Introduce OL9 product

Create product's file structure and necessary files to build it.
Additionally add an initial standard profile.

Signed-off-by: Federico Ramirez <federico.r.ramirez@oracle.com>

CMakeLists.txt

@@ -82,6 +82,7 @@ option(SSG_PRODUCT_OCP4 "If enabled, the OCP4 SCAP content will be built" ${SSG_
 option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_OL9 "If enabled, the Oracle Linux 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -287,6 +288,7 @@ message(STATUS "OCP4: ${SSG_PRODUCT_OCP4}")
 message(STATUS "RHCOS4: ${SSG_PRODUCT_RHCOS4}")
 message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}")
 message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}")
+message(STATUS "Oracle Linux 9: ${SSG_PRODUCT_OL9}")
 message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
 message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
 message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
@@ -383,6 +385,9 @@ endif()
 if (SSG_PRODUCT_OL8)
     add_subdirectory("products/ol8" "ol8")
 endif()
+if (SSG_PRODUCT_OL9)
+    add_subdirectory("products/ol9" "ol9")
+endif()
 if (SSG_PRODUCT_OPENSUSE)
     add_subdirectory("products/opensuse" "opensuse")
 endif()

build_product

@@ -296,6 +296,7 @@ all_cmake_products=(
 	RHCOS4
 	OL7
 	OL8
+	OL9
 	OPENSUSE
 	RHEL7
 	RHEL8

products/ol9/CMakeLists.txt

@@ -0,0 +1,10 @@
+# Sometimes our users will try to do: "cd ol9; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "ol9")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-standard" "${PRODUCT}" "standard" "nist")

products/ol9/product.yml

@@ -0,0 +1,27 @@
+product: ol9
+full_name: Oracle Linux 9
+type: platform
+
+benchmark_id: OL-9
+benchmark_root: "../../linux_os/guide"
+
+profiles_root: "./profiles"
+
+pkg_manager: "yum"
+
+init_system: "systemd"
+oval_feed_url: "https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2"
+
+cpes_root: "../../shared/applicability"
+cpes:
+  - ol9:
+      name: "cpe:/o:oracle:linux:9"
+      title: "Oracle Linux 9"
+      check_id: installed_OS_is_ol9_family
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  login_defs: "shadow-utils"
+
+reference_uris:
+  cis: ''

products/ol9/profiles/standard.profile

@@ -0,0 +1,88 @@
+documentation_complete: true
+
+title: 'Standard System Security Profile for Oracle Linux 9'
+
+description: |-
+    This profile contains rules to ensure standard security baseline
+    of Oracle Linux 9 system. Regardless of your system's workload
+    all of these checks should pass.
+
+selections:
+    - ensure_oracle_gpgkey_installed
+    - ensure_gpgcheck_globally_activated
+    - security_patches_up_to_date
+    - rpm_verify_permissions
+    - rpm_verify_hashes
+    - no_empty_passwords
+    - file_permissions_unauthorized_sgid
+    - file_permissions_unauthorized_suid
+    - file_permissions_unauthorized_world_writable
+    - accounts_root_path_dirs_no_write
+    - dir_perms_world_writable_sticky_bits
+    - root_path_no_dot
+    - accounts_password_all_shadowed
+    - mount_option_dev_shm_nodev
+    - mount_option_dev_shm_nosuid
+    - audit_rules_privileged_commands
+    - audit_rules_privileged_commands_at
+    - audit_rules_privileged_commands_chage
+    - audit_rules_privileged_commands_chsh
+    - audit_rules_privileged_commands_crontab
+    - audit_rules_privileged_commands_gpasswd
+    - audit_rules_privileged_commands_mount
+    - audit_rules_privileged_commands_newgrp
+    - audit_rules_privileged_commands_pam_timestamp_check
+    - audit_rules_privileged_commands_passwd
+    - audit_rules_privileged_commands_postdrop
+    - audit_rules_privileged_commands_postqueue
+    - audit_rules_privileged_commands_ssh_keysign
+    - audit_rules_privileged_commands_su
+    - audit_rules_privileged_commands_sudo
+    - audit_rules_privileged_commands_sudoedit
+    - audit_rules_privileged_commands_umount
+    - audit_rules_privileged_commands_unix_chkpwd
+    - audit_rules_privileged_commands_userhelper
+    - audit_rules_privileged_commands_usernetctl
+    - audit_rules_dac_modification_chmod
+    - audit_rules_dac_modification_chown
+    - audit_rules_dac_modification_fchmod
+    - audit_rules_dac_modification_fchmodat
+    - audit_rules_dac_modification_fchown
+    - audit_rules_dac_modification_fchownat
+    - audit_rules_dac_modification_fremovexattr
+    - audit_rules_dac_modification_fsetxattr
+    - audit_rules_dac_modification_lchown
+    - audit_rules_dac_modification_lremovexattr
+    - audit_rules_dac_modification_lsetxattr
+    - audit_rules_dac_modification_removexattr
+    - audit_rules_dac_modification_setxattr
+    - audit_rules_file_deletion_events
+    - audit_rules_kernel_module_loading
+    - audit_rules_mac_modification
+    - audit_rules_media_export
+    - audit_rules_networkconfig_modification
+    - audit_rules_sysadmin_actions
+    - audit_rules_time_adjtimex
+    - audit_rules_time_clock_settime
+    - audit_rules_time_settimeofday
+    - audit_rules_time_stime
+    - audit_rules_time_watch_localtime
+    - audit_rules_unsuccessful_file_modification
+    - audit_rules_usergroup_modification
+    - package_rsyslog_installed
+    - service_abrtd_disabled
+    - service_atd_disabled
+    - service_autofs_disabled
+    - service_ntpdate_disabled
+    - service_oddjobd_disabled
+    - service_rdisc_disabled
+    - service_rsyslog_enabled
+    - service_qpidd_disabled
+    - partition_for_var_log
+    - partition_for_var_log_audit
+    - configure_crypto_policy
+    - configure_bind_crypto_policy
+    - configure_openssl_crypto_policy
+    - configure_libreswan_crypto_policy
+    - configure_ssh_crypto_policy
+    - configure_kerberos_crypto_policy

products/ol9/transforms/constants.xslt

@@ -0,0 +1,12 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">Oracle Linux 9</xsl:variable>
+<xsl:variable name="product_short_name">OL9</xsl:variable>
+<xsl:variable name="product_stig_id_name">>OL_9_STIG</xsl:variable>
+<xsl:variable name="prod_type">ol9</xsl:variable>
+
+<xsl:variable name="cisuri">empty</xsl:variable>
+
+</xsl:stylesheet>

products/ol9/transforms/table-srgmap.xslt

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:include href="../../../shared/transforms/shared_table-srgmap.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+<xsl:variable name="items" select="document($map-to-items)//*[cdf:reference]" />
+<xsl:variable name="title" select="document($map-to-items)/cdf:Benchmark/cdf:title" />
+
+</xsl:stylesheet>

products/ol9/transforms/table-style.xslt

@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>

products/ol9/transforms/xccdf-apply-overlay-stig.xslt

@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>

products/ol9/transforms/xccdf2table-cce.xslt

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>

shared/checks/oval/installed_OS_is_ol9_family.xml

@@ -0,0 +1,36 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_OS_is_ol9_family" version="1">
+    <metadata>
+      <title>Oracle Linux 9</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <reference ref_id="cpe:/o:oracle:linux:9"
+      source="CPE" />
+
+      <description>The operating system installed on the system is
+      Oracle Linux 9</description>
+    </metadata>
+    <criteria>
+      <extend_definition comment="Installed OS is part of the Unix family"
+      definition_ref="installed_OS_is_part_of_Unix_family" />
+      <criteria operator="OR">
+          <criterion comment="Oracle Linux 9 System is installed"
+            test_ref="test_ol9_system" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 9" id="test_ol9_system" version="1">
+    <linux:object object_ref="obj_ol9_system" />
+    <linux:state state_ref="state_ol9_system" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_ol9_system" version="1">
+    <linux:version operation="pattern match">^9.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_ol9_system" version="1">
+    <linux:name>oraclelinux-release</linux:name>
+  </linux:rpminfo_object>
+
+</def-group>

ssg/constants.py

@@ -49,7 +49,7 @@
     'macos1015',
     'ocp4',
     'rhcos4',
-    'ol7', 'ol8',
+    'ol7', 'ol8', 'ol9',
     'opensuse',
     'rhel7', 'rhel8', 'rhel9',
     'rhosp10', 'rhosp13',
@@ -210,6 +210,7 @@
     "Red Hat Enterprise Linux CoreOS 4": "rhcos4",
     "Oracle Linux 7": "ol7",
     "Oracle Linux 8": "ol8",
+    "Oracle Linux 9": "ol9",
     "openSUSE": "opensuse",
     "Red Hat Enterprise Linux 7": "rhel7",
     "Red Hat Enterprise Linux 8": "rhel8",
@@ -271,7 +272,7 @@
     "multi_platform_eks": ["eks"],
     "multi_platform_fedora": ["fedora"],
     "multi_platform_opensuse": ["opensuse"],
-    "multi_platform_ol": ["ol7", "ol8"],
+    "multi_platform_ol": ["ol7", "ol8", "ol9"],
     "multi_platform_ocp": ["ocp4"],
     "multi_platform_rhcos": ["rhcos4"],
     "multi_platform_rhel": ["rhel7", "rhel8", "rhel9"],