Merge pull request #12290 from Xeicker/create_ol10

Create OL10 product

CMakeLists.txt

@@ -99,6 +99,7 @@ option(SSG_PRODUCT_OCP4 "If enabled, the OCP4 SCAP content will be built" ${SSG_
 option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL9 "If enabled, the Oracle Linux 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_OL10 "If enabled, the Oracle Linux 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OPENEMBEDDED "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -327,6 +328,7 @@ message(STATUS "RHCOS4: ${SSG_PRODUCT_RHCOS4}")
 message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}")
 message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}")
 message(STATUS "Oracle Linux 9: ${SSG_PRODUCT_OL9}")
+message(STATUS "Oracle Linux 10: ${SSG_PRODUCT_OL10}")
 message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}")
 message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
 message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
@@ -421,6 +423,9 @@ endif()
 if(SSG_PRODUCT_OL9)
     add_subdirectory("products/ol9" "ol9")
 endif()
+if(SSG_PRODUCT_OL10)
+    add_subdirectory("products/ol10" "ol10")
+endif()
 if(SSG_PRODUCT_OPENEULER2203)
     add_subdirectory("products/openeuler2203" "openeuler2203")
 endif()

build_product

@@ -365,6 +365,7 @@ all_cmake_products=(
 	OL7
 	OL8
 	OL9
+	OL10
 	OPENSUSE
 	RHEL8
 	RHEL9

products/ol10/CMakeLists.txt

@@ -0,0 +1,13 @@
+# Sometimes our users will try to do: "cd ol9; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "ol10")
+
+ssg_build_product(${PRODUCT})
+
+#ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
+
+#ssg_build_html_stig_tables(${PRODUCT})
+#ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")

products/ol10/product.yml

@@ -0,0 +1,48 @@
+product: ol10
+full_name: Oracle Linux 10
+type: platform
+
+families:
+  - ol
+
+major_version_ordinal: 10
+
+benchmark_id: OL-10
+benchmark_root: "../../linux_os/guide"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+dconf_gdm_dir: "local.d"
+
+faillock_path: "/var/log/faillock"
+pkg_release: ""
+pkg_version: ""
+
+aux_pkg_release: ""
+aux_pkg_version: ""
+
+# OL fingerprints below retrieved from: https://linux.oracle.com/security/gpg/#gpg
+release_key_fingerprint: ""
+auxiliary_key_fingerprint: ""
+
+groups:
+  dedicated_ssh_keyowner:
+    name: ssh_keys
+
+cpes_root: "../../shared/applicability"
+cpes:
+  - ol10:
+      name: "cpe:/o:oracle:linux:10"
+      title: "Oracle Linux 10"
+      check_id: installed_OS_is_ol10
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  login_defs: "shadow-utils"
+
+reference_uris:
+  cis: ''

products/ol10/profiles/anssi_bp28_enhanced.profile

@@ -0,0 +1,42 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (enhanced)'
+
+description: |-
+    This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening
+    level. ANSSI is the French National Information Security Agency, and stands for Agence
+    nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration
+    recommendation for GNU/Linux systems.
+
+    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+    - anssi:all:enhanced
+    - '!partition_for_opt'
+    - '!package_ypserv_removed'
+    - '!accounts_passwords_pam_tally2_deny_root'
+    - '!install_PAE_kernel_on_x86-32'
+    - '!partition_for_boot'
+    - '!ensure_redhat_gpgkey_installed'
+    - '!sudo_add_ignore_dot'
+    - '!audit_rules_privileged_commands_rmmod'
+    - '!audit_rules_privileged_commands_modprobe'
+    - '!package_dracut-fips-aesni_installed'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!partition_for_usr'
+    - '!cracklib_accounts_password_pam_ocredit'
+    - '!enable_pam_namespace'
+    - '!audit_rules_privileged_commands_insmod'
+    - '!package_ypbind_removed'
+    - '!service_chronyd_or_ntpd_enabled'
+    - '!sudo_dedicated_group'
+    - '!chronyd_configure_pool_and_server'
+    - '!accounts_passwords_pam_tally2'
+    - '!cracklib_accounts_password_pam_ucredit'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!sudo_add_umask'
+    - '!sudo_add_env_reset'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!package_xinetd_removed'

products/ol10/profiles/anssi_bp28_high.profile

@@ -0,0 +1,43 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (high)'
+
+description: |-
+    This profile contains configurations that align to ANSSI-BP-028 at the high hardening
+    level. ANSSI is the French National Information Security Agency, and stands for Agence
+    nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration
+    recommendation for GNU/Linux systems.
+
+    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+    - anssi:all:high
+    - '!partition_for_opt'
+    - '!package_ypserv_removed'
+    - '!accounts_passwords_pam_tally2_deny_root'
+    - '!install_PAE_kernel_on_x86-32'
+    - '!partition_for_boot'
+    - '!ensure_redhat_gpgkey_installed'
+    - '!aide_periodic_checking_systemd_timer'
+    - '!sudo_add_ignore_dot'
+    - '!audit_rules_privileged_commands_rmmod'
+    - '!audit_rules_privileged_commands_modprobe'
+    - '!partition_for_usr'
+    - '!package_dracut-fips-aesni_installed'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!cracklib_accounts_password_pam_ocredit'
+    - '!enable_pam_namespace'
+    - '!audit_rules_privileged_commands_insmod'
+    - '!package_ypbind_removed'
+    - '!service_chronyd_or_ntpd_enabled'
+    - '!sudo_dedicated_group'
+    - '!chronyd_configure_pool_and_server'
+    - '!accounts_passwords_pam_tally2'
+    - '!cracklib_accounts_password_pam_ucredit'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!sudo_add_umask'
+    - '!sudo_add_env_reset'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!package_xinetd_removed'

products/ol10/profiles/anssi_bp28_intermediary.profile

@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (intermediary)'
+
+description: |-
+    This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening
+    level. ANSSI is the French National Information Security Agency, and stands for Agence
+    nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration
+    recommendation for GNU/Linux systems.
+
+    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+    - anssi:all:intermediary
+    - '!package_ypbind_removed'
+    - '!partition_for_opt'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!package_ypserv_removed'
+    - '!accounts_passwords_pam_tally2_deny_root'
+    - '!accounts_passwords_pam_tally2'
+    - '!cracklib_accounts_password_pam_ucredit'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!partition_for_usr'
+    - '!partition_for_boot'
+    - '!cracklib_accounts_password_pam_ocredit'
+    - '!enable_pam_namespace'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!ensure_redhat_gpgkey_installed'
+    - '!sudo_add_umask'
+    - '!sudo_add_ignore_dot'
+    - '!sudo_add_env_reset'
+    - '!package_xinetd_removed'

products/ol10/profiles/anssi_bp28_minimal.profile

@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (minimal)'
+
+description: |-
+    This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening
+    level. ANSSI is the French National Information Security Agency, and stands for Agence
+    nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration
+    recommendation for GNU/Linux systems.
+
+    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+  - anssi:all:minimal
+  - '!package_ypbind_removed'
+  - '!cracklib_accounts_password_pam_minlen'
+  - '!package_ypserv_removed'
+  - '!accounts_passwords_pam_tally2_deny_root'
+  - '!accounts_passwords_pam_tally2'
+  - '!cracklib_accounts_password_pam_ucredit'
+  - '!cracklib_accounts_password_pam_dcredit'
+  - '!cracklib_accounts_password_pam_lcredit'
+  - '!cracklib_accounts_password_pam_ocredit'
+  - '!accounts_passwords_pam_tally2_unlock_time'
+  - '!ensure_redhat_gpgkey_installed'
+  - '!package_xinetd_removed'

products/ol10/transforms/constants.xslt

@@ -0,0 +1,12 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">Oracle Linux Linux 10</xsl:variable>
+<xsl:variable name="product_short_name">OL 10</xsl:variable>
+<xsl:variable name="product_stig_id_name">OL_10_STIG</xsl:variable>
+<xsl:variable name="prod_type">ol10</xsl:variable>
+
+<xsl:variable name="cisuri">empty</xsl:variable>
+
+</xsl:stylesheet>

products/ol10/transforms/table-style.xslt

@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>

products/ol10/transforms/xccdf-apply-overlay-stig.xslt

@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>

products/ol10/transforms/xccdf2table-cce.xslt

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>

products/ol10/transforms/xccdf2table-profileccirefs.xslt

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>

shared/checks/oval/installed_OS_is_ol10.xml

@@ -0,0 +1,36 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_OS_is_ol10" version="1">
+    <metadata>
+      <title>Oracle Linux 10</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <reference ref_id="cpe:/o:oracle:linux:10"
+      source="CPE" />
+
+      <description>The operating system installed on the system is
+      Oracle Linux 10</description>
+    </metadata>
+    <criteria>
+      <extend_definition comment="Installed OS is part of the Unix family"
+      definition_ref="installed_OS_is_part_of_Unix_family" />
+      <criteria operator="OR">
+          <criterion comment="Oracle Linux 10 System is installed"
+            test_ref="test_ol10_system" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 10" id="test_ol10_system" version="1">
+    <linux:object object_ref="obj_ol10_system" />
+    <linux:state state_ref="state_ol10_system" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_ol10_system" version="1">
+    <linux:version operation="pattern match">^10.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_ol10_system" version="1">
+    <linux:name>oraclelinux-release</linux:name>
+  </linux:rpminfo_object>
+
+</def-group>

ssg/constants.py

@@ -52,7 +52,7 @@
     'macos1015',
     'ocp4',
     'rhcos4',
-    'ol7', 'ol8', 'ol9',
+    'ol7', 'ol8', 'ol9', 'ol10',
     'openeuler2203',
     'opensuse',
     'openembedded',
@@ -216,6 +216,7 @@
     "Oracle Linux 7": "ol7",
     "Oracle Linux 8": "ol8",
     "Oracle Linux 9": "ol9",
+    "Oracle Linux 10": "ol10",
     "openEuler 2203": "openeuler2203",
     "openSUSE": "opensuse",
     "Red Hat Enterprise Linux 8": "rhel8",
@@ -294,7 +295,7 @@
     "multi_platform_fedora": ["fedora"],
     "multi_platform_openeuler": ["openeuler2203"],
     "multi_platform_opensuse": ["opensuse"],
-    "multi_platform_ol": ["ol7", "ol8", "ol9"],
+    "multi_platform_ol": ["ol7", "ol8", "ol9", "ol10"],
     "multi_platform_ocp": ["ocp4"],
     "multi_platform_rhcos": ["rhcos4"],
     "multi_platform_rhel": ["rhel8", "rhel9", "rhel10"],