From e7f5763feb7643d947087657ddbd4c034ad8e6f5 Mon Sep 17 00:00:00 2001
From: t0292887
Date: Tue, 19 May 2026 16:18:39 +0200
Subject: [PATCH] Add new product for Ubuntu 26.04 and a default profile
---
 .github/workflows/automatus-ubuntu2604.yml | 171 ++++++++++++++++++
 .github/workflows/gate.yaml | 19 ++
 CMakeLists.txt | 5 +
 CODEOWNERS | 1 +
 build_product | 1 +
 .../oval/shared.xml | 1 +
 .../policy/stig/ubuntu2604.yml | 18 ++
 products/ubuntu2604/CMakeLists.txt | 6 +
 products/ubuntu2604/overlays/.gitkeep | 0
 products/ubuntu2604/product.yml | 57 ++++++
 products/ubuntu2604/profiles/default.profile | 11 ++
 shared/applicability/package.yml | 2 +-
 .../oval/installed_OS_is_ubuntu2604.xml | 26 +++
 ssg/constants.py | 5 +-
 tests/data/product_stability/ubuntu2604.yml | 138 ++++++++++++++
 .../generate_product_family_guards.py | 4 +-
 16 files changed, 460 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/automatus-ubuntu2604.yml
 create mode 100644 linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/policy/stig/ubuntu2604.yml
 create mode 100644 products/ubuntu2604/CMakeLists.txt
 create mode 100644 products/ubuntu2604/overlays/.gitkeep
 create mode 100644 products/ubuntu2604/product.yml
 create mode 100644 products/ubuntu2604/profiles/default.profile
 create mode 100644 shared/checks/oval/installed_OS_is_ubuntu2604.xml
 create mode 100644 tests/data/product_stability/ubuntu2604.yml
diff --git a/.github/workflows/automatus-ubuntu2604.yml b/.github/workflows/automatus-ubuntu2604.yml
new file mode 100644
index 000000000000..281820427a6f
--- /dev/null
+++ b/.github/workflows/automatus-ubuntu2604.yml
@@ -0,0 +1,171 @@ +name: Automatus Ubuntu 26.04 +on: + pull_request: + branches: [ master, 'stabilization*' ] +concurrency: + group: ${{ github.workflow }}-${{ github.event.number || github.run_id }} + cancel-in-progress: true +env: + DATASTREAM: ssg-ubuntu2604-ds.xml +jobs: + build-content: + name: Build Content + runs-on: ubuntu-26.04 + steps: + - name: Install build deps + run: sudo apt-get update && sudo apt-get install -y cmake ninja-build xsltproc libxml2-utils python3-yaml python3-jinja2 openscap-utils + - name: Install workflow deps + run: sudo apt install -y git python3-deepdiff python3-requests jq python3-pip + - name: Install deps python + run: pip3 install gitpython xmldiff + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + with: + fetch-depth: 0 + - name: Checkout (CTF) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + with: + repository: ComplianceAsCode/content-test-filtering + path: ctf + # https://github.com/actions/checkout/issues/766 + - name: Set git safe directory + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: Find forking point + env: + BASE_BRANCH: ${{ github.base_ref }} + run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT + id: fork_point + - name: Detect content changes in the PR + run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --remote_repo ${{ github.server_url }}/${{ github.repository }} --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json + - name: Test if there are no content changes + run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT + id: ctf + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + with: + name: output.json + path: output.json + - name: Print changes to content 
detected if any + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: cat output.json + - name: Get product attribute + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + id: product + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 + with: + path: 'output.json' + prop_path: 'product' + - name: Build product + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: ./build_product ubuntu2604 --datastream-only + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + with: + name: ${{ env.DATASTREAM }} + path: build/${{ env.DATASTREAM }} + validate-ubuntu: + name: Run Tests + needs: build-content + runs-on: ubuntu-26.04 + steps: + - name: Install test deps + run: sudo apt-get update && sudo apt-get install -y cmake ninja-build xsltproc libxml2-utils python3-yaml python3-jinja2 openscap-utils podman + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + - name: Get cached CTF output + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v4 + id: get_ctf_output + with: + name: output.json + # continue even if the file is unavailable that + # means there are no changes detected by CTF in the previous job + continue-on-error: true + - name: Test if there are no content changes + if: ${{ steps.get_ctf_output.outcome == 'success' }} + run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT + id: ctf + - name: Print changes to content detected if any + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: cat output.json + - name: Generate id_rsa key + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa + - name: Build test suite container + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f 
test_suite-ubuntu2604 + working-directory: ./Dockerfiles + - name: Get rule ids to be tested + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + id: rules + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 + with: + path: 'output.json' + prop_path: 'rules' + - name: Get product attribute + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + id: product + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 + with: + path: 'output.json' + prop_path: 'product' + - name: Get bash attribute + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + id: bash + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 + with: + path: 'output.json' + prop_path: 'bash' + - name: Get ansible attribute + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + id: ansible + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0 + with: + path: 'output.json' + prop_path: 'ansible' + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v4 + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + with: + name: ${{ env.DATASTREAM }} + - name: Run tests in a container - Bash + if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: tests/test_rule_in_container.sh --no-make-applicable-in-containers --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream ${{ env.DATASTREAM }} ${{join(fromJSON(steps.rules.outputs.prop))}} + env: + ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified" + - name: Check for ERROR in logs + if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: grep -q "^ERROR" logs_bash/test_suite.log + id: check_results_bash + # when grep returns 1 means it didn't find the ^ERROR string in the test_suite.log file + # and this means tests finished successfully 
without errors. So the job needs to keep going. + # By using continue-on-error: true the "conclusion" parameter is set to true so it's not possible to use + # it to determine whether the task has failed or succeed. The "outcome" parameter has to be used instead. + # See the step below + continue-on-error: true + - name: Upload logs in case of failure + if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + with: + name: logs_bash + path: logs_bash/ + - name: Run tests in a container - Ansible + if: ${{ steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: tests/test_rule_in_container.sh --no-make-applicable-in-containers --dontclean --logdir logs_ansible --remediate-using ansible --name ssg_test_suite --datastream ${{ env.DATASTREAM }} ${{join(fromJSON(steps.rules.outputs.prop))}} + env: + ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified" + - name: Check for ERROR in logs + if: ${{steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: grep -q "^ERROR" logs_ansible/test_suite.log + id: check_results_ansible + continue-on-error: true + - name: Upload logs in case of failure + if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + with: + name: logs_ansible + path: logs_ansible/ + - name: Fail in case of ERROR present in logs_bash/test_suite.log or logs_ansible/test_suite.log + if: ${{ (steps.check_results_bash.outcome == 'success' || steps.check_results_ansible.outcome == 'success') && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: | + [[ -f logs_bash/test_suite.log ]] && echo "---------Bash Remediation Logs---------" && cat 
logs_bash/test_suite.log | grep -v "DEBUG - " + [[ -f logs_ansible/test_suite.log ]] && echo "---------Ansible Remediation Logs---------" && cat logs_ansible/test_suite.log | grep -v "DEBUG - " + exit 1 diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml index ed304455555f..c837ac5cfe5e 100644 --- a/.github/workflows/gate.yaml +++ b/.github/workflows/gate.yaml @@ -121,6 +121,25 @@ jobs: run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build + validate-ubuntu-26-04: + name: Build, Test on Ubuntu 26.04 + runs-on: ubuntu-26.04 + steps: + - name: Install Deps + run: sudo apt-get update && sudo apt-get install -y cmake ninja-build openscap-utils libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + - name: Install deps python + run: pip3 install -r requirements.txt -r test-requirements.txt + - name: Build + env: + ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF" + run: |- + ./build_product ubuntu2604 + - name: Test + run: ctest -j$(nproc) --output-on-failure -E unique-stigids + working-directory: ./build + validate-fedora-rawhide: name: Build, Test on Fedora Rawhide (Container) runs-on: ubuntu-latest diff --git a/CMakeLists.txt b/CMakeLists.txt index ca33e4fdb726..29605b9e328d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
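Review bot: The rule ids from CTF are spliced straight into the shell command of both `Run tests in a container` steps via `${{join(fromJSON(steps.rules.outputs.prop))}}`, so whatever characters end up in `output.json` are interpreted by bash; that data is derived from the PR's file names, so it should be treated as untrusted even though the `pull_request` trigger limits the blast radius to a read-only token and no secrets. Pass it through the environment instead: add `RULE_IDS: ${{ join(fromJSON(steps.rules.outputs.prop)) }}` under each step's `env:` and end the command with `$RULE_IDS` rather than the inline expression. The `Get product attribute` step (`id: product`) is defined in both jobs but its output is never read — `Build product` hard-codes `ubuntu2604` — so both copies can be dropped. `pip3 install gitpython xmldiff` is unpinned; pin versions (or use a hash-pinned requirements file) so the CI dependency set is reproducible and not silently changed by an upstream release.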
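Review bot: `ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"` switches off OVAL Schematron validation for the 26.04 gate build without saying why; since this is the job meant to catch malformed OVAL for the new product, add a comment above `env:` such as `# Schematron validation disabled because <reason>; re-enable once <condition>` so the exception does not become permanent by accident. `runs-on: ubuntu-26.04` also presumes a GitHub-hosted 26.04 image exists; if it has not been published yet the job queues indefinitely rather than failing, which reads as a hung gate. Finally, `pip3 install -r requirements.txt -r test-requirements.txt` against the system interpreter may be refused under PEP 668 (externally-managed-environment) on a 26.04 image — worth confirming on the first run, or switching to a venv.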
@@ -119,6 +119,7 @@ option(SSG_PRODUCT_SLMICRO6 "If enabled, the SLE Micro 6 SCAP content will be bu
 option(SSG_PRODUCT_TENCENTOS4 "If enabled, the TencentOS Server 4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU2404 "If enabled, the Ubuntu 24.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_UBUNTU2604 "If enabled, the Ubuntu 26.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 # Products derivatives
 option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
@@ -357,6 +358,7 @@ message(STATUS "SLE Micro 6: ${SSG_PRODUCT_SLMICRO6}")
 message(STATUS "TencentOS Server 4: ${SSG_PRODUCT_TENCENTOS4}")
 message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
 message(STATUS "Ubuntu 24.04: ${SSG_PRODUCT_UBUNTU2404}")
+message(STATUS "Ubuntu 26.04: ${SSG_PRODUCT_UBUNTU2604}")
 message(STATUS " ")
 # Remove this option when we would like to run ansible-lint and yamllint against our playbooks by
@@ -492,6 +494,9 @@ endif()
 if(SSG_PRODUCT_UBUNTU2404)
 add_subdirectory("products/ubuntu2404" "ubuntu2404")
 endif()
+if(SSG_PRODUCT_UBUNTU2604)
+ add_subdirectory("products/ubuntu2604" "ubuntu2604")
+endif()
 # ZIP only contains source datastreams and kickstarts.
 # People who want sources to build from should get the tarball instead.
diff --git a/CODEOWNERS b/CODEOWNERS
index 1b1538d0eaf6..3ae31a6850c4 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -31,3 +31,4 @@
 /controls/cis_sle15.yml @ComplianceAsCode/suse-maintainers
 /controls/stig_slemicro5.yml @ComplianceAsCode/suse-maintainers
 /controls/cis_ubuntu2404.yml @ComplianceAsCode/ubuntu-maintainers
+/controls/cis_ubuntu2604.yml @ComplianceAsCode/ubuntu-maintainers
\ No newline at end of file
diff --git a/build_product b/build_product
index df6acb1fa654..0213f4edcaaf 100755
--- a/build_product
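Review bot: The new `/controls/cis_ubuntu2604.yml` ownership entry points at a file this patch does not create — no `controls/` path appears in the diffstat — so it is a placeholder until a CIS control file for 26.04 lands; harmless, but either drop it until then or say so in the commit message so nobody goes looking for the file. The hunk also ends with `\ No newline at end of file`; terminate the entry with a newline so the next appended rule is not glued onto this one.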
+++ b/build_product
@@ -385,6 +385,7 @@ all_cmake_products=(
 TENCENTOS4
 UBUNTU2204
 UBUNTU2404
+ UBUNTU2604
 )
 build_type_option="-DCMAKE_BUILD_TYPE=Release"
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
index ab6480a8cefa..1ccb107eb46a 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
@@ -19,6 +19,7 @@
+
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/policy/stig/ubuntu2604.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/policy/stig/ubuntu2604.yml
new file mode 100644
index 000000000000..a68e67d4537f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/policy/stig/ubuntu2604.yml
@@ -0,0 +1,18 @@
+srg_requirement: |-
+ {{{ full_name }}} must be a vendor-supported release.
+
+vuldiscussion: |-
+ An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
+
+checktext: |-
+ Verify that the version or {{{ full_name }}} is vendor supported with the following command:
+
+ $ grep DISTRIB_DESCRIPTION /etc/lsb-release
+
+ DISTRIB_DESCRIPTION="Ubuntu 26.04.1 LTS"
+
+ If the installed version of {{{ full_name }}} is not supported, this is a finding.
+
+fixtext: |-
+ Upgrade to a supported version of {{{ full_name }}}.
+
diff --git a/products/ubuntu2604/CMakeLists.txt b/products/ubuntu2604/CMakeLists.txt
new file mode 100644
index 000000000000..20c723ca6f10
--- /dev/null
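Review bot: `checktext` has a typo that will ship into the rendered STIG text — `Verify that the version or {{{ full_name }}}` should read `Verify that the version of {{{ full_name }}}`. The sample output `DISTRIB_DESCRIPTION="Ubuntu 26.04.1 LTS"` names a point release; if 26.04.1 has not been published when this merges, `DISTRIB_DESCRIPTION="Ubuntu 26.04 LTS"` is the faithful example. Note the manual check keys on `DISTRIB_DESCRIPTION` while the automated applicability check added elsewhere in this patch keys on `DISTRIB_CODENAME` in the same file — not wrong, but a one-line note in `checktext` that either field identifies the release would spare assessors the question.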
+++ b/products/ubuntu2604/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd ubuntu26; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("ubuntu2604")
diff --git a/products/ubuntu2604/overlays/.gitkeep b/products/ubuntu2604/overlays/.gitkeep
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/products/ubuntu2604/product.yml b/products/ubuntu2604/product.yml
new file mode 100644
index 000000000000..c8a74bc89b81
--- /dev/null
+++ b/products/ubuntu2604/product.yml
@@ -0,0 +1,57 @@
+product: ubuntu2604
+full_name: "Ubuntu 26.04"
+type: platform
+
+families:
+ - debian-like
+ - ubuntu
+
+major_version_ordinal: 2604
+
+benchmark_id: UBUNTU_26-04
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "apt_get"
+pkg_manager_config_file: "/etc/apt/apt.conf"
+
+init_system: "systemd"
+oval_feed_url: "https://security-metadata.canonical.com/oval/com.ubuntu.resolute.usn.oval.xml.bz2"
+
+sshd_distributed_config: "true"
+
+aide_bin_path: "/usr/bin/aide"
+aide_conf_path: "/etc/aide/aide.conf"
+aide_default_path: "/etc/default/aide"
+audisp_conf_path: "/etc/audit"
+chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/conf.d/"
+journald_conf_dir_path: "/etc/systemd/journald.conf.d"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - ubuntu2604:
+ name: "cpe:/o:canonical:ubuntu_linux:26.04::~~lts~~~"
+ title: "Ubuntu release 26.04 (Resolute Raccoon)"
+ check_id: installed_OS_is_ubuntu2604
+
+platform_package_overrides:
+ audit: auditd
+ avahi: avahi-daemon
+ bind: bind9
+ crontabs: cron
+ dconf: dconf-editor
+ gdm: gdm3
+ grub2: grub2-common
+ net-snmp: snmp
+ NetworkManager: network-manager
+ nss-pam-ldapd: libpam-ldap
+ pam: libpam-runtime
+ shadow: login
+ sssd: sssd-common
+ openssl-pkcs11: libpam-pkcs11
+
+reference_uris:
+ cis: 'https://www.cisecurity.org/benchmark/ubuntu_linux/'
diff --git a/products/ubuntu2604/profiles/default.profile b/products/ubuntu2604/profiles/default.profile
new file mode 100644
index 000000000000..840f9c2aa9dd
--- /dev/null
+++ b/products/ubuntu2604/profiles/default.profile
@@ -0,0 +1,11 @@
+documentation_complete: true
+
+hidden: true
+
+title: Default Profile for Ubuntu 26.04
+
+description: |-
+ Minimal default profile for Ubuntu 26.04 to ensure benchmark generation.
+
+selections:
+ - installed_OS_is_vendor_supported
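Review bot: `product.yml` leaves several path variables at their defaults, and the product-stability snapshot in this same patch shows what those resolve to for 26.04: `rsyslog_cafile: /etc/pki/tls/cert.pem`, `sshd_sysconfig_file: /etc/sysconfig/sshd`, `login_defs_defaults_path: /usr/etc/login.defs`, the `/etc/crypto-policies/back-ends/...` OpenSSH files and `xorg-x11-server-*` package names — none of which exist on a stock Ubuntu install (the CA bundle there is `/etc/ssl/certs/ca-certificates.crt`). With only `installed_OS_is_vendor_supported` selected in `default.profile` nothing consumes them yet, but any rule that does will check or remediate a non-existent path once CIS/STIG profiles are added, so it is cheaper to set them now, starting with `rsyslog_cafile: "/etc/ssl/certs/ca-certificates.crt"`. I cannot tell from this diff whether ubuntu2404 carries the same inherited defaults; if it does, fixing both together keeps the family consistent.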
diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml index bfb3104263b6..91c7dfd5837a 100644 --- a/shared/applicability/package.yml +++ b/shared/applicability/package.yml @@ -75,7 +75,7 @@ args: pkgname: snmp {{% endif %}} networkmanager: - {{% if product in ["ubuntu2204", "ubuntu2404"] %}} + {{% if product in ["ubuntu2204", "ubuntu2404", "ubuntu2604"] %}} pkgname: network-manager {{% else %}} pkgname: NetworkManager diff --git a/shared/checks/oval/installed_OS_is_ubuntu2604.xml b/shared/checks/oval/installed_OS_is_ubuntu2604.xml new file mode 100644 index 000000000000..2da099152243 --- /dev/null +++ b/shared/checks/oval/installed_OS_is_ubuntu2604.xml @@ -0,0 +1,26 @@ + + + + Ubuntu 26.04 LTS + + multi_platform_all + + + The operating system installed on the system is Ubuntu 26.04 LTS + + + + + + + + + + + + /etc/lsb-release + ^DISTRIB_CODENAME=resolute$ + 1 + + + diff --git a/ssg/constants.py b/ssg/constants.py index 62d14c8957c8..e04d6dcad73d 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -59,7 +59,7 @@ 'rhv4', 'sle12', 'sle15', 'sle16', 'slmicro5', 'slmicro6', 'tencentos4', - 'ubuntu2204', 'ubuntu2404' + 'ubuntu2204', 'ubuntu2404', 'ubuntu2604' ] JINJA_MACROS_DIRECTORY = os.path.abspath(os.path.join(os.path.dirname(os.path.dirname( @@ -244,6 +244,7 @@ "TencentOS Server 4": "tencentos4", "Ubuntu 22.04": "ubuntu2204", "Ubuntu 24.04": "ubuntu2404", + "Ubuntu 26.04": "ubuntu2604", "OpenEmbedded": "openembedded", "Not Applicable": "example", } @@ -317,7 +318,7 @@ "multi_platform_sle": ["sle12", "sle15", "sle16"], "multi_platform_slmicro": ["slmicro5", "slmicro6"], "multi_platform_tencentos": ["tencentos4"], - "multi_platform_ubuntu": ["ubuntu2204", "ubuntu2404"], + "multi_platform_ubuntu": ["ubuntu2204", "ubuntu2404", "ubuntu2604"], "multi_platform_openembedded": ["openembedded"], "multi_platform_al": ["al2023"], } 
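Review bot: Applicability for the entire product rests on a single regex, `^DISTRIB_CODENAME=resolute$` against `/etc/lsb-release`; if that file is absent or rewritten on a host, the system is silently treated as not being Ubuntu 26.04 and receives no checks at all — fail-closed, but invisible to the assessor. Consider pairing it, under an OR criteria, with a test on `/etc/os-release` for `VERSION_ID="26.04"` or `VERSION_CODENAME=resolute`, the systemd-standard identification file that is less likely to be customised. The element markup is stripped in this rendering, so I cannot confirm the criteria structure beyond the object/state text shown.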
diff --git a/tests/data/product_stability/ubuntu2604.yml b/tests/data/product_stability/ubuntu2604.yml
new file mode 100644
index 000000000000..09ad0dca7e96
--- /dev/null
+++ b/tests/data/product_stability/ubuntu2604.yml
@@ -0,0 +1,138 @@ +aide_also_checks_audispd: 'no' +aide_also_checks_rsyslog: 'no' +aide_bin_path: /usr/bin/aide +aide_conf_path: /etc/aide/aide.conf +aide_default_path: /etc/default/aide +audisp_conf_path: /etc/audit +audit_binaries: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + - /sbin/audisp-syslog + - /sbin/audisp-remote + - /sbin/audispd-zos-remote +audit_watches_style: legacy +auid: 1000 +basic_properties_derived: true +benchmark_id: UBUNTU_26-04 +benchmark_root: ../../linux_os/guide +bootable_containers_supported: 'false' +chrony_conf_path: /etc/chrony/chrony.conf +chrony_d_path: /etc/chrony/conf.d/ +components_root: ../../components +cpes: + - ubuntu2604: + check_id: installed_OS_is_ubuntu2604 + name: cpe:/o:canonical:ubuntu_linux:26.04::~~lts~~~ + title: Ubuntu release 26.04 (Resolute Raccoon) +cpes_root: ../../shared/applicability +dconf_gdm_dir: gdm.d +dynamic_uid_max: 65519 +dynamic_uid_min: 61184 +faillock_path: /var/run/faillock +families: + - debian-like + - ubuntu +full_name: Ubuntu 26.04 +gid_min: 1000 +groups: {} +grub2_boot_path: /boot/grub +grub2_uefi_boot_path: /boot/grub +grub_helper_executable: update-grub +init_system: systemd +journald_conf_dir_path: /etc/systemd/journald.conf.d +login_defs_defaults_path: /usr/etc/login.defs +login_defs_drop_in_path: /etc/login.defs.d/oscap.login.defs +login_defs_path: /etc/login.defs +major_version_ordinal: 2604 +nobody_gid: 65534 +nobody_uid: 65534 +openssh_client_crypto_policy_config_file: /etc/crypto-policies/back-ends/openssh.config +openssh_server_crypto_policy_config_file: /etc/crypto-policies/back-ends/opensshserver.config +oval_feed_url: https://security-metadata.canonical.com/oval/com.ubuntu.resolute.usn.oval.xml.bz2 +pam_faillock_conf_path: /etc/security/faillock.conf +pkg_manager: apt_get +pkg_manager_config_file: /etc/apt/apt.conf +pkg_system: dpkg +platform_package_overrides: + NetworkManager: network-manager + aarch64_arch: 
null + audit: auditd + avahi: avahi-daemon + bind: bind9 + crontabs: cron + dconf: dconf-editor + gdm: gdm3 + grub2: grub2-common + login_defs: login + net-snmp: snmp + no_ovirt: null + non-uefi: null + not_aarch64_arch: null + not_s390x_arch: null + nss-pam-ldapd: libpam-ldap + openssl-pkcs11: libpam-pkcs11 + ovirt: null + pam: libpam-runtime + s390x_arch: null + shadow: login + sssd: sssd-common + sssd-ldap: null + uefi: null + zipl: s390utils-base +product: ubuntu2604 +profiles_root: ./profiles +pwhistory_path: /etc/security/pwhistory.conf +pwquality_path: /etc/security/pwquality.conf +reference_uris: + anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf + app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers + app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security + bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf + cis: https://www.cisecurity.org/benchmark/ubuntu_linux/ + cis-csc: https://www.cisecurity.org/controls/ + cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf + cobit5: https://www.isaca.org/resources/cobit + cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf + dcid: not_officially_available + disa: https://www.cyber.mil/stigs/cci/ + hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf + isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat + isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu + ism: https://www.cyber.gov.au/acsc/view-all-content/ism + iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html + nerc-cip: https://www.nerc.com/standards/reliability-standards/cip + nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf + nist-csf: 
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf + os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os + ospp: https://www.niap-ccevs.org/Profile/PP.cfm + pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf + stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux + stigref: https://www.cyber.mil/stigs/srg-stig-tools/ +rsyslog_cafile: /etc/pki/tls/cert.pem +ssh_client_config_dir: /etc/ssh/ssh_config.d +ssh_client_main_config_file: /etc/ssh/ssh_config +sshd_config_base_dir: /etc/ssh +sshd_config_dir: /etc/ssh/sshd_config.d +sshd_distributed_config: 'true' +sshd_hardening_config_basename: 00-complianceascode-hardening.conf +sshd_main_config_file: /etc/ssh/sshd_config +sshd_runtime_check: 'false' +sshd_sysconfig_file: /etc/sysconfig/sshd +sysctl_remediate_drop_in_file: 'false' +target_oval_version: + - 5 + - 11 + - 2 +target_oval_version_str: 5.11.2 +type: platform +uid_min: 1000 +xwindows_packages: + - xorg-x11-server-Xorg + - xorg-x11-server-common + - xorg-x11-server-utils + - xorg-x11-server-Xwayland diff --git a/utils/nist_sync/generate_product_family_guards.py b/utils/nist_sync/generate_product_family_guards.py index 4a610430c345..70dc08338a39 100755 --- a/utils/nist_sync/generate_product_family_guards.py +++ b/utils/nist_sync/generate_product_family_guards.py @@ -40,7 +40,7 @@ 'rhel': ['rhel8', 'rhel9', 'rhel10'], 'ol': ['ol7', 'ol8', 'ol9'], 'ocp': ['ocp4'], - 'ubuntu': ['ubuntu2004', 'ubuntu2204', 'ubuntu2404'], + 'ubuntu': ['ubuntu2004', 'ubuntu2204', 'ubuntu2404', 'ubuntu2604'], 'fedora': ['fedora'], 'sle': ['sle12', 'sle15'], 'rhcos': ['rhcos4'], 
@@ -604,7 +604,7 @@ def main():
 rhel → rhel8, rhel9, rhel10
 ol → ol7, ol8, ol9
 ocp → ocp4
- ubuntu → ubuntu2004, ubuntu2204, ubuntu2404
+ ubuntu → ubuntu2004, ubuntu2204, ubuntu2404, ubuntu2604
 fedora → fedora
 sle → sle12, sle15
 rhcos → rhcos4