ - sebool_samba_export_all_rw
+ - audit_rules_successful_file_modification_truncate
+ - dhcp_server_minimize_served_info
+ - file_permissions_httpd_server_modules_files
+ - audit_rules_successful_file_modification_open_by_handle_at
+ - sebool_tmpreaper_use_samba
+ - sebool_xdm_sysadm_login
+ - sebool_samba_create_home_dirs
+ - sebool_login_console_enabled
+ - sebool_secadm_exec_content
+ - audit_rules_successful_file_modification_chmod
+ - sebool_nis_enabled
+ - sebool_cvs_read_shadow
+ - audit_rules_unsuccessful_file_modification_lsetxattr
+ - sebool_xend_run_qemu
+ - sebool_virt_use_comm
+ - installed_OS_is_FIPS_certified
+ - sebool_httpd_can_network_connect
+ - sebool_virt_sandbox_use_audit
+ - sshd_disable_root_password_login
+ - package_telnetd-ssl_removed
+ - sebool_puppetmaster_use_db
+ - audit_rules_successful_file_modification_ftruncate
+ - fapolicy_default_deny
+ - dconf_gnome_disable_power_settings
+ - sebool_mozilla_plugin_bind_unreserved_ports
+ - package_MFEhiplsm_installed
+ - sebool_fenced_can_ssh
+ - sebool_glance_use_execmem
+ - audit_rules_etc_passwd_openat
+ - sebool_rsync_full_access
+ - snmpd_no_rwusers
+ - mount_option_home_usrquota
+ - sebool_logging_syslogd_can_sendmail
+ - sebool_ftpd_use_passive_mode
+ - sebool_cluster_can_network_connect
+ - sebool_cdrecord_read_content
+ - sebool_antivirus_can_scan_system
+ - rsyslog_logging_configured
+ - sebool_httpd_manage_ipa
+ - sebool_samba_share_nfs
+ - sebool_domain_kernel_load_modules
+ - package_389-ds-base_removed
+ - sebool_logging_syslogd_use_tty
+ - audit_rules_etc_group_open
+ - sebool_secure_mode
+ - set_iptables_default_rule_forward
+ - service_rdisc_disabled
+ - zipl_vsyscall_argument
+ - audit_rules_unsuccessful_file_modification_openat_o_creat
+ - sebool_awstats_purge_apache_log_files
+ - sebool_httpd_tmp_exec
+ - package_postfix_installed
+ - sebool_sanlock_use_samba
+ - force_opensc_card_drivers
+ - audit_rules_successful_file_modification_creat
+ - sebool_domain_fd_use
+ - package_avahi-autoipd_removed
+ - sebool_httpd_can_connect_ftp
+ - sebool_httpd_anon_write
+ - sebool_dhcpd_use_ldap
+ - coreos_enable_selinux_kernel_argument
+ - sebool_postgresql_selinux_unconfined_dbadm
+ - kernel_disable_entropy_contribution_for_solid_state_drives
+ - sebool_use_fusefs_home_dirs
+ - audit_rules_successful_file_modification_lremovexattr
+ - sebool_virt_transition_userdomain
+ - package_freeradius_removed
+ - file_owner_efi_grub2_cfg
+ - sebool_httpd_tty_comm
+ - sebool_dbadm_read_user_files
+ - audit_rules_unsuccessful_file_modification_unlink
+ - auditd_audispd_disk_full_action
+ - sebool_exim_read_user_files
+ - ftp_limit_users
+ - sebool_zarafa_setrlimit
+ - kernel_module_mac80211_disabled
+ - sebool_kdumpgui_run_bootloader
+ - rsyslog_accept_remote_messages_tcp
+ - sebool_httpd_verify_dns
+ - accounts_password_pam_enforce_local
+ - usbguard_allow_hub
+ - sebool_polipo_use_nfs
+ - sebool_exim_can_connect_db
+ - sebool_unprivuser_use_svirt
+ - sebool_httpd_run_stickshift
+ - set_ipv6_loopback_traffic
+ - ftp_configure_firewall
+ - sebool_cron_can_relabel
+ - audit_rules_unsuccessful_file_modification_fremovexattr
+ - sebool_httpd_dbus_sssd
+ - sebool_xguest_connect_network
+ - package_geolite2-country_removed
+ - audit_rules_etc_group_open_by_handle_at
+ - sebool_daemons_use_tcp_wrapper
+ - sebool_use_nfs_home_dirs
+ - sshd_set_keepalive_0
+ - sebool_conman_can_network
+ - sebool_logrotate_use_nfs
+ - audit_rules_unsuccessful_file_modification_fchown
+ - sebool_httpd_can_network_connect_db
+ - sebool_gluster_export_all_rw
+ - sebool_named_write_master_zones
+ - sebool_postfix_local_write_mail_spool
+ - sebool_xguest_mount_media
+ - sebool_selinuxuser_rw_noexattrfile
+ - sebool_cron_system_cronjob_use_shares
+ - sebool_virt_use_rawip
+ - sebool_pcp_bind_all_unreserved_ports
+ - audit_rules_etc_gshadow_open
+ - sebool_saslauthd_read_shadow
+ - sebool_mock_enable_homedirs
+ - ntpd_specify_remote_server
+ - selinux_user_login_roles
+ - audit_rules_successful_file_modification_openat_o_creat
+ - kernel_module_iwlwifi_disabled
+ - sebool_zoneminder_anon_write
+ - sshd_enable_x11_forwarding
+ - dconf_gnome_screensaver_user_info
+ - sshd_disable_rhosts_rsa
+ - sebool_neutron_can_network
+ - sebool_ftpd_connect_db
+ - sebool_httpd_mod_auth_ntlm_winbind
+ - sebool_samba_share_fusefs
+ - harden_ssh_client_crypto_policy
+ - sebool_cobbler_use_cifs
+ - sebool_httpd_can_network_relay
+ - package_geolite2-city_removed
+ - set_iptables_default_rule
+ - sebool_piranha_lvs_can_network_connect
+ - usbguard_allow_hid
+ - package_talk_removed
+ - no_legacy_plus_entries_etc_shadow
+ - sebool_git_session_bind_all_unreserved_ports
+ - rsyslog_accept_remote_messages_udp
+ - sebool_boinc_execmem
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - sebool_fips_mode
+ - audit_rules_unsuccessful_file_modification_open_rule_order
+ - audit_rules_unsuccessful_file_modification_fchmodat
+ - sebool_polipo_session_users
+ - sebool_cluster_manage_all_files
+ - configure_firewalld_ports
diff --git a/products/msvsphere9/profiles/session-monitor.profile b/products/msvsphere9/profiles/session-monitor.profile
new file mode 100644
index 00000000..fdd4bf2f
--- /dev/null
+++ b/products/msvsphere9/profiles/session-monitor.profile
@@ -0,0 +1,12 @@
+documentation_complete: true
+
+title: 'Session-monitor profile for MSVSphere 9'
+
+description: |-
+ This profile contains the rule needed to monitor
+ user sessions and lock the screen when
+ the status changes
+
+selections:
+ - package_session-monitor_installed
+ - service_session-monitor_enabled
diff --git a/products/msvsphere9/profiles/stig.profile b/products/msvsphere9/profiles/stig.profile
new file mode 100644
index 00000000..252a98c5
--- /dev/null
+++ b/products/msvsphere9/profiles/stig.profile
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+metadata:
+ version: V1R3
+ SMEs:
+ - mab879
+ - ggbecker
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DISA STIG for Red Hat Enterprise Linux 9'
+
+description: |-
+ This profile contains configuration checks that align to the
+ DISA STIG for Red Hat Enterprise Linux 9 V1R3.
+
+ In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
+
+ - Red Hat Enterprise Linux Server
+ - Red Hat Enterprise Linux Workstation and Desktop
+ - Red Hat Enterprise Linux for HPC
+ - Red Hat Storage
+ - Red Hat Containers with a Red Hat Enterprise Linux 9 image
+
+selections:
+ - stig_rhel9:all
+ # Following rules once had a prodtype incompatible with the rhel9 product
+ - '!audit_rules_immutable_login_uids'
diff --git a/products/msvsphere9/profiles/stig_gui.profile b/products/msvsphere9/profiles/stig_gui.profile
new file mode 100644
index 00000000..9d63ff7e
--- /dev/null
+++ b/products/msvsphere9/profiles/stig_gui.profile
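Review bot: The description of the new `session-monitor.profile` says it "contains the rule needed", but the `selections` block lists two rules (`package_session-monitor_installed` and `service_session-monitor_enabled`), and "the status changes" does not say whose status. Suggest rewording the three description lines to `This profile contains the rules needed to monitor user sessions and lock the screen when the session status changes.`, wrapped as the current block is. The reworded text should also end with a period, as the other descriptions in this patch do.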
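Review bot: The `title` and `description` of the new msvsphere9 `stig.profile` still name Red Hat Enterprise Linux 9 (`title: 'DISA STIG for Red Hat Enterprise Linux 9'` and the list of Red Hat technologies below it), so the guide and datastream generated for MSVSphere 9 would carry a RHEL title; the same copied text appears in the `stig_gui.profile` hunk that follows. If the intent is that MSVSphere 9 is assessed against the RHEL 9 STIG controls pulled in by `stig_rhel9:all`, the description should state that in the product's own words rather than repeat DISA's statement about Red Hat technologies, which does not mention MSVSphere. The comment `# Following rules once had a prodtype incompatible with the rhel9 product` likewise refers to the rhel9 product; if the exclusion of `audit_rules_immutable_login_uids` is still wanted for msvsphere9, the comment should say why it applies here.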
@@ -0,0 +1,49 @@
+documentation_complete: true
+
+metadata:
+ version: V1R3
+ SMEs:
+ - mab879
+ - ggbecker
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DISA STIG with GUI for Red Hat Enterprise Linux 9'
+
+description: |-
+ This profile contains configuration checks that align to the
+ DISA STIG for Red Hat Enterprise Linux 9 V1R3.
+
+
+ In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
+
+ - Red Hat Enterprise Linux Server
+ - Red Hat Enterprise Linux Workstation and Desktop
+ - Red Hat Enterprise Linux for HPC
+ - Red Hat Storage
+ - Red Hat Containers with a Red Hat Enterprise Linux 9 image
+
+ Warning: The installation and use of a Graphical User Interface (GUI)
+ increases your attack vector and decreases your overall security posture. If
+ your Information Systems Security Officer (ISSO) lacks a documented operational
+ requirement for a graphical user interface, please consider using the
+ standard DISA STIG for Red Hat Enterprise Linux 9 profile.
+
+extends: stig
+
+selections:
+ # RHEL-09-215070
+ - '!xwindows_remove_packages'
+
+ # RHEL-09-211030
+ - '!xwindows_runlevel_target'
+
+ # RHEL-09-215025
+ - '!package_nfs-utils_removed'
+
+ # RHEL-09-213105
+ # Limiting user namespaces cause issues with user apps, such as Firefox and Cheese
+ # https://issues.redhat.com/browse/RHEL-10416
+ - '!sysctl_user_max_user_namespaces'
diff --git a/products/msvsphere9/transforms/constants.xslt b/products/msvsphere9/transforms/constants.xslt
new file mode 100644
index 00000000..98fd9760
--- /dev/null
+++ b/products/msvsphere9/transforms/constants.xslt
@@ -0,0 +1,18 @@
+ + + +MSVSphere 9 +MSVSphere9 +MSVSPHERE_STIG +msvsphere9 + + + + + + +empty + + 
diff --git a/products/msvsphere9/transforms/table-style.xslt b/products/msvsphere9/transforms/table-style.xslt
new file mode 100644
index 00000000..8b6caeab
--- /dev/null
+++ b/products/msvsphere9/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
new file mode 100644
index 00000000..4789419b
--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
diff --git a/products/msvsphere9/transforms/xccdf2table-cce.xslt b/products/msvsphere9/transforms/xccdf2table-cce.xslt
new file mode 100644
index 00000000..f156a669
--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt b/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
new file mode 100644
index 00000000..30419e92
--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/shared/checks/oval/installed_OS_is_msvsphere9.xml b/shared/checks/oval/installed_OS_is_msvsphere9.xml
new file mode 100644
index 00000000..7db019aa
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_msvsphere9.xml
@@ -0,0 +1,34 @@
+
+
+
+ MSVSphere 9
+
+ multi_platform_all
+
+
+ The operating system installed on the system is MSVSphere 9
+
+
+
+
+
+
+
+
+
+
+
+
+
+ /etc/msvsphere
+
+
+
+
+
+
+ /etc/msvsphere
+ ^9.[0-9]+$
+ 1
+
+
+
diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
index e5cf1ffb..56df0967 100644
--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
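Review bot: The version pattern `^9.[0-9]+$` in the new `installed_OS_is_msvsphere9.xml` leaves the dot unescaped, so it matches any single character between the `9` and the minor number rather than only a literal `9.<minor>`; since this check decides whether the whole msvsphere9 content applies to a host, it should be `^9\.[0-9]+$`. The XML element names are stripped in this rendering, so that the pattern belongs to the textfilecontent54 object reading `/etc/msvsphere` is inferred from its position next to that path and the instance value `1`. The second `/etc/msvsphere` line is presumably the object's filepath; if a filename/path split is used instead, that is not visible here.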
@@ -7,6 +7,7 @@
 multi_platform_anolis
 multi_platform_debian
 multi_platform_example
+ multi_platform_msvsphere
 multi_platform_fedora
 multi_platform_openembedded
 multi_platform_openeuler
diff --git a/shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml b/shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml
new file mode 120000
index 00000000..6f97d155
--- /dev/null
+++ b/shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml
@@ -0,0 +1 @@
+disa-stig-rhel9-v1r1-xccdf-scap.xml
\ No newline at end of file
diff --git a/shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml b/shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml
new file mode 120000
index 00000000..bf80a773
--- /dev/null
+++ b/shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml
@@ -0,0 +1 @@
+disa-stig-rhel9-v1r3-xccdf-manual.xml
\ No newline at end of file
diff --git a/ssg/constants.py b/ssg/constants.py
index c0285809..5bc2ea24 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -45,6 +45,7 @@ product_directories = [
 'chromium', 'debian10', 'debian11', 'debian12', 'example',
+ 'msvsphere9',
 'eks', 'fedora', 'firefox',
@@ -205,6 +206,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
 "Debian 11": "debian11",
 "Debian 12": "debian12",
 "Example": "example",
+ "MSVSphere 9": "msvsphere9",
 "Amazon Elastic Kubernetes Service": "eks",
 "Fedora": "fedora",
 "Firefox": "firefox",
@@ -278,7 +280,7 @@ REFERENCES = dict(
 )
-MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+MULTI_PLATFORM_LIST = ["rhel", "fedora", "msvsphere", "rhv", "debian", "ubuntu",
 "openeuler", "opensuse", "sle", "ol", "ocp", "rhcos", "example", "eks", "alinux", "uos", "anolis", "openembedded"]
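Review bot: `multi_platform_msvsphere` is inserted between `multi_platform_example` and `multi_platform_fedora`, which breaks the otherwise alphabetical order of the platform list visible in this hunk of `sysctl_kernel_ipv6_disable.xml`; moving it after `multi_platform_fedora` keeps the list sorted. Whether the entries outside the hunk are sorted cannot be seen here.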
@@ -290,6 +292,7 @@ MULTI_PLATFORM_MAPPING = {
 "multi_platform_example": ["example"],
 "multi_platform_eks": ["eks"],
 "multi_platform_fedora": ["fedora"],
+ "multi_platform_msvsphere": ["msvsphere9"],
 "multi_platform_openeuler": ["openeuler2203"],
 "multi_platform_opensuse": ["opensuse"],
 "multi_platform_ol": ["ol7", "ol8", "ol9"],
@@ -455,6 +458,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
 'anolis': 'Anolis OS',
 'chromium': 'Google Chromium Browser',
 'fedora': 'Fedora',
+ 'msvsphere': 'MSVSphere',
 'firefox': 'Mozilla Firefox',
 'macos': 'Apple macOS',
 'rhel': 'Red Hat Enterprise Linux',
diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
index 1c1560a8..83bc5bd1 100644
--- a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_msvsphere,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
index 10ecee50..89067390 100644
--- a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_msvsphere,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 # reboot = true
 # strategy = restrict
 # complexity = low
diff --git a/tests/unit/ssg_test_suite/data/correct.pass.sh b/tests/unit/ssg_test_suite/data/correct.pass.sh
index 8e5e284e..46e50b1a 100644
--- a/tests/unit/ssg_test_suite/data/correct.pass.sh
+++ b/tests/unit/ssg_test_suite/data/correct.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = sudo,authselect
-# platform = multi_platform_rhel,Fedora
+# platform = multi_platform_rhel,multi_platform_msvsphere,Fedora
 # profiles = xccdf_org.ssgproject.content_profile_cis
 # remediation = none
 # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
-- 2.43.5