
From b23be587f5dff05eb8d9eb5c48fb661de9922fd0 Mon Sep 17 00:00:00 2001
From: Sergey Cherevko <s.cherevko@msvsphere-os.ru>
Date: Thu, 26 Sep 2024 19:36:57 +0300
Subject: [PATCH] Add session-monitor rule
---
CMakeLists.txt | 5 +
build_product | 1 +
components/session-monitor.yml | 6 +
.../rule.yml | 27 +
.../service_session-monitor_enabled/rule.yml | 27 +
products/msvsphere9/CMakeLists.txt | 26 +
.../ssg-msvsphere9-session-monitor-ks.cfg | 124 ++++
.../kickstart/ssg-msvsphere9-stig_gui-ks.cfg | 144 +++++
products/msvsphere9/overlays/srg_support.xml | 173 ++++++
products/msvsphere9/product.yml | 26 +
products/msvsphere9/profiles/default.profile | 555 ++++++++++++++++++
.../profiles/session-monitor.profile | 12 +
products/msvsphere9/profiles/stig.profile | 30 +
products/msvsphere9/profiles/stig_gui.profile | 49 ++
products/msvsphere9/transforms/constants.xslt | 18 +
.../msvsphere9/transforms/table-style.xslt | 5 +
.../transforms/xccdf-apply-overlay-stig.xslt | 8 +
.../transforms/xccdf2table-cce.xslt | 9 +
.../xccdf2table-profileccirefs.xslt | 9 +
.../oval/installed_OS_is_msvsphere9.xml | 34 ++
.../oval/sysctl_kernel_ipv6_disable.xml | 1 +
.../disa-stig-msvsphere9-v1r1-xccdf-scap.xml | 1 +
...disa-stig-msvsphere9-v1r3-xccdf-manual.xml | 1 +
ssg/constants.py | 6 +-
.../guide/selinux_state/ansible/shared.yml | 2 +-
.../guide/selinux_state/bash/shared.sh | 2 +-
.../unit/ssg_test_suite/data/correct.pass.sh | 2 +-
27 files changed, 1299 insertions(+), 4 deletions(-)
create mode 100644 components/session-monitor.yml
create mode 100644 linux_os/guide/system/software/system-tools/package_session-monitor_installed/rule.yml
create mode 100644 linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml
create mode 100644 products/msvsphere9/CMakeLists.txt
create mode 100644 products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
create mode 100644 products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg
create mode 100644 products/msvsphere9/overlays/srg_support.xml
create mode 100644 products/msvsphere9/product.yml
create mode 100644 products/msvsphere9/profiles/default.profile
create mode 100644 products/msvsphere9/profiles/session-monitor.profile
create mode 100644 products/msvsphere9/profiles/stig.profile
create mode 100644 products/msvsphere9/profiles/stig_gui.profile
create mode 100644 products/msvsphere9/transforms/constants.xslt
create mode 100644 products/msvsphere9/transforms/table-style.xslt
create mode 100644 products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
create mode 100644 products/msvsphere9/transforms/xccdf2table-cce.xslt
create mode 100644 products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
create mode 100644 shared/checks/oval/installed_OS_is_msvsphere9.xml
create mode 120000 shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml
create mode 120000 shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5d4bc725..3197125e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -88,6 +88,7 @@ option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be buil
option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_EKS "If enabled, the EKS SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
+option(SSG_PRODUCT_MSVSPHERE9 "If enabled, the MSVSphere SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_MACOS1015 "If enabled, the Apple macOS 10.15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
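Review bot: The new `SSG_PRODUCT_MSVSPHERE9` option is inserted between `SSG_PRODUCT_EXAMPLE` and `SSG_PRODUCT_FEDORA`, which breaks the alphabetical order the surrounding options follow; as far as the visible context shows it belongs with the M entries, after `SSG_PRODUCT_MACOS1015`. The same placement next to the Example entry recurs in the `message(STATUS ...)` hunk and the `add_subdirectory` hunk below. The help text also says "the MSVSphere SCAP content" while the status line labels the product "MSVSphere 9"; `option(SSG_PRODUCT_MSVSPHERE9 "If enabled, the MSVSphere 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})` would match the other versioned products.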
@@ -317,6 +318,7 @@ message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}")
message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}")
message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
+message(STATUS "MSVSphere 9: ${SSG_PRODUCT_MSVSPHERE9}")
message(STATUS "EKS: ${SSG_PRODUCT_EKS}")
message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}")
@@ -402,6 +404,9 @@ endif()
if(SSG_PRODUCT_EXAMPLE)
add_subdirectory("products/example" "example")
endif()
+if(SSG_PRODUCT_MSVSPHERE9)
+ add_subdirectory("products/msvsphere9" "msvsphere9")
+endif()
if(SSG_PRODUCT_EKS)
add_subdirectory("products/eks" "eks")
endif()
diff --git a/build_product b/build_product
index e6fb8699..14f9c29e 100755
--- a/build_product
+++ b/build_product
@@ -354,6 +354,7 @@ all_cmake_products=(
DEBIAN11
DEBIAN12
EXAMPLE
+ MSVSPHERE9
EKS
FEDORA
FIREFOX
diff --git a/components/session-monitor.yml b/components/session-monitor.yml
new file mode 100644
index 00000000..af38d9b3
--- /dev/null
+++ b/components/session-monitor.yml
@@ -0,0 +1,6 @@
+name: session-monitor
+packages:
+- session-monitor
+rules:
+- package_session-monitor_installed
+- service_session-monitor_enabled
diff --git a/linux_os/guide/system/software/system-tools/package_session-monitor_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_session-monitor_installed/rule.yml
new file mode 100644
index 00000000..c2b5f232
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/package_session-monitor_installed/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+
+title: 'Install the session-monitor package'
+
+description: |-
+ Monitor user sessions and lock screen on state change.
+ Useful if screen was changed.
+ {{{ describe_package_install(package="session-monitor") }}}
+
+rationale: |-
+ Monitor user sessions and lock screen on state change
+
+severity: high
+
+identifiers:
+ cce@rhel7: CCE-82403-7
+ cce@rhel8: CCE-82404-5
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="session-monitor") }}}'
+
+template:
+ name: package_installed
+ vars:
+ pkgname: session-monitor
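Review bot: The `identifiers:` block gives `cce@rhel7` and `cce@rhel8` values to a brand-new rule whose only visible consumer in this patch is the msvsphere9 product. CCE identifiers are allocated per rule and platform, so these look carried over from the rule this file was copied from and should be dropped until identifiers are actually assigned. `severity: high` also disagrees with `severity: low` on the companion `service_session-monitor_enabled` rule, and the rationale only repeats the description, so neither value is justified. A rationale that states which risk the session lock addresses would let a reader judge the severity.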
diff --git a/linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml b/linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml
new file mode 100644
index 00000000..9374fcc3
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/service_session-monitor_enabled/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+
+title: 'Enable Process Accounting (session-monitor)'
+
+description: |-
+ Monitor user sessions and lock screen on state change.
+ Useful if screen was changed.
+ {{{ describe_package_install(package="session-monitor") }}}
+
+rationale: |-
+ Monitor user sessions and lock screen on state change
+
+severity: low
+
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="session-monitor") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="session-monitor") }}}
+
+platform: machine
+
+template:
+ name: service_enabled
+ vars:
+ servicename: session-monitor
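Review bot: The manual-check text is inverted for a rule built on the `service_enabled` template: `ocil_clause` and `ocil` call the `*_service_disabled` macros, so the generated procedure tells an assessor how to confirm the service is disabled. They should read `{{{ ocil_clause_service_enabled(service="session-monitor") }}}` and `{{{ ocil_service_enabled(service="session-monitor") }}}`. The title 'Enable Process Accounting (session-monitor)' and the `describe_package_install` call in the description also appear to be left over from another rule. A title such as 'Enable the session-monitor Service' and `{{{ describe_service_enable(service="session-monitor") }}}` would match what the template does.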
diff --git a/products/msvsphere9/CMakeLists.txt b/products/msvsphere9/CMakeLists.txt
new file mode 100644
index 00000000..ca7ee52f
--- /dev/null
+++ b/products/msvsphere9/CMakeLists.txt
@@ -0,0 +1,26 @@
+# Sometimes our users will try to do: "cd msvsphere9; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "msvsphere9")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_cce_table(${PRODUCT})
+
+ssg_build_html_srgmap_tables(${PRODUCT})
+
+if(SSG_SRG_XLSX_EXPORT)
+ ssg_build_xlsx_srg_export(${PRODUCT} "srg_gpos")
+endif()
+
+ssg_build_html_stig_tables(${PRODUCT})
+ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")
+ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig_gui")
+
+#ssg_build_html_stig_tables(${PRODUCT} "ospp")
+
+if(SSG_CENTOS_DERIVATIVES_ENABLED)
+ ssg_build_derivative_product(${PRODUCT} "centos" "cs9")
+endif()
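Review bot: The `SSG_CENTOS_DERIVATIVES_ENABLED` block requests a `"centos" "cs9"` derivative of msvsphere9, which looks copied from another product's CMakeLists.txt. If another enabled product already generates the cs9 derivative, the two would presumably compete for the same output names, and a CentOS Stream derivative of MSVSphere content is unlikely to be intended. Dropping the block, or justifying it in a comment, avoids shipping content whose platform applicability nobody has checked. The commented-out `#ssg_build_html_stig_tables(${PRODUCT} "ospp")` line should be deleted rather than committed, since the diffstat shows no ospp profile for this product.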
diff --git a/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
new file mode 100644
index 00000000..447b36a5
--- /dev/null
+++ b/products/msvsphere9/kickstart/ssg-msvsphere9-session-monitor-ks.cfg
@@ -0,0 +1,124 @@
+# SCAP Security Guide ANSSI BP-028 (minimal) profile kickstart for Red Hat Enterprise Linux 8
+# Version: 0.0.1
+# Date: 2021-01-28
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+# For more information see the following documentation:
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang ru_RU.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard --vckeymap us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+##network --onboot yes --bootproto dhcp
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set the system time zone (required)
+timezone --utc Europe/Moscow
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g.
+# grub2-mkpasswd-pbkdf2
+# to see how to create encrypted password form for different plaintext password
+bootloader
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+##%addon org_fedora_oscap
+%addon com_redha_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_session-monitor
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require 'Server with GUI' package environment to be installed
+@^Server with GUI
+
+%end
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
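Review bot: `%addon com_redha_oscap` is misspelled (the stig_gui kickstart in this patch uses `com_redhat_oscap`), so the section will not be matched to the OpenSCAP installer add-on and the `session-monitor` profile is presumably never applied during installation; it should be `%addon com_redhat_oscap`. The file also commits root and wheel-group `admin` password hashes with their plaintexts in the comments while `firewall --enabled --ssh` leaves sshd reachable, and the stig_gui kickstart repeats them together with a published GRUB password. A header line such as `# Example credentials only: replace every rootpw/user/bootloader hash before installing` would keep them from reaching real systems unchanged. The banner still describes an "ANSSI BP-028 (minimal) profile kickstart for Red Hat Enterprise Linux 8", and the bootloader comment mentions a password that the bare `bootloader` line does not set.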
diff --git a/products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg b/products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg
new file mode 100644
index 00000000..89744815
--- /dev/null
+++ b/products/msvsphere9/kickstart/ssg-msvsphere9-stig_gui-ks.cfg
@@ -0,0 +1,144 @@
+# SCAP Security Guide STIG with GUI profile kickstart for AlmaLinux 9
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+# For more information see the following documentation:
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang ru_RU.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard --vckeymap us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc Europe/Moscow
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g.
+# grub2-mkpasswd-pbkdf2
+# to see how to create encrypted password form for different plaintext password
+bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec"
+logvol swap --name=swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_stig_gui
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+@Server with GUI
+
+%end
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
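Review bot: `@Server with GUI` in `%packages` lacks the `^` that marks an environment, whereas the session-monitor kickstart in this patch writes `@^Server with GUI`. Without the caret the name is looked up as a package group, so the selection may fail or install a different set than intended; use `@^Server with GUI` here as well. The first comment line still calls this a kickstart "for AlmaLinux 9" and should name MSVSphere 9.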
diff --git a/products/msvsphere9/overlays/srg_support.xml b/products/msvsphere9/overlays/srg_support.xml
new file mode 100644
index 00000000..e5334dee
--- /dev/null
+++ b/products/msvsphere9/overlays/srg_support.xml
@@ -0,0 +1,173 @@
+<Group id="srg_support" hidden="true">
+<title>Documentation to Support DISA OS SRG Mapping</title>
+<description>These groups exist to document how the MSVSphere
+product meets (or does not meet) requirements listed in the DISA OS SRG, for
+those cases where Groups or Rules elsewhere in scap-security-guide do
+not clearly relate.
+</description>
+
+
+<!-- The CCI/SRG items referenced here are:
+ - satisfied (through design and implementation)
+ - selected in DoD baseline (per CNSS 1253) -->
+<Rule id="met_inherently_generic">
+<title>Product Meets this Requirement</title>
+<rationale>
+MSVSphere meets this requirement through design and implementation.
+</rationale>
+<ocil>MSVSphere 9 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
+<ref disa="15,42,56,206,1084,66,85,86,185,223,171,172,1694,770,804,162,163,164,345,346,1096,1111,1291,386,156,186,1083,1082,1090,804,1127,1128,1129,1248,1265,1314,1362,1368,1310,1311,1328,1399,1400,1404,1405,1427,1499,1632,1693,1665,1674" />
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here relate to auditing, and are:
+ - satisfied (through design and implementation)
+ - selected in DoD baseline (per CNSS 1253) -->
+<Rule id="met_inherently_auditing">
+<title>Product Meets this Requirement</title>
+<rationale>
+The MSVSphere audit system meets this requirement through design and implementation.
+</rationale>
+<ocil>The MSVSphere 9 auditing system supports this requirement and cannot be configured to be out of
+compliance. Every audit record in MSVSphere includes a timestamp, the operation attempted,
+success or failure of the operation, the subject involved (executable/process),
+the object involved (file/path), and security labels for the subject and object.
+It also includes the ability to label events with custom key labels. The auditing system
+centralizes the recording of audit events for the entire system and includes
+reduction (<tt>ausearch</tt>), reporting (<tt>aureport</tt>), and real-time
+response (<tt>audispd</tt>) facilities.
+This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
+<ref disa="130,157,131,132,133,134,135,159,174" />
+</Rule>
+
+
+<!-- The CCI/SRG item referenced here are:
+ - satisfied (through design and implementation)
+ - not selected in a DoD baseline -->
+<Rule id="met_inherently_nonselected">
+<title>Product Meets this Requirement</title>
+<rationale>
+MSVSphere meets this requirement through design and implementation.
+</rationale>
+<ocil>MSVSphere 9 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
+<ref disa="34,35,99,154,226,802,872,1086,1087,1089,1091,1424,1426,1428,1209,1214,1237,1269,1338,1425,1670" />
+</Rule>
+
+
+<!-- The CCI/SRG item listed here are:
+ - satisfied (by Rules in the guidance, which include the reference)
+ - not selected in DoD baseline -->
+<!-- disa="26,32,771,772,831,884,888,1095,1115,1117,1250,1348,1353,1464,1496" -->
+
+
+<!-- The CCI/SRG item referenced here are:
+ - not satisfied
+ - not selected in a DoD baseline
+ - considered out of scope -->
+<Rule id="unmet_nonfinding_nonselected_scope">
+<title>Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title>
+<rationale>
+The guidance does not meet this requirement.
+The requirement is impractical or out of scope.
+</rationale>
+<ocil>
+MSVSphere 9 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+</ocil>
+<description>
+This requirement is NA. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
+<ref disa="21,25,28,29,30,165,221,354,553,779,780,781,1009,1094,1123,1124,1125,1132,1135,1140,1141,1142,1143,1145,1147,1148,1166,1339,1340,1341,1350,1356,1373,1374,1383,1391,1392,1395,1662" />
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here are:
+ - not satisfied
+ - not selected in a DoD baseline
+ - considered permanent findings -->
+<Rule id="unmet_finding_nonselected">
+<title>Implementation of the Requirement is Not Supported</title>
+<rationale>
+MSVSphere 9 does not support this requirement.
+</rationale>
+<ocil>
+This is a permanent finding.
+</ocil>
+<description>
+This requirement is a permanent finding and cannot be fixed. An appropriate
+mitigation for the system must be implemented but this finding cannot be
+considered fixed.
+</description>
+<ref disa="20,31,52,144,1158,1294,1295,1500" />
+<!-- Note: CCI 52 supported for text login, but not graphical -->
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here are:
+ - not satisfied
+ - selected in a DoD baseline
+ - considered NA -->
+<Rule id="unmet_nonfinding_scope">
+<title>Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title>
+<rationale>
+The guidance does not meet this requirement.
+The requirement is impractical or out of scope.
+</rationale>
+<ocil>
+MSVSphere 9 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+</ocil>
+<description>
+This requirement is NA. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
+<ref disa="27,218,219,371,372,535,537,539,1682,370,37,24,1112,1126,1143,1149,1157,1159,1210,1211,1274,1372,1376,1377,1352,1401,1555,1556,1150" />
+</Rule>
+
+<Rule id="update_process">
+<title>A process for prompt installation of OS updates must exist.</title>
+<rationale>
+This is a manual inquiry about update procedure.
+</rationale>
+<ocil>
+Ask an administrator if a process exists to promptly and automatically apply OS
+software updates. If such a process does not exist, this is a finding.
+<br /><br />
+If the OS update process limits automatic updates of software packages, where
+such updates would impede normal system operation, to scheduled maintenance
+windows, but still within IAVM-dictated timeframes, this is not a finding.
+</ocil>
+<description>
+Procedures to promptly apply software updates must be established and
+executed. The MSVSphere operating system provides support for automating such a
+process, by running the yum program through a cron job or by managing the
+system and its packages through the Foreman.
+</description>
+<ref disa="1232" />
+<!-- Note: This is a process, as such, will not receive a CCE -->
+</Rule>
+
+</Group>
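Review bot: CCI 1143 is listed in the `<ref disa=...>` of both `unmet_nonfinding_nonselected_scope` (commented as not selected in a DoD baseline) and `unmet_nonfinding_scope` (commented as selected), so the overlay classifies the same item two contradictory ways; it should stay in only one list. CCI 804 is also repeated inside the `met_inherently_generic` list. Beyond the lists, every "cannot be configured to be out of compliance" statement now names MSVSphere 9, which reads as a product-name substitution in text written for another distribution. Those claims feed the SRG mapping tables and should be confirmed for this product or marked as unverified, e.g. `<!-- TODO: confirm each met_inherently_* CCI against MSVSphere 9 -->`.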
diff --git a/products/msvsphere9/product.yml b/products/msvsphere9/product.yml
new file mode 100644
index 00000000..f2b7f0f0
--- /dev/null
+++ b/products/msvsphere9/product.yml
@@ -0,0 +1,26 @@
+product: msvsphere9
+full_name: MSVSphere 9
+type: platform
+
+families:
+ - rhel
+ - rhel-like
+
+major_version_ordinal: 9
+
+benchmark_id: MSVSPHERE-9
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - msvsphere9:
+ name: "cpe:/o:ncsd:msvsphere:9"
+ title: "MSVSphere 9"
+ check_id: installed_OS_is_msvsphere9
diff --git a/products/msvsphere9/profiles/default.profile b/products/msvsphere9/profiles/default.profile
new file mode 100644
index 00000000..567393e8
--- /dev/null
+++ b/products/msvsphere9/profiles/default.profile
@@ -0,0 +1,555 @@
+documentation_complete: true
+
+hidden: true
+
+title: Default Profile for MSVSphere 9
+
+description: |-
+ This profile contains all the rules that once belonged to the
+ rhel9 product via 'prodtype'. This profile won't
+ be rendered into an XCCDF Profile entity, nor it will select any
+ of these rules by default. The only purpose of this profile
+ is to keep a rule in the product's XCCDF Benchmark.
+
+selections:
+ - sebool_nfsd_anon_write
+ - sebool_squid_connect_any
+ - sebool_polipo_connect_all_unreserved
+ - audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write
+ - auditd_data_disk_full_action
+ - mount_option_var_tmp_bind
+ - sebool_selinuxuser_use_ssh_chroot
+ - sebool_condor_tcp_network_connect
+ - sebool_xserver_object_manager
+ - mount_option_home_grpquota
+ - sebool_mpd_enable_homedirs
+ - sebool_logadm_exec_content
+ - auditd_audispd_encrypt_sent_records
+ - audit_rules_unsuccessful_file_modification_openat_rule_order
+ - sebool_logwatch_can_network_connect_mail
+ - sebool_mpd_use_nfs
+ - sebool_virt_use_sanlock
+ - kernel_module_vfat_disabled
+ - sebool_xguest_use_bluetooth
+ - sebool_puppetagent_manage_all_files
+ - sshd_use_strong_rng
+ - grub2_uefi_admin_username
+ - sebool_staff_use_svirt
+ - audit_rules_successful_file_modification_lsetxattr
+ - sebool_daemons_enable_cluster_mode
+ - package_krb5-workstation_removed
+ - package_samba-common_installed
+ - sebool_httpd_enable_cgi
+ - accounts_passwords_pam_faillock_silent
+ - xwindows_remove_packages
+ - sebool_httpd_can_network_memcache
+ - sebool_git_system_use_nfs
+ - sudoers_no_root_target
+ - sebool_httpd_can_connect_zabbix
+ - sebool_samba_portmapper
+ - audit_rules_etc_shadow_open
+ - sebool_httpd_graceful_shutdown
+ - sebool_ftpd_use_fusefs
+ - service_cups_disabled
+ - sebool_selinuxuser_ping
+ - sebool_unconfined_chrome_sandbox_transition
+ - dconf_gnome_screensaver_lock_locked
+ - package_ntpdate_removed
+ - package_avahi_removed
+ - file_groupowner_efi_user_cfg
+ - set_loopback_traffic
+ - ntpd_specify_multiple_servers
+ - sebool_gitosis_can_sendmail
+ - audit_rules_unsuccessful_file_modification_renameat
+ - sebool_pcp_read_generic_logs
+ - sebool_httpd_run_ipa
+ - sebool_selinuxuser_share_music
+ - file_groupowner_var_log_syslog
+ - service_netfs_disabled
+ - sebool_dbadm_manage_user_files
+ - sebool_smbd_anon_write
+ - auditd_audispd_configure_remote_server
+ - service_ypserv_disabled
+ - sebool_nagios_run_sudo
+ - sebool_dbadm_exec_content
+ - package_ntp_installed
+ - package_cron_installed
+ - dconf_gnome_screensaver_idle_activation_locked
+ - audit_rules_successful_file_modification_unlinkat
+ - package_audit-audispd-plugins_installed
+ - sebool_xserver_clients_write_xshm
+ - sebool_xdm_exec_bootloader
+ - sebool_httpd_serve_cobbler_files
+ - sebool_use_ecryptfs_home_dirs
+ - sebool_container_connect_any
+ - sebool_sge_domain_can_network_connect
+ - sebool_staff_exec_content
+ - file_permissions_home_dirs
+ - audit_rules_privileged_commands_newgidmap
+ - sebool_ssh_chroot_rw_homedirs
+ - sebool_virt_use_xserver
+ - sebool_mozilla_plugin_use_spice
+ - sebool_tmpreaper_use_nfs
+ - sebool_httpd_can_connect_ldap
+ - sudoers_default_includedir
+ - sebool_mmap_low_allowed
+ - sebool_glance_use_fusefs
+ - sebool_httpd_dontaudit_search_dirs
+ - sebool_named_tcp_bind_http_port
+ - auditd_audispd_network_failure_action
+ - sebool_wine_mmap_zero_ignore
+ - sebool_cluster_use_execmem
+ - audit_rules_privileged_commands_usernetctl
+ - dconf_gnome_disable_user_admin
+ - service_rlogin_disabled
+ - sebool_ftpd_use_nfs
+ - sebool_httpd_use_fusefs
+ - service_iptables_enabled
+ - sebool_tor_bind_all_unreserved_ports
+ - sebool_virt_sandbox_use_all_caps
+ - sebool_httpd_use_openstack
+ - sebool_icecast_use_any_tcp_ports
+ - audit_rules_unsuccessful_file_modification_rename
+ - sebool_openshift_use_nfs
+ - sebool_mailman_use_fusefs
+ - sebool_nfs_export_all_rw
+ - sebool_httpd_dbus_avahi
+ - mount_option_smb_client_signing
+ - audit_rules_successful_file_modification_open_o_trunc_write
+ - sebool_mplayer_execstack
+ - sebool_virt_sandbox_use_mknod
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order
+ - package_pam_pwquality_installed
+ - sebool_fcron_crond
+ - sebool_httpd_read_user_content
+ - sebool_samba_domain_controller
+ - service_sshd_disabled
+ - zipl_page_poison_argument
+ - file_owner_efi_user_cfg
+ - sebool_cobbler_anon_write
+ - audit_rules_successful_file_modification_openat_o_trunc_write
+ - audit_rules_successful_file_modification_removexattr
+ - sebool_xdm_write_home
+ - sebool_httpd_mod_auth_pam
+ - audit_rules_successful_file_modification_fchownat
+ - service_httpd_disabled
+ - package_nfs-utils_removed
+ - sebool_pppd_for_user
+ - sebool_rsync_export_all_ro
+ - audit_rules_successful_file_modification_open_o_creat
+ - install_hids
+ - sebool_authlogin_radius
+ - sebool_swift_can_network
+ - audit_rules_file_deletion_events
+ - sshd_disable_pubkey_auth
+ - sebool_tor_can_network_relay
+ - sebool_virt_use_samba
+ - sebool_spamassassin_can_network
+ - package_syslogng_installed
+ - sebool_selinuxuser_postgresql_connect_enabled
+ - sebool_virt_sandbox_use_sys_admin
+ - sebool_irssi_use_full_network
+ - sebool_sysadm_exec_content
+ - sebool_polipo_use_cifs
+ - sebool_samba_load_libgfapi
+ - package_rpcbind_removed
+ - sebool_samba_run_unconfined
+ - sebool_webadm_manage_user_files
+ - sebool_zoneminder_run_sudo
+ - sebool_ftpd_anon_write
+ - sebool_rsync_anon_write
+ - mount_option_proc_hidepid
+ - sebool_nfs_export_all_ro
+ - audit_rules_unsuccessful_file_modification_chown
+ - sebool_selinuxuser_udp_server
+ - sebool_cups_execmem
+ - service_ntpdate_disabled
+ - sebool_httpd_execmem
+ - sebool_httpd_sys_script_anon_write
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write
+ - sebool_ftpd_use_cifs
+ - service_atd_disabled
+ - audit_rules_etc_shadow_open_by_handle_at
+ - sebool_mysql_connect_any
+ - audit_rules_privileged_commands_pt_chown
+ - sebool_httpd_can_sendmail
+ - sebool_prosody_bind_http_port
+ - sebool_httpd_use_sasl
+ - sebool_tftp_home_dir
+ - sebool_gssd_read_tmp
+ - kernel_module_uvcvideo_disabled
+ - sebool_squid_use_tproxy
+ - sebool_httpd_ssi_exec
+ - sebool_use_lpd_server
+ - audit_rules_successful_file_modification_open_by_handle_at_o_creat
+ - sebool_unconfined_login
+ - account_use_centralized_automated_auth
+ - file_groupowner_efi_grub2_cfg
+ - sebool_xdm_bind_vnc_tcp_port
+ - sebool_deny_ptrace
+ - sebool_postgresql_selinux_transmit_client_label
+ - sysctl_net_ipv6_conf_all_disable_ipv6
+ - sebool_smartmon_3ware
+ - dconf_gnome_login_retries
+ - audit_rules_unsuccessful_file_modification_setxattr
+ - sudo_vdsm_nopasswd
+ - sebool_global_ssp
+ - service_smb_disabled
+ - sebool_virt_rw_qemu_ga_data
+ - sebool_selinuxuser_tcp_server
+ - package_inetutils-telnetd_removed
+ - audit_rules_successful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_fchmod
+ - service_ntpd_enabled
+ - file_permissions_httpd_server_conf_files
+ - sebool_httpd_use_gpg
+ - sebool_spamd_enable_home_dirs
+ - package_openldap-servers_removed
+ - avahi_disable_publishing
+ - audit_rules_successful_file_modification_fchmod
+ - sebool_fenced_can_network_connect
+ - sebool_virt_use_nfs
+ - sebool_lsmd_plugin_connect_any
+ - account_passwords_pam_faillock_dir
+ - sebool_authlogin_yubikey
+ - sebool_authlogin_nsswitch_use_ldap
+ - dconf_gnome_disable_geolocation
+ - sebool_httpd_run_preupgrade
+ - sebool_httpd_use_cifs
+ - sebool_telepathy_tcp_connect_generic_network_ports
+ - zipl_slub_debug_argument
+ - sebool_entropyd_use_audio
+ - grub2_kernel_trust_cpu_rng
+ - sebool_httpd_enable_ftp_server
+ - sebool_postgresql_selinux_users_ddl
+ - package_ypbind_removed
+ - xwindows_runlevel_target
+ - package_talk-server_removed
+ - kernel_module_ipv6_option_disabled
+ - sebool_cobbler_use_nfs
+ - sebool_mozilla_plugin_can_network_connect
+ - sebool_ftpd_full_access
+ - sebool_mcelog_foreground
+ - sebool_xguest_exec_content
+ - sebool_daemons_dump_core
+ - audit_rules_successful_file_modification_renameat
+ - service_rngd_enabled
+ - kernel_module_cfg80211_disabled
+ - sebool_git_cgi_use_cifs
+ - sebool_virt_sandbox_use_netlink
+ - enable_dconf_user_profile
+ - service_dhcpd_disabled
+ - kernel_module_jffs2_disabled
+ - sebool_openvpn_run_unconfined
+ - sebool_gluster_anon_write
+ - audit_rules_successful_file_modification_open
+ - sebool_secure_mode_insmod
+ - sebool_nscd_use_shm
+ - sebool_ksmtuned_use_cifs
+ - sebool_nagios_run_pnp4nagios
+ - sebool_selinuxuser_direct_dri_enabled
+ - sebool_haproxy_connect_any
+ - audit_rules_etc_shadow_openat
+ - sebool_pppd_can_insmod
+ - sebool_glance_api_can_network
+ - accounts_passwords_pam_faillock_enforce_local
+ - sebool_mozilla_plugin_use_bluejeans
+ - sebool_mozilla_read_content
+ - sebool_virt_use_usb
+ - sebool_virt_use_execmem
+ - sebool_virt_read_qemu_ga_data
+ - service_vsftpd_disabled
+ - ssh_private_keys_have_passcode
+ - sebool_user_exec_content
+ - sebool_gluster_export_all_ro
+ - sebool_mcelog_server
+ - sebool_mount_anyfile
+ - sebool_sge_use_nfs
+ - sebool_daemons_use_tty
+ - sebool_mcelog_client
+ - sebool_rsync_client
+ - sebool_privoxy_connect_any
+ - postfix_client_configure_relayhost
+ - sebool_httpd_builtin_scripting
+ - etc_system_fips_exists
+ - iptables_sshd_disabled
+ - grub2_ipv6_disable_argument
+ - dconf_gnome_disable_thumbnailers
+ - sebool_varnishd_connect_any
+ - kernel_module_hfsplus_disabled
+ - audit_rules_for_ospp
+ - package_rsh_removed
+ - dconf_gnome_enable_smartcard_auth
+ - service_oddjobd_disabled
+ - service_postfix_enabled
+ - package_openssh-server_removed
+ - sebool_httpd_can_connect_mythtv
+ - audit_rules_successful_file_modification_lchown
+ - sebool_tftp_anon_write
+ - sebool_cobbler_can_network_connect
+ - sebool_samba_export_all_ro
+ - service_cron_enabled
+ - file_permissions_efi_user_cfg
+ - service_rhnsd_disabled
+ - audit_rules_successful_file_modification_unlink
+ - no_all_squash_exports
+ - sebool_use_samba_home_dirs
+ - audit_rules_etc_gshadow_openat
+ - service_ufw_enabled
+ - harden_sshd_macs_openssh_conf_crypto_policy
+ - dir_permissions_binary_dirs
+ - sebool_xend_run_blktap
+ - dconf_gnome_disable_wifi_notification
+ - package_nis_removed
+ - service_xinetd_disabled
+ - audit_rules_etc_passwd_open
+ - dhcp_client_restrict_options
+ - sebool_openvpn_can_network_connect
+ - kernel_module_freevxfs_disabled
+ - account_emergency_expire_date
+ - sebool_unconfined_mozilla_plugin_transition
+ - audit_rules_unsuccessful_file_modification_lremovexattr
+ - file_permissions_var_log_syslog
+ - sebool_git_cgi_enable_homedirs
+ - audit_rules_etc_passwd_open_by_handle_at
+ - audit_rules_privileged_commands_at
+ - sebool_virt_use_fusefs
+ - kernel_module_iwlmvm_disabled
+ - service_ntp_enabled
+ - file_owner_var_log_syslog
+ - service_ip6tables_enabled
+ - sebool_logging_syslogd_run_nagios_plugins
+ - sebool_mozilla_plugin_use_gps
+ - service_slapd_disabled
+ - audit_rules_unsuccessful_file_modification_open_o_trunc_write
+ - sebool_ftpd_connect_all_unreserved
+ - configure_user_data_backups
+ - dir_ownership_binary_dirs
+ - sebool_mcelog_exec_scripts
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sebool_xserver_execmem
+ - sysctl_net_ipv6_conf_default_disable_ipv6
+ - sebool_cron_userdomain_transition
+ - sebool_collectd_tcp_network_connect
+ - sebool_httpd_enable_homedirs
+ - sebool_httpd_unified
+ - audit_rules_privileged_commands_newuidmap
+ - sebool_zabbix_can_network
+ - audit_rules_unsuccessful_file_modification_chmod
+ - sebool_gpg_web_anon_write
+ - fapolicyd_prevent_home_folder_access
+ - no_legacy_plus_entries_etc_passwd
+ - sebool_sanlock_use_nfs
+ - sebool_racoon_read_shadow
+ - audit_rules_successful_file_modification_fsetxattr
+ - audit_rules_successful_file_modification_fremovexattr
+ - package_krb5-server_removed
+ - file_permissions_httpd_server_conf_d_files
+ - audit_rules_successful_file_modification_rename
+ - sebool_guest_exec_content
+ - kernel_module_rds_disabled
+ - sebool_selinuxuser_mysql_connect_enabled
+ - sebool_antivirus_use_jit
+ - sebool_ksmtuned_use_nfs
+ - service_qpidd_disabled
+ - audit_rules_successful_file_modification_setxattr
+ - sebool_polipo_session_bind_all_unreserved_ports
+ - sebool_secure_mode_policyload
+ - sebool_webadm_read_user_files
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
+ - audit_rules_unsuccessful_file_modification_fsetxattr
+ - kernel_module_hfs_disabled
+ - sebool_git_session_users
+ - sebool_exim_manage_user_files
+ - configure_gnutls_tls_crypto_policy
+ - sshd_enable_gssapi_auth
+ - sebool_minidlna_read_generic_user_content
+ - audit_rules_etc_group_openat
+ - sebool_httpd_can_network_connect_cobbler
+ - auditd_data_disk_error_action
+ - audit_rules_unsuccessful_file_modification_fchownat
+ - sebool_openvpn_enable_homedirs
+ - zipl_enable_selinux
+ - audit_rules_unsuccessful_file_modification_open_o_creat
+ - kernel_config_ipv6
+ - audit_rules_successful_file_modification_chown
+ - audit_rules_successful_file_modification_fchmodat
+ - sebool_dhcpc_exec_iptables
+ - file_permissions_efi_grub2_cfg
+ - audit_rules_unsuccessful_file_modification_removexattr
+ - sebool_telepathy_connect_all_ports
+ - sebool_postgresql_can_rsync
+ - audit_rules_unsuccessful_file_modification_openat_o_trunc_write
+ - rpm_verify_permissions
+ - package_telnetd_removed
+ - sebool_httpd_setrlimit
+ - harden_sshd_macs_opensshserver_conf_crypto_policy
+ - service_dovecot_disabled
+ - service_cockpit_disabled
+ - no_legacy_plus_entries_etc_group
+ - mount_option_boot_noauto
+ - sebool_git_cgi_use_nfs
+ - sebool_git_system_use_cifs
+ - sebool_httpd_use_nfs
+ - audit_rules_unsuccessful_file_modification_lchown
+ - dconf_gnome_disable_wifi_create
+ - audit_rules_successful_file_modification_fchown
+ - sebool_git_system_enable_homedirs
+ - sebool_httpd_can_check_spam
+ - sebool_mpd_use_cifs
+ - sebool_xen_use_nfs
+ - sebool_samba_enable_home_dirs
+ - service_named_disabled
+ - service_syslogng_enabled
+ - sebool_sanlock_use_fusefs
+ - account_passwords_pam_faillock_audit
+ - sebool_ssh_keysign
+ - sebool_zebra_write_config
+ - auditd_data_retention_num_logs
+ - sebool_kerberos_enabled
+ - sebool_irc_use_any_tcp_ports
+ - package_xinetd_removed
+ - audit_rules_etc_gshadow_open_by_handle_at
+ - sebool_samba_export_all_rw
+ - audit_rules_successful_file_modification_truncate
+ - dhcp_server_minimize_served_info
+ - file_permissions_httpd_server_modules_files
+ - audit_rules_successful_file_modification_open_by_handle_at
+ - sebool_tmpreaper_use_samba
+ - sebool_xdm_sysadm_login
+ - sebool_samba_create_home_dirs
+ - sebool_login_console_enabled
+ - sebool_secadm_exec_content
+ - audit_rules_successful_file_modification_chmod
+ - sebool_nis_enabled
+ - sebool_cvs_read_shadow
+ - audit_rules_unsuccessful_file_modification_lsetxattr
+ - sebool_xend_run_qemu
+ - sebool_virt_use_comm
+ - installed_OS_is_FIPS_certified
+ - sebool_httpd_can_network_connect
+ - sebool_virt_sandbox_use_audit
+ - sshd_disable_root_password_login
+ - package_telnetd-ssl_removed
+ - sebool_puppetmaster_use_db
+ - audit_rules_successful_file_modification_ftruncate
+ - fapolicy_default_deny
+ - dconf_gnome_disable_power_settings
+ - sebool_mozilla_plugin_bind_unreserved_ports
+ - package_MFEhiplsm_installed
+ - sebool_fenced_can_ssh
+ - sebool_glance_use_execmem
+ - audit_rules_etc_passwd_openat
+ - sebool_rsync_full_access
+ - snmpd_no_rwusers
+ - mount_option_home_usrquota
+ - sebool_logging_syslogd_can_sendmail
+ - sebool_ftpd_use_passive_mode
+ - sebool_cluster_can_network_connect
+ - sebool_cdrecord_read_content
+ - sebool_antivirus_can_scan_system
+ - rsyslog_logging_configured
+ - sebool_httpd_manage_ipa
+ - sebool_samba_share_nfs
+ - sebool_domain_kernel_load_modules
+ - package_389-ds-base_removed
+ - sebool_logging_syslogd_use_tty
+ - audit_rules_etc_group_open
+ - sebool_secure_mode
+ - set_iptables_default_rule_forward
+ - service_rdisc_disabled
+ - zipl_vsyscall_argument
+ - audit_rules_unsuccessful_file_modification_openat_o_creat
+ - sebool_awstats_purge_apache_log_files
+ - sebool_httpd_tmp_exec
+ - package_postfix_installed
+ - sebool_sanlock_use_samba
+ - force_opensc_card_drivers
+ - audit_rules_successful_file_modification_creat
+ - sebool_domain_fd_use
+ - package_avahi-autoipd_removed
+ - sebool_httpd_can_connect_ftp
+ - sebool_httpd_anon_write
+ - sebool_dhcpd_use_ldap
+ - coreos_enable_selinux_kernel_argument
+ - sebool_postgresql_selinux_unconfined_dbadm
+ - kernel_disable_entropy_contribution_for_solid_state_drives
+ - sebool_use_fusefs_home_dirs
+ - audit_rules_successful_file_modification_lremovexattr
+ - sebool_virt_transition_userdomain
+ - package_freeradius_removed
+ - file_owner_efi_grub2_cfg
+ - sebool_httpd_tty_comm
+ - sebool_dbadm_read_user_files
+ - audit_rules_unsuccessful_file_modification_unlink
+ - auditd_audispd_disk_full_action
+ - sebool_exim_read_user_files
+ - ftp_limit_users
+ - sebool_zarafa_setrlimit
+ - kernel_module_mac80211_disabled
+ - sebool_kdumpgui_run_bootloader
+ - rsyslog_accept_remote_messages_tcp
+ - sebool_httpd_verify_dns
+ - accounts_password_pam_enforce_local
+ - usbguard_allow_hub
+ - sebool_polipo_use_nfs
+ - sebool_exim_can_connect_db
+ - sebool_unprivuser_use_svirt
+ - sebool_httpd_run_stickshift
+ - set_ipv6_loopback_traffic
+ - ftp_configure_firewall
+ - sebool_cron_can_relabel
+ - audit_rules_unsuccessful_file_modification_fremovexattr
+ - sebool_httpd_dbus_sssd
+ - sebool_xguest_connect_network
+ - package_geolite2-country_removed
+ - audit_rules_etc_group_open_by_handle_at
+ - sebool_daemons_use_tcp_wrapper
+ - sebool_use_nfs_home_dirs
+ - sshd_set_keepalive_0
+ - sebool_conman_can_network
+ - sebool_logrotate_use_nfs
+ - audit_rules_unsuccessful_file_modification_fchown
+ - sebool_httpd_can_network_connect_db
+ - sebool_gluster_export_all_rw
+ - sebool_named_write_master_zones
+ - sebool_postfix_local_write_mail_spool
+ - sebool_xguest_mount_media
+ - sebool_selinuxuser_rw_noexattrfile
+ - sebool_cron_system_cronjob_use_shares
+ - sebool_virt_use_rawip
+ - sebool_pcp_bind_all_unreserved_ports
+ - audit_rules_etc_gshadow_open
+ - sebool_saslauthd_read_shadow
+ - sebool_mock_enable_homedirs
+ - ntpd_specify_remote_server
+ - selinux_user_login_roles
+ - audit_rules_successful_file_modification_openat_o_creat
+ - kernel_module_iwlwifi_disabled
+ - sebool_zoneminder_anon_write
+ - sshd_enable_x11_forwarding
+ - dconf_gnome_screensaver_user_info
+ - sshd_disable_rhosts_rsa
+ - sebool_neutron_can_network
+ - sebool_ftpd_connect_db
+ - sebool_httpd_mod_auth_ntlm_winbind
+ - sebool_samba_share_fusefs
+ - harden_ssh_client_crypto_policy
+ - sebool_cobbler_use_cifs
+ - sebool_httpd_can_network_relay
+ - package_geolite2-city_removed
+ - set_iptables_default_rule
+ - sebool_piranha_lvs_can_network_connect
+ - usbguard_allow_hid
+ - package_talk_removed
+ - no_legacy_plus_entries_etc_shadow
+ - sebool_git_session_bind_all_unreserved_ports
+ - rsyslog_accept_remote_messages_udp
+ - sebool_boinc_execmem
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - sebool_fips_mode
+ - audit_rules_unsuccessful_file_modification_open_rule_order
+ - audit_rules_unsuccessful_file_modification_fchmodat
+ - sebool_polipo_session_users
+ - sebool_cluster_manage_all_files
+ - configure_firewalld_ports
diff --git a/products/msvsphere9/profiles/session-monitor.profile b/products/msvsphere9/profiles/session-monitor.profile
new file mode 100644
index 00000000..fdd4bf2f
--- /dev/null
+++ b/products/msvsphere9/profiles/session-monitor.profile
@@ -0,0 +1,12 @@
+documentation_complete: true
+
+title: 'Session-monitor profile for MSVSphere 9'
+
+description: |-
+ This profile contains the rule needed to monitor
+ user sessions and lock the screen when
+ the status changes
+
+selections:
+ - package_session-monitor_installed
+ - service_session-monitor_enabled
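Review bot: The `description` says "the rule" although two rules are selected, and "when the status changes" never says which status is meant. The text also lacks a closing period. A reader of a scan report cannot tell from it what a pass actually proves. Going only by the two selections, a description such as `This profile checks that the session-monitor package is installed and that its service is enabled.` would state exactly what is evaluated. A `reference:` line pointing at the session-monitor documentation would let an auditor find what the service does.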
diff --git a/products/msvsphere9/profiles/stig.profile b/products/msvsphere9/profiles/stig.profile
new file mode 100644
index 00000000..252a98c5
--- /dev/null
+++ b/products/msvsphere9/profiles/stig.profile
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+metadata:
+ version: V1R3
+ SMEs:
+ - mab879
+ - ggbecker
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DISA STIG for Red Hat Enterprise Linux 9'
+
+description: |-
+ This profile contains configuration checks that align to the
+ DISA STIG for Red Hat Enterprise Linux 9 V1R3.
+
+ In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
+
+ - Red Hat Enterprise Linux Server
+ - Red Hat Enterprise Linux Workstation and Desktop
+ - Red Hat Enterprise Linux for HPC
+ - Red Hat Storage
+ - Red Hat Containers with a Red Hat Enterprise Linux 9 image
+
+selections:
+ - stig_rhel9:all
+ # Following rules once had a prodtype incompatible with the rhel9 product
+ - '!audit_rules_immutable_login_uids'
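Review bot: The `title` and `description` still read "DISA STIG for Red Hat Enterprise Linux 9", so a scan of an MSVSphere 9 host will be reported under a RHEL title. The description also asserts a DISA recognition that nothing in this patch establishes for MSVSphere. `stig_gui.profile` carries the same text. The comment above the last selection likewise still speaks of "the rhel9 product". I would retitle to something like `title: 'DISA STIG for Red Hat Enterprise Linux 9, applied to MSVSphere 9'` and add one description sentence saying the baseline is derived from the RHEL 9 STIG, so that a compliance report does not overstate what was assessed.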
diff --git a/products/msvsphere9/profiles/stig_gui.profile b/products/msvsphere9/profiles/stig_gui.profile
new file mode 100644
index 00000000..9d63ff7e
--- /dev/null
+++ b/products/msvsphere9/profiles/stig_gui.profile
@@ -0,0 +1,49 @@
+documentation_complete: true
+
+metadata:
+ version: V1R3
+ SMEs:
+ - mab879
+ - ggbecker
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DISA STIG with GUI for Red Hat Enterprise Linux 9'
+
+description: |-
+ This profile contains configuration checks that align to the
+ DISA STIG for Red Hat Enterprise Linux 9 V1R3.
+
+
+ In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
+
+ - Red Hat Enterprise Linux Server
+ - Red Hat Enterprise Linux Workstation and Desktop
+ - Red Hat Enterprise Linux for HPC
+ - Red Hat Storage
+ - Red Hat Containers with a Red Hat Enterprise Linux 9 image
+
+ Warning: The installation and use of a Graphical User Interface (GUI)
+ increases your attack vector and decreases your overall security posture. If
+ your Information Systems Security Officer (ISSO) lacks a documented operational
+ requirement for a graphical user interface, please consider using the
+ standard DISA STIG for Red Hat Enterprise Linux 9 profile.
+
+extends: stig
+
+selections:
+ # RHEL-09-215070
+ - '!xwindows_remove_packages'
+
+ # RHEL-09-211030
+ - '!xwindows_runlevel_target'
+
+ # RHEL-09-215025
+ - '!package_nfs-utils_removed'
+
+ # RHEL-09-213105
+ # Limiting user namespaces cause issues with user apps, such as Firefox and Cheese
+ # https://issues.redhat.com/browse/RHEL-10416
+ - '!sysctl_user_max_user_namespaces'
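Review bot: Three of the four deselections in `selections:` carry only a RHEL STIG ID with no reason; only `!sysctl_user_max_user_namespaces` explains why the control is dropped. Each `!rule` line removes a hardening check from the GUI baseline, so an auditor needs the justification beside it. For example, `# RHEL-09-215025: nfs-utils is kept because <reason on MSVSphere desktop installs>` above `!package_nfs-utils_removed`, and likewise for the two `xwindows_*` entries. The IDs are RHEL 9 STIG identifiers, and it would help to say so in a leading comment, since this profile belongs to the msvsphere9 product.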
diff --git a/products/msvsphere9/transforms/constants.xslt b/products/msvsphere9/transforms/constants.xslt
new file mode 100644
index 00000000..98fd9760
--- /dev/null
+++ b/products/msvsphere9/transforms/constants.xslt
@@ -0,0 +1,18 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">MSVSphere 9</xsl:variable>
+<xsl:variable name="product_short_name">MSVSphere9</xsl:variable>
+<xsl:variable name="product_stig_id_name">MSVSPHERE_STIG</xsl:variable>
+<xsl:variable name="prod_type">msvsphere9</xsl:variable>
+
+<!-- Define URI of official Center for Internet Security Benchmark for MSVSphere 9 -->
+<!--<xsl:variable name="cisuri">https://benchmarks.cisecurity.org/tools2/linux/CIS_MSVSphere_Benchmark_v1.0.pdf</xsl:variable>-->
+<xsl:variable name="disa-srguri" select="$disa-ossrguri"/>
+<!-- Define URI for custom policy reference which can be used for linking to corporate policy -->
+<!--xsl:variable name="custom-ref-uri">https://www.example.org</xsl:variable-->
+
+<xsl:variable name="cisuri">empty</xsl:variable>
+
+</xsl:stylesheet>
diff --git a/products/msvsphere9/transforms/table-style.xslt b/products/msvsphere9/transforms/table-style.xslt
new file mode 100644
index 00000000..8b6caeab
--- /dev/null
+++ b/products/msvsphere9/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
new file mode 100644
index 00000000..4789419b
--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>
diff --git a/products/msvsphere9/transforms/xccdf2table-cce.xslt b/products/msvsphere9/transforms/xccdf2table-cce.xslt
new file mode 100644
index 00000000..f156a669
--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt b/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
new file mode 100644
index 00000000..30419e92
--- /dev/null
+++ b/products/msvsphere9/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/shared/checks/oval/installed_OS_is_msvsphere9.xml b/shared/checks/oval/installed_OS_is_msvsphere9.xml
new file mode 100644
index 00000000..7db019aa
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_msvsphere9.xml
@@ -0,0 +1,34 @@
+<def-group>
+ <definition class="inventory" id="installed_OS_is_msvsphere9" version="3">
+ <metadata>
+ <title>MSVSphere 9</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <reference ref_id="cpe:/o:ncsd:msvsphere:9" source="CPE" />
+ <description>The operating system installed on the system is MSVSphere 9</description>
+ </metadata>
+ <criteria comment="current OS is 9" operator="AND">
+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
+ <criterion comment="MSVSphere is installed" test_ref="test_msvsphere" />
+ <criterion comment="MSVSphere 9 is installed" test_ref="test_msvsphere9" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/msvsphere exists" id="test_msvsphere" version="1">
+ <unix:object object_ref="obj_msvsphere" />
+ </unix:file_test>
+ <unix:file_object comment="check /etc/msvsphere file" id="obj_msvsphere" version="1">
+ <unix:filepath>/etc/msvsphere</unix:filepath>
+ </unix:file_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Custom OS version" id="test_msvsphere9" version="1">
+ <ind:object object_ref="obj_msvsphere9" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_msvsphere9" version="1" comment="Check MSVSphere version">
+ <ind:filepath>/etc/msvsphere</ind:filepath>
+ <ind:pattern operation="pattern match">^9.[0-9]+$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
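Review bot: The version pattern in `obj_msvsphere9` leaves the dot unescaped, so `^9.[0-9]+$` accepts any character after the 9, for example `9x1` or `915`, not only `9.<minor>`. This definition is the `check_id` that `product.yml` uses for the product CPE, so it decides whether the content applies to a host and should match strictly: `<ind:pattern operation="pattern match">^9\.[0-9]+$</ind:pattern>`. The check also assumes that `/etc/msvsphere` holds a bare version string on a line of its own. If the file carries a product name or other text on that line, the anchored pattern never matches and the platform check fails. That assumption is worth confirming against a real installation.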
diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
index e5cf1ffb..56df0967 100644
--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
@@ -7,6 +7,7 @@
<platform>multi_platform_anolis</platform>
<platform>multi_platform_debian</platform>
<platform>multi_platform_example</platform>
+ <platform>multi_platform_msvsphere</platform>
<platform>multi_platform_fedora</platform>
<platform>multi_platform_openembedded</platform>
<platform>multi_platform_openeuler</platform>
diff --git a/shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml b/shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml
new file mode 120000
index 00000000..6f97d155
--- /dev/null
+++ b/shared/references/disa-stig-msvsphere9-v1r1-xccdf-scap.xml
@@ -0,0 +1 @@
+disa-stig-rhel9-v1r1-xccdf-scap.xml
\ No newline at end of file
diff --git a/shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml b/shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml
new file mode 120000
index 00000000..bf80a773
--- /dev/null
+++ b/shared/references/disa-stig-msvsphere9-v1r3-xccdf-manual.xml
@@ -0,0 +1 @@
+disa-stig-rhel9-v1r3-xccdf-manual.xml
\ No newline at end of file
diff --git a/ssg/constants.py b/ssg/constants.py
index c0285809..5bc2ea24 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -45,6 +45,7 @@ product_directories = [
'chromium',
'debian10', 'debian11', 'debian12',
'example',
+ 'msvsphere9',
'eks',
'fedora',
'firefox',
@@ -205,6 +206,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
"Debian 11": "debian11",
"Debian 12": "debian12",
"Example": "example",
+ "MSVSphere 9": "msvsphere9",
"Amazon Elastic Kubernetes Service": "eks",
"Fedora": "fedora",
"Firefox": "firefox",
@@ -278,7 +280,7 @@ REFERENCES = dict(
)
-MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+MULTI_PLATFORM_LIST = ["rhel", "fedora", "msvsphere", "rhv", "debian", "ubuntu",
"openeuler",
"opensuse", "sle", "ol", "ocp", "rhcos",
"example", "eks", "alinux", "uos", "anolis", "openembedded"]
@@ -290,6 +292,7 @@ MULTI_PLATFORM_MAPPING = {
"multi_platform_example": ["example"],
"multi_platform_eks": ["eks"],
"multi_platform_fedora": ["fedora"],
+ "multi_platform_msvsphere": ["msvsphere9"],
"multi_platform_openeuler": ["openeuler2203"],
"multi_platform_opensuse": ["opensuse"],
"multi_platform_ol": ["ol7", "ol8", "ol9"],
@@ -455,6 +458,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
'anolis': 'Anolis OS',
'chromium': 'Google Chromium Browser',
'fedora': 'Fedora',
+ 'msvsphere': 'MSVSphere',
'firefox': 'Mozilla Firefox',
'macos': 'Apple macOS',
'rhel': 'Red Hat Enterprise Linux',
diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
index 1c1560a8..83bc5bd1 100644
--- a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_msvsphere,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
index 10ecee50..89067390 100644
--- a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_msvsphere,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# reboot = true
# strategy = restrict
# complexity = low
diff --git a/tests/unit/ssg_test_suite/data/correct.pass.sh b/tests/unit/ssg_test_suite/data/correct.pass.sh
index 8e5e284e..46e50b1a 100644
--- a/tests/unit/ssg_test_suite/data/correct.pass.sh
+++ b/tests/unit/ssg_test_suite/data/correct.pass.sh
@@ -1,6 +1,6 @@
#!/bin/bash
# packages = sudo,authselect
-# platform = multi_platform_rhel,Fedora
+# platform = multi_platform_rhel,multi_platform_msvsphere,Fedora
# profiles = xccdf_org.ssgproject.content_profile_cis
# remediation = none
# variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
--
2.43.5