From 2227b85575b5b5c049308fbe07b100f38da7cc98 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 26 Feb 2024 14:48:53 -0600
Subject: [PATCH 1/3] Add RHEL 10 Product
---
CMakeLists.txt | 5 +
build-scripts/enable_derivatives.py | 2 +-
build_product | 1 +
.../sudo/package_sudo_installed/rule.yml | 1 +
products/rhel10/CMakeLists.txt | 26 +++
products/rhel10/overlays/srg_support.xml | 173 ++++++++++++++++++
products/rhel10/product.yml | 57 ++++++
products/rhel10/transforms/constants.xslt | 13 ++
products/rhel10/transforms/table-style.xslt | 5 +
.../transforms/xccdf-apply-overlay-stig.xslt | 8 +
.../rhel10/transforms/xccdf2table-cce.xslt | 9 +
.../xccdf2table-profileccirefs.xslt | 9 +
shared/applicability/cs10.yml | 3 +
.../checks/oval/installed_OS_is_centos10.xml | 47 +++++
shared/checks/oval/installed_OS_is_rhel10.xml | 59 ++++++
shared/references/cce-redhat-avail.txt | 1 -
ssg/constants.py | 7 +-
tests/CMakeLists.txt | 16 ++
18 files changed, 438 insertions(+), 4 deletions(-)
create mode 100644 products/rhel10/CMakeLists.txt
create mode 100644 products/rhel10/overlays/srg_support.xml
create mode 100644 products/rhel10/product.yml
create mode 100644 products/rhel10/transforms/constants.xslt
create mode 100644 products/rhel10/transforms/table-style.xslt
create mode 100644 products/rhel10/transforms/xccdf-apply-overlay-stig.xslt
create mode 100644 products/rhel10/transforms/xccdf2table-cce.xslt
create mode 100644 products/rhel10/transforms/xccdf2table-profileccirefs.xslt
create mode 100644 shared/applicability/cs10.yml
create mode 100644 shared/checks/oval/installed_OS_is_centos10.xml
create mode 100644 shared/checks/oval/installed_OS_is_rhel10.xml
diff --git a/CMakeLists.txt b/CMakeLists.txt
index aef21154f2..21f5f5201b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -97,6 +97,7 @@ option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built
 option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL9 "If enabled, the RHEL9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHV4 "If enabled, the RHV4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE12 "If enabled, the SLE12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE15 "If enabled, the SLE15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -323,6 +324,7 @@ message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
 message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
 message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
 message(STATUS "RHEL 9: ${SSG_PRODUCT_RHEL9}")
+message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}")
 message(STATUS "RHV 4: ${SSG_PRODUCT_RHV4}")
 message(STATUS "SUSE 12: ${SSG_PRODUCT_SLE12}")
 message(STATUS "SUSE 15: ${SSG_PRODUCT_SLE15}")
@@ -435,6 +437,9 @@ endif()
 if(SSG_PRODUCT_RHEL9)
 add_subdirectory("products/rhel9" "rhel9")
 endif()
+if(SSG_PRODUCT_RHEL10)
+ add_subdirectory("products/rhel10" "rhel10")
+endif()
 if(SSG_PRODUCT_RHV4)
 add_subdirectory("products/rhv4" "rhv4")
 endif()
diff --git a/build-scripts/enable_derivatives.py b/build-scripts/enable_derivatives.py
index bcc6ed3845..53e5eae1d0 100755
--- a/build-scripts/enable_derivatives.py
+++ b/build-scripts/enable_derivatives.py
@@ -94,7 +94,7 @@ def main():
 raise RuntimeError("No Benchmark found!")
 for namespace, benchmark in benchmarks:
- if args[1] != "cs9" and not args[1].startswith("centos"):
+ if args[1] not in ("cs9", "cs10") and not args[1].startswith("centos"):
 # In all CentOS and CentOS Streams, profiles are kept because they are systems
 # intended to test content that will get into RHEL
 ssg.build_derivatives.profile_handling(benchmark, namespace)
diff --git a/build_product b/build_product
index 34c74f12ae..72e95aa7cb 100755
--- a/build_product
+++ b/build_product
@@ -340,6 +340,7 @@ all_cmake_products=(
 RHEL7
 RHEL8
 RHEL9
+ RHEL10
 RHV4
 SLE12
 SLE15
diff --git a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
index f2c8729c47..15731a7471 100644
--- a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
+++ b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
@@ -19,6 +19,7 @@ identifiers:
 cce@rhel7: CCE-82213-0
 cce@rhel8: CCE-82214-8
 cce@rhel9: CCE-83523-1
+ cce@rhel10: CCE-87100-4
 cce@sle12: CCE-91491-1
 cce@sle15: CCE-91183-4
diff --git a/products/rhel10/CMakeLists.txt b/products/rhel10/CMakeLists.txt
new file mode 100644
index 0000000000..782fee524a
--- /dev/null
+++ b/products/rhel10/CMakeLists.txt
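Review bot: The new `("cs9", "cs10")` tuple hardcodes the CentOS Stream list in a second place, while `DERIVATIVES_PRODUCT_MAPPING` in ssg/constants.py, extended in this same patch, already records the derivatives, so the next stream release needs another edit here. Hoisting it to a named module-level constant, e.g. `CENTOS_STREAM_DERIVATIVES = ("cs9", "cs10")`, and testing `args[1] not in CENTOS_STREAM_DERIVATIVES` keeps the intent of the comment below ("In all CentOS and CentOS Streams") visible at the call site. main() continues outside the hunk.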
@@ -0,0 +1,26 @@
+# Sometimes our users will try to do: "cd rhel10; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "rhel10")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_cce_table(${PRODUCT})
+
+ssg_build_html_srgmap_tables(${PRODUCT})
+
+if(SSG_SRG_XLSX_EXPORT)
+ ssg_build_xlsx_srg_export(${PRODUCT} "srg_gpos")
+endif()
+
+#ssg_build_html_stig_tables(${PRODUCT})
+#ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")
+#ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig_gui")
+
+#ssg_build_html_stig_tables(${PRODUCT} "ospp")
+
+if(SSG_CENTOS_DERIVATIVES_ENABLED)
+ ssg_build_derivative_product(${PRODUCT} "centos" "cs10")
+endif()
diff --git a/products/rhel10/overlays/srg_support.xml b/products/rhel10/overlays/srg_support.xml
new file mode 100644
index 0000000000..c75c701825
--- /dev/null
+++ b/products/rhel10/overlays/srg_support.xml
@@ -0,0 +1,173 @@
+
diff --git a/products/rhel10/product.yml b/products/rhel10/product.yml
new file mode 100644
index 0000000000..468cda56f5
--- /dev/null
+++ b/products/rhel10/product.yml
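Review bot: The four commented-out `ssg_build_html_stig_tables…` calls are dead code with no explanation, and patch 3 of this series adds `stig` and `stig_gui` profiles for this very product, so a reader cannot tell whether the tables are intentionally disabled or forgotten. Replace them with one comment stating the reason, e.g. `# STIG/OSPP HTML tables are not built yet: no DISA STIG for RHEL 10 has been published.`, and restore the calls once the profiles stop being drafts. If the intent is to keep them as a reminder, a single TODO line carries the same information without looking like a half-finished edit.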
@@ -0,0 +1,57 @@
+product: rhel10
+full_name: Red Hat Enterprise Linux 10
+type: platform
+
+families:
+ - rhel
+ - rhel-like
+
+major_version_ordinal: 10
+
+benchmark_id: RHEL-10
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+# EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
+
+groups:
+ dedicated_ssh_keyowner:
+ name: ssh_keys
+
+sshd_distributed_config: "true"
+
+dconf_gdm_dir: "distro.d"
+
+faillock_path: "/var/log/faillock"
+
+# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
+pkg_release: ""
+pkg_version: ""
+aux_pkg_release: ""
+aux_pkg_version: ""
+
+release_key_fingerprint: ""
+auxiliary_key_fingerprint: ""
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - rhel10:
+ name: "cpe:/o:redhat:enterprise_linux:10"
+ title: "Red Hat Enterprise Linux 10"
+ check_id: installed_OS_is_rhel10
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
+
+reference_uris:
+ cis: 'https://www.cisecurity.org/benchmark/red_hat_linux/'
+
+
+journald_conf_dir_path: /etc/systemd/journald.conf.d
diff --git a/products/rhel10/transforms/constants.xslt b/products/rhel10/transforms/constants.xslt
new file mode 100644
index 0000000000..a37664d11f
--- /dev/null
+++ b/products/rhel10/transforms/constants.xslt
@@ -0,0 +1,13 @@
+ + + +Red Hat Enterprise Linux 10 +RHEL 10 +RHEL_10_STIG +rhel10 + +https://www.cisecurity.org/benchmark/red_hat_linux/ + + +
diff --git a/products/rhel10/transforms/table-style.xslt b/products/rhel10/transforms/table-style.xslt
new file mode 100644
index 0000000000..8b6caeab8c
--- /dev/null
+++ b/products/rhel10/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+ + + + +
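Review bot: `release_key_fingerprint`, `auxiliary_key_fingerprint` and the `pkg_*`/`aux_pkg_*` version fields are all empty strings although the comment above them says the fingerprints are taken from https://access.redhat.com/security/team/key. Whatever templates or rules consume these fields for rhel10 (not visible here) will be rendered with an empty fingerprint, so a GPG-key check built from them either verifies nothing or fails to build, and an empty value is easy to mistake for a deliberately verified one. If the RHEL 10 signing keys are simply not published yet, say so next to the fields, e.g. `# TODO(rhel10): RHEL 10 release/auxiliary keys not yet published; fill in before shipping any rule that uses them`. It would also be worth having the build reject an empty fingerprint for a product that declares GPG-key content rather than emitting it silently.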
diff --git a/products/rhel10/transforms/xccdf-apply-overlay-stig.xslt b/products/rhel10/transforms/xccdf-apply-overlay-stig.xslt
new file mode 100644
index 0000000000..4789419b80
--- /dev/null
+++ b/products/rhel10/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+ + + + + + + +
diff --git a/products/rhel10/transforms/xccdf2table-cce.xslt b/products/rhel10/transforms/xccdf2table-cce.xslt
new file mode 100644
index 0000000000..f156a66956
--- /dev/null
+++ b/products/rhel10/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+ + + + + + + + +
diff --git a/products/rhel10/transforms/xccdf2table-profileccirefs.xslt b/products/rhel10/transforms/xccdf2table-profileccirefs.xslt
new file mode 100644
index 0000000000..30419e92b2
--- /dev/null
+++ b/products/rhel10/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+ + + + + + + + +
diff --git a/shared/applicability/cs10.yml b/shared/applicability/cs10.yml
new file mode 100644
index 0000000000..a8dd98a90c
--- /dev/null
+++ b/shared/applicability/cs10.yml
@@ -0,0 +1,3 @@
+name: cpe:/o:centos:centos:10
+title: CentOS Stream 10
+check_id: installed_OS_is_centos10
diff --git a/shared/checks/oval/installed_OS_is_centos10.xml b/shared/checks/oval/installed_OS_is_centos10.xml
new file mode 100644
index 0000000000..fc85513e15
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_centos10.xml
@@ -0,0 +1,47 @@
+ + + + CentOS Stream 10 + + multi_platform_all + + + The operating system installed on the system is + CentOS Stream 10 + + + + + + + + + + + + + + /etc/os-release + ^ID="(\w+)"$ + 1 + + + centos + + + + + + + + /etc/os-release + ^VERSION_ID="(\d)"$ + 1 + + + 10 +
diff --git a/shared/checks/oval/installed_OS_is_rhel10.xml b/shared/checks/oval/installed_OS_is_rhel10.xml
new file mode 100644
index 0000000000..2a3736abb6
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_rhel10.xml
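Review bot: The capture group in `^VERSION_ID="(\d)"$` matches exactly one digit, so `VERSION_ID="10"` in /etc/os-release never matches and the state that compares the extracted value with `10` can never be satisfied; it should read `^VERSION_ID="(\d+)"$`. The rhel10 check in the next hunk has the same defect in `^Red Hat Enterprise Linux release (\d)\.\d+$` against /etc/redhat-release: on `release 10.0` the single `\d` consumes `1` and the following `\.` fails on `0`, so it needs `(\d+)` as well. Both patterns look copied from the single-digit 9 checks. Since these definitions back the `installed_OS_is_centos10` and `installed_OS_is_rhel10` CPE checks, a never-true result would presumably mark the whole benchmark not applicable on exactly the systems it targets, which is a silent failure worth a unit test on sample os-release/redhat-release content.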
@@ -0,0 +1,59 @@
+ + + + Red Hat Enterprise Linux 10 + + multi_platform_all + + + The operating system installed on the system is + Red Hat Enterprise Linux 10 + + + + + + + + + + + + + + + + + + + unix + + + + + + + + + ^10.*$ + + + redhat-release + + + + + + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + 10 +
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 80c5472525..351fc605c3 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -634,7 +634,6 @@ CCE-87093-1
 CCE-87094-9
 CCE-87095-6
 CCE-87099-8
-CCE-87100-4
 CCE-87110-3
 CCE-87111-1
 CCE-87112-9
diff --git a/ssg/constants.py b/ssg/constants.py
index 18fbf39d38..6d4128080f 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -55,7 +55,7 @@ product_directories = [ 'openeuler2203', 'opensuse', 'openembedded',
- 'rhel7', 'rhel8', 'rhel9',
+ 'rhel7', 'rhel8', 'rhel9', 'rhel10',
 'rhv4', 'sle12', 'sle15', 'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'ubuntu2204',
@@ -218,6 +218,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
 "Red Hat Enterprise Linux 7": "rhel7",
 "Red Hat Enterprise Linux 8": "rhel8",
 "Red Hat Enterprise Linux 9": "rhel9",
+ "Red Hat Enterprise Linux 10": "rhel10",
 "Red Hat Virtualization 4": "rhv4",
 "SUSE Linux Enterprise 12": "sle12",
 "SUSE Linux Enterprise 15": "sle15",
@@ -293,7 +294,7 @@ MULTI_PLATFORM_MAPPING = {
 "multi_platform_ol": ["ol7", "ol8", "ol9"],
 "multi_platform_ocp": ["ocp4"],
 "multi_platform_rhcos": ["rhcos4"],
- "multi_platform_rhel": ["rhel7", "rhel8", "rhel9"],
+ "multi_platform_rhel": ["rhel7", "rhel8", "rhel9", "rhel10"],
 "multi_platform_rhv": ["rhv4"],
 "multi_platform_sle": ["sle12", "sle15"],
 "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
@@ -305,6 +306,7 @@ RHEL_CENTOS_CPE_MAPPING = {
 "cpe:/o:redhat:enterprise_linux:7": "cpe:/o:centos:centos:7",
 "cpe:/o:redhat:enterprise_linux:8": "cpe:/o:centos:centos:8",
 "cpe:/o:redhat:enterprise_linux:9": "cpe:/o:centos:centos:9",
+ "cpe:/o:redhat:enterprise_linux:10": "cpe:/o:centos:centos:10",
 }
 RHEL_SL_CPE_MAPPING = {
@@ -511,6 +513,7 @@ DERIVATIVES_PRODUCT_MAPPING = {
 "centos7": "rhel7",
 "centos8": "rhel8",
 "cs9": "rhel9",
+ "cs10": "rhel10",
 "sl7": "rhel7"
 }
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index c4d43508b6..41880e1b6e 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -338,3 +338,19 @@ add_test(
 COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_components.py" --build-dir "${CMAKE_BINARY_DIR}" --source-dir "${CMAKE_SOURCE_DIR}" --product "rhel9"
 )
 endif()
+
+macro(cce_avail_check TEST_NAME_SUFFIX PRODUCTS CCE_LIST_PATH)
+ if(PYTHON_VERSION_MAJOR GREATER 2)
+ add_test(
+ NAME "cce_avail_check-${TEST_NAME_SUFFIX}"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/cces-removed.py" --root "${CMAKE_SOURCE_DIR}" --json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json" --products "${PRODUCTS}" --cce-list "${CCE_LIST_PATH}"
+ )
+ set_tests_properties("cce_avail_check-${TEST_NAME_SUFFIX}" PROPERTIES FIXTURES_REQUIRED "rule-dir-json")
+ set_tests_properties("cce_avail_check-${TEST_NAME_SUFFIX}" PROPERTIES DEPENDS "test-rule-dir-json")
+ set_tests_properties("cce_avail_check-${TEST_NAME_SUFFIX}" PROPERTIES LABELS quick)
+ endif()
+endmacro()
+
+cce_avail_check("rhel-all" "rhel7,rhel8,rhel9,rhel10" "${CMAKE_SOURCE_DIR}/shared/references/cce-redhat-avail.txt")
+cce_avail_check("sle12" "sle12" "${CMAKE_SOURCE_DIR}/shared/references/cce-sle12-avail.txt")
+cce_avail_check("sle15" "sle15" "${CMAKE_SOURCE_DIR}/shared/references/cce-sle15-avail.txt")
--
2.44.0
From 17bb8bfe511a9d7b0debcb75e3b3ed6dfa51c6de Mon Sep 17 00:00:00 2001
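Review bot: `cce_avail_check` is declared as a `macro()` although it sets nothing in the caller's scope; a `function()` gives `TEST_NAME_SUFFIX`, `PRODUCTS` and `CCE_LIST_PATH` a real variable scope instead of text substitution at the three call sites, and `endfunction()` replaces `endmacro()`. The three `set_tests_properties` calls on the same test can be collapsed into one call that lists `FIXTURES_REQUIRED`, `DEPENDS` and `LABELS` together. `--json "${CMAKE_SOURCE_DIR}/build/rule_dirs.json"` also points into the source tree rather than `${CMAKE_BINARY_DIR}`; if the `rule-dir-json` fixture writes its output relative to the build directory, this test reads a stale or missing file whenever the build dir is not `build/` — worth confirming against the fixture's definition, which is outside this hunk.
```cmake
function(cce_avail_check TEST_NAME_SUFFIX PRODUCTS CCE_LIST_PATH)
  if(PYTHON_VERSION_MAJOR GREATER 2)
    # … unchanged: add_test(NAME ... COMMAND ...) …
    set_tests_properties("cce_avail_check-${TEST_NAME_SUFFIX}" PROPERTIES
      FIXTURES_REQUIRED "rule-dir-json"
      DEPENDS "test-rule-dir-json"
      LABELS quick
    )
  endif()
endfunction()
```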
From: Matthew Burket
Date: Thu, 22 Feb 2024 16:15:03 -0600
Subject: [PATCH 2/3] Human sort the sections in fix_rules
---
utils/fix_rules.py | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/utils/fix_rules.py b/utils/fix_rules.py
index f6cf095c3d..42a863a563 100755
--- a/utils/fix_rules.py
+++ b/utils/fix_rules.py
@@ -110,9 +110,16 @@ def has_duplicated_subkeys(rule_path, rule, rule_lines):
 return ssg.rule_yaml.has_duplicated_subkeys(rule_path, rule_lines, TO_SORT)
+def _human_sort(line):
+ # Based on: https://blog.codinghorror.com/sorting-for-humans-natural-sort-order/
+ def convert(text): return int(text) if text.isdigit() else text
+ return [convert(text) for text in re.split(r'(\d+)', line)]
+
+
 def has_unordered_sections(rule_path, rule, rule_lines):
 if 'references' in rule or 'identifiers' in rule:
- new_lines = ssg.rule_yaml.sort_section_keys(rule_path, rule_lines, TO_SORT)
+ new_lines = ssg.rule_yaml.sort_section_keys(rule_path, rule_lines, TO_SORT,
+ sort_func=_human_sort)
 # Compare string representations to avoid issues with references being
 # different.
@@ -696,7 +703,7 @@ def find_int_references(args, product_yaml):
 product_yaml = result[2]
 if args.dry_run:
- print(rule_path + " has one or more unsorted references")
+ print(rule_path + " has one or more unsorted integer references")
 continue
 fix_file_prompt(rule_path, product_yaml, fix_int_reference, args)
--
2.44.0
From 1051a6f33a8e8dce68d4805f18f1d5801f913c14 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 22 Feb 2024 11:12:30 -0600
Subject: [PATCH 3/3] Add Base STIG Profile for RHEL 10
Adding a base profile to be updated later.
---
products/rhel10/profiles/stig.profile | 22 ++++++++++++++++++++++
products/rhel10/profiles/stig_gui.profile | 22 ++++++++++++++++++++++
2 files changed, 44 insertions(+)
create mode 100644 products/rhel10/profiles/stig.profile
create mode 100644 products/rhel10/profiles/stig_gui.profile
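Review bot: `has_unordered_sections` now passes `sort_func=_human_sort` to `ssg.rule_yaml.sort_section_keys`, but this patch's diffstat lists only utils/fix_rules.py, so that keyword must already be accepted in ssg/rule_yaml.py or the call raises TypeError — confirm. `_human_sort` also needs `re` imported at module level, which the hunk does not show. Style-wise the compound one-liner `def convert(text): return int(text) if text.isdigit() else text` is not PEP 8; split it over two lines or use a lambda, and give the helper a docstring such as `"""Split a key into text and integer chunks so that 'rhel10' sorts after 'rhel9'."""`. The int/str mix in the returned list is safe only because `re.split` with a capturing group alternates non-digit and digit chunks, so positions line up type-for-type across keys; a one-line comment saying so would save the next reader the analysis.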
diff --git a/products/rhel10/profiles/stig.profile b/products/rhel10/profiles/stig.profile
new file mode 100644
index 0000000000..51f006bd2c
--- /dev/null
+++ b/products/rhel10/profiles/stig.profile
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - mab879
+
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DRAFT - DISA STIG for Red Hat Enterprise Linux 10'
+
+description: |-
+ This is a draft profile for experimental purposes.
+ It is not based on the DISA STIG for RHEL 10, because this one was not available at time of
+ the release.
+
+ In addition to being applicable to Red Hat Enterprise Linux 10, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 10.
+
+selections:
+ - package_sudo_installed
diff --git a/products/rhel10/profiles/stig_gui.profile b/products/rhel10/profiles/stig_gui.profile
new file mode 100644
index 0000000000..51f006bd2c
--- /dev/null
+++ b/products/rhel10/profiles/stig_gui.profile
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - mab879
+
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DRAFT - DISA STIG for Red Hat Enterprise Linux 10'
+
+description: |-
+ This is a draft profile for experimental purposes.
+ It is not based on the DISA STIG for RHEL 10, because this one was not available at time of
+ the release.
+
+ In addition to being applicable to Red Hat Enterprise Linux 10, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 10.
+
+selections:
+ - package_sudo_installed
--
2.44.0
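Review bot: stig_gui.profile is a byte-for-byte copy of stig.profile (both hunks carry the same blob id `51f006bd2c`), so every future selection has to be made twice and the two files will drift. The usual shape for a GUI variant is `extends: stig` plus only the GUI-specific differences; with nothing GUI-specific yet, the file could be reduced to `extends: stig`, a GUI-specific `title`, and a description noting it is the graphical-install variant. The `reference:` URL points at the DISA STIG downloads while the description says the profile is not based on a DISA STIG; one sentence stating that the reference is the anticipated source once published would remove that tension.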