Merge pull request #23 from atomicturtle/rocky8-naming-rl8

Rebasing on rl8

Author: atomicturtle

ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8

@@ -22,7 +22,7 @@ diff -Nru content.org/CMakeLists.txt content/CMakeLists.txt
      add_subdirectory("products/wrlinux1019" "wrlinux1019")
  endif()
 +if (SSG_PRODUCT_ROCKY8)
-+    add_subdirectory("products/rocky8" "rocky8")
++    add_subdirectory("products/rl8" "rl8")
 +endif()
 +
 
@@ -47,7 +47,7 @@ diff -Nru content.org/shared/checks/oval/install_mcafee_hbss.xml content/shared/
  	<platform>multi_platform_sle</platform>
  	<platform>multi_platform_ubuntu</platform>
  	<platform>multi_platform_wrlinux</platform>
-+	<platform>multi_platform_rocky</platform>
++	<platform>multi_platform_rl</platform>
        </affected>
        <description>McAfee Host-Based Intrusion Detection Software (HBSS) software
        should be installed.</description>
@@ -59,12 +59,12 @@ diff -Nru content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml content/
  	<platform>multi_platform_ol</platform>
  	<platform>multi_platform_rhcos</platform>
 -	<platform>multi_platform_rhel</platform>
-+	<platform>multi_platform_rhel,multi_platform_rocky</platform>
++	<platform>multi_platform_rhel,multi_platform_rl</platform>
  	<platform>multi_platform_rhv</platform>
  	<platform>multi_platform_sle</platform>
  	<platform>multi_platform_ubuntu</platform>
  	<platform>multi_platform_wrlinux</platform>
-+	<platform>multi_platform_rocky</platform>
++	<platform>multi_platform_rl</platform>
        </affected>
        <description>Disables IPv6 for all network interfaces.</description>
      </metadata>
@@ -77,15 +77,15 @@ diff -Nru content.org/ssg/constants.py content/ssg/constants.py
      'vsel',
 -    'wrlinux8', 'wrlinux1019'
 +    'wrlinux8', 'wrlinux1019',
-+    'rocky8'
++    'rl8'
  ]
 
  JINJA_MACROS_BASE_DEFINITIONS = os.path.join(os.path.dirname(os.path.dirname(
 @@ -182,6 +183,7 @@
      "Ubuntu 20.04": "ubuntu2004",
      "WRLinux 8": "wrlinux8",
      "WRLinux 1019": "wrlinux1019",
-+    "Rocky Linux 8": "rocky8",
++    "Rocky Linux 8": "rl8",
  }
 
 
@@ -94,21 +94,21 @@ diff -Nru content.org/ssg/constants.py content/ssg/constants.py
 
  MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu",
 -                       "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "example"]
-+                       "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rocky", "example"]
++                       "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rl", "example"]
 
  MULTI_PLATFORM_MAPPING = {
      "multi_platform_debian": ["debian9", "debian10"],
 @@ -212,6 +214,7 @@
      "multi_platform_sle": ["sle12", "sle15"],
      "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004"],
      "multi_platform_wrlinux": ["wrlinux8", "wrlinux1019"],
-+    "multi_platform_rocky": ["rocky8"],
++    "multi_platform_rl": ["rl8"],
  }
 
  RHEL_CENTOS_CPE_MAPPING = {
 @@ -377,6 +380,7 @@
      'ol': 'Oracle Linux',
      'ocp': 'Red Hat OpenShift Container Platform',
      'rhcos': 'Red Hat Enterprise Linux CoreOS',
-+    'rocky': 'Rocky Linux',
++    'rl': 'Rocky Linux',
  }

ComplianceAsCode/content_for_supporting_rocky8/files/disa-stig-rocky8-v1r3-xccdf-manual.xml

@@ -1545,7 +1545,7 @@ Main PID: 1130 (code=exited, status=0/SUCCESS)
 
 If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
 
-If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-230311"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230311r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010671</version><title>RHEL 8 must disable the kernel.core_pattern.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8,multi_platform_rocky</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8,multi_platform_rocky</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32955r567680_fix">Configure RHEL 8 to disable storing core dumps by adding the following line to a file in the "/etc/sysctl.d" directory:
+If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-230311"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230311r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010671</version><title>RHEL 8 must disable the kernel.core_pattern.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8,multi_platform_rl</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8,multi_platform_rl</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32955r567680_fix">Configure RHEL 8 to disable storing core dumps by adding the following line to a file in the "/etc/sysctl.d" directory:
 
 kernel.core_pattern = |/bin/false
 
@@ -5951,7 +5951,7 @@ $ sudo sysctl net.ipv6.conf.all.accept_redirects
 
 net.ipv6.conf.all.accept_redirects = 0
 
-If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230545"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230545r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040281</version><title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8,multi_platform_rocky</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8,multi_platform_rocky</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33189r568382_fix">Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file in the "/etc/sysctl.d" directory:
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230545"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230545r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040281</version><title>RHEL 8 must disable access to network bpf syscall from unprivileged processes.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8,multi_platform_rl</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8,multi_platform_rl</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33189r568382_fix">Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file in the "/etc/sysctl.d" directory:
 
 kernel.unprivileged_bpf_disabled = 1
 
@@ -5963,7 +5963,7 @@ $ sudo sysctl kernel.unprivileged_bpf_disabled
 
 kernel.unprivileged_bpf_disabled = 1
 
-If the returned line does not have a value of "1", or a line is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230546"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230546r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040282</version><title>RHEL 8 must restrict usage of ptrace to descendant  processes.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8,multi_platform_rocky</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8,multi_platform_rocky</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33190r568385_fix">Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file in the "/etc/sysctl.d" directory:
+If the returned line does not have a value of "1", or a line is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230546"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230546r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040282</version><title>RHEL 8 must restrict usage of ptrace to descendant  processes.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8,multi_platform_rl</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8,multi_platform_rl</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33190r568385_fix">Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file in the "/etc/sysctl.d" directory:
 
 kernel.yama.ptrace_scope = 1
 
@@ -5975,7 +5975,7 @@ $ sudo sysctl kernel.yama.ptrace_scope
 
 kernel.yama.ptrace_scope = 1
 
-If the returned line does not have a value of "1", or a line is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230547"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230547r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040283</version><title>RHEL 8 must restrict exposed kernel pointer addresses access.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8,multi_platform_rocky</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8,multi_platform_rocky</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33191r568388_fix">Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file in the "/etc/sysctl.d" directory:
+If the returned line does not have a value of "1", or a line is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-230547"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230547r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040283</version><title>RHEL 8 must restrict exposed kernel pointer addresses access.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8,multi_platform_rl</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8,multi_platform_rl</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33191r568388_fix">Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file in the "/etc/sysctl.d" directory:
 
 kernel.kptr_restrict = 1
 
@@ -6912,4 +6912,4 @@ Verify that the daemon is running:
 
 $ sudo ps -ef | grep -i mfetpd
 
-If the daemon is not running, this is a finding.</check-content></check></Rule></Group></Benchmark>
+If the daemon is not running, this is a finding.</check-content></check></Rule></Group></Benchmark>

…rting_rocky8/files/rocky8/CMakeLists.txt …pporting_rocky8/files/rl8/CMakeLists.txtComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt renamed to ComplianceAsCode/content_for_supporting_rocky8/files/rl8/CMakeLists.txt ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt renamed to ComplianceAsCode/content_for_supporting_rocky8/files/rl8/CMakeLists.txt

@@ -3,7 +3,7 @@ if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
     message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
 endif()
 
-set(PRODUCT "rocky8")
+set(PRODUCT "rl8")
 set(DISA_SRG_TYPE "os")
 
 ssg_build_product(${PRODUCT})