Add RHEL 10 Product

This commit is contained in:
Matthew Burket 2024-03-27 18:19:05 -05:00
parent 0e2a008939
commit 0d5213e1d4
No known key found for this signature in database
GPG Key ID: 9C26A3A35EA736FD
2 changed files with 785 additions and 3 deletions

01-Add-RHEL10.patch Normal file

@ -0,0 +1,779 @@
From 2227b85575b5b5c049308fbe07b100f38da7cc98 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Mon, 26 Feb 2024 14:48:53 -0600
Subject: [PATCH 1/3] Add RHEL 10 Product
---
CMakeLists.txt | 5 +
build-scripts/enable_derivatives.py | 2 +-
build_product | 1 +
.../sudo/package_sudo_installed/rule.yml | 1 +
products/rhel10/CMakeLists.txt | 26 +++
products/rhel10/overlays/srg_support.xml | 173 ++++++++++++++++++
products/rhel10/product.yml | 57 ++++++
products/rhel10/transforms/constants.xslt | 13 ++
products/rhel10/transforms/table-style.xslt | 5 +
.../transforms/xccdf-apply-overlay-stig.xslt | 8 +
.../rhel10/transforms/xccdf2table-cce.xslt | 9 +
.../xccdf2table-profileccirefs.xslt | 9 +
shared/applicability/cs10.yml | 3 +
.../checks/oval/installed_OS_is_centos10.xml | 47 +++++
shared/checks/oval/installed_OS_is_rhel10.xml | 59 ++++++
shared/references/cce-redhat-avail.txt | 1 -
ssg/constants.py | 7 +-
tests/CMakeLists.txt | 16 ++
18 files changed, 438 insertions(+), 4 deletions(-)
create mode 100644 products/rhel10/CMakeLists.txt
create mode 100644 products/rhel10/overlays/srg_support.xml
create mode 100644 products/rhel10/product.yml
create mode 100644 products/rhel10/transforms/constants.xslt
create mode 100644 products/rhel10/transforms/table-style.xslt
create mode 100644 products/rhel10/transforms/xccdf-apply-overlay-stig.xslt
create mode 100644 products/rhel10/transforms/xccdf2table-cce.xslt
create mode 100644 products/rhel10/transforms/xccdf2table-profileccirefs.xslt
create mode 100644 shared/applicability/cs10.yml
create mode 100644 shared/checks/oval/installed_OS_is_centos10.xml
create mode 100644 shared/checks/oval/installed_OS_is_rhel10.xml
diff --git a/CMakeLists.txt b/CMakeLists.txt
index aef21154f2..21f5f5201b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -97,6 +97,7 @@ option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built
option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_RHEL9 "If enabled, the RHEL9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_RHV4 "If enabled, the RHV4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_SLE12 "If enabled, the SLE12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_SLE15 "If enabled, the SLE15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -323,6 +324,7 @@ message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
message(STATUS "RHEL 9: ${SSG_PRODUCT_RHEL9}")
+message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}")
message(STATUS "RHV 4: ${SSG_PRODUCT_RHV4}")
message(STATUS "SUSE 12: ${SSG_PRODUCT_SLE12}")
message(STATUS "SUSE 15: ${SSG_PRODUCT_SLE15}")
@@ -435,6 +437,9 @@ endif()
if(SSG_PRODUCT_RHEL9)
add_subdirectory("products/rhel9" "rhel9")
endif()
+if(SSG_PRODUCT_RHEL10)
+ add_subdirectory("products/rhel10" "rhel10")
+endif()
if(SSG_PRODUCT_RHV4)
add_subdirectory("products/rhv4" "rhv4")
endif()
diff --git a/build-scripts/enable_derivatives.py b/build-scripts/enable_derivatives.py
index bcc6ed3845..53e5eae1d0 100755
--- a/build-scripts/enable_derivatives.py
+++ b/build-scripts/enable_derivatives.py
@@ -94,7 +94,7 @@ def main():
raise RuntimeError("No Benchmark found!")
for namespace, benchmark in benchmarks:
- if args[1] != "cs9" and not args[1].startswith("centos"):
+ if args[1] not in ("cs9", "cs10") and not args[1].startswith("centos"):
# In all CentOS and CentOS Streams, profiles are kept because they are systems
# intended to test content that will get into RHEL
ssg.build_derivatives.profile_handling(benchmark, namespace)
diff --git a/build_product b/build_product
index 34c74f12ae..72e95aa7cb 100755
--- a/build_product
+++ b/build_product
@@ -340,6 +340,7 @@ all_cmake_products=(
RHEL7
RHEL8
RHEL9
+ RHEL10
RHV4
SLE12
SLE15
diff --git a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
index f2c8729c47..15731a7471 100644
--- a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
+++ b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
@@ -19,6 +19,7 @@ identifiers:
cce@rhel7: CCE-82213-0
cce@rhel8: CCE-82214-8
cce@rhel9: CCE-83523-1
+ cce@rhel10: CCE-87100-4
cce@sle12: CCE-91491-1
cce@sle15: CCE-91183-4
diff --git a/products/rhel10/CMakeLists.txt b/products/rhel10/CMakeLists.txt
new file mode 100644
index 0000000000..782fee524a
--- /dev/null
+++ b/products/rhel10/CMakeLists.txt
@@ -0,0 +1,26 @@
+# Sometimes our users will try to do: "cd rhel10; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "rhel10")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_cce_table(${PRODUCT})
+
+ssg_build_html_srgmap_tables(${PRODUCT})
+
+if(SSG_SRG_XLSX_EXPORT)
+ ssg_build_xlsx_srg_export(${PRODUCT} "srg_gpos")
+endif()
+
+#ssg_build_html_stig_tables(${PRODUCT})
+#ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")
+#ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig_gui")
+
+#ssg_build_html_stig_tables(${PRODUCT} "ospp")
+
+if(SSG_CENTOS_DERIVATIVES_ENABLED)
+ ssg_build_derivative_product(${PRODUCT} "centos" "cs10")
+endif()
diff --git a/products/rhel10/overlays/srg_support.xml b/products/rhel10/overlays/srg_support.xml
new file mode 100644
index 0000000000..c75c701825
--- /dev/null
+++ b/products/rhel10/overlays/srg_support.xml
@@ -0,0 +1,173 @@
+<Group id="srg_support" hidden="true">
+<title>Documentation to Support DISA OS SRG Mapping</title>
+<description>These groups exist to document how the Red Hat Enterprise Linux
+product meets (or does not meet) requirements listed in the DISA OS SRG, for
+those cases where Groups or Rules elsewhere in scap-security-guide do
+not clearly relate.
+</description>
+
+
+<!-- The CCI/SRG items referenced here are:
+ - satisfied (through design and implementation)
+ - selected in DoD baseline (per CNSS 1253) -->
+<Rule id="met_inherently_generic">
+<title>Product Meets this Requirement</title>
+<rationale>
+Red Hat Enterprise Linux meets this requirement through design and implementation.
+</rationale>
+<ocil>RHEL10 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
+<ref disa="15,42,56,206,1084,66,85,86,185,223,171,172,1694,770,804,162,163,164,345,346,1096,1111,1291,386,156,186,1083,1082,1090,804,1127,1128,1129,1248,1265,1314,1362,1368,1310,1311,1328,1399,1400,1404,1405,1427,1499,1632,1693,1665,1674" />
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here relate to auditing, and are:
+ - satisfied (through design and implementation)
+ - selected in DoD baseline (per CNSS 1253) -->
+<Rule id="met_inherently_auditing">
+<title>Product Meets this Requirement</title>
+<rationale>
+The Red Hat Enterprise Linux audit system meets this requirement through design and implementation.
+</rationale>
+<ocil>The RHEL10 auditing system supports this requirement and cannot be configured to be out of
+compliance. Every audit record in RHEL includes a timestamp, the operation attempted,
+success or failure of the operation, the subject involved (executable/process),
+the object involved (file/path), and security labels for the subject and object.
+It also includes the ability to label events with custom key labels. The auditing system
+centralizes the recording of audit events for the entire system and includes
+reduction (<tt>ausearch</tt>), reporting (<tt>aureport</tt>), and real-time
+response (<tt>audispd</tt>) facilities.
+This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
+<ref disa="130,157,131,132,133,134,135,159,174" />
+</Rule>
+
+
+<!-- The CCI/SRG item referenced here are:
+ - satisfied (through design and implementation)
+ - not selected in a DoD baseline -->
+<Rule id="met_inherently_nonselected">
+<title>Product Meets this Requirement</title>
+<rationale>
+Red Hat Enterprise Linux meets this requirement through design and implementation.
+</rationale>
+<ocil>RHEL10 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
+<ref disa="34,35,99,154,226,802,872,1086,1087,1089,1091,1424,1426,1428,1209,1214,1237,1269,1338,1425,1670" />
+</Rule>
+
+
+<!-- The CCI/SRG item listed here are:
+ - satisfied (by Rules in the guidance, which include the reference)
+ - not selected in DoD baseline -->
+<!-- disa="26,32,771,772,831,884,888,1095,1115,1117,1250,1348,1353,1464,1496" -->
+
+
+<!-- The CCI/SRG item referenced here are:
+ - not satisfied
+ - not selected in a DoD baseline
+ - considered out of scope -->
+<Rule id="unmet_nonfinding_nonselected_scope">
+<title>Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title>
+<rationale>
+The guidance does not meet this requirement.
+The requirement is impractical or out of scope.
+</rationale>
+<ocil>
+RHEL10 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+</ocil>
+<description>
+This requirement is NA. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
+<ref disa="21,25,28,29,30,165,221,354,553,779,780,781,1009,1094,1123,1124,1125,1132,1135,1140,1141,1142,1143,1145,1147,1148,1166,1339,1340,1341,1350,1356,1373,1374,1383,1391,1392,1395,1662" />
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here are:
+ - not satisfied
+ - not selected in a DoD baseline
+ - considered permanent findings -->
+<Rule id="unmet_finding_nonselected">
+<title>Implementation of the Requirement is Not Supported</title>
+<rationale>
+RHEL10 does not support this requirement.
+</rationale>
+<ocil>
+This is a permanent finding.
+</ocil>
+<description>
+This requirement is a permanent finding and cannot be fixed. An appropriate
+mitigation for the system must be implemented but this finding cannot be
+considered fixed.
+</description>
+<ref disa="20,31,52,144,1158,1294,1295,1500" />
+<!-- Note: CCI 52 supported for text login, but not graphical -->
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here are:
+ - not satisfied
+ - selected in a DoD baseline
+ - considered NA -->
+<Rule id="unmet_nonfinding_scope">
+<title>Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title>
+<rationale>
+The guidance does not meet this requirement.
+The requirement is impractical or out of scope.
+</rationale>
+<ocil>
+RHEL10 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+</ocil>
+<description>
+This requirement is NA. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
+<ref disa="27,218,219,371,372,535,537,539,1682,370,37,24,1112,1126,1143,1149,1157,1159,1210,1211,1274,1372,1376,1377,1352,1401,1555,1556,1150" />
+</Rule>
+
+<Rule id="update_process">
+<title>A process for prompt installation of OS updates must exist.</title>
+<rationale>
+This is a manual inquiry about update procedure.
+</rationale>
+<ocil>
+Ask an administrator if a process exists to promptly and automatically apply OS
+software updates. If such a process does not exist, this is a finding.
+<br /><br />
+If the OS update process limits automatic updates of software packages, where
+such updates would impede normal system operation, to scheduled maintenance
+windows, but still within IAVM-dictated timeframes, this is not a finding.
+</ocil>
+<description>
+Procedures to promptly apply software updates must be established and
+executed. The Red Hat operating system provides support for automating such a
+process, by running the yum program through a cron job or by managing the
+system and its packages through the Red Hat Network or a Satellite Server.
+</description>
+<ref disa="1232" />
+<!-- Note: This is a process, as such, will not receive a CCE -->
+</Rule>
+
+</Group>
diff --git a/products/rhel10/product.yml b/products/rhel10/product.yml
new file mode 100644
index 0000000000..468cda56f5
--- /dev/null
+++ b/products/rhel10/product.yml
@@ -0,0 +1,57 @@
+product: rhel10
+full_name: Red Hat Enterprise Linux 10
+type: platform
+
+families:
+ - rhel
+ - rhel-like
+
+major_version_ordinal: 10
+
+benchmark_id: RHEL-10
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+# EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
+
+groups:
+ dedicated_ssh_keyowner:
+ name: ssh_keys
+
+sshd_distributed_config: "true"
+
+dconf_gdm_dir: "distro.d"
+
+faillock_path: "/var/log/faillock"
+
+# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
+pkg_release: ""
+pkg_version: ""
+aux_pkg_release: ""
+aux_pkg_version: ""
+
+release_key_fingerprint: ""
+auxiliary_key_fingerprint: ""
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - rhel10:
+ name: "cpe:/o:redhat:enterprise_linux:10"
+ title: "Red Hat Enterprise Linux 10"
+ check_id: installed_OS_is_rhel10
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
+
+reference_uris:
+ cis: 'https://www.cisecurity.org/benchmark/red_hat_linux/'
+
+
+journald_conf_dir_path: /etc/systemd/journald.conf.d
diff --git a/products/rhel10/transforms/constants.xslt b/products/rhel10/transforms/constants.xslt
new file mode 100644
index 0000000000..a37664d11f
--- /dev/null
+++ b/products/rhel10/transforms/constants.xslt
@@ -0,0 +1,13 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">Red Hat Enterprise Linux 10</xsl:variable>
+<xsl:variable name="product_short_name">RHEL 10</xsl:variable>
+<xsl:variable name="product_stig_id_name">RHEL_10_STIG</xsl:variable>
+<xsl:variable name="prod_type">rhel10</xsl:variable>
+
+<xsl:variable name="cisuri">https://www.cisecurity.org/benchmark/red_hat_linux/</xsl:variable>
+<xsl:variable name="disa-srguri" select="$disa-ossrguri"/>
+
+</xsl:stylesheet>
diff --git a/products/rhel10/transforms/table-style.xslt b/products/rhel10/transforms/table-style.xslt
new file mode 100644
index 0000000000..8b6caeab8c
--- /dev/null
+++ b/products/rhel10/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/rhel10/transforms/xccdf-apply-overlay-stig.xslt b/products/rhel10/transforms/xccdf-apply-overlay-stig.xslt
new file mode 100644
index 0000000000..4789419b80
--- /dev/null
+++ b/products/rhel10/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>
diff --git a/products/rhel10/transforms/xccdf2table-cce.xslt b/products/rhel10/transforms/xccdf2table-cce.xslt
new file mode 100644
index 0000000000..f156a66956
--- /dev/null
+++ b/products/rhel10/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/rhel10/transforms/xccdf2table-profileccirefs.xslt b/products/rhel10/transforms/xccdf2table-profileccirefs.xslt
new file mode 100644
index 0000000000..30419e92b2
--- /dev/null
+++ b/products/rhel10/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/shared/applicability/cs10.yml b/shared/applicability/cs10.yml
new file mode 100644
index 0000000000..a8dd98a90c
--- /dev/null
+++ b/shared/applicability/cs10.yml
@@ -0,0 +1,3 @@
+name: cpe:/o:centos:centos:10
+title: CentOS Stream 10
+check_id: installed_OS_is_centos10
diff --git a/shared/checks/oval/installed_OS_is_centos10.xml b/shared/checks/oval/installed_OS_is_centos10.xml
new file mode 100644
index 0000000000..fc85513e15
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_centos10.xml
@@ -0,0 +1,47 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_OS_is_centos10" version="2">
+ <metadata>
+ <title>CentOS Stream 10</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <reference ref_id="cpe:/o:centos:centos:10"
+ source="CPE" />
+ <description>The operating system installed on the system is
+ CentOS Stream 10</description>
+ </metadata>
+ <criteria operator="AND">
+ <extend_definition comment="Installed OS is part of the Unix family"
+ definition_ref="installed_OS_is_part_of_Unix_family" />
+ <criterion comment="OS is CentOS Stream" test_ref="test_centos10_name" />
+ <criterion comment="OS version is 10" test_ref="test_centos10_version" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="test_centos10_name" version="1">
+ <ind:object object_ref="obj_name_centos10" />
+ <ind:state state_ref="state_name_centos10" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_name_centos10" version="1" comment="Check os-release ID">
+ <ind:filepath>/etc/os-release</ind:filepath>
+ <ind:pattern operation="pattern match">^ID=&quot;(\w+)&quot;$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_name_centos10" version="1">
+ <ind:subexpression>centos</ind:subexpression>
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="test_centos10_version" version="1">
+ <ind:object object_ref="obj_version_centos10" />
+ <ind:state state_ref="state_version_centos10" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_version_centos10" version="1" comment="Check os-release VERSION_ID">
+ <ind:filepath>/etc/os-release</ind:filepath>
+ <ind:pattern operation="pattern match">^VERSION_ID=&quot;(\d)&quot;$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_version_centos10" version="1">
+ <ind:subexpression>10</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
diff --git a/shared/checks/oval/installed_OS_is_rhel10.xml b/shared/checks/oval/installed_OS_is_rhel10.xml
new file mode 100644
index 0000000000..2a3736abb6
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_rhel10.xml
@@ -0,0 +1,59 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_OS_is_rhel10" version="1">
+ <metadata>
+ <title>Red Hat Enterprise Linux 10</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <reference ref_id="cpe:/o:redhat:enterprise_linux:10"
+ source="CPE" />
+ <description>The operating system installed on the system is
+ Red Hat Enterprise Linux 10</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Installed operating system is part of the unix family"
+ test_ref="test_rhel10_unix_family" />
+ <criteria operator="OR">
+ <criterion comment="RHEL 10 is installed" test_ref="test_rhel10" />
+ <criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
+ <criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="test_rhvh4_version" />
+ <criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 10" test_ref="test_rhevh_rhel10_version" />
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="test_rhel10_unix_family" version="1">
+ <ind:object object_ref="obj_rhel10_unix_family" />
+ <ind:state state_ref="state_rhel10_unix_family" />
+ </ind:family_test>
+ <ind:family_state id="state_rhel10_unix_family" version="1">
+ <ind:family>unix</ind:family>
+ </ind:family_state>
+ <ind:family_object id="obj_rhel10_unix_family" version="1" />
+
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 10" id="test_rhel10" version="1">
+ <linux:object object_ref="obj_rhel10" />
+ <linux:state state_ref="state_rhel10" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_state id="state_rhel10" version="1">
+ <linux:version operation="pattern match">^10.*$</linux:version>
+ </linux:rpminfo_state>
+ <linux:rpminfo_object id="obj_rhel10" version="1">
+ <linux:name>redhat-release</linux:name>
+ </linux:rpminfo_object>
+
+ <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 10" id="test_rhevh_rhel10_version" version="1">
+ <ind:object object_ref="obj_rhevh_rhel10_version" />
+ <ind:state state_ref="state_rhevh_rhel10_version" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_rhevh_rhel10_version" version="1">
+ <ind:filepath>/etc/redhat-release</ind:filepath>
+ <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_rhevh_rhel10_version" version="1">
+ <ind:subexpression operation="pattern match">10</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 80c5472525..351fc605c3 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -634,7 +634,6 @@ CCE-87093-1
CCE-87094-9
CCE-87095-6
CCE-87099-8
-CCE-87100-4
CCE-87110-3
CCE-87111-1
CCE-87112-9
diff --git a/ssg/constants.py b/ssg/constants.py
index 18fbf39d38..6d4128080f 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -55,7 +55,7 @@ product_directories = [
'openeuler2203',
'opensuse',
'openembedded',
- 'rhel7', 'rhel8', 'rhel9',
+ 'rhel7', 'rhel8', 'rhel9', 'rhel10',
'rhv4',
'sle12', 'sle15',
'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'ubuntu2204',
@@ -218,6 +218,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
"Red Hat Enterprise Linux 7": "rhel7",
"Red Hat Enterprise Linux 8": "rhel8",
"Red Hat Enterprise Linux 9": "rhel9",
+ "Red Hat Enterprise Linux 10": "rhel10",
"Red Hat Virtualization 4": "rhv4",
"SUSE Linux Enterprise 12": "sle12",
"SUSE Linux Enterprise 15": "sle15",
@@ -293,7 +294,7 @@ MULTI_PLATFORM_MAPPING = {
"multi_platform_ol": ["ol7", "ol8", "ol9"],
"multi_platform_ocp": ["ocp4"],
"multi_platform_rhcos": ["rhcos4"],
- "multi_platform_rhel": ["rhel7", "rhel8", "rhel9"],
+ "multi_platform_rhel": ["rhel7", "rhel8", "rhel9", "rhel10"],
"multi_platform_rhv": ["rhv4"],
"multi_platform_sle": ["sle12", "sle15"],
"multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
@@ -305,6 +306,7 @@ RHEL_CENTOS_CPE_MAPPING = {
"cpe:/o:redhat:enterprise_linux:7": "cpe:/o:centos:centos:7",
"cpe:/o:redhat:enterprise_linux:8": "cpe:/o:centos:centos:8",
"cpe:/o:redhat:enterprise_linux:9": "cpe:/o:centos:centos:9",
+ "cpe:/o:redhat:enterprise_linux:10": "cpe:/o:centos:centos:10",
}
RHEL_SL_CPE_MAPPING = {
@@ -511,6 +513,7 @@ DERIVATIVES_PRODUCT_MAPPING = {
"centos7": "rhel7",
"centos8": "rhel8",
"cs9": "rhel9",
+ "cs10": "rhel10",
"sl7": "rhel7"
}
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index c4d43508b6..41880e1b6e 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -338,3 +338,19 @@ add_test(
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_components.py" --build-dir "${CMAKE_BINARY_DIR}" --source-dir "${CMAKE_SOURCE_DIR}" --product "rhel9"
)
endif()
+
+macro(cce_avail_check TEST_NAME_SUFFIX PRODUCTS CCE_LIST_PATH)
+ if(PYTHON_VERSION_MAJOR GREATER 2)
+ add_test(
+ NAME "cce_avail_check-${TEST_NAME_SUFFIX}"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/cces-removed.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --products "${PRODUCTS}" --cce-list "${CCE_LIST_PATH}"
+ )
+ set_tests_properties("cce_avail_check-${TEST_NAME_SUFFIX}" PROPERTIES FIXTURES_REQUIRED "rule-dir-json")
+ set_tests_properties("cce_avail_check-${TEST_NAME_SUFFIX}" PROPERTIES DEPENDS "test-rule-dir-json")
+ set_tests_properties("cce_avail_check-${TEST_NAME_SUFFIX}" PROPERTIES LABELS quick)
+ endif()
+endmacro()
+
+cce_avail_check("rhel-all" "rhel7,rhel8,rhel9,rhel10" "${CMAKE_SOURCE_DIR}/shared/references/cce-redhat-avail.txt")
+cce_avail_check("sle12" "sle12" "${CMAKE_SOURCE_DIR}/shared/references/cce-sle12-avail.txt")
+cce_avail_check("sle15" "sle15" "${CMAKE_SOURCE_DIR}/shared/references/cce-sle15-avail.txt")
--
2.44.0
From 17bb8bfe511a9d7b0debcb75e3b3ed6dfa51c6de Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 22 Feb 2024 16:15:03 -0600
Subject: [PATCH 2/3] Human sort the sections in fix_rules
---
utils/fix_rules.py | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/utils/fix_rules.py b/utils/fix_rules.py
index f6cf095c3d..42a863a563 100755
--- a/utils/fix_rules.py
+++ b/utils/fix_rules.py
@@ -110,9 +110,16 @@ def has_duplicated_subkeys(rule_path, rule, rule_lines):
return ssg.rule_yaml.has_duplicated_subkeys(rule_path, rule_lines, TO_SORT)
+def _human_sort(line):
+ # Based on: https://blog.codinghorror.com/sorting-for-humans-natural-sort-order/
+ def convert(text): return int(text) if text.isdigit() else text
+ return [convert(text) for text in re.split(r'(\d+)', line)]
+
+
def has_unordered_sections(rule_path, rule, rule_lines):
if 'references' in rule or 'identifiers' in rule:
- new_lines = ssg.rule_yaml.sort_section_keys(rule_path, rule_lines, TO_SORT)
+ new_lines = ssg.rule_yaml.sort_section_keys(rule_path, rule_lines, TO_SORT,
+ sort_func=_human_sort)
# Compare string representations to avoid issues with references being
# different.
@@ -696,7 +703,7 @@ def find_int_references(args, product_yaml):
product_yaml = result[2]
if args.dry_run:
- print(rule_path + " has one or more unsorted references")
+ print(rule_path + " has one or more unsorted integer references")
continue
fix_file_prompt(rule_path, product_yaml, fix_int_reference, args)
--
2.44.0
From 1051a6f33a8e8dce68d4805f18f1d5801f913c14 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 22 Feb 2024 11:12:30 -0600
Subject: [PATCH 3/3] Add Base STIG Profile for RHEL 10
Adding a base profile to be updated later.
---
products/rhel10/profiles/stig.profile | 22 ++++++++++++++++++++++
products/rhel10/profiles/stig_gui.profile | 22 ++++++++++++++++++++++
2 files changed, 44 insertions(+)
create mode 100644 products/rhel10/profiles/stig.profile
create mode 100644 products/rhel10/profiles/stig_gui.profile
diff --git a/products/rhel10/profiles/stig.profile b/products/rhel10/profiles/stig.profile
new file mode 100644
index 0000000000..51f006bd2c
--- /dev/null
+++ b/products/rhel10/profiles/stig.profile
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - mab879
+
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DRAFT - DISA STIG for Red Hat Enterprise Linux 10'
+
+description: |-
+ This is a draft profile for experimental purposes.
+ It is not based on the DISA STIG for RHEL 10, because this one was not available at time of
+ the release.
+
+ In addition to being applicable to Red Hat Enterprise Linux 10, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 10.
+
+selections:
+ - package_sudo_installed
diff --git a/products/rhel10/profiles/stig_gui.profile b/products/rhel10/profiles/stig_gui.profile
new file mode 100644
index 0000000000..51f006bd2c
--- /dev/null
+++ b/products/rhel10/profiles/stig_gui.profile
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - mab879
+
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DRAFT - DISA STIG for Red Hat Enterprise Linux 10'
+
+description: |-
+ This is a draft profile for experimental purposes.
+ It is not based on the DISA STIG for RHEL 10, because this one was not available at time of
+ the release.
+
+ In addition to being applicable to Red Hat Enterprise Linux 10, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 10.
+
+selections:
+ - package_sudo_installed
--
2.44.0
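Review bot: In `shared/checks/oval/installed_OS_is_centos10.xml` the object pattern `^VERSION_ID=&quot;(\d)&quot;$` captures exactly one digit, so the two-digit `VERSION_ID="10"` a CentOS Stream 10 host reports never matches and the state `<ind:subexpression>10</ind:subexpression>` can never be satisfied; the `installed_OS_is_centos10` inventory definition therefore evaluates false on the platform it is meant to detect, and every rule gated on that CPE is reported not applicable instead of being evaluated. Changing the capture to `^VERSION_ID=&quot;(\d+)&quot;$` fixes it; the same single-digit capture is copied into `installed_OS_is_rhel10.xml` as `^Red Hat Enterprise Linux release (\d)\.\d+$` on `obj_rhevh_rhel10_version`, though that branch is only one side of an OR with the rpminfo test. Separately, `products/rhel10/product.yml` sets `release_key_fingerprint`, `auxiliary_key_fingerprint`, `pkg_version` and `pkg_release` to empty strings directly under a comment saying the fingerprints were retrieved from the Red Hat key page; if any rule templates GPG-key verification from these values (not visible here), the generated check would be vacuous, so either fill them in or replace the comment with an explicit TODO so the gap is not mistaken for a finished value.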


@ -5,11 +5,12 @@
Name: scap-security-guide
Version: 0.1.72
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
Patch0: 01-Add-RHEL10.patch
BuildArch: noarch
BuildRequires: libxslt
@ -78,10 +79,9 @@ rm %{buildroot}/%{_docdir}/%{name}/README.md
rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%files
# To Enabled once the content for RHEL 10
%{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart
%{_datadir}/%{name}/ansible/*.yml
%{_datadir}/%{name}/tailoring
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
%doc %{_docdir}/%{name}/LICENSE
%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )
@ -99,6 +99,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif
%changelog
* Wed Mar 27 2024 Matthew Burket <mburket@redhat.com> - 0.1.72-2
- Add RHEL10 Product
* Fri Feb 09 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.72-1
- Update to latest upstream SCAP-Security-Guide-0.1.72 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.72
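Review bot: The `%files` comment `# To Enabled once the content for RHEL 10` is ungrammatical and does not say which entry it refers to, so a later packager cannot tell what is meant to be switched on; something like `# TODO: re-enable the RHEL 10 content entries once 01-Add-RHEL10.patch builds them` would make the intent explicit. `Patch0` is declared in the first hunk, but the `%prep` section that has to apply it is outside this view; confirm it uses `%autosetup -p1` or an equivalent `%patch` line, since a plain `%setup` would silently ignore the new patch and the package would ship without the RHEL 10 product despite the changelog entry. The changelog line `- Add RHEL10 Product` and the `%files` comment implying the content is still disabled read as contradictory; stating in the changelog what this release actually ships would avoid that confusion.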