[WIP] add bascontrol22d

.gitignore

@@ -82,3 +82,4 @@ coverage.xml
 
 # Trestle specfic
 shared/references/oscal/.trestle/cache
+products/bascontrol22d4/CMakeFiles/

CMakeLists.txt

@@ -89,6 +89,7 @@ option(SSG_PRODUCT_ALINUX3 "If enabled, the Alibaba Cloud Linux 3 SCAP content w
 option(SSG_PRODUCT_ALMALINUX9 "If enabled, the AlmaLinux OS 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_ANOLIS23 "If enabled, the Anolis OS 23 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_BASCONTROL22D4 "If enabled, the Contemporary Controls BAScontrol22D 4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN13 "If enabled, the Debian 13 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -326,6 +327,7 @@ message(STATUS "Alibaba Cloud Linux 3: ${SSG_PRODUCT_ALINUX3}")
 message(STATUS "AlmaLinux OS 9: ${SSG_PRODUCT_ALMALINUX9}")
 message(STATUS "Anolis OS 8: ${SSG_PRODUCT_ANOLIS8}")
 message(STATUS "Anolis OS 23: ${SSG_PRODUCT_ANOLIS23}")
+message(STATUS "Contemporary Controls BAScontrol22D 4: ${SSG_PRODUCT_BASCONTROL22D4}")
 message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}")
 message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}")
 message(STATUS "Debian 13: ${SSG_PRODUCT_DEBIAN13}")
@@ -397,6 +399,9 @@ endif()
 if(SSG_PRODUCT_ANOLIS23)
     add_subdirectory("products/anolis23" "anolis23")
 endif()
+#if(SSG_PRODUCT_BASCONTROL22D4)
+#    add_subdirectory("products/bascontrol22d4" "bascontrol22d4")
+#endif()
 if(SSG_PRODUCT_DEBIAN11)
     add_subdirectory("products/debian11" "debian11")
 endif()

build_product

@@ -333,6 +333,7 @@ all_cmake_products=(
 	ALMALINUX9
 	ANOLIS23
 	ANOLIS8
+        BASCONTROL22D4
 	DEBIAN11
 	DEBIAN12
 	DEBIAN13

products/bascontrol22d4/CMakeLists.txt

@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd bascontrol22d4; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("bascontrol22d4")

products/bascontrol22d4/guide/benchmark.yml

@@ -0,0 +1,54 @@
+---
+documentation_complete: true
+
+title: Guide to the Secure Configuration of {{{ full_name }}}
+
+status: draft
+
+description: |
+    This guide presents a catalog of security-relevant
+    configuration settings for {{{ full_name }}}. It is a rendering of
+    content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
+    in order to support security automation.  The SCAP content is
+    is available in the <tt>scap-security-guide</tt> package which is developed at
+    {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}.
+    <br/><br/>
+    Providing system administrators with such guidance informs them how to securely
+    configure systems under their control in a variety of network roles. Policy
+    makers and baseline creators can use this catalog of settings, with its
+    associated references to higher-level security control catalogs, in order to
+    assist them in security baseline creation. This guide is a <em>catalog, not a
+    checklist</em>, and satisfaction of every item is not likely to be possible or
+    sensible in many operational scenarios. However, the XCCDF format enables
+    granular selection and adjustment of settings, and their association with OVAL
+    and OCIL content provides an automated checking capability. Transformations of
+    this document, and its associated automated checking content, are capable of
+    providing baselines that meet a diverse set of policy objectives. Some example
+    XCCDF <em>Profiles</em>, which are selections of items that form checklists and
+    can be used as baselines, are available with this guide. They can be
+    processed, in an automated fashion, with tools that support the Security
+    Content Automation Protocol (SCAP). The DISA STIG for {{{ full_name }}},
+    which provides required settings for US Department of Defense systems, is
+    one example of a baseline created from this guidance.
+
+notice:
+    id: terms_of_use
+    description: |
+        Do not attempt to implement any of the settings in
+        this guide without first testing them in a non-operational environment. The
+        creators of this guidance assume no responsibility whatsoever for its use by
+        other parties, and makes no guarantees, expressed or implied, about its
+        quality, reliability, or any other characteristic.
+
+front-matter: |
+    # BASCONSTROL22D-$ Benchmark
+    The SCAP Security Guide Project<br/>
+    {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}
+
+rear-matter: |
+    Red Hat and Red Hat Enterprise Linux are either registered
+    trademarks or trademarks of Red Hat, Inc. in the United States and other
+    countries. All other names are registered trademarks or trademarks of their
+    respective companies.
+
+version: 0.9

products/bascontrol22d4/product.yml

@@ -0,0 +1,17 @@
+product: bascontrol22d4
+full_name: Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4
+type: product
+
+benchmark_id: BASCONTROL22D-4
+benchmark_root: "./guide"
+
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+cpes_root: "../../shared/applicability"
+cpes:
+  - bascontrol22d4:
+      name: "cpe:/a:bascontrol22d:4"
+      title: "Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4"
+      check_id: installed_app_is_bascontrol22d4

products/bascontrol22d4/profiles/standard.profile

@@ -0,0 +1,9 @@
+documentation_complete: true
+
+title: 'Standard System Security Profile for Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4'
+
+description: |-
+    This profile contains rules to ensure standard security baseline
+    of a Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4 system.
+
+#selections:

shared/applicability/oval/installed_app_is_bascontrol22d4.xml

@@ -0,0 +1,28 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_app_is_bascontrol22d" version="4">
+    <metadata>
+      <title>Mozilla Firefox</title>
+      <affected family="unix">
+        <product>Mozilla Firefox</product>
+      </affected>
+      <reference ref_id="cpe:/a:bascontrol22d:4"
+      source="CPE" />
+      <description>The application installed on the system is firefox.</description>
+       </metadata>
+    <criteria operator="AND">
+      <extend_definition comment="Installed OS is part of the Unix family"
+      definition_ref="installed_OS_is_part_of_Unix_family" />
+      <criterion comment="Firefox is installed"
+      test_ref="test_bascontroll2d4" />
+    </criteria>
+  </definition>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Firefox is installed via RPM" id="test_bascontroll2d4" version="1">
+    <linux:object object_ref="obj_bascontrol22d" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_bascontrol22d" version="1">
+    <linux:name>firefox</linux:name>
+  </linux:rpminfo_object>
+
+</def-group>

ssg/constants.py

@@ -43,6 +43,7 @@
     'anolis8',
     'anolis23',
     'al2023',
+    'bascontrol22d4',
     'debian11', 'debian12', 'debian13',
     'example',
     'eks',
@@ -213,6 +214,7 @@
     "Anolis OS 8": "anolis8",
     "Anolis OS 23": "anolis23",
     "Amazon Linux 2023": "al2023",
+    "Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4": "bascontrol22d4",
     "Debian 11": "debian11",
     "Debian 12": "debian12",
     "Debian 13": "debian13",
@@ -287,17 +289,15 @@
     )
 )
 
-
-MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
-                       "openeuler", "kylinserver",
-                       "opensuse", "sle", "tencentos", "ol", "ocp", "rhcos",
-                       "example", "eks", "alinux", "anolis", "openembedded", "al",
-                       "slmicro", "almalinux"]
+MULTI_PLATFORM_LIST = ["al", "alinux", "almalinux", "anolis", "bascontrol22d", "debian", "eks",
+                       "example", "fedora", "kylinserver", "ocp", "ol", "openembedded", "openeuler",
+                       "opensuse", "rhcos", "rhel", "rhv", "sle", "slmicro", "tencentos", "ubuntu"]
 
 MULTI_PLATFORM_MAPPING = {
     "multi_platform_alinux": ["alinux2", "alinux3"],
     "multi_platform_almalinux": ["almalinux9"],
     "multi_platform_anolis": ["anolis8", "anolis23"],
+    "multi_platform_bascontrol22d": ["bascontrol22d4"],
     "multi_platform_debian": ["debian11", "debian12", "debian13"],
     "multi_platform_example": ["example"],
     "multi_platform_eks": ["eks"],
@@ -429,6 +429,7 @@
     'kylinserver': 'Kylin Server',
     'rhel': 'Red Hat Enterprise Linux',
     'rhv': 'Red Hat Virtualization',
+    'bascontrol22d': 'Contemporary Controls BAScontrol22D',
     'debian': 'Debian',
     'ubuntu': 'Ubuntu',
     'eap': 'JBoss Enterprise Application Platform',