Add RHEL 10 Product

CMakeLists.txt

@@ -101,6 +101,7 @@ option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built
 option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL9 "If enabled, the RHEL9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" FALSE)
 option(SSG_PRODUCT_RHV4 "If enabled, the RHV4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE12 "If enabled, the SLE12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE15 "If enabled, the SLE15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -328,6 +329,7 @@ message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
 message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
 message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
 message(STATUS "RHEL 9: ${SSG_PRODUCT_RHEL9}")
+message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}")
 message(STATUS "RHV 4: ${SSG_PRODUCT_RHV4}")
 message(STATUS "SUSE 12: ${SSG_PRODUCT_SLE12}")
 message(STATUS "SUSE 15: ${SSG_PRODUCT_SLE15}")
@@ -440,6 +442,9 @@ endif()
 if(SSG_PRODUCT_RHEL9)
     add_subdirectory("products/rhel9" "rhel9")
 endif()
+if(SSG_PRODUCT_RHEL10)
+    add_subdirectory("products/rhel10" "rhel10")
+endif()
 if(SSG_PRODUCT_RHV4)
     add_subdirectory("products/rhv4" "rhv4")
 endif()

build_product

@@ -366,6 +366,7 @@ all_cmake_products=(
 	RHEL7
 	RHEL8
 	RHEL9
+	RHEL10
 	RHV4
 	SLE12
 	SLE15

linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml

@@ -19,6 +19,7 @@ identifiers:
     cce@rhel7: CCE-82213-0
     cce@rhel8: CCE-82214-8
     cce@rhel9: CCE-83523-1
+    cce@rhel10: CCE-87100-4
     cce@sle12: CCE-91491-1
     cce@sle15: CCE-91183-4
 

products/rhel10/CMakeLists.txt

@@ -0,0 +1,26 @@
+# Sometimes our users will try to do: "cd rhel9; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "rhel10")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_cce_table(${PRODUCT})
+
+ssg_build_html_srgmap_tables(${PRODUCT})
+
+if(SSG_SRG_XLSX_EXPORT)
+    ssg_build_xlsx_srg_export(${PRODUCT} "srg_gpos")
+endif()
+
+#ssg_build_html_stig_tables(${PRODUCT})
+#ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")
+#ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig_gui")
+
+#ssg_build_html_stig_tables(${PRODUCT} "ospp")
+
+#if(SSG_CENTOS_DERIVATIVES_ENABLED)
+#    ssg_build_derivative_product(${PRODUCT} "centos" "cs9")
+#endif()

products/rhel10/overlays/srg_support.xml

@@ -0,0 +1,173 @@
+<Group id="srg_support" hidden="true">
+<title>Documentation to Support DISA OS SRG Mapping</title>
+<description>These groups exist to document how the Red Hat Enterprise Linux
+product meets (or does not meet) requirements listed in the DISA OS SRG, for
+those cases where Groups or Rules elsewhere in scap-security-guide do
+not clearly relate.
+</description>
+
+
+<!-- The CCI/SRG items referenced here are:
+     - satisfied (through design and implementation)
+     - selected in DoD baseline (per CNSS 1253) -->
+<Rule id="met_inherently_generic">
+<title>Product Meets this Requirement</title>
+<rationale>
+Red Hat Enterprise Linux meets this requirement through design and implementation.
+</rationale>
+<ocil>RHEL8 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+          it should not have CCE association -->
+<ref disa="15,42,56,206,1084,66,85,86,185,223,171,172,1694,770,804,162,163,164,345,346,1096,1111,1291,386,156,186,1083,1082,1090,804,1127,1128,1129,1248,1265,1314,1362,1368,1310,1311,1328,1399,1400,1404,1405,1427,1499,1632,1693,1665,1674" />
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here relate to auditing, and are:
+     - satisfied (through design and implementation)
+     - selected in DoD baseline (per CNSS 1253) -->
+<Rule id="met_inherently_auditing">
+<title>Product Meets this Requirement</title>
+<rationale>
+The Red Hat Enterprise Linux audit system meets this requirement through design and implementation.
+</rationale>
+<ocil>The RHEL8 auditing system supports this requirement and cannot be configured to be out of
+compliance. Every audit record in RHEL includes a timestamp, the operation attempted,
+success or failure of the operation, the subject involved (executable/process),
+the object involved (file/path), and security labels for the subject and object.
+It also includes the ability to label events with custom key labels.  The auditing system
+centralizes the recording of audit events for the entire system and includes
+reduction (<tt>ausearch</tt>), reporting (<tt>aureport</tt>), and real-time
+response (<tt>audispd</tt>) facilities.
+This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+          it should not have CCE association -->
+<ref disa="130,157,131,132,133,134,135,159,174" />
+</Rule>
+
+
+<!-- The CCI/SRG item referenced here are:
+     - satisfied (through design and implementation)
+     - not selected in a DoD baseline -->
+<Rule id="met_inherently_nonselected">
+<title>Product Meets this Requirement</title>
+<rationale>
+Red Hat Enterprise Linux meets this requirement through design and implementation.
+</rationale>
+<ocil>RHEL8 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+          it should not have CCE association -->
+<ref disa="34,35,99,154,226,802,872,1086,1087,1089,1091,1424,1426,1428,1209,1214,1237,1269,1338,1425,1670" />
+</Rule>
+
+
+<!-- The CCI/SRG item listed here are:
+     - satisfied (by Rules in the guidance, which include the reference)
+     - not selected in DoD baseline -->
+<!-- disa="26,32,771,772,831,884,888,1095,1115,1117,1250,1348,1353,1464,1496" -->
+
+
+<!-- The CCI/SRG item referenced here are:
+     - not satisfied
+     - not selected in a DoD baseline
+     - considered out of scope -->
+<Rule id="unmet_nonfinding_nonselected_scope">
+<title>Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title>
+<rationale>
+The guidance does not meet this requirement.
+The requirement is impractical or out of scope.
+</rationale>
+<ocil>
+RHEL8 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+</ocil>
+<description>
+This requirement is NA. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+          it should not have CCE association -->
+<ref disa="21,25,28,29,30,165,221,354,553,779,780,781,1009,1094,1123,1124,1125,1132,1135,1140,1141,1142,1143,1145,1147,1148,1166,1339,1340,1341,1350,1356,1373,1374,1383,1391,1392,1395,1662" />
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here are:
+     - not satisfied
+     - not selected in a DoD baseline
+     - considered permanent findings -->
+<Rule id="unmet_finding_nonselected">
+<title>Implementation of the Requirement is Not Supported</title>
+<rationale>
+RHEL8 does not support this requirement.
+</rationale>
+<ocil>
+This is a permanent finding.
+</ocil>
+<description>
+This requirement is a permanent finding and cannot be fixed. An appropriate
+mitigation for the system must be implemented but this finding cannot be
+considered fixed.
+</description>
+<ref disa="20,31,52,144,1158,1294,1295,1500" />
+<!-- Note: CCI 52 supported for text login, but not graphical -->
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here are:
+     - not satisfied
+     - selected in a DoD baseline
+     - considered NA -->
+<Rule id="unmet_nonfinding_scope">
+<title>Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title>
+<rationale>
+The guidance does not meet this requirement.
+The requirement is impractical or out of scope.
+</rationale>
+<ocil>
+RHEL8 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+</ocil>
+<description>
+This requirement is NA. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+     it should not have CCE association -->
+<ref disa="27,218,219,371,372,535,537,539,1682,370,37,24,1112,1126,1143,1149,1157,1159,1210,1211,1274,1372,1376,1377,1352,1401,1555,1556,1150" />
+</Rule>
+
+<Rule id="update_process">
+<title>A process for prompt installation of OS updates must exist.</title>
+<rationale>
+This is a manual inquiry about update procedure.
+</rationale>
+<ocil>
+Ask an administrator if a process exists to promptly and automatically apply OS
+software updates.  If such a process does not exist, this is a finding.
+<br /><br />
+If the OS update process limits automatic updates of software packages, where
+such updates would impede normal system operation, to scheduled maintenance
+windows, but still within IAVM-dictated timeframes, this is not a finding.
+</ocil>
+<description>
+Procedures to promptly apply software updates must be established and
+executed. The Red Hat operating system provides support for automating such a
+process, by running the yum program through a cron job or by managing the
+system and its packages through the Red Hat Network or a Satellite Server.
+</description>
+<ref disa="1232" />
+<!-- Note: This is a process, as such, will not receive a CCE -->
+</Rule>
+
+</Group>

products/rhel10/product.yml

@@ -0,0 +1,57 @@
+product: rhel10
+full_name: Red Hat Enterprise Linux 10
+type: platform
+
+families:
+  - rhel
+  - rhel-like
+
+major_version_ordinal: 10
+
+benchmark_id: RHEL-10
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+# EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
+
+groups:
+  dedicated_ssh_keyowner:
+    name: ssh_keys
+
+sshd_distributed_config: "true"
+
+dconf_gdm_dir: "distro.d"
+
+faillock_path: "/var/log/faillock"
+
+# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
+pkg_release: ""
+pkg_version: ""
+aux_pkg_release: ""
+aux_pkg_version: ""
+
+release_key_fingerprint: ""
+auxiliary_key_fingerprint: ""
+
+cpes_root: "../../shared/applicability"
+cpes:
+  - rhel10:
+      name: "cpe:/o:redhat:enterprise_linux:10"
+      title: "Red Hat Enterprise Linux 10"
+      check_id: installed_OS_is_rhel10
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  login_defs: "shadow-utils"
+
+reference_uris:
+  cis: 'https://www.cisecurity.org/benchmark/red_hat_linux/'
+
+
+journald_conf_dir_path: /etc/systemd/journald.conf.d

products/rhel10/transforms/constants.xslt

@@ -0,0 +1,13 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1101010/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">Red Hat Enterprise Linux 10</xsl:variable>
+<xsl:variable name="product_short_name">RHEL 10</xsl:variable>
+<xsl:variable name="product_stig_id_name">RHEL_10_STIG</xsl:variable>
+<xsl:variable name="prod_type">rhel10</xsl:variable>
+
+<xsl:variable name="cisuri">https://www.cisecurity.org/benchmark/red_hat_linux/</xsl:variable>
+<xsl:variable name="disa-srguri" select="$disa-ossrguri"/>
+
+</xsl:stylesheet>

products/rhel10/transforms/table-style.xslt

@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>

products/rhel10/transforms/xccdf-apply-overlay-stig.xslt

@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>

products/rhel10/transforms/xccdf2table-profileccirefs.xslt

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>

shared/checks/oval/installed_OS_is_rhel10.xml

@@ -0,0 +1,59 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_OS_is_rhel10" version="1">
+    <metadata>
+      <title>Red Hat Enterprise Linux 10</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <reference ref_id="cpe:/o:redhat:enterprise_linux:10"
+      source="CPE" />
+      <description>The operating system installed on the system is
+      Red Hat Enterprise Linux 10</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Installed operating system is part of the unix family"
+      test_ref="test_rhel10_unix_family" />
+      <criteria operator="OR">
+        <criterion comment="RHEL 10 is installed" test_ref="test_rhel10" />
+        <criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
+          <criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="test_rhvh4_version" />
+          <criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 10" test_ref="test_rhevh_rhel10_version" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="test_rhel10_unix_family" version="1">
+    <ind:object object_ref="obj_rhel10_unix_family" />
+    <ind:state state_ref="state_rhel10_unix_family" />
+  </ind:family_test>
+  <ind:family_state id="state_rhel10_unix_family" version="1">
+    <ind:family>unix</ind:family>
+  </ind:family_state>
+  <ind:family_object id="obj_rhel10_unix_family" version="1" />
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 10" id="test_rhel10" version="1">
+    <linux:object object_ref="obj_rhel10" />
+    <linux:state state_ref="state_rhel10" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_rhel10" version="1">
+    <linux:version operation="pattern match">^10.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_rhel10" version="1">
+    <linux:name>redhat-release</linux:name>
+  </linux:rpminfo_object>
+
+  <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 10" id="test_rhevh_rhel10_version" version="1">
+    <ind:object object_ref="obj_rhevh_rhel10_version" />
+    <ind:state state_ref="state_rhevh_rhel10_version" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_rhevh_rhel10_version" version="1">
+    <ind:filepath>/etc/redhat-release</ind:filepath>
+    <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_rhevh_rhel10_version" version="1">
+    <ind:subexpression operation="pattern match">10</ind:subexpression>
+  </ind:textfilecontent54_state>
+</def-group>