-+ If the system is not connected to the Internet,
-+ then install the AlmaLinux GPG key from trusted media such as
-+ the AlmaLinux installation CD-ROM or DVD. Assuming the disc is mounted
-+ in /media/cdrom, use the following command as the root user to import
-+ it into the keyring:
-+
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
-+
-+rationale: |-
-+ Changes to software components can have significant effects on the
-+ overall security of the operating system. This requirement ensures
-+ the software has not been tampered with and that it has been provided
-+ by a trusted vendor. The AlmaLinux GPG key is necessary to
-+ cryptographically verify packages are from AlmaLinux.
-+
-+severity: high
-+
-+references:
-+ cis: 1.2.2
-+ disa: CCI-001749
-+ nist: CM-5(3),SI-7,SC-12,SC-12(3),CM-6(a),CM-11(a),CM-11(b)
-+ nist-csf: PR.DS-6,PR.DS-8,PR.IP-1
-+ pcidss: Req-6.2
-+ isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6'
-+ isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4
-+ cobit5: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02
-+ iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
-+ cis-csc: 11,2,3,9
-+
-+ocil_clause: 'the AlmaLinux GPG Key is not installed'
-+
-+ocil: |-
-+ To ensure that the GPG key is installed, run:
-+
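Review bot: The offline-import step in the description imports /media/cdrom/RPM-GPG-KEY with no check of the key itself, and it says "as the root user" while the command shown runs through sudo. Suggest adding a step that compares the key's fingerprint with the product's release_key_fingerprint before `rpm --import`, and choosing either root or sudo so the prose and the command agree.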
+ If the system is not configured to use repos, updates (in the form of RPM packages)
+ can be manually downloaded from the repos and installed using rpm.
- {{% elif product in ["sle12", "sle15"] %}}
+ {{% elif product in ["sle12", "sle15", "slmicro5"] %}}
If the system is configured for online updates, invoking the following command will list available
security updates:
+diff --git a/product_properties/10-grub.yml b/product_properties/10-grub.yml
+index 436c6b492..3d4927544 100644
+--- a/product_properties/10-grub.yml
++++ b/product_properties/10-grub.yml
+@@ -6,7 +6,7 @@ default:
+
+ overrides:
+ {{% if "rhel-like" in families and major_version_ordinal <= 8 %}}
+- grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
++ grub2_uefi_boot_path: "/boot/efi/EFI/almalinux"
+ {{% endif %}}
+ {{% if "suse" in families %}}
+ grub_helper_executable: "grub2-mkconfig"
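Review bot: The override of grub2_uefi_boot_path sits under the condition `"rhel-like" in families and major_version_ordinal <= 8`, so "/boot/efi/EFI/almalinux" now applies to every rhel-like product at version 8 or below, not only to AlmaLinux. Suggest a branch keyed on the AlmaLinux product that leaves "/boot/efi/EFI/redhat" in place for the other rhel-like products, since a wrong path makes the grub2 UEFI file checks look at a directory that does not exist.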
diff --git a/products/almalinux10/CMakeLists.txt b/products/almalinux10/CMakeLists.txt
new file mode 100644
index 000000000..1284434a2
@@ -6728,13 +4813,13 @@ index 000000000..1284434a2
+endif()
diff --git a/products/almalinux10/overlays/srg_support.xml b/products/almalinux10/overlays/srg_support.xml
new file mode 100644
-index 000000000..ead1127fe
+index 000000000..6e0a0ab8c
--- /dev/null
+++ b/products/almalinux10/overlays/srg_support.xml
@@ -0,0 +1,173 @@
+
+Documentation to Support DISA OS SRG Mapping
-+These groups exist to document how the AlmaLinux
++These groups exist to document how the AlmaLinux OS
+product meets (or does not meet) requirements listed in the DISA OS SRG, for
+those cases where Groups or Rules elsewhere in scap-security-guide do
+not clearly relate.
@@ -6747,9 +4832,9 @@ index 000000000..ead1127fe
+
+Product Meets this Requirement
+
-+AlmaLinux meets this requirement through design and implementation.
++AlmaLinux OS meets this requirement through design and implementation.
+
-+AlmaLinux 10 supports this requirement and cannot be configured to be out of
++AlmaLinux OS 10 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+
+
@@ -6767,10 +4852,10 @@ index 000000000..ead1127fe
+
+Product Meets this Requirement
+
-+The AlmaLinux audit system meets this requirement through design and implementation.
++The AlmaLinux OS audit system meets this requirement through design and implementation.
+
-+The AlmaLinux 10 auditing system supports this requirement and cannot be configured to be out of
-+compliance. Every audit record in AlmaLinux includes a timestamp, the operation attempted,
++The AlmaLinux OS 10 auditing system supports this requirement and cannot be configured to be out of
++compliance. Every audit record in AlmaLinux OS includes a timestamp, the operation attempted,
+success or failure of the operation, the subject involved (executable/process),
+the object involved (file/path), and security labels for the subject and object.
+It also includes the ability to label events with custom key labels. The auditing system
@@ -6794,9 +4879,9 @@ index 000000000..ead1127fe
+
+Product Meets this Requirement
+
-+AlmaLinux meets this requirement through design and implementation.
++AlmaLinux OS meets this requirement through design and implementation.
+
-+AlmaLinux 10 supports this requirement and cannot be configured to be out of
++AlmaLinux OS 10 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+
+
@@ -6825,7 +4910,7 @@ index 000000000..ead1127fe
+The requirement is impractical or out of scope.
+
+
-+AlmaLinux 10 cannot support this requirement without assistance from an external
++AlmaLinux OS 10 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+
+
@@ -6844,7 +4929,7 @@ index 000000000..ead1127fe
+
+Implementation of the Requirement is Not Supported
+
-+AlmaLinux 10 does not support this requirement.
++AlmaLinux OS 10 does not support this requirement.
+
+
+This is a permanent finding.
@@ -6870,7 +4955,7 @@ index 000000000..ead1127fe
+The requirement is impractical or out of scope.
+
+
-+AlmaLinux 10 cannot support this requirement without assistance from an external
++AlmaLinux OS 10 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+
+
@@ -6907,12 +4992,12 @@ index 000000000..ead1127fe
+
diff --git a/products/almalinux10/product.yml b/products/almalinux10/product.yml
new file mode 100644
-index 000000000..3f685127c
+index 000000000..4e5104f67
--- /dev/null
+++ b/products/almalinux10/product.yml
-@@ -0,0 +1,54 @@
+@@ -0,0 +1,52 @@
+product: almalinux10
-+full_name: AlmaLinux 10
++full_name: AlmaLinux OS 10
+type: platform
+
+families:
@@ -6933,11 +5018,8 @@ index 000000000..3f685127c
+
+# EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
+
-+groups:
-+ dedicated_ssh_keyowner:
-+ name: ssh_keys
-+
+sshd_distributed_config: "true"
++bootable_containers_supported: "true"
+
+dconf_gdm_dir: "distro.d"
+
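Review bot: The removal of `groups: dedicated_ssh_keyowner: name: ssh_keys` carries no comment, unlike the neighbouring settings. If AlmaLinux OS 10 no longer has a dedicated ssh_keys group, say so in a comment next to sshd_distributed_config, because this value decides which group owner the SSH host key checks will accept.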
@@ -6948,12 +5030,13 @@ index 000000000..3f685127c
+pkg_version: "c2a1e572"
+
+release_key_fingerprint: "EE6DB7B98F5BF5EDD9DA0DE5DEE5C11CC2A1E572"
++oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-10.xml.bz2"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - almalinux10:
+ name: "cpe:/o:almalinux:almalinux:10"
-+ title: "AlmaLinux 10"
++ title: "AlmaLinux OS 10"
+ check_id: installed_OS_is_almalinux10
+
+# Mapping of CPE platform to package
@@ -6967,10 +5050,10 @@ index 000000000..3f685127c
+journald_conf_dir_path: /etc/systemd/journald.conf.d
diff --git a/products/almalinux10/profiles/anssi_bp28_enhanced.profile b/products/almalinux10/profiles/anssi_bp28_enhanced.profile
new file mode 100644
-index 000000000..54c7ada58
+index 000000000..c77fab679
--- /dev/null
+++ b/products/almalinux10/profiles/anssi_bp28_enhanced.profile
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,80 @@
+documentation_complete: true
+
+metadata:
@@ -6978,7 +5061,7 @@ index 000000000..54c7ada58
+ - marcusburghardt
+ - vojtapolasek
+
-+title: 'DRAFT - ANSSI-BP-028 (enhanced)'
++title: 'ANSSI-BP-028 (enhanced)'
+
+description: |-
+ This is a draft profile for experimental purposes.
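Review bot: The title loses its 'DRAFT - ' prefix while the first line of the description still reads "This is a draft profile for experimental purposes." Suggest changing both together so the title and description state the same status; the same mismatch appears in the other profiles whose titles are changed in this patch.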
@@ -6995,32 +5078,32 @@ index 000000000..54c7ada58
+
+selections:
+ - anssi:all:enhanced
-+ # Following rules are incompatible with the rhel10 product
-+ - '!partition_for_opt'
++ # Following rules are incompatible with rhel10 product
++ # tally2 is deprecated, replaced by faillock
+ - '!accounts_passwords_pam_tally2_deny_root'
-+ - '!install_PAE_kernel_on_x86-32'
-+ - '!partition_for_boot'
-+ - '!sudo_add_ignore_dot'
-+ - '!audit_rules_privileged_commands_rmmod'
-+ - '!audit_rules_privileged_commands_modprobe'
-+ - '!package_dracut-fips-aesni_installed'
-+ - '!cracklib_accounts_password_pam_lcredit'
-+ - '!partition_for_usr'
-+ - '!cracklib_accounts_password_pam_ocredit'
-+ - '!enable_pam_namespace'
-+ - '!audit_rules_privileged_commands_insmod'
-+ - '!service_chronyd_or_ntpd_enabled'
-+ - '!chronyd_configure_pool_and_server'
+ - '!accounts_passwords_pam_tally2'
-+ - '!cracklib_accounts_password_pam_ucredit'
+ - '!accounts_passwords_pam_tally2_unlock_time'
-+ - '!sudo_add_umask'
-+ - '!sudo_add_env_reset'
++ # RHEL 10 does not support 32 bit architecture
++ - '!install_PAE_kernel_on_x86-32'
++ # the package does not exist in RHEL 10
++ - '!package_dracut-fips-aesni_installed'
++ # pam_cracklib is not used in RHEL 10
++ - '!cracklib_accounts_password_pam_lcredit'
++ - '!cracklib_accounts_password_pam_ocredit'
++ - '!cracklib_accounts_password_pam_ucredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_dcredit'
++ # umask is configured at a different place in RHEL 10
++ - '!sudo_add_umask'
++ # Non-Red Hat keys are irrelevant on RHEL 10
+ - '!ensure_oracle_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
++ # this rule is not automated anymore
+ - '!security_patches_up_to_date'
-+ # RHEL10 unified the paths for grub2 files. These rules are selected in control file by R29.
++ # There is only chrony package on RHEL 10, no ntpd
++ - '!service_chronyd_or_ntpd_enabled'
++ - 'service_chronyd_enabled'
++ # RHEL 10 unified the paths for grub2 files. These rules are selected in control file by R29.
+ - '!file_groupowner_efi_grub2_cfg'
+ - '!file_owner_efi_grub2_cfg'
+ - '!file_permissions_efi_grub2_cfg'
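Review bot: The comment "Non-Red Hat keys are irrelevant on RHEL 10" now sits directly above the newly selected ensure_almalinux_gpgkey_installed, which reads as a contradiction in an almalinux10 profile. Suggest rewording the comments for AlmaLinux OS 10 and moving the selection under its own comment. The rewrite also drops exclusions with no explanation (`!partition_for_opt`, `!partition_for_boot`, `!partition_for_usr`, `!sudo_add_ignore_dot`, `!sudo_add_env_reset`, `!enable_pam_namespace`, the three audit_rules_privileged_commands_* entries and `!chronyd_configure_pool_and_server`), so those rules become selected; confirm that is intended.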
@@ -7033,12 +5116,30 @@ index 000000000..54c7ada58
+ - '!grub2_enable_apparmor'
+ - '!package_apparmor_installed'
+ - '!package_pam_apparmor_installed'
++ # these packages do not exist in rhel10 (R62)
++ - '!package_dhcp_removed'
++ - '!package_rsh_removed'
++ - '!package_rsh-server_removed'
++ - '!package_sendmail_removed'
++ - '!package_talk_removed'
++ - '!package_talk-server_removed'
++ - '!package_xinetd_removed'
++ - '!package_ypbind_removed'
++ - '!package_ypserv_removed'
++ # these rules are failing when they are remediated with Ansible, removing them temporarily until they are fixed
++ - '!accounts_password_pam_retry'
++ # These rules are being modified and they are causing trouble in their current state (R67)
++ - '!sssd_enable_pam_services'
++ - '!sssd_ldap_configure_tls_reqcert'
++ - '!sssd_ldap_start_tls'
++ # These rules are no longer relevant
++ - '!prefer_64bit_os'
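Review bot: The exclusions marked "removing them temporarily until they are fixed" and "causing trouble in their current state (R67)" have no issue reference, so nothing tells a later reader when `!accounts_password_pam_retry` and the three sssd_* rules can be selected again. Suggest linking a tracking issue in each comment, as the e8 profile does for rpm_verify_permissions.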
diff --git a/products/almalinux10/profiles/anssi_bp28_high.profile b/products/almalinux10/profiles/anssi_bp28_high.profile
new file mode 100644
-index 000000000..734084764
+index 000000000..a261f345b
--- /dev/null
+++ b/products/almalinux10/profiles/anssi_bp28_high.profile
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,92 @@
+documentation_complete: true
+
+metadata:
@@ -7046,7 +5147,7 @@ index 000000000..734084764
+ - marcusburghardt
+ - vojtapolasek
+
-+title: 'DRAFT - ANSSI-BP-028 (high)'
++title: 'ANSSI-BP-028 (high)'
+
+description: |-
+ This is a draft profile for experimental purposes.
@@ -7065,44 +5166,78 @@ index 000000000..734084764
+ - anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'
-+ # Thuse rules are incompatible rhel10 product
-+ - '!partition_for_opt'
++ # Following rules are incompatible with rhel10 product
++ # tally2 is deprecated, replaced by faillock
+ - '!accounts_passwords_pam_tally2_deny_root'
-+ - '!install_PAE_kernel_on_x86-32'
-+ - '!partition_for_boot'
-+ - '!aide_periodic_checking_systemd_timer'
-+ - '!sudo_add_ignore_dot'
-+ - '!audit_rules_privileged_commands_rmmod'
-+ - '!audit_rules_privileged_commands_modprobe'
-+ - '!package_dracut-fips-aesni_installed'
-+ - '!cracklib_accounts_password_pam_lcredit'
-+ - '!partition_for_usr'
-+ - '!cracklib_accounts_password_pam_ocredit'
-+ - '!enable_pam_namespace'
-+ - '!audit_rules_privileged_commands_insmod'
-+ - '!service_chronyd_or_ntpd_enabled'
-+ - '!chronyd_configure_pool_and_server'
+ - '!accounts_passwords_pam_tally2'
-+ - '!cracklib_accounts_password_pam_ucredit'
+ - '!accounts_passwords_pam_tally2_unlock_time'
-+ - '!sudo_add_umask'
-+ - '!sudo_add_env_reset'
++ # RHEL 10 does not support 32 bit architecture
++ - '!install_PAE_kernel_on_x86-32'
++ # this timer does not exist in RHEL 10
++ - '!aide_periodic_checking_systemd_timer'
++ # the package does not exist in RHEL 10
++ - '!package_dracut-fips-aesni_installed'
++ # pam_cracklib is not used in RHEL 10
++ - '!cracklib_accounts_password_pam_lcredit'
++ - '!cracklib_accounts_password_pam_ocredit'
++ - '!cracklib_accounts_password_pam_ucredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_dcredit'
++ # umask is configured at a different place in RHEL 10
++ - '!sudo_add_umask'
++ # Non-Red Hat keys are irrelevant on RHEL 10
+ - '!ensure_oracle_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
++ # this rule is not automated anymore
+ - '!security_patches_up_to_date'
++ # There is only chrony package on RHEL 10, no ntpd
++ - '!service_chronyd_or_ntpd_enabled'
++ - 'service_chronyd_enabled'
++ # RHEL 10 unified the paths for grub2 files. These rules are selected in control file by R29.
++ - '!file_groupowner_efi_grub2_cfg'
++ - '!file_owner_efi_grub2_cfg'
++ - '!file_permissions_efi_grub2_cfg'
++ - '!file_groupowner_efi_user_cfg'
++ - '!file_owner_efi_user_cfg'
++ - '!file_permissions_efi_user_cfg'
+ # disable R45: Enable AppArmor security profiles
+ - '!apparmor_configured'
+ - '!all_apparmor_profiles_enforced'
+ - '!grub2_enable_apparmor'
+ - '!package_apparmor_installed'
+ - '!package_pam_apparmor_installed'
++ # these packages do not exist in rhel10 (R62)
++ - '!package_dhcp_removed'
++ - '!package_rsh_removed'
++ - '!package_rsh-server_removed'
++ - '!package_sendmail_removed'
++ - '!package_talk_removed'
++ - '!package_talk-server_removed'
++ - '!package_xinetd_removed'
++ - '!package_ypbind_removed'
++ - '!package_ypserv_removed'
++ # these rules are failing when they are remediated with Ansible, removing them temporarily until they are fixed
++ - '!accounts_password_pam_retry'
++ # These rules are being modified and they are causing trouble in their current state (R67)
++ - '!sssd_enable_pam_services'
++ - '!sssd_ldap_configure_tls_reqcert'
++ - '!sssd_ldap_start_tls'
++ # These rules are no longer relevant
++ - '!prefer_64bit_os'
++ - '!kernel_config_devkmem'
++ - '!kernel_config_hardened_usercopy_fallback'
++ - '!kernel_config_page_poisoning_no_sanity'
++ - '!kernel_config_page_poisoning_zero'
++ - '!kernel_config_page_table_isolation'
++ - '!kernel_config_refcount_full'
++ - '!kernel_config_retpoline'
++ - '!kernel_config_security_writable_hooks'
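Review bot: The last group, under "These rules are no longer relevant", excludes eight kernel_config_* checks, among them kernel_config_page_table_isolation and kernel_config_retpoline, with one shared comment and no reason per rule. Since this is the high profile, suggest stating for each rule why it no longer applies (option removed from the kernel, always on, or replaced by another rule) so the exclusions can be audited.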
diff --git a/products/almalinux10/profiles/anssi_bp28_intermediary.profile b/products/almalinux10/profiles/anssi_bp28_intermediary.profile
new file mode 100644
-index 000000000..168327269
+index 000000000..e4c0731ba
--- /dev/null
+++ b/products/almalinux10/profiles/anssi_bp28_intermediary.profile
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,58 @@
+documentation_complete: true
+
+metadata:
@@ -7110,7 +5245,7 @@ index 000000000..168327269
+ - marcusburghardt
+ - vojtapolasek
+
-+title: 'DRAFT - ANSSI-BP-028 (intermediary)'
++title: 'ANSSI-BP-028 (intermediary)'
+
+description: |-
+ This is a draft profile for experimental purposes.
@@ -7126,31 +5261,47 @@ index 000000000..168327269
+ https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
+
+selections:
-+ - anssi:all:intermediary
-+ # Following rules are incompatible with the rhel10 product
-+ - '!partition_for_opt'
-+ - '!cracklib_accounts_password_pam_minlen'
-+ - '!accounts_passwords_pam_tally2_deny_root'
-+ - '!accounts_passwords_pam_tally2'
-+ - '!cracklib_accounts_password_pam_ucredit'
-+ - '!cracklib_accounts_password_pam_dcredit'
-+ - '!cracklib_accounts_password_pam_lcredit'
-+ - '!partition_for_usr'
-+ - '!partition_for_boot'
-+ - '!cracklib_accounts_password_pam_ocredit'
-+ - '!enable_pam_namespace'
-+ - '!accounts_passwords_pam_tally2_unlock_time'
-+ - '!sudo_add_umask'
-+ - '!sudo_add_ignore_dot'
-+ - '!sudo_add_env_reset'
-+ - '!ensure_oracle_gpgkey_installed'
-+ - '!security_patches_up_to_date'
++ - anssi:all:intermediary
++ # Following rules are incompatible with rhel10 product
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ # pam_cracklib is not used in RHEL 10
++ - '!cracklib_accounts_password_pam_minlen'
++ - '!cracklib_accounts_password_pam_ucredit'
++ - '!cracklib_accounts_password_pam_dcredit'
++ - '!cracklib_accounts_password_pam_lcredit'
++ - '!cracklib_accounts_password_pam_ocredit'
++ # umask is configured at a different place in RHEL 10
++ - '!sudo_add_umask'
++ # Non-Red Hat keys are irrelevant on RHEL 10
++ - '!ensure_oracle_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
++ # this rule is not automated anymore
++ - '!security_patches_up_to_date'
++ # these packages do not exist in rhel10 (R62)
++ - '!package_dhcp_removed'
++ - '!package_rsh_removed'
++ - '!package_rsh-server_removed'
++ - '!package_sendmail_removed'
++ - '!package_talk_removed'
++ - '!package_talk-server_removed'
++ - '!package_xinetd_removed'
++ - '!package_ypbind_removed'
++ - '!package_ypserv_removed'
++ # these rules are failing when they are remediated with Ansible, removing them temporarily until they are fixed
++ - '!accounts_password_pam_retry'
++ # These rules are being modified and they are causing trouble in their current state (R67)
++ - '!sssd_enable_pam_services'
++ - '!sssd_ldap_configure_tls_reqcert'
++ - '!sssd_ldap_start_tls'
diff --git a/products/almalinux10/profiles/anssi_bp28_minimal.profile b/products/almalinux10/profiles/anssi_bp28_minimal.profile
new file mode 100644
-index 000000000..90409f3a1
+index 000000000..0a185e8de
--- /dev/null
+++ b/products/almalinux10/profiles/anssi_bp28_minimal.profile
-@@ -0,0 +1,35 @@
+@@ -0,0 +1,52 @@
+documentation_complete: true
+
+metadata:
@@ -7158,7 +5309,7 @@ index 000000000..90409f3a1
+ - marcusburghardt
+ - vojtapolasek
+
-+title: 'DRAFT - ANSSI-BP-028 (minimal)'
++title: 'ANSSI-BP-028 (minimal)'
+
+description: |-
+ This is a draft profile for experimental purposes.
@@ -7174,21 +5325,38 @@ index 000000000..90409f3a1
+ https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
+
+selections:
-+ - anssi:all:minimal
-+ # Following are incompatible with the rhel9 product
-+ - '!cracklib_accounts_password_pam_minlen'
-+ - '!accounts_passwords_pam_tally2_deny_root'
-+ - '!accounts_passwords_pam_tally2'
-+ - '!cracklib_accounts_password_pam_ucredit'
-+ - '!cracklib_accounts_password_pam_dcredit'
-+ - '!cracklib_accounts_password_pam_lcredit'
-+ - '!cracklib_accounts_password_pam_ocredit'
-+ - '!accounts_passwords_pam_tally2_unlock_time'
-+ - '!ensure_oracle_gpgkey_installed'
-+ - '!security_patches_up_to_date'
++ - anssi:all:minimal
++ # Following rules are incompatible with rhel10 product
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ # pam_cracklib is not used in RHEL 10
++ - '!cracklib_accounts_password_pam_minlen'
++ - '!cracklib_accounts_password_pam_ucredit'
++ - '!cracklib_accounts_password_pam_dcredit'
++ - '!cracklib_accounts_password_pam_lcredit'
++ - '!cracklib_accounts_password_pam_ocredit'
++ # Non-Red Hat keys are irrelevant on RHEL 10
++ - '!ensure_oracle_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
++ # this rule is not automated anymore
++ - '!security_patches_up_to_date'
++ # these packages do not exist in rhel10 (R62)
++ - '!package_dhcp_removed'
++ - '!package_rsh_removed'
++ - '!package_rsh-server_removed'
++ - '!package_sendmail_removed'
++ - '!package_talk_removed'
++ - '!package_talk-server_removed'
++ - '!package_xinetd_removed'
++ - '!package_ypbind_removed'
++ - '!package_ypserv_removed'
++ # these rules are failing when they are remediated with Ansible, removing then temporarily until they are fixed
++ - '!accounts_password_pam_retry'
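Review bot: The last added comment has a typo, "removing then temporarily"; the other three ANSSI profiles have "removing them temporarily". The comments also still describe the product as rhel10 and RHEL 10 in an almalinux10 profile, which is worth aligning while the block is being rewritten.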
diff --git a/products/almalinux10/profiles/cis.profile b/products/almalinux10/profiles/cis.profile
new file mode 100644
-index 000000000..e57b9c5a0
+index 000000000..32ccfff1f
--- /dev/null
+++ b/products/almalinux10/profiles/cis.profile
@@ -0,0 +1,17 @@
@@ -7204,14 +5372,14 @@ index 000000000..e57b9c5a0
+
+description: |-
+ This is a draft profile for experimental purposes.
-+ It is based on the CIS AlmaLinux 9 profile, because an equivalent policy for AlmaLinux 10 didn't yet
++ It is based on the CIS AlmaLinux OS 9 profile, because an equivalent policy for AlmaLinux OS 10 didn't yet
+ exist at time of the release.
+
+selections:
+ - cis_rhel10:all:l2_server
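Review bot: The description says the profile "is based on the CIS AlmaLinux OS 9 profile", but the selection below it is `cis_rhel10:all:l2_server`. Suggest naming the control file actually used in the description; the same wording is repeated in cis_server_l1, cis_workstation_l1 and cis_workstation_l2.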
diff --git a/products/almalinux10/profiles/cis_server_l1.profile b/products/almalinux10/profiles/cis_server_l1.profile
new file mode 100644
-index 000000000..9385f5423
+index 000000000..d43ea6ea1
--- /dev/null
+++ b/products/almalinux10/profiles/cis_server_l1.profile
@@ -0,0 +1,17 @@
@@ -7227,14 +5395,14 @@ index 000000000..9385f5423
+
+description: |-
+ This is a draft profile for experimental purposes.
-+ It is based on the CIS AlmaLinux 9 profile, because an equivalent policy for AlmaLinux 10 didn't yet
++ It is based on the CIS AlmaLinux OS 9 profile, because an equivalent policy for AlmaLinux OS 10 didn't yet
+ exist at time of the release.
+
+selections:
+ - cis_rhel10:all:l1_server
diff --git a/products/almalinux10/profiles/cis_workstation_l1.profile b/products/almalinux10/profiles/cis_workstation_l1.profile
new file mode 100644
-index 000000000..ab27160ef
+index 000000000..27096ea00
--- /dev/null
+++ b/products/almalinux10/profiles/cis_workstation_l1.profile
@@ -0,0 +1,17 @@
@@ -7250,14 +5418,14 @@ index 000000000..ab27160ef
+
+description: |-
+ This is a draft profile for experimental purposes.
-+ It is based on the CIS AlmaLinux 9 profile, because an equivalent policy for AlmaLinux 10 didn't yet
++ It is based on the CIS AlmaLinux OS 9 profile, because an equivalent policy for AlmaLinux OS 10 didn't yet
+ exist at time of the release.
+
+selections:
+ - cis_rhel10:all:l1_workstation
diff --git a/products/almalinux10/profiles/cis_workstation_l2.profile b/products/almalinux10/profiles/cis_workstation_l2.profile
new file mode 100644
-index 000000000..99c4aca70
+index 000000000..7d905f749
--- /dev/null
+++ b/products/almalinux10/profiles/cis_workstation_l2.profile
@@ -0,0 +1,17 @@
@@ -7273,17 +5441,17 @@ index 000000000..99c4aca70
+
+description: |-
+ This is a draft profile for experimental purposes.
-+ It is based on the CIS AlmaLinux 9 profile, because an equivalent policy for AlmaLinux 10 didn't yet
++ It is based on the CIS AlmaLinux OS 9 profile, because an equivalent policy for AlmaLinux OS 10 didn't yet
+ exist at time of the release.
+
+selections:
+ - cis_rhel10:all:l2_workstation
diff --git a/products/almalinux10/profiles/e8.profile b/products/almalinux10/profiles/e8.profile
new file mode 100644
-index 000000000..a94b5f969
+index 000000000..f105bb27a
--- /dev/null
+++ b/products/almalinux10/profiles/e8.profile
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,40 @@
+documentation_complete: true
+
+metadata:
@@ -7293,12 +5461,12 @@ index 000000000..a94b5f969
+
+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
-+title: 'DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight'
++title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
+
+description: |-
+ This is a draft profile for experimental purposes.
+
-+ This draft profile contains configuration checks for AlmaLinux 10
++ This draft profile contains configuration checks for AlmaLinux OS 10
+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
+
+ A copy of the Essential Eight in Linux Environments guide can be found at the
@@ -7308,33 +5476,28 @@ index 000000000..a94b5f969
+
+selections:
+ - e8:all
-+ # audit-audispd-plugins package does not exist in RHEL 10 (based on RHEL 9)
-+ # use only package_audispd-plugins_installed
-+ - '!package_audit-audispd-plugins_installed'
++ # nosha1 crypto policy does not exist in RHEL 10
++ - var_system_crypto_policy=default_policy
+ # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
+ # https://github.com/ComplianceAsCode/content/issues/11285
+ - '!rpm_verify_permissions'
++ - '!rpm_verify_ownership'
++ # these packages do not exist in RHEL 10
+ - '!package_talk_removed'
+ - '!package_talk-server_removed'
+ - '!package_ypbind_removed'
-+ - '!package_audit-audispd-plugins_installed'
-+ - '!set_ipv6_loopback_traffic'
-+ - '!set_loopback_traffic'
-+ - '!service_ntpd_enabled'
+ - '!package_ypserv_removed'
-+ - '!package_ypbind_removed'
-+ - '!package_talk_removed'
-+ - '!package_talk-server_removed'
-+ - '!package_xinetd_removed'
+ - '!package_rsh_removed'
+ - '!package_rsh-server_removed'
+ - '!security_patches_up_to_date'
++ # this rule fails after being remediated through Ansible
++ - '!audit_rules_usergroup_modification'
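Review bot: The new `!rpm_verify_ownership` exclusion is placed under the comment and issue link that cover only rpm_verify_permissions, so it has no stated reason of its own. Suggest extending the comment to name both rules or giving rpm_verify_ownership its own justification, and adding an issue reference for `!audit_rules_usergroup_modification`, which is excluded because it "fails after being remediated through Ansible".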
diff --git a/products/almalinux10/profiles/hipaa.profile b/products/almalinux10/profiles/hipaa.profile
new file mode 100644
-index 000000000..490b2f5ab
+index 000000000..7eb6475a9
--- /dev/null
+++ b/products/almalinux10/profiles/hipaa.profile
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,58 @@
+documentation_complete: true
+
+metadata:
@@ -7343,19 +5506,19 @@ index 000000000..490b2f5ab
+
+reference: https://www.hhs.gov/hipaa/for-professionals/index.html
+
-+title: 'DRAFT - Health Insurance Portability and Accountability Act (HIPAA)'
++title: 'Health Insurance Portability and Accountability Act (HIPAA)'
+
+description: |-
+ This is a draft profile for experimental purposes.
+
-+ The HIPAA Security Rule establishes U.S. national standards to protect individuals’
++ The HIPAA Security Rule establishes U.S. national standards to protect individuals's
+ electronic personal health information that is created, received, used, or
+ maintained by a covered entity. The Security Rule requires appropriate
+ administrative, physical and technical safeguards to ensure the
+ confidentiality, integrity, and security of electronic protected health
+ information.
+
-+ This draft profile configures AlmaLinux 10 to the HIPAA Security
++ This draft profile configures AlmaLinux OS 10 to the HIPAA Security
+ Rule identified for securing of electronic protected health information.
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
+
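Review bot: The description line is changed from "individuals’" to "individuals's", which is not a valid possessive. If the aim was to replace the typographic apostrophe with ASCII, the result should be "individuals'".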
@@ -7365,10 +5528,14 @@ index 000000000..490b2f5ab
+ - '!coreos_audit_option'
+ - '!coreos_nousb_kernel_argument'
+ - '!coreos_enable_selinux_kernel_argument'
++ - '!dconf_gnome_remote_access_credential_prompt'
++ - '!dconf_gnome_remote_access_encryption'
+ - '!ensure_suse_gpgkey_installed'
+ - '!ensure_fedora_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
+ - '!grub2_uefi_admin_username'
+ - '!grub2_uefi_pass'
++ - '!service_ypbind_disabled'
+ - '!service_zebra_disabled'
+ - '!package_talk-server_removed'
+ - '!package_talk_removed'
@@ -7376,17 +5543,25 @@ index 000000000..490b2f5ab
+ - '!sshd_use_approved_ciphers'
+ - '!accounts_passwords_pam_tally2'
+ - '!package_audit-audispd-plugins_installed'
++ - '!auditd_audispd_syslog_plugin_activated'
+ - '!package_ypserv_removed'
+ - '!package_ypbind_removed'
+ - '!package_xinetd_removed'
+ - '!package_rsh_removed'
+ - '!package_rsh-server_removed'
++ - '!package_tcp_wrappers_removed'
++ - '!package_ypbind_removed'
++ - '!package_xinetd_removed'
++ - '!service_xinetd_disabled'
++ - '!sshd_allow_only_protocol2'
++ - '!sshd_disable_kerb_auth'
++ - '!sshd_disable_gssapi_auth'
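Review bot: The added lines `!package_ypbind_removed` and `!package_xinetd_removed` repeat entries already present a few lines above in the same list. Suggest dropping the duplicates, and adding a comment for `!sshd_disable_kerb_auth` and `!sshd_disable_gssapi_auth`, since nothing in the hunk says why these two SSH authentication checks are excluded.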
diff --git a/products/almalinux10/profiles/ism_o.profile b/products/almalinux10/profiles/ism_o.profile
new file mode 100644
-index 000000000..9054adfeb
+index 000000000..08ce8dca1
--- /dev/null
+++ b/products/almalinux10/profiles/ism_o.profile
-@@ -0,0 +1,30 @@
+@@ -0,0 +1,49 @@
+documentation_complete: true
+
+metadata:
@@ -7399,14 +5574,14 @@ index 000000000..9054adfeb
+
+reference: https://www.cyber.gov.au/ism
+
-+title: 'DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Base'
++title: 'Australian Cyber Security Centre (ACSC) ISM Official - Base'
+
+description: |-
-+ This draft profile contains configuration checks for AlmaLinux 10
++ This draft profile contains configuration checks for AlmaLinux OS 10
+ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).
+
+ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
-+ AlmaLinux security controls with the ISM, which can be used to select controls
++ AlmaLinux OS security controls with the ISM, which can be used to select controls
+ specific to an organisation's security posture and risk profile.
+
+ A copy of the ISM can be found at the ACSC website:
@@ -7417,12 +5592,31 @@ index 000000000..9054adfeb
+
+selections:
+ - ism_o:all:base
++ # these rules do not work properly on RHEL 10 for now
++ - '!enable_dracut_fips_module'
++ - '!firewalld_sshd_port_enabled'
++ - '!require_singleuser_auth'
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ - '!audit_rules_login_events_tallylog'
++ # lastlog is not used in RHEL 10
++ - '!audit_rules_login_events_lastlog'
++ # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
++ - '!rpm_verify_hashes'
++ # this rule should not be needed anymore on RHEL 10, but investigation is recommended
++ - '!openssl_use_strong_entropy'
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
++ # This rule is not applicable for RHEL 10
++ - '!force_opensc_card_drivers'
++ - '!service_chronyd_or_ntpd_enabled'
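Review bot: `!enable_dracut_fips_module` is excluded twice in this list, once under "these rules do not work properly on RHEL 10 for now" and again under "Currently not working RHEL 10". Suggest keeping a single entry. Also, `!service_chronyd_or_ntpd_enabled` falls under the force_opensc_card_drivers comment and is excluded without selecting service_chronyd_enabled in its place, which the ANSSI profiles in this patch do.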
diff --git a/products/almalinux10/profiles/ism_o_secret.profile b/products/almalinux10/profiles/ism_o_secret.profile
new file mode 100644
-index 000000000..b95f4826f
+index 000000000..7e6c51815
--- /dev/null
+++ b/products/almalinux10/profiles/ism_o_secret.profile
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,51 @@
+documentation_complete: true
+
+metadata:
@@ -7435,16 +5629,16 @@ index 000000000..b95f4826f
+
+reference: https://www.cyber.gov.au/ism
+
-+title: 'DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Secret'
++title: 'Australian Cyber Security Centre (ACSC) ISM Official - Secret'
+
+description: |-
+ This is a draft profile for experimental purposes.
+
-+ This draft profile contains configuration checks for AlmaLinux 10
++ This draft profile contains configuration checks for AlmaLinux OS 10
+ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).
+
+ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
-+ AlmaLinux security controls with the ISM, which can be used to select controls
++ AlmaLinux OS security controls with the ISM, which can be used to select controls
+ specific to an organisation's security posture and risk profile.
+
+ A copy of the ISM can be found at the ACSC website:
@@ -7455,12 +5649,31 @@ index 000000000..b95f4826f
+
+selections:
+ - ism_o:all:secret
++ # these rules do not work properly on RHEL 10 for now
++ - '!enable_dracut_fips_module'
++ - '!firewalld_sshd_port_enabled'
++ - '!require_singleuser_auth'
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ - '!audit_rules_login_events_tallylog'
++ # lastlog is not used in RHEL 10
++ - '!audit_rules_login_events_lastlog'
++ # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
++ - '!rpm_verify_hashes'
++ # this rule should not be needed anymore on RHEL 10, but investigation is recommended
++ - '!openssl_use_strong_entropy'
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
++ # This rule is not applicable for RHEL 10
++ - '!force_opensc_card_drivers'
++ - '!service_chronyd_or_ntpd_enabled'
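Review bot: '!enable_dracut_fips_module' is listed twice in the added selections, once under "these rules do not work properly on RHEL 10 for now" and again under "Currently not working RHEL 10, changes are being made to FIPS mode". Keep one entry with the more specific comment. The comments also refer to RHEL 10 throughout although this file lives under products/almalinux10; say whether each exclusion was checked on AlmaLinux OS 10 or simply carried over.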
diff --git a/products/almalinux10/profiles/ism_o_top_secret.profile b/products/almalinux10/profiles/ism_o_top_secret.profile
new file mode 100644
-index 000000000..a9e2ace05
+index 000000000..b53f3754b
--- /dev/null
+++ b/products/almalinux10/profiles/ism_o_top_secret.profile
-@@ -0,0 +1,30 @@
+@@ -0,0 +1,49 @@
+documentation_complete: true
+
+metadata:
@@ -7473,14 +5686,14 @@ index 000000000..a9e2ace05
+
+reference: https://www.cyber.gov.au/ism
+
-+title: 'DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Top Secret'
++title: 'Australian Cyber Security Centre (ACSC) ISM Official - Top Secret'
+
+description: |-
-+ This draft profile contains configuration checks for AlmaLinux 10
++ This draft profile contains configuration checks for AlmaLinux OS 10
+ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).
+
+ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
-+ AlmaLinux security controls with the ISM, which can be used to select controls
++ AlmaLinux OS security controls with the ISM, which can be used to select controls
+ specific to an organisation's security posture and risk profile.
+
+ A copy of the ISM can be found at the ACSC website:
@@ -7491,13 +5704,33 @@ index 000000000..a9e2ace05
+
+selections:
+ - ism_o:all:top_secret
++ # these rules do not work properly on RHEL 10 for now
++ - '!enable_dracut_fips_module'
++ - '!firewalld_sshd_port_enabled'
++ - '!require_singleuser_auth'
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ - '!audit_rules_login_events_tallylog'
++ # lastlog is not used in RHEL 10
++ - '!audit_rules_login_events_lastlog'
++ # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
++ - '!rpm_verify_hashes'
++ # this rule should not be needed anymore on RHEL 10, but investigation is recommended
++ - '!openssl_use_strong_entropy'
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
++ # This rule is not applicable for RHEL 10
++ - '!force_opensc_card_drivers'
++ - '!service_chronyd_or_ntpd_enabled'
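Review bot: The exclusion of rpm_verify_hashes is justified only by "probably because of require_emergency_target_auth and require_singleuser_auth rules", and require_singleuser_auth is itself excluded a few lines earlier in this list. That leaves package hash verification switched off in the Top Secret profile on an unconfirmed cause. Suggest re-testing with require_singleuser_auth excluded and, if the rule still fails, linking a tracking issue in the comment so the exclusion can be revisited.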
diff --git a/products/almalinux10/profiles/ospp.profile b/products/almalinux10/profiles/ospp.profile
new file mode 100644
-index 000000000..33ba7ea5b
+index 000000000..bf8780803
--- /dev/null
+++ b/products/almalinux10/profiles/ospp.profile
-@@ -0,0 +1,24 @@
-+documentation_complete: false
+@@ -0,0 +1,27 @@
++documentation_complete: true
++hidden: true
+
+metadata:
+ version: 4.3
@@ -7521,24 +5754,26 @@ index 000000000..33ba7ea5b
+ - ospp:all
+ - '!package_screen_installed'
+ - '!package_dnf-plugin-subscription-manager_installed'
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
diff --git a/products/almalinux10/profiles/pci-dss.profile b/products/almalinux10/profiles/pci-dss.profile
new file mode 100644
-index 000000000..1f958e6f0
+index 000000000..dd42b3807
--- /dev/null
+++ b/products/almalinux10/profiles/pci-dss.profile
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,78 @@
+documentation_complete: true
+
+metadata:
-+ version: '4.0'
++ version: '4.0.1'
+ SMEs:
+ - marcusburghardt
+ - mab879
+ - vojtapolasek
+
-+reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
++reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
+
-+title: 'DRAFT - PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 10'
++title: 'PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 10'
+
+description: |-
+ This is a draft profile for experimental purposes.
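Review bot: The new title is 'PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 10', yet this profile is added under products/almalinux10, and the ISM profiles in the same patch were reworded to "AlmaLinux OS 10". The title should name the product it ships with. The description also still opens with "This is a draft profile for experimental purposes." after 'DRAFT - ' was removed from the title.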
@@ -7549,24 +5784,20 @@ index 000000000..1f958e6f0
+ financial information.
+
+ This draft profile ensures Red Hat Enterprise Linux 10 is configured in alignment
-+ with PCI-DSS v4.0 requirements.
++ with PCI-DSS v4.0.1 requirements.
+
+selections:
+ - pcidss_4:all
-+ # audit-audispd-plugins package does not exist in RHEL 10 (based on RHEL 9)
-+ # use only package_audispd-plugins_installed
-+ - '!package_audit-audispd-plugins_installed'
++ - var_password_hashing_algorithm=yescrypt
++ - var_password_hashing_algorithm_pam=yescrypt
++
+ # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
+ # https://github.com/ComplianceAsCode/content/issues/11285
+ - '!rpm_verify_permissions'
++
+ # these rules do not apply to RHEL 10
+ - '!package_audit-audispd-plugins_installed'
-+ - '!service_ntp_enabled'
-+ - '!ntpd_specify_remote_server'
-+ - '!ntpd_specify_multiple_servers'
-+ - '!set_ipv6_loopback_traffic'
-+ - '!set_loopback_traffic'
-+ - '!service_ntpd_enabled'
++ - '!package_dhcp_removed'
+ - '!package_ypserv_removed'
+ - '!package_ypbind_removed'
+ - '!package_talk_removed'
@@ -7574,37 +5805,47 @@ index 000000000..1f958e6f0
+ - '!package_xinetd_removed'
+ - '!package_rsh_removed'
+ - '!package_rsh-server_removed'
-+ # Following are incompatible with the rhel10 product (based on RHEL9)
-+ - '!service_chronyd_or_ntpd_enabled'
++
++ - '!service_ntp_enabled'
++ - '!service_ntpd_enabled'
++ - '!service_timesyncd_enabled'
++ - '!ntpd_specify_remote_server'
++ - '!ntpd_specify_multiple_servers'
++
++ - '!accounts_passwords_pam_tally2'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ - '!cracklib_accounts_password_pam_dcredit'
++ - '!cracklib_accounts_password_pam_lcredit'
++ - '!cracklib_accounts_password_pam_minlen'
++ - '!cracklib_accounts_password_pam_retry'
++ - '!ensure_firewall_rules_for_open_ports'
++ - '!ensure_shadow_group_empty'
++ - '!ensure_suse_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
+ - '!install_PAE_kernel_on_x86-32'
+ - '!mask_nonessential_services'
-+ - '!aide_periodic_checking_systemd_timer'
+ - '!nftables_ensure_default_deny_policy'
-+ - '!cracklib_accounts_password_pam_lcredit'
-+ - '!file_owner_at_allow'
-+ - '!ensure_firewall_rules_for_open_ports'
-+ - '!cracklib_accounts_password_pam_retry'
-+ - '!gnome_gdm_disable_guest_login'
++ - '!set_ipv6_loopback_traffic'
++ - '!set_ip6tables_default_rule'
++ - '!set_loopback_traffic'
++ - '!set_password_hashing_algorithm_commonauth'
++
++ # Following are incompatible with the rhel10 product (based on RHEL9)
++ - '!service_chronyd_or_ntpd_enabled'
++ - '!aide_periodic_checking_systemd_timer'
++ - '!gnome_gdm_disable_unattended_automatic_login'
++ - '!permissions_local_var_log'
+ - '!sshd_use_strong_kex'
+ - '!sshd_use_approved_macs'
-+ - '!permissions_local_var_log'
+ - '!sshd_use_approved_ciphers'
-+ - '!accounts_passwords_pam_tally2'
-+ - '!ensure_suse_gpgkey_installed'
-+ - '!gnome_gdm_disable_unattended_automatic_login'
-+ - '!accounts_passwords_pam_tally2_unlock_time'
-+ - '!cracklib_accounts_password_pam_minlen'
-+ - '!set_password_hashing_algorithm_commonauth'
-+ - '!cracklib_accounts_password_pam_dcredit'
-+ - '!ensure_shadow_group_empty'
-+ - '!service_timesyncd_enabled'
+ - '!security_patches_up_to_date'
++ - '!kernel_module_dccp_disabled'
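Review bot: ensure_almalinux_gpgkey_installed is the only positive selection in this block and sits between '!ensure_suse_gpgkey_installed' and '!install_PAE_kernel_on_x86-32', where it is easy to read as another exclusion. Move it up beside the var_password_hashing_algorithm selections, or give it its own comment. The last group is still headed "Following are incompatible with the rhel10 product (based on RHEL9)" and covers sshd_use_strong_kex, sshd_use_approved_macs, sshd_use_approved_ciphers and security_patches_up_to_date; a sentence on what replaces those checks on this product would help an auditor reading the profile.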
diff --git a/products/almalinux10/profiles/stig.profile b/products/almalinux10/profiles/stig.profile
new file mode 100644
-index 000000000..1cb3caa2f
+index 000000000..aeb4b4ee8
--- /dev/null
+++ b/products/almalinux10/profiles/stig.profile
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,24 @@
+documentation_complete: true
+
+metadata:
@@ -7614,25 +5855,27 @@ index 000000000..1cb3caa2f
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
-+title: 'DRAFT - DISA STIG for Red Hat Enterprise Linux 10'
++title: 'Red Hat STIG for Red Hat Enterprise Linux 10'
+
+description: |-
-+ This is a draft profile for experimental purposes.
++ This is a profile based on what is expected in the RHEL 10 STIG.
+ It is not based on the DISA STIG for RHEL 10, because it was not available at time of
+ the release.
+
-+ In addition to being applicable to Red Hat Enterprise Linux 10, DISA recognizes this
-+ configuration baseline as applicable to the operating system tier of
++ In addition to being applicable to Red Hat Enterprise Linux 10, this
++ configuration baseline is applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 10.
+
+selections:
+ - srg_gpos:all
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
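Review bot: The added exclusion of enable_dracut_fips_module carries only "Investigation is recommended." with no issue reference, while the rpm_verify_permissions exclusion in pci-dss.profile links its tracking issue. Add a link here as well, since the same comment and exclusion are repeated across several profiles in this patch and will otherwise be hard to retire consistently.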
diff --git a/products/almalinux10/profiles/stig_gui.profile b/products/almalinux10/profiles/stig_gui.profile
new file mode 100644
-index 000000000..609256d19
+index 000000000..bdc831d06
--- /dev/null
+++ b/products/almalinux10/profiles/stig_gui.profile
-@@ -0,0 +1,34 @@
+@@ -0,0 +1,39 @@
+documentation_complete: true
+
+metadata:
@@ -7642,15 +5885,15 @@ index 000000000..609256d19
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
-+title: 'DRAFT - DISA STIG for Red Hat Enterprise Linux 10'
++title: 'Red Hat STIG for Red Hat Enterprise Linux 10'
+
+description: |-
-+ This is a draft profile for experimental purposes.
++ This is a profile based on what is expected in the RHEL 10 STIG.:
+ It is not based on the DISA STIG for RHEL 10, because it was not available at time of
+ the release.
+
-+ In addition to being applicable to Red Hat Enterprise Linux 10, DISA recognizes this
-+ configuration baseline as applicable to the operating system tier of
++ In addition to being applicable to Red Hat Enterprise Linux 10, this
++ configuration baseline is applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 10.
+
+extends: stig
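Review bot: The new description line ends with stray punctuation: "This is a profile based on what is expected in the RHEL 10 STIG.:". stig.profile has the same sentence without the trailing ".:"; drop the colon here so the two descriptions match.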
@@ -7667,9 +5910,14 @@ index 000000000..609256d19
+ - '!sysctl_user_max_user_namespaces'
+ # locking of idle sessions is handled by screensaver when GUI is present, the following rule is therefore redundant
+ - '!logind_session_timeout'
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
++
++ # Package gdm cannot be removed as it is required for GUI installation ('@Server with GUI' package group)
++ - '!package_gdm_removed'
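Review bot: '!enable_dracut_fips_module' is added here although this profile declares "extends: stig" and stig.profile in this patch already carries the same exclusion with the same comment. Confirm whether the exclusion needs restating in the extending profile; if not, remove it so there is a single place to re-enable the rule. The package_gdm_removed exclusion with its explanation is clear as written.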
diff --git a/products/almalinux10/transforms/constants.xslt b/products/almalinux10/transforms/constants.xslt
new file mode 100644
-index 000000000..707f9f2aa
+index 000000000..1b1a67317
--- /dev/null
+++ b/products/almalinux10/transforms/constants.xslt
@@ -0,0 +1,13 @@
@@ -7677,7 +5925,7 @@ index 000000000..707f9f2aa
+
+
+
-+AlmaLinux 10
++AlmaLinux OS 10
+AL10
+AL_10_STIG
+almalinux10
@@ -7743,51 +5991,49 @@ index 000000000..30419e92b
+
diff --git a/shared/checks/oval/installed_OS_is_almalinux10.xml b/shared/checks/oval/installed_OS_is_almalinux10.xml
new file mode 100644
-index 000000000..f7b8ffe04
+index 000000000..34f942d90
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_almalinux10.xml
-@@ -0,0 +1,36 @@
+@@ -0,0 +1,34 @@
+
-+
++
+
-+ AlmaLinux 10
++ AlmaLinux OS 10
+
+ multi_platform_all
+
-+
-+
-+ The operating system installed on the system is
-+ AlmaLinux 10
++
++ The operating system installed on the system is AlmaLinux OS 10
+
-+
-+
-+
-+
-+
++
++
++
++
+
+
+
-+
-+
-+
-+
-+
-+ ^10.*$
-+
-+
-+ ^almalinux.*-release
-+
++
++
++
++
++ /etc/almalinux-release
++
++
++
++
++
++
++ /etc/almalinux-release
++ ^AlmaLinux release 10.[0-9]+ .*$
++ 1
++
+
+
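Review bot: In the new pattern "^AlmaLinux release 10.[0-9]+ .*$" the dot after 10 is unescaped, so it matches any character rather than a literal period; a release string beginning "AlmaLinux release 100" followed by more digits and a space would also satisfy it. Suggest "^AlmaLinux release 10\.[0-9]+ .*$". The check also moves from matching the release package name and version to matching the text of /etc/almalinux-release, so state which release strings it was tested against.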
diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-index 14a64dbbd..21d46b509 100644
+index f803e8ff0..0d908f044 100644
--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-@@ -14,6 +14,7 @@
+@@ -16,6 +16,7 @@
multi_platform_olmulti_platform_rhcosmulti_platform_rhel
@@ -7795,20 +6041,20 @@ index 14a64dbbd..21d46b509 100644
multi_platform_rhvmulti_platform_slemulti_platform_slmicro5
-diff --git a/shared/references/disa-stig-ol7-v2r14-xccdf-manual.xml b/shared/references/disa-stig-ol7-v2r14-xccdf-manual.xml
-index 1d087be21..306818938 100644
---- a/shared/references/disa-stig-ol7-v2r14-xccdf-manual.xml
-+++ b/shared/references/disa-stig-ol7-v2r14-xccdf-manual.xml
-@@ -934,7 +934,7 @@ Check to see if an encrypted grub superusers password is set. On systems that us
+diff --git a/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml b/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml
+index e83699662..1efabcf62 100644
+--- a/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml
++++ b/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml
+@@ -917,7 +917,7 @@ Check to see if an encrypted grub superusers password is set. On systems that us
$ sudo grep -iw grub2_password /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
--If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL07-00-010491Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99143SV-108247CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
-+If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL07-00-010491Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99143SV-108247CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file.
+-If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL07-00-010491Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99143SV-108247CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
++If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL07-00-010491Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99143SV-108247CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file.
Generate an encrypted grub2 password for the grub superusers account with the following command:
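Review bot: The changed line rewrites the fix text of OL07-00-010491, a DISA requirement for Oracle Linux 7, so that it names /boot/efi/EFI/almalinux/user.cfg instead of /boot/efi/EFI/redhat/user.cfg. The file is under shared/references and is named as a DISA STIG manual, so the edit changes what the reference says and looks like the result of a blanket path substitution. Suggest excluding shared/references from the replacement, or explaining in the patch description why reference documents for other products are modified.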
-@@ -946,7 +946,7 @@ For systems that are running a version of Oracle Linux prior to 7.2, this is Not
+@@ -929,7 +929,7 @@ For systems that are running a version of Oracle Linux prior to 7.2, this is Not
Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command:
@@ -7816,8 +6062,8 @@ index 1d087be21..306818938 100644
+$ sudo grep -iw grub2_password /boot/efi/EFI/almalinux/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
- If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>OL07-00-010500The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
-@@ -1838,7 +1838,7 @@ On BIOS-based machines, use the following command:
+ If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>OL07-00-010500The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
+@@ -1809,7 +1809,7 @@ On BIOS-based machines, use the following command:
On UEFI-based machines, use the following command:
@@ -7826,7 +6072,7 @@ index 1d087be21..306818938 100644
If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command:
-@@ -1869,7 +1869,7 @@ dracut-fips-033-360.el7_2.x86_64.rpm
+@@ -1840,7 +1840,7 @@ dracut-fips-033-360.el7_2.x86_64.rpm
If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command:
@@ -7835,9 +6081,9 @@ index 1d087be21..306818938 100644
# grep fips /boot/grub2/grub.cfg
/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet
-@@ -1941,23 +1941,23 @@ An example rule that includes the "sha512" rule follows:
+@@ -1912,23 +1912,23 @@ An example rule that includes the "sha512" rule follows:
- If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>OL07-00-021700The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108367V-99263CCI-001813Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media.
+ If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>OL07-00-021700The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108367V-99263CCI-001813Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media.
-Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
+Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/almalinux/grub.cfg" file on UEFI machines.
@@ -7864,7 +6110,7 @@ index 1d087be21..306818938 100644
set root='hd0,gpt2'
set root='hd0,gpt2'
set root='hd0,gpt2'
-@@ -4481,12 +4481,12 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}
+@@ -4453,12 +4453,12 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}
Generate a new grub.cfg file with the following command:
@@ -7879,16 +6125,115 @@ index 1d087be21..306818938 100644
set superusers="[someuniquestringhere]"
export superusers
-diff --git a/shared/references/disa-stig-ol8-v2r1-xccdf-manual.xml b/shared/references/disa-stig-ol8-v2r1-xccdf-manual.xml
-index eb33a0297..deb9b8ec3 100644
---- a/shared/references/disa-stig-ol8-v2r1-xccdf-manual.xml
-+++ b/shared/references/disa-stig-ol8-v2r1-xccdf-manual.xml
-@@ -425,7 +425,7 @@ SHA_CRYPT_MIN_ROUNDS 5000
+ 5416
+
+ CCI-000213
+- Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file.
++ Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/almalinux/user.cfg" file.
+
+ Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+@@ -11097,7 +11097,7 @@ The "logind" service must be restarted for the changes to take effect. To restar
+ The OL8 system boots with United Extensable Firmware Interface (UEFI)
+
+
+-
++
+
+
+
+@@ -11250,11 +11250,11 @@ Passwords need to be protected at all times, and encryption is the standard meth
+
+ If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.
+
+-
+-
++
++
+
+-
+-
++
++
+
+
+
+@@ -11874,7 +11874,7 @@ Configuration settings are the set of parameters that can be changed in hardware
+ The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+
+
+-
++
+
+
+
+@@ -15425,7 +15425,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+
+
+-
++
+
+
+
+@@ -15479,11 +15479,11 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+
+
+-
++
+
+
+
+-
++
+
+
+
+@@ -17231,8 +17231,8 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+ gnome-shell
+
+-
+- /boot/efi/EFI/redhat/grub.cfg
++
++ /boot/efi/EFI/almalinux/grub.cfg
+
+
+ /boot/grub2/grub.cfg
+@@ -17308,13 +17308,13 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+ ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d*)
+ 1
+
+-
+- /boot/efi/EFI/redhat/grub.cfg
++
++ /boot/efi/EFI/almalinux/grub.cfg
+ ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$
+ 1
+
+-
+- /boot/efi/EFI/redhat/user.cfg
++
++ /boot/efi/EFI/almalinux/user.cfg
+ ^\s*GRUB2_PASSWORD=(\S+)\b
+ 1
+
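Review bot: The replaced lines here are not prose: /boot/efi/EFI/almalinux/grub.cfg and /boot/efi/EFI/almalinux/user.cfg are the paths paired with the "set superusers" and "GRUB2_PASSWORD=" patterns, so the substitution changes which files the OL8 content inspects for the bootloader password. A check that looks at a path absent on the system it describes cannot find the superusers or GRUB2_PASSWORD setting there. Leave the redhat paths in this OL8 reference content and carry the AlmaLinux path in product-specific content instead.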
+diff --git a/shared/references/disa-stig-ol8-v2r3-xccdf-manual.xml b/shared/references/disa-stig-ol8-v2r3-xccdf-manual.xml
+index 7e5d2fce0..f4fc7a4be 100644
+--- a/shared/references/disa-stig-ol8-v2r3-xccdf-manual.xml
++++ b/shared/references/disa-stig-ol8-v2r3-xccdf-manual.xml
+@@ -425,7 +425,7 @@ SHA_CRYPT_MIN_ROUNDS 100000SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010140OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file.
-+If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the value for either is below "5000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010140OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/almalinux/user.cfg" file.
+-If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the value for either is below "100000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010140OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file.
++If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the value for either is below "100000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010140OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/almalinux/user.cfg" file.
Generate an encrypted grub2 password for the grub superusers account with the following command:
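Review bot: The fix text for OL08-00-010140, whose target is Oracle Linux 8, now names "/boot/efi/EFI/almalinux/user.cfg" as the file grub2-setpassword creates. This reads like a blanket redhat-to-almalinux substitution reaching a reference document for a different product. Limit the path rewrite to content that is actually built for AlmaLinux and leave the Oracle Linux reference text as it was, so the guidance an OL 8 administrator reads does not point at an AlmaLinux directory.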
@@ -7915,98 +6260,16 @@ index eb33a0297..deb9b8ec3 100644
set superusers="[someuniqueUserNamehere]"
export superusers
-diff --git a/shared/references/disa-stig-rhel8-v1r13-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r13-xccdf-scap.xml
-index 2bb4af3b9..3b4e256f4 100644
---- a/shared/references/disa-stig-rhel8-v1r13-xccdf-scap.xml
-+++ b/shared/references/disa-stig-rhel8-v1r13-xccdf-scap.xml
-@@ -2584,7 +2584,7 @@ SHA_CRYPT_MIN_ROUNDS 5000
- 2921
-
- CCI-000213
-- Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
-+ Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file.
-
- Generate an encrypted grub2 password for the grub superusers account with the following command:
-
-@@ -10400,11 +10400,11 @@ Passwords need to be protected at all times, and encryption is the standard meth
-
- If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
-
--
--
-+
-+
-
--
--
-+
-+
-
-
-
-@@ -11040,7 +11040,7 @@ Configuration settings are the set of parameters that can be changed in hardware
- The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-
-
--
-+
-
-
-
-@@ -14645,15 +14645,15 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
-
-
--
-+
-
-
-
--
-+
-
-
-
--
-+
-
-
-
-@@ -16481,18 +16481,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi
- ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\b
- 1
-
--
-- /boot/efi/EFI/redhat/grub.cfg
-+
-+ /boot/efi/EFI/almalinux/grub.cfg
- ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$
- 1
-
--
-- /boot/efi/EFI/redhat/user.cfg
-+
-+ /boot/efi/EFI/almalinux/user.cfg
- ^\s*GRUB2_PASSWORD=(\S+)\b
- 1
-
--
-- /boot/efi/EFI/redhat/grub.cfg
-+
-+ /boot/efi/EFI/almalinux/grub.cfg
-
-
- /boot/grub2/grub.cfg
-diff --git a/shared/references/disa-stig-rhel8-v1r14-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r14-xccdf-manual.xml
-index 89b69d69d..cf9365113 100644
---- a/shared/references/disa-stig-rhel8-v1r14-xccdf-manual.xml
-+++ b/shared/references/disa-stig-rhel8-v1r14-xccdf-manual.xml
-@@ -374,7 +374,7 @@ SHA_CRYPT_MIN_ROUNDS 5000SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
-+If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file.
+-If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "100000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
++If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "100000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file.
Generate an encrypted grub2 password for the grub superusers account with the following command:
@@ -8019,7 +6282,7 @@ index 89b69d69d..cf9365113 100644
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
-@@ -6468,11 +6468,11 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}
+@@ -6384,11 +6384,11 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}
Generate a new grub.cfg file with the following command:
@@ -8033,232 +6296,83 @@ index 89b69d69d..cf9365113 100644
set superusers="[someuniquestringhere]"
export superusers
-diff --git a/shared/references/disa-stig-rhel9-v1r1-xccdf-scap.xml b/shared/references/disa-stig-rhel9-v1r1-xccdf-scap.xml
-index c14013393..fe7d48d2c 100644
---- a/shared/references/disa-stig-rhel9-v1r1-xccdf-scap.xml
-+++ b/shared/references/disa-stig-rhel9-v1r1-xccdf-scap.xml
-@@ -20991,7 +20991,7 @@ include "/etc/crypto-policies/back-ends/bind.config";
+diff --git a/shared/references/disa-stig-rhel8-v2r2-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v2r2-xccdf-scap.xml
+index ecdb4b277..8dbe274c6 100644
+--- a/shared/references/disa-stig-rhel8-v2r2-xccdf-scap.xml
++++ b/shared/references/disa-stig-rhel8-v2r2-xccdf-scap.xml
+@@ -3264,7 +3264,7 @@ SHA_CRYPT_MIN_ROUNDS 100000
+
+
+ CCI-000213
+- Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
++ Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file.
+
+ Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+@@ -12501,8 +12501,8 @@ $ sudo systemctl restart systemd-logind
+
-
-
--
-+
-
-
-
-@@ -29178,7 +29178,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190
-
-
+
+-
+-
++
++
+
+
+
+@@ -20423,11 +20423,11 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+
--
-+
-
-
-
-@@ -33049,7 +33049,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190
- 1
+-
++
+
+
+
+-
++
+
+
+
+@@ -22363,12 +22363,12 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+ 1
-
+
- /boot/efi/EFI/redhat/grub.cfg
+ /boot/efi/EFI/almalinux/grub.cfg
-
-
- /etc/grub2-efi.cfg
-diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template
-index 5a686b0b2..74a7d8c30 100644
---- a/shared/templates/audit_rules_dac_modification/ansible.template
-+++ b/shared/templates/audit_rules_dac_modification/ansible.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template
-index daee70210..ae6608360 100644
---- a/shared/templates/audit_rules_dac_modification/bash.template
-+++ b/shared/templates/audit_rules_dac_modification/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
-
- # First perform the remediation of the syscall rule
- # Retrieve hardware architecture of the underlying system
-diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template
-index 33b29b977..cbee8fdf7 100644
---- a/shared/templates/audit_rules_file_deletion_events/ansible.template
-+++ b/shared/templates/audit_rules_file_deletion_events/ansible.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template
-index b3eab4edb..da237aa3d 100644
---- a/shared/templates/audit_rules_file_deletion_events/bash.template
-+++ b/shared/templates/audit_rules_file_deletion_events/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian
-
- # First perform the remediation of the syscall rule
- # Retrieve hardware architecture of the underlying system
-diff --git a/shared/templates/audit_rules_login_events/ansible.template b/shared/templates/audit_rules_login_events/ansible.template
-index e62981561..4f8c1b6e5 100644
---- a/shared/templates/audit_rules_login_events/ansible.template
-+++ b/shared/templates/audit_rules_login_events/ansible.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/shared/templates/audit_rules_login_events/bash.template b/shared/templates/audit_rules_login_events/bash.template
-index e3c55b43a..0a13eabe8 100644
---- a/shared/templates/audit_rules_login_events/bash.template
-+++ b/shared/templates/audit_rules_login_events/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
-
- # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-
-diff --git a/shared/templates/audit_rules_path_syscall/ansible.template b/shared/templates/audit_rules_path_syscall/ansible.template
-index 68b43b439..9d9ce2fad 100644
---- a/shared/templates/audit_rules_path_syscall/ansible.template
-+++ b/shared/templates/audit_rules_path_syscall/ansible.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/shared/templates/audit_rules_path_syscall/bash.template b/shared/templates/audit_rules_path_syscall/bash.template
-index 332c87def..cdcf6352c 100644
---- a/shared/templates/audit_rules_path_syscall/bash.template
-+++ b/shared/templates/audit_rules_path_syscall/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
-
- # First perform the remediation of the syscall rule
- # Retrieve hardware architecture of the underlying system
-diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
-index 0e2a29c80..a78d71da2 100644
---- a/shared/templates/audit_rules_privileged_commands/ansible.template
-+++ b/shared/templates/audit_rules_privileged_commands/ansible.template
-@@ -1,7 +1,7 @@
- {{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
- {{%- set perm_x=" -F perm=x" %}}
- {{%- endif %}}
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_perm_x.fail.sh b/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_perm_x.fail.sh
-index 316171011..aba627753 100644
---- a/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_perm_x.fail.sh
-+++ b/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_perm_x.fail.sh
-@@ -1,5 +1,5 @@
+ ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$
+ 1
+
+
+- /boot/efi/EFI/redhat/user.cfg
++ /boot/efi/EFI/almalinux/user.cfg
+ ^\s*GRUB2_PASSWORD=(\S+)\b
+ 1
+
+diff --git a/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh b/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh
+index 8c002663d..c8d3ff1a4 100644
+--- a/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh
++++ b/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh
+@@ -1,6 +1,6 @@
#!/bin/bash
--# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
-+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
- # packages = audit
+ # This test only applies to platforms that check the pwquality.conf.d directory
+-# platform = Oracle Linux 8,multi_platform_rhel
++# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux
+ # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
- source common.sh
-diff --git a/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_perm_x.fail.sh b/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_perm_x.fail.sh
-index 1cad34338..55c65dbe2 100644
---- a/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_perm_x.fail.sh
-+++ b/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_perm_x.fail.sh
-@@ -1,5 +1,5 @@
+ truncate -s 0 /etc/security/pwquality.conf
+diff --git a/shared/templates/accounts_password/tests/correct_value_directory.pass.sh b/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
+index 689093008..c25c13332 100644
+--- a/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
++++ b/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
+@@ -1,6 +1,6 @@
#!/bin/bash
--# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
-+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
+ # This test only applies to platforms that check the pwquality.conf.d directory
+-# platform = Oracle Linux 8,multi_platform_rhel
++# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux
+ # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
- source common.sh
-
-diff --git a/shared/templates/audit_rules_syscall_events/ansible.template b/shared/templates/audit_rules_syscall_events/ansible.template
-index 16dec9827..5e953196e 100644
---- a/shared/templates/audit_rules_syscall_events/ansible.template
-+++ b/shared/templates/audit_rules_syscall_events/ansible.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/shared/templates/audit_rules_syscall_events/bash.template b/shared/templates/audit_rules_syscall_events/bash.template
-index bd5bb94cb..d1f68626a 100644
---- a/shared/templates/audit_rules_syscall_events/bash.template
-+++ b/shared/templates/audit_rules_syscall_events/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-
- # First perform the remediation of the syscall rule
- # Retrieve hardware architecture of the underlying system
-diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
-index 9beb65537..e6da688f0 100644
---- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
-+++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
-index b18223c98..e82de6427 100644
---- a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
-+++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
-
- # First perform the remediation of the syscall rule
- # Retrieve hardware architecture of the underlying system
-diff --git a/shared/templates/audit_rules_usergroup_modification/ansible.template b/shared/templates/audit_rules_usergroup_modification/ansible.template
-index 0ffb15ba1..a7ee3c41d 100644
---- a/shared/templates/audit_rules_usergroup_modification/ansible.template
-+++ b/shared/templates/audit_rules_usergroup_modification/ansible.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template
-index a573b6a1b..7011157d8 100644
---- a/shared/templates/grub2_bootloader_argument/ansible.template
-+++ b/shared/templates/grub2_bootloader_argument/ansible.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian
- # reboot = true
- # strategy = restrict
- # complexity = medium
-diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
-index 7a7ba6899..ac12c1878 100644
---- a/shared/templates/grub2_bootloader_argument/bash.template
-+++ b/shared/templates/grub2_bootloader_argument/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian
- {{#
- See the OVAL template for more comments.
- Product-specific categorization should be synced across all template content types
-diff --git a/shared/templates/grub2_bootloader_argument/blueprint.template b/shared/templates/grub2_bootloader_argument/blueprint.template
-index 7e9ea909e..152f27303 100644
---- a/shared/templates/grub2_bootloader_argument/blueprint.template
-+++ b/shared/templates/grub2_bootloader_argument/blueprint.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
- {{%- if ARG_VARIABLE %}}
- {{%- set ARG_NAME_VALUE = ARG_NAME ~ "=(blueprint-populate " ~ ARG_VARIABLE ~ ")" -%}}
- {{%- endif %}}
+ # This test will ensure that OVAL also checks the configuration in
diff --git a/shared/templates/grub2_bootloader_argument/kickstart.template b/shared/templates/grub2_bootloader_argument/kickstart.template
index c5051bcf7..846c0e661 100644
--- a/shared/templates/grub2_bootloader_argument/kickstart.template
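Review bot: In conflicting_values_directory.fail.sh and correct_value_directory.pass.sh the platform line gains multi_platform_almalinux, yet the comment directly above it says the test only applies to platforms that check the pwquality.conf.d directory, and Oracle Linux is pinned to version 8 on the same line. Confirm that the check reads pwquality.conf.d on every AlmaLinux version this entry covers. If it does not, list the specific AlmaLinux versions the way the Oracle Linux entry does, so a password-quality scenario is not reported against a platform where the directory is never evaluated.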
@@ -8269,62 +6383,42 @@ index c5051bcf7..846c0e661 100644
# reboot = true
# strategy = restrict
# complexity = medium
-diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
-index b594abe6d..bac3e9fc6 100644
---- a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
-+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
+diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh
+index 4c25b2d95..26100fc4e 100644
+--- a/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh
++++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh
@@ -1,6 +1,6 @@
#!/bin/bash
--# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu
-+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu
- {{%- if 'ubuntu' in product %}}
- # packages = grub2
- {{%- else %}}
+-# platform = multi_platform_fedora,multi_platform_rhel
++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux
+ # packages = grub2,grubby
+
+ source common.sh
diff --git a/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
-index c6d5b6b1b..cd30da7ac 100644
+index c6d5b6b1b..0557b2f03 100644
--- a/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
+++ b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_fedora
-+# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux 10,multi_platform_fedora
++# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_fedora
# packages = grub2,grubby
{{%- if ARG_VARIABLE %}}
# variables = {{{ ARG_VARIABLE }}}=correct_value
diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
-index f43aa99c4..9327235a9 100644
+index 0ee7a41ca..a31c37bc4 100644
--- a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
@@ -1,6 +1,6 @@
#!/bin/bash
--# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_fedora
-+# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux 10,multi_platform_fedora
+-# platform = multi_platform_fedora,multi_platform_rhel
++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux
# packages = grub2,grubby
source common.sh
-diff --git a/shared/templates/grub2_bootloader_argument_absent/ansible.template b/shared/templates/grub2_bootloader_argument_absent/ansible.template
-index 51fc98b7a..c6b147d87 100644
---- a/shared/templates/grub2_bootloader_argument_absent/ansible.template
-+++ b/shared/templates/grub2_bootloader_argument_absent/ansible.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
- # reboot = true
- # strategy = restrict
- # complexity = medium
-diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template
-index 8d7d6e9ea..18b900e51 100644
---- a/shared/templates/grub2_bootloader_argument_absent/bash.template
-+++ b/shared/templates/grub2_bootloader_argument_absent/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
- {{#
- See the OVAL template for more comments.
- Product-specific categorization should be synced across all template content types
diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh
index fc3db8ccd..a12bef4b2 100644
--- a/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh
@@ -8350,35 +6444,15 @@ index e51f669fd..00a74f76f 100644
# Adds argument with a value from kernel command line in /etc/default/grub
diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh
-index 9eda41566..538fca94a 100644
+index 9eda41566..e47a76f51 100644
--- a/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh
+++ b/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10
-+# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux 10
++# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10
# packages = grub2,grubby
# Ensure the kernel command line for each installed kernel in the bootloader
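Review bot: The platform line lists Red Hat Enterprise Linux 9 and 10 but adds only "AlmaLinux OS 10", so this scenario gets no AlmaLinux 9 counterpart to the RHEL 9 entry. If AlmaLinux 9 is built from this tree, add "AlmaLinux OS 9" next to it. If the omission is deliberate, say so in the commit message so the asymmetry is not mistaken for an oversight.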
-diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
-index 88e846697..a329cbe76 100644
---- a/shared/templates/kernel_module_disabled/ansible.template
-+++ b/shared/templates/kernel_module_disabled/ansible.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
- # reboot = true
- # strategy = disable
- # complexity = low
-diff --git a/shared/templates/kernel_module_disabled/bash.template b/shared/templates/kernel_module_disabled/bash.template
-index df7229bc4..d6dc65bff 100644
---- a/shared/templates/kernel_module_disabled/bash.template
-+++ b/shared/templates/kernel_module_disabled/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
- # reboot = true
- # strategy = disable
- # complexity = low
diff --git a/shared/templates/kernel_module_disabled/kubernetes.template b/shared/templates/kernel_module_disabled/kubernetes.template
index c77cebfbb..2820e9745 100644
--- a/shared/templates/kernel_module_disabled/kubernetes.template
@@ -8390,27 +6464,6 @@ index c77cebfbb..2820e9745 100644
# reboot = true
# strategy = disable
# complexity = low
-diff --git a/shared/templates/kernel_module_disabled/tests/missing_blacklist.fail.sh b/shared/templates/kernel_module_disabled/tests/missing_blacklist.fail.sh
-index 8a1319eed..fb20c3b4a 100644
---- a/shared/templates/kernel_module_disabled/tests/missing_blacklist.fail.sh
-+++ b/shared/templates/kernel_module_disabled/tests/missing_blacklist.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_ol,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_ubuntu
-
- echo > /etc/modprobe.d/{{{ KERNMODULE }}}.conf
- echo "install {{{ KERNMODULE }}} /bin/true" > /etc/modprobe.d/{{{ KERNMODULE }}}.conf
-diff --git a/shared/templates/mount/anaconda.template b/shared/templates/mount/anaconda.template
-index fdcb4ee3e..0d1d8dc24 100644
---- a/shared/templates/mount/anaconda.template
-+++ b/shared/templates/mount/anaconda.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- # reboot = false
- # strategy = enable
- # complexity = low
diff --git a/shared/templates/mount/blueprint.template b/shared/templates/mount/blueprint.template
index 56617467d..3cdacd4db 100644
--- a/shared/templates/mount/blueprint.template
@@ -8430,43 +6483,13 @@ index fc2bdebd7..3c7833aa7 100644
+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
logvol {{{ MOUNTPOINT }}} {{{ MIN_SIZE_MB }}}
-diff --git a/shared/templates/mount_option/anaconda.template b/shared/templates/mount_option/anaconda.template
-index 083b0ef00..14f7018a9 100644
---- a/shared/templates/mount_option/anaconda.template
-+++ b/shared/templates/mount_option/anaconda.template
+diff --git a/shared/templates/package_installed/bootc.template b/shared/templates/package_installed/bootc.template
+index ddac8ef40..86cb91791 100644
+--- a/shared/templates/package_installed/bootc.template
++++ b/shared/templates/package_installed/bootc.template
@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- # reboot = false
- # strategy = enable
- # complexity = low
-diff --git a/shared/templates/mount_option_removable_partitions/anaconda.template b/shared/templates/mount_option_removable_partitions/anaconda.template
-index 8665fb913..07cd9e3ad 100644
---- a/shared/templates/mount_option_removable_partitions/anaconda.template
-+++ b/shared/templates/mount_option_removable_partitions/anaconda.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- # reboot = false
- # strategy = enable
- # complexity = low
-diff --git a/shared/templates/package_installed/anaconda.template b/shared/templates/package_installed/anaconda.template
-index 0ac55f51f..dd0bcddea 100644
---- a/shared/templates/package_installed/anaconda.template
-+++ b/shared/templates/package_installed/anaconda.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- # reboot = false
- # strategy = enable
- # complexity = low
-diff --git a/shared/templates/package_installed/bash.template b/shared/templates/package_installed/bash.template
-index 65c48d381..ee1e6386d 100644
---- a/shared/templates/package_installed/bash.template
-+++ b/shared/templates/package_installed/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian
+-# platform = multi_platform_rhel,multi_platform_fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
# reboot = false
# strategy = enable
# complexity = low
@@ -8480,13 +6503,13 @@ index be0fc1de8..8284a5711 100644
# reboot = false
# strategy = enable
# complexity = low
-diff --git a/shared/templates/package_removed/anaconda.template b/shared/templates/package_removed/anaconda.template
-index 489f9bb0f..0120d927c 100644
---- a/shared/templates/package_removed/anaconda.template
-+++ b/shared/templates/package_removed/anaconda.template
+diff --git a/shared/templates/package_removed/bootc.template b/shared/templates/package_removed/bootc.template
+index 9e3535578..f0a418432 100644
+--- a/shared/templates/package_removed/bootc.template
++++ b/shared/templates/package_removed/bootc.template
@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+-# platform = multi_platform_rhel,multi_platform_fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
# reboot = false
# strategy = disable
# complexity = low
@@ -8500,289 +6523,18 @@ index 486ebbbdc..963412bac 100644
# reboot = false
# strategy = disable
# complexity = low
-diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
-index 67c1b593b..74bb77abe 100644
---- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
-+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
-@@ -1,5 +1,5 @@
+diff --git a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
+index 1e4ab26a7..88a935f88 100644
+--- a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
++++ b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
+@@ -1,6 +1,6 @@
#!/bin/bash
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv,multi_platform_sle
- # packages = authselect
- # variables = var_accounts_passwords_pam_faillock_deny=3
+ # packages = authselect,pam
+-# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
++# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
-diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
-index e3ec96da0..56c6b75f3 100644
---- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
-+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_rhv,multi_platform_sle
- # packages = authselect
- # remediation = none
- # variables = var_accounts_passwords_pam_faillock_deny=3
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh
-index 0fa452ba0..8e9abbe3a 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
+ {{{ tests_init_faillock_vars("correct") }}}
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh
-index 54804685b..1c4b4f3e1 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr.fail.sh
-index 1ba8e0cda..02f0e77e9 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr.fail.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_include.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_include.fail.sh
-index 321df77d9..756bdb524 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_include.fail.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_include.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_stricter_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_stricter_attr.pass.sh
-index dc362ae00..36867bb2b 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_stricter_attr.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_stricter_attr.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh
-index 4aef9fb84..0b7cbcd5f 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr_include.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr_include.pass.sh
-index 203f640f5..a127500e8 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr_include.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr_include.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_cloudinit.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_cloudinit.fail.sh
-index f623b6be4..8d4399023 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_cloudinit.fail.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_cloudinit.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy.fail.sh
-index c825c0b08..746d6dfa4 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy.fail.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy_include.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy_include.fail.sh
-index a8e723bee..a1e6b245c 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy_include.fail.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_legacy_include.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer.fail.sh
-index d3f639a2b..b5d757274 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer.fail.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer_include.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer_include.fail.sh
-index d3be7ffc3..5b4b11307 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer_include.fail.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_lenient_attr_rainer_include.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_stricter_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_stricter_attr.pass.sh
-index c1c5758d8..3e7441a4a 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_stricter_attr.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_stricter_attr.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh
-index 3d3bbbd8e..ae10153cd 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_exceptions.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_exceptions.pass.sh
-index 868318728..d744d549d 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_exceptions.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_exceptions.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_include.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_include.pass.sh
-index 96e9ddaf3..8c8a59a3a 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_include.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_include.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_multiline_include.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_multiline_include.pass.sh
-index ec9296694..6bd64894b 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_multiline_include.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr_multiline_include.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr.fail.sh
-index 9dcbe0c2e..b7f6323c9 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr.fail.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr_include.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr_include.fail.sh
-index dc9ea0eef..9c6694804 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr_include.fail.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_attr_include.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_multiline_attr_include.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_multiline_attr_include.fail.sh
-index 6acb37ad7..d235e6249 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_multiline_attr_include.fail.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_multiline_attr_include.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_stricter_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_stricter_attr.pass.sh
-index abdb09c48..9cc24d061 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_stricter_attr.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_stricter_attr.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
- # Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-diff --git a/shared/templates/sebool/ansible.template b/shared/templates/sebool/ansible.template
-index a17337508..1e9769b17 100644
---- a/shared/templates/sebool/ansible.template
-+++ b/shared/templates/sebool/ansible.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,SUSE Linux Enterprise 15
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,SUSE Linux Enterprise 15
- # reboot = false
- # strategy = enable
- # complexity = low
-diff --git a/shared/templates/sebool/bash.template b/shared/templates/sebool/bash.template
-index 7bc1bd15d..b5534afd7 100644
---- a/shared/templates/sebool/bash.template
-+++ b/shared/templates/sebool/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,SUSE Linux Enterprise 15
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,SUSE Linux Enterprise 15
- # reboot = false
- # strategy = enable
- # complexity = low
-diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template
-index c8b6826b2..6bbb8eb2a 100644
---- a/shared/templates/service_disabled/bash.template
-+++ b/shared/templates/service_disabled/bash.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
- # reboot = false
- # strategy = disable
- # complexity = low
diff --git a/shared/templates/service_disabled/kickstart.template b/shared/templates/service_disabled/kickstart.template
index d1e39ae29..7ecd5523e 100644
--- a/shared/templates/service_disabled/kickstart.template
@@ -8803,15 +6555,15 @@ index 1ab456524..724e7b779 100644
# reboot = true
# strategy = disable
# complexity = low
-diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template
-index 00fd1ee2f..2d99ec854 100644
---- a/shared/templates/service_enabled/bash.template
-+++ b/shared/templates/service_enabled/bash.template
+diff --git a/shared/templates/service_disabled_guard_var/bash.template b/shared/templates/service_disabled_guard_var/bash.template
+index 0afd3332d..62c4762e7 100644
+--- a/shared/templates/service_disabled_guard_var/bash.template
++++ b/shared/templates/service_disabled_guard_var/bash.template
@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
# reboot = false
- # strategy = enable
+ # strategy = disable
# complexity = low
diff --git a/shared/templates/service_enabled/kickstart.template b/shared/templates/service_enabled/kickstart.template
index 451af774a..27ac615a2 100644
@@ -8824,160 +6576,221 @@ index 451af774a..27ac615a2 100644
# strategy = disable
# complexity = low
diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh
-index 7db352eda..0c07614e5 100644
+index 6432aa5ce..9c3234fd3 100644
--- a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh
+++ b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux 10,multi_platform_ubuntu
++# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_ubuntu
source common.sh
diff --git a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
-index e0cd64de1..2b87db594 100644
+index c5390ff13..9f596cf48 100644
--- a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
+++ b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux 10,multi_platform_ubuntu
++# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_ubuntu
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/nothing
diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
-index fd2cfeb10..d43541136 100644
+index 7d55e3d0d..f8ea20e04 100644
--- a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
+++ b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux 10,multi_platform_ubuntu
++# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_ubuntu
- SSHD_PARAM={{{ PARAMETER }}}
- SSHD_VAL={{{ VALUE }}}
+
+ {{% if XCCDF_VARIABLE %}}
diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
-index 2322e1d7c..c727f8d43 100644
+index c68680483..6c35a7465 100644
--- a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
+++ b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux 10,multi_platform_ubuntu
++# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_ubuntu
- SSHD_PARAM={{{ PARAMETER }}}
- SSHD_VAL={{{ VALUE }}}
+ {{% if XCCDF_VARIABLE %}}
+ # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
-index 1810d779a..802e6f5c3 100644
+index 983eb3fda..176f386e7 100644
--- a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
+++ b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux 10,multi_platform_ubuntu
++# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_ubuntu
- SSHD_PARAM={{{ PARAMETER }}}
- SSHD_VAL="bad_val"
-diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
-index 887adae43..b4395c5a7 100644
---- a/shared/templates/sysctl/bash.template
-+++ b/shared/templates/sysctl/bash.template
+ {{% if XCCDF_VARIABLE %}}
+ # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+diff --git a/shared/templates/zipl_bls_entries_option/ansible.template b/shared/templates/zipl_bls_entries_option/ansible.template
+index 73810f216..54434bb42 100644
+--- a/shared/templates/zipl_bls_entries_option/ansible.template
++++ b/shared/templates/zipl_bls_entries_option/ansible.template
@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian
+-# platform = multi_platform_rhel
++# platform = multi_platform_rhel,multi_platform_almalinux
# reboot = true
- # strategy = disable
- # complexity = low
-diff --git a/shared/templates/systemd_mount_enabled/anaconda.template b/shared/templates/systemd_mount_enabled/anaconda.template
-index 42ec0778d..475010b6a 100644
---- a/shared/templates/systemd_mount_enabled/anaconda.template
-+++ b/shared/templates/systemd_mount_enabled/anaconda.template
+ # strategy = configure
+ # complexity = medium
+diff --git a/shared/templates/zipl_bls_entries_option/bash.template b/shared/templates/zipl_bls_entries_option/bash.template
+index e14d59dfc..1b236a130 100644
+--- a/shared/templates/zipl_bls_entries_option/bash.template
++++ b/shared/templates/zipl_bls_entries_option/bash.template
@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- # reboot = false
- # strategy = enable
- # complexity = low
+-# platform = multi_platform_rhel
++# platform = multi_platform_rhel,multi_platform_almalinux
+
+ # Correct BLS option using grubby, which is a thin wrapper around BLS operations
+ grubby --update-kernel=ALL --args="{{{ ARG_NAME }}}={{{ ARG_VALUE }}}"
diff --git a/ssg/constants.py b/ssg/constants.py
-index 7f8910743..9d5b185e6 100644
+index cf58db6a1..7e1bdd841 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
-@@ -40,6 +40,7 @@ SSG_REF_URIS = {
+@@ -40,7 +40,7 @@ SSG_REF_URIS = {
product_directories = [
'alinux2',
'alinux3',
+- 'almalinux9',
+ 'almalinux10',
'anolis8',
'anolis23',
'al2023',
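Review bot: In product_directories, 'almalinux9' is replaced by 'almalinux10' rather than 'almalinux10' being added next to it, so the almalinux9 product is no longer registered. The same substitution appears in FULL_NAME_TO_PRODUCT_MAPPING and MULTI_PLATFORM_MAPPING further down in this file. If dropping AlmaLinux OS 9 is intended for this build, say so in the patch description; otherwise keep both entries, for example "multi_platform_almalinux": ["almalinux9", "almalinux10"], so rules tagged multi_platform_almalinux still resolve for version 9.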
-@@ -201,6 +202,7 @@ PKG_MANAGER_TO_CONFIG_FILE = {
+@@ -204,7 +204,7 @@ PKG_MANAGER_TO_CONFIG_FILE = {
FULL_NAME_TO_PRODUCT_MAPPING = {
"Alibaba Cloud Linux 2": "alinux2",
"Alibaba Cloud Linux 3": "alinux3",
-+ "AlmaLinux 10": "almalinux10",
+- "AlmaLinux OS 9": "almalinux9",
++ "AlmaLinux OS 10": "almalinux10",
"Anolis OS 8": "anolis8",
"Anolis OS 23": "anolis23",
"Amazon Linux 2023": "al2023",
-@@ -281,7 +283,7 @@ REFERENCES = dict(
- )
-
-
--MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
-+MULTI_PLATFORM_LIST = ["almalinux", "rhel", "fedora", "rhv", "debian", "ubuntu",
- "openeuler",
- "opensuse", "sle", "ol", "ocp", "rhcos",
- "example", "eks", "alinux", "uos", "anolis", "openembedded", "al",
-@@ -289,6 +291,7 @@ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+@@ -295,7 +295,7 @@ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
MULTI_PLATFORM_MAPPING = {
"multi_platform_alinux": ["alinux2", "alinux3"],
+- "multi_platform_almalinux": ["almalinux9"],
+ "multi_platform_almalinux": ["almalinux10"],
"multi_platform_anolis": ["anolis8", "anolis23"],
"multi_platform_debian": ["debian11", "debian12"],
"multi_platform_example": ["example"],
-@@ -413,6 +416,7 @@ XCCDF_PLATFORM_TO_PACKAGE = {
- # _version_name_map = {
- MAKEFILE_ID_TO_PRODUCT_MAP = {
- 'alinux': 'Alibaba Cloud Linux',
-+ 'almalinux': 'AlmaLinux',
- 'anolis': 'Anolis OS',
- 'chromium': 'Google Chromium Browser',
- 'fedora': 'Fedora',
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/fixes/selinux_state.yml b/tests/unit/ssg-module/test_playbook_builder_data/fixes/selinux_state.yml
-index ff0b30f03..0116294f1 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/fixes/selinux_state.yml
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/fixes/selinux_state.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
-index 1c1560a86..fc86b614e 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
-index 10ecee505..3d3098f4e 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/bash/shared.sh
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- # reboot = true
- # strategy = restrict
- # complexity = low
+diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml
+index eb1005de9..6c1f3517b 100644
+--- a/tests/data/product_stability/ol7.yml
++++ b/tests/data/product_stability/ol7.yml
+@@ -29,7 +29,7 @@ groups:
+ dedicated_ssh_keyowner:
+ name: ssh_keys
+ grub2_boot_path: /boot/grub2
+-grub2_uefi_boot_path: /boot/efi/EFI/redhat
++grub2_uefi_boot_path: /boot/efi/EFI/almalinux
+ grub_helper_executable: grubby
+ init_system: systemd
+ major_version_ordinal: 7
+diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml
+index ec49ad45f..67008023e 100644
+--- a/tests/data/product_stability/ol8.yml
++++ b/tests/data/product_stability/ol8.yml
+@@ -29,7 +29,7 @@ groups:
+ dedicated_ssh_keyowner:
+ name: ssh_keys
+ grub2_boot_path: /boot/grub2
+-grub2_uefi_boot_path: /boot/efi/EFI/redhat
++grub2_uefi_boot_path: /boot/efi/EFI/almalinux
+ grub_helper_executable: grubby
+ init_system: systemd
+ major_version_ordinal: 8
+diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml
+index cec14308a..b7e6596bf 100644
+--- a/tests/data/product_stability/rhel8.yml
++++ b/tests/data/product_stability/rhel8.yml
+@@ -80,7 +80,7 @@ groups:
+ dedicated_ssh_keyowner:
+ name: ssh_keys
+ grub2_boot_path: /boot/grub2
+-grub2_uefi_boot_path: /boot/efi/EFI/redhat
++grub2_uefi_boot_path: /boot/efi/EFI/almalinux
+ grub_helper_executable: grubby
+ init_system: systemd
+ journald_conf_dir_path: /etc/systemd/journald.conf.d
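Review bot: grub2_uefi_boot_path is changed to /boot/efi/EFI/almalinux in the stability data for ol7, ol8 and rhel8, which are not AlmaLinux products. These files record the expected properties of those products, so the edit looks like the side effect of a global redhat-to-almalinux substitution. Unless the product definitions for Oracle Linux and RHEL are deliberately changed to match, these three hunks should be dropped and the path override limited to the AlmaLinux product.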
+diff --git a/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml b/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml
+index 849ab06f6..1a4927eec 100644
+--- a/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml
++++ b/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml
+@@ -368,7 +368,7 @@ $ sudo egrep "^SHA_CRYPT_" /etc/login.defs
+
+ If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding.
+
+-If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
++If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file.
+
+ Generate an encrypted grub2 password for the grub superusers account with the following command:
+
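Review bot: The fix text for RHEL-08-010140 now names /boot/efi/EFI/almalinux/user.cfg, but this file is a test fixture holding the DISA STIG manual for Red Hat Enterprise Linux 8 (see the file name and the "DPMS Target Red Hat Enterprise Linux 8" text on the same line). Editing the path makes the fixture diverge from the document it is meant to reproduce, and any tooling that compares rule text against the STIG would be tested against wording DISA never published. Leave the fixture as it was and exclude tests/data/utils from the path substitution.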
+@@ -378,7 +378,7 @@ Confirm password:For systems that use BIOS, this is Not Applicable.
++$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable.
+
+ Verify that a unique name is set as the "superusers" account:
+
+-$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
++$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg
+ set superusers="[someuniquestringhere]"
+ export superusers
+
+diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
+index d11a2ea48..2a0d14294 100644
+--- a/tests/shared/grub2.sh
++++ b/tests/shared/grub2.sh
+@@ -7,10 +7,10 @@ function set_grub_uefi_root {
+ if grep VERSION /etc/os-release | grep -q '9\.0'; then
+ GRUB_CFG_ROOT=/boot/grub2
+ else
+- GRUB_CFG_ROOT=/boot/efi/EFI/redhat
++ GRUB_CFG_ROOT=/boot/efi/EFI/almalinux
+ fi
+ elif grep NAME /etc/os-release | grep -iq "Oracle"; then
+- GRUB_CFG_ROOT=/boot/efi/EFI/redhat
++ GRUB_CFG_ROOT=/boot/efi/EFI/almalinux
+ fi
+ }
+
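Review bot: In set_grub_uefi_root, the branch guarded by grep -iq "Oracle" now sets GRUB_CFG_ROOT=/boot/efi/EFI/almalinux, so test scenarios run on Oracle Linux would look for GRUB configuration under an AlmaLinux directory. The else branch above it is changed the same way without any check that the host is AlmaLinux. Keep the existing assignments and add a separate branch that matches AlmaLinux in /etc/os-release and sets the almalinux path there, so each distribution resolves its own EFI directory.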
+diff --git a/tests/unit/ssg-module/data/product.yml b/tests/unit/ssg-module/data/product.yml
+index 540ab0181..191dde4ec 100644
+--- a/tests/unit/ssg-module/data/product.yml
++++ b/tests/unit/ssg-module/data/product.yml
+@@ -25,7 +25,7 @@ aux_pkg_version: "5a6340b3"
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "7E4624258C406535D56D6F135054E4A45A6340B3"
+
+-grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
++grub2_uefi_boot_path: "/boot/efi/EFI/almalinux"
+
+ cpes_root: "./applicability"
+ cpes:
diff --git a/tests/unit/ssg_test_suite/data/correct.pass.sh b/tests/unit/ssg_test_suite/data/correct.pass.sh
index 5a2bc1005..c3dfe6dce 100644
--- a/tests/unit/ssg_test_suite/data/correct.pass.sh
@@ -8990,3 +6803,15 @@ index 5a2bc1005..c3dfe6dce 100644
# profiles = xccdf_org.ssgproject.content_profile_cis
# check = oval
# remediation = none
+diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py
+index e3c4bc4ae..fe2220ac0 100755
+--- a/utils/ansible_playbook_to_role.py
++++ b/utils/ansible_playbook_to_role.py
+@@ -65,6 +65,7 @@ yaml.add_constructor(_mapping_tag, dict_constructor)
+ PRODUCT_ALLOWLIST = set([
+ "rhel8",
+ "rhel9",
++ "almalinux10",
+ ])
+
+ PROFILE_ALLOWLIST = set([