Add debian10 content

Author: Bryan Schneiders

CMakeLists.txt

@@ -63,6 +63,7 @@ option(SSG_PRODUCT_DEFAULT "If enabled, all default release products will be bui
 option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN8 "If enabled, the Debian 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN9 "If enabled, the Debian 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_EAP6 "If enabled, the JBoss EAP6 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
 option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -230,6 +231,7 @@ message(STATUS "Products:")
 message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}")
 message(STATUS "Debian 8: ${SSG_PRODUCT_DEBIAN8}")
 message(STATUS "Debian 9: ${SSG_PRODUCT_DEBIAN9}")
+message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
 message(STATUS "JBoss EAP 6: ${SSG_PRODUCT_EAP6}")
 message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
 message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
@@ -294,6 +296,9 @@ endif()
 if (SSG_PRODUCT_DEBIAN9)
     add_subdirectory("debian9")
 endif()
+if (SSG_PRODUCT_DEBIAN10)
+    add_subdirectory("debian10")
+endif()
 if (SSG_PRODUCT_EAP6)
     add_subdirectory("eap6")
 endif()

build_product

@@ -265,6 +265,7 @@ all_cmake_products=(
 	CHROMIUM
 	DEBIAN8
 	DEBIAN9
+	DEBIAN10
 	EAP6
 	EXAMPLE
 	FEDORA

debian10/CMakeLists.txt

@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd debian10; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the developer_guide.adoc for more details!")
+endif()
+
+ssg_build_product("debian10")

debian10/cpe/debian10-cpe-dictionary.xml

@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
+      <cpe-item name="cpe:/o:debian:debian_linux:10">
+            <title xml:lang="en-us">Debian Linux 10</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_OS_is_debian10</check>
+      </cpe-item>
+      <cpe-item name="cpe:/a:container">
+            <title xml:lang="en-us">Container</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_is_a_container</check>
+      </cpe-item>
+      <cpe-item name="cpe:/a:machine">
+            <title xml:lang="en-us">Bare-metal or Virtual Machine</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_is_a_machine</check>
+      </cpe-item>
+      <cpe-item name="cpe:/a:gdm">
+            <title xml:lang="en-us">Package gdm is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+      </cpe-item>
+      <cpe-item name="cpe:/a:libuser">
+            <title xml:lang="en-us">Package libuser is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_libuser_package</check>
+      </cpe-item>
+      <cpe-item name="cpe:/a:nss-pam-ldapd">
+            <title xml:lang="en-us">Package nss-pam-ldapd is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_nss-pam-ldapd_package</check>
+      </cpe-item>
+      <cpe-item name="cpe:/a:pam">
+            <title xml:lang="en-us">Package pam is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_pam_package</check>
+      </cpe-item>
+      <cpe-item name="cpe:/a:shadow-utils">
+            <title xml:lang="en-us">Package shadow-utils is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_shadow-utils_package</check>
+      </cpe-item>
+      <cpe-item name="cpe:/a:sssd">
+            <title xml:lang="en-us">Package sssd-common is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_sssd-common_package</check>
+      </cpe-item>
+      <cpe-item name="cpe:/a:systemd">
+            <title xml:lang="en-us">Package systemd is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_systemd_package</check>
+      </cpe-item>
+      <cpe-item name="cpe:/a:yum">
+            <title xml:lang="en-us">Package yum is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+      </cpe-item>
+</cpe-list>

debian10/overlays/.gitkeep

@@ -0,0 +1,11 @@
+product: debian10
+full_name: Debian 10
+type: platform
+
+benchmark_root: "../linux_os/guide"
+
+profiles_root: "./profiles"
+
+pkg_manager: "apt_get"
+
+init_system: "systemd"

debian10/product.yml

@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Profile for ANSSI DAT-NT28 Average (Intermediate) Level'
+
+description: 'This profile contains items for GNU/Linux installations already protected by multiple higher level security
+    stacks.'
+
+extends: anssi_np_nt28_minimal
+
+selections:
+    - partition_for_tmp
+    - partition_for_var
+    - partition_for_var_log
+    - partition_for_var_log_audit
+    - partition_for_home
+    - package_ntp_installed
+    - package_ntpdate_removed
+    - sshd_idle_timeout_value=5_minutes
+    - sshd_set_idle_timeout
+    - sshd_disable_root_login
+    - sshd_disable_empty_passwords
+    - sshd_allow_only_protocol2
+    - sshd_set_keepalive
+    - file_owner_logfiles_value=adm
+    - rsyslog_files_ownership
+    - file_groupowner_logfiles_value=adm
+    - rsyslog_files_groupownership
+    - rsyslog_files_permissions
+    - "!rsyslog_remote_loghost"
+    - ensure_logrotate_activated
+    - file_permissions_systemmap
+    - sysctl_fs_protected_symlinks
+    - sysctl_fs_protected_hardlinks
+    - sysctl_fs_suid_dumpable
+    - sysctl_kernel_randomize_va_space

debian10/profiles/anssi_np_nt28_average.profile

@@ -0,0 +1,11 @@
+documentation_complete: true
+
+title: 'Profile for ANSSI DAT-NT28 High (Enforced) Level'
+
+description: 'This profile contains items for GNU/Linux installations storing sensitive informations that can be accessible
+    from unauthenticated or uncontroled networks.'
+
+extends: anssi_np_nt28_restrictive
+
+selections:
+    - grub2_enable_iommu_force

debian10/profiles/anssi_np_nt28_high.profile

@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Profile for ANSSI DAT-NT28 Minimal Level'
+
+description: 'This profile contains items to be applied systematically.'
+
+selections:
+    - sudo_remove_nopasswd
+    - sudo_remove_no_authenticate
+    - package_telnetd_removed
+    - package_inetutils-telnetd_removed
+    - package_telnetd-ssl_removed
+    - package_nis_removed
+    - package_rsyslog_installed
+    - service_rsyslog_enabled
+    - package_syslogng_installed
+    - service_syslogng_enabled
+    - apt_conf_disallow_unauthenticated
+    - apt_sources_list_official
+    - file_permissions_etc_shadow
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
+    - file_permissions_etc_gshadow
+    - file_owner_etc_gshadow
+    - file_groupowner_etc_gshadow
+    - file_permissions_etc_passwd
+    - file_owner_etc_passwd
+    - file_groupowner_etc_passwd
+    - file_permissions_etc_group
+    - file_owner_etc_group
+    - file_groupowner_etc_group

debian10/profiles/anssi_np_nt28_minimal.profile

@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Profile for ANSSI DAT-NT28 Restrictive Level'
+
+description: 'This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.'
+
+extends: anssi_np_nt28_average
+
+selections:
+    - partition_for_tmp
+    - partition_for_var
+    - partition_for_var_log
+    - partition_for_var_log_audit
+    - partition_for_home
+    - package_audit_installed
+    - package_cron_installed
+    - service_auditd_enabled
+    - service_ntp_enabled

debian10/profiles/anssi_np_nt28_restrictive.profile

@@ -0,0 +1,58 @@
+documentation_complete: true
+
+title: 'Standard System Security Profile for Debian 10'
+
+description: |-
+    This profile contains rules to ensure standard security baseline
+    of a Debian 10 system. Regardless of your system's workload
+    all of these checks should pass.
+
+selections:
+    - partition_for_tmp
+    - partition_for_var
+    - partition_for_var_log
+    - partition_for_var_log_audit
+    - partition_for_home
+    - package_audit_installed
+    - package_cron_installed
+    - package_ntp_installed
+    - package_rsyslog_installed
+    - package_telnetd_removed
+    - package_inetutils-telnetd_removed
+    - package_telnetd-ssl_removed
+    - package_nis_removed
+    - package_ntpdate_removed
+    - service_auditd_enabled
+    - service_cron_enabled
+    - service_ntp_enabled
+    - service_rsyslog_enabled
+    - sshd_idle_timeout_value=5_minutes
+    - sshd_set_idle_timeout
+    - sshd_disable_root_login
+    - sshd_disable_empty_passwords
+    - sshd_allow_only_protocol2
+    - sshd_set_keepalive
+    - file_owner_logfiles_value=adm
+    - rsyslog_files_ownership
+    - file_groupowner_logfiles_value=adm
+    - rsyslog_files_groupownership
+    - rsyslog_files_permissions
+    - "!rsyslog_remote_loghost"
+    - ensure_logrotate_activated
+    - file_permissions_systemmap
+    - file_permissions_etc_shadow
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
+    - file_permissions_etc_gshadow
+    - file_owner_etc_gshadow
+    - file_groupowner_etc_gshadow
+    - file_permissions_etc_passwd
+    - file_owner_etc_passwd
+    - file_groupowner_etc_passwd
+    - file_permissions_etc_group
+    - file_owner_etc_group
+    - file_groupowner_etc_group
+    - sysctl_fs_protected_symlinks
+    - sysctl_fs_protected_hardlinks
+    - sysctl_fs_suid_dumpable
+    - sysctl_kernel_randomize_va_space

debian10/profiles/standard.profile

@@ -0,0 +1,22 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">Debian 10</xsl:variable>
+<xsl:variable name="product_short_name">Debian 10</xsl:variable>
+<xsl:variable name="product_stig_id_name">DEBIAN_10_STIG</xsl:variable>
+<xsl:variable name="product_guide_id_name">DEBIAN-10</xsl:variable>
+<xsl:variable name="prod_type">debian10</xsl:variable>
+
+<!-- Define URI of official Center for Internet Security Benchmark for Debian Linux v1.0 -->
+<xsl:variable name="cisuri">https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf</xsl:variable>
+<xsl:variable name="disa-stigs-uri" select="$disa-stigs-os-unix-linux-uri"/>
+<xsl:variable name="os-stigid-concat" />
+
+<!-- Define URI for custom CCE identifier which can be used for mapping to corporate policy -->
+<!--xsl:variable name="custom-cce-uri">https://www.example.org</xsl:variable-->
+
+<!-- Define URI for custom policy reference which can be used for linking to corporate policy -->
+<!--xsl:variable name="custom-ref-uri">https://www.example.org</xsl:variable-->
+
+</xsl:stylesheet>

debian10/transforms/constants.xslt

@@ -0,0 +1,9 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../shared/transforms/shared_shorthand2xccdf.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:param name="ssg_version">unknown</xsl:param>
+<xsl:variable name="ovalfile">unlinked-debian10-oval.xml</xsl:variable>
+
+</xsl:stylesheet>

debian10/transforms/shorthand2xccdf.xslt

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:include href="../../shared/transforms/shared_table-srgmap.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+<xsl:variable name="items" select="document($map-to-items)//*[cdf:reference]" />
+<xsl:variable name="title" select="document($map-to-items)/cdf:Benchmark/cdf:title" />
+
+</xsl:stylesheet>

debian10/transforms/table-srgmap.xslt

@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>

debian10/transforms/table-style.xslt

@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>

debian10/transforms/xccdf-apply-overlay-stig.xslt

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-byref.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>

debian10/transforms/xccdf2table-byref.xslt

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>