scap-security-guide/SOURCES/scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch

From 38cc9c9eb785f17fbc23a2e7ccbb9902d069f4b3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 16:16:17 +0100
Subject: [PATCH 1/4] create new rules, add missing reference to older rule

---
 .../rule.yml                                  | 26 +++++++++++++++
 .../package_openssh-server_installed/rule.yml |  1 +
 .../rule.yml                                  | 32 +++++++++++++++++++
 .../rule.yml                                  | 29 +++++++++++++++++
 5 files changed, 88 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
 create mode 100644 linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml

diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
new file mode 100644
index 0000000000..9b3c55f23b
--- /dev/null
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install OpenSSH client software'
+
+description: |-
+    {{{ describe_package_install(package="openssh-clients") }}}
+
+rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82722-0
+
+references:
+    srg: SRG-OS-000480-GPOS-00227
+    ospp: FIA_UAU.5,FTP_ITC_EXT.1
+
+{{{ complete_ocil_entry_package(package='openssh-clients') }}}
+
+template:
+    name: package_installed
+    vars:
+        pkgname: openssh-clients
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
index c18e604a5c..ba013ec509 100644
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
@@ -28,6 +28,7 @@ references:
     cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
     cis-csc: 13,14
+    ospp: FIA_UAU.5,FTP_ITC_EXT.1
 
 ocil_clause: 'the package is not installed'
 
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
new file mode 100644
index 0000000000..6025f0cd33
--- /dev/null
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install policycoreutils-python-utils package'
+
+description: |-
+    {{{ describe_package_install(package="policycoreutils-python-utils") }}}
+
+rationale: |-
+    Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
+    with enhanced security functionality designed to add mandatory access controls to Linux.
+    The Security-enhanced Linux kernel contains new architectural components originally
+    developed to improve security of the Flask operating system. These architectural components
+    provide general support for the enforcement of many kinds of mandatory access control
+    policies, including those based on the concepts of Type Enforcement, Role-based Access
+    Control, and Multi-level Security. 
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82724-6
+
+references:
+    srg: SRG-OS-000480-GPOS-00227 
+
+{{{ complete_ocil_entry_package(package='policycoreutils-python-utils') }}}
+
+template:
+    name: package_installed
+    vars:
+        pkgname: policycoreutils-python-utils
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
new file mode 100644
index 0000000000..c418518e7a
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install crypto-policies package'
+
+description: |-
+    {{{ describe_package_install(package="crypto-policies") }}}
+
+rationale: |-
+    The <tt>crypto-policies</tt> package provides configuration and tools to
+    apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
+    
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82723-8
+
+references:
+    ospp: FCS_COP*
+    srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+
+{{{ complete_ocil_entry_package(package='crypto-policies') }}}
+
+template:
+    name: package_installed
+    vars:
+        pkgname: crypto-policies
From 0c54cbf24a83e38c89841d4dc65a5fbe51fd2f99 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 16:18:03 +0100
Subject: [PATCH 2/4] modify ospp profile

---
 rhel8/profiles/ospp.profile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 4d5a9edd8e..c672066050 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -169,17 +169,17 @@ selections:
     - package_dnf-plugin-subscription-manager_installed
     - package_firewalld_installed
     - package_iptables_installed
-    - package_libcap-ng-utils_installed
     - package_openscap-scanner_installed
     - package_policycoreutils_installed
     - package_rng-tools_installed
     - package_sudo_installed
     - package_usbguard_installed
-    - package_audispd-plugins_installed
     - package_scap-security-guide_installed
     - package_audit_installed
-    - package_gnutls-utils_installed
-    - package_nss-tools_installed
+    - package_crypto-policies_installed
+    - package_openssh-server_installed
+    - package_openssh-clients_installed
+    - package_policycoreutils-python-utils_installed
 
     ### Remove Prohibited Packages
     - package_sendmail_removed
@@ -316,7 +316,7 @@ selections:
     ## Configure the System to Offload Audit Records to a Log
     ##  Server
     ## AU-4(1) / FAU_GEN.1.1.c
-    - auditd_audispd_syslog_plugin_activated
+    # temporarily dropped
 
     ## Set Logon Warning Banner
     ## AC-8(a) / FMT_MOF_EXT.1

From 105efe3a51118eca22c36771ce22d45778a4c34f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 16:18:52 +0100
Subject: [PATCH 3/4] add rules to rhel8 stig profile

---
 rhel8/profiles/stig.profile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 821cc26914..7eb1869a3c 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -33,6 +33,9 @@ selections:
     - encrypt_partitions
     - sysctl_net_ipv4_tcp_syncookies
     - clean_components_post_updating
+    - package_audispd-plugins_installed
+    - package_libcap-ng-utils_installed
+    - auditd_audispd_syslog_plugin_activated
 
     # Configure TLS for remote logging
     - package_rsyslog_installed

From 1a5e17c9a6e3cb3ad6cc2cc4601ea49f2f6278ce Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 17:42:43 +0100
Subject: [PATCH 4/4] rephrase some rationales, fix SFR

---
 .../ssh/package_openssh-clients_installed/rule.yml       | 4 +++-
 .../rule.yml                                             | 9 ++-------
 .../crypto/package_crypto-policies_installed/rule.yml    | 8 ++++----
 3 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
index 9b3c55f23b..f5b29d32e8 100644
--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
@@ -7,7 +7,9 @@ title: 'Install OpenSSH client software'
 description: |-
     {{{ describe_package_install(package="openssh-clients") }}}
 
-rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
+rationale: |-
+    This package includes utilities to make encrypted connections and transfer
+    files securely to SSH servers. 
 
 severity: medium
 
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
index 6025f0cd33..7ae7461077 100644
--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
@@ -8,13 +8,8 @@ description: |-
     {{{ describe_package_install(package="policycoreutils-python-utils") }}}
 
 rationale: |-
-    Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
-    with enhanced security functionality designed to add mandatory access controls to Linux.
-    The Security-enhanced Linux kernel contains new architectural components originally
-    developed to improve security of the Flask operating system. These architectural components
-    provide general support for the enforcement of many kinds of mandatory access control
-    policies, including those based on the concepts of Type Enforcement, Role-based Access
-    Control, and Multi-level Security. 
+    This package is required to operate and manage an SELinux environment and its policies.
+    It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.
 
 severity: medium
 
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
index c418518e7a..bb07f9d617 100644
--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
@@ -8,9 +8,9 @@ description: |-
     {{{ describe_package_install(package="crypto-policies") }}}
 
 rationale: |-
-    The <tt>crypto-policies</tt> package provides configuration and tools to
-    apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
-    
+    Centralized cryptographic policies simplify applying secure ciphers across an operating system and
+    the applications that run on that operating system. Use of weak or untested encryption algorithms
+    undermines the purposes of utilizing encryption to protect data.
 
 severity: medium
 
@@ -18,7 +18,7 @@ identifiers:
     cce@rhel8: 82723-8
 
 references:
-    ospp: FCS_COP*
+    ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4)
     srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
 
 {{{ complete_ocil_entry_package(package='crypto-policies') }}}
import scap-security-guide-0.1.48-7.el8 2020-04-28 09:32:22 +00:00			`From 38cc9c9eb785f17fbc23a2e7ccbb9902d069f4b3 Mon Sep 17 00:00:00 2001`
			`From: Vojtech Polasek <vpolasek@redhat.com>`
			`Date: Mon, 10 Feb 2020 16:16:17 +0100`
			`Subject: [PATCH 1/4] create new rules, add missing reference to older rule`

			`---`
			`.../rule.yml \| 26 +++++++++++++++`
			`.../package_openssh-server_installed/rule.yml \| 1 +`
			`.../rule.yml \| 32 +++++++++++++++++++`
			`.../rule.yml \| 29 +++++++++++++++++`
			`5 files changed, 88 insertions(+), 3 deletions(-)`
			`create mode 100644 linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml`
			`create mode 100644 linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml`
			`create mode 100644 linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml`

			`diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml`
			`new file mode 100644`
			`index 0000000000..9b3c55f23b`
			`--- /dev/null`
			`+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml`
			`@@ -0,0 +1,26 @@`
			`+documentation_complete: true`
			`+`
			`+prodtype: rhel8`
			`+`
			`+title: 'Install OpenSSH client software'`
			`+`
			`+description: \|-`
			`+ {{{ describe_package_install(package="openssh-clients") }}}`
			`+`
			`+rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'`
			`+`
			`+severity: medium`
			`+`
			`+identifiers:`
			`+ cce@rhel8: 82722-0`
			`+`
			`+references:`
			`+ srg: SRG-OS-000480-GPOS-00227`
			`+ ospp: FIA_UAU.5,FTP_ITC_EXT.1`
			`+`
			`+{{{ complete_ocil_entry_package(package='openssh-clients') }}}`
			`+`
			`+template:`
			`+ name: package_installed`
			`+ vars:`
			`+ pkgname: openssh-clients`
			`diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml`
			`index c18e604a5c..ba013ec509 100644`
			`--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml`
			`+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml`
			`@@ -28,6 +28,7 @@ references:`
			`cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06`
			`iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5`
			`cis-csc: 13,14`
			`+ ospp: FIA_UAU.5,FTP_ITC_EXT.1`

			`ocil_clause: 'the package is not installed'`

			`diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml`
			`new file mode 100644`
			`index 0000000000..6025f0cd33`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml`
			`@@ -0,0 +1,32 @@`
			`+documentation_complete: true`
			`+`
			`+prodtype: rhel8`
			`+`
			`+title: 'Install policycoreutils-python-utils package'`
			`+`
			`+description: \|-`
			`+ {{{ describe_package_install(package="policycoreutils-python-utils") }}}`
			`+`
			`+rationale: \|-`
			`+ Security-enhanced Linux is a feature of the Linux kernel and a number of utilities`
			`+ with enhanced security functionality designed to add mandatory access controls to Linux.`
			`+ The Security-enhanced Linux kernel contains new architectural components originally`
			`+ developed to improve security of the Flask operating system. These architectural components`
			`+ provide general support for the enforcement of many kinds of mandatory access control`
			`+ policies, including those based on the concepts of Type Enforcement, Role-based Access`
			`+ Control, and Multi-level Security.`
			`+`
			`+severity: medium`
			`+`
			`+identifiers:`
			`+ cce@rhel8: 82724-6`
			`+`
			`+references:`
			`+ srg: SRG-OS-000480-GPOS-00227`
			`+`
			`+{{{ complete_ocil_entry_package(package='policycoreutils-python-utils') }}}`
			`+`
			`+template:`
			`+ name: package_installed`
			`+ vars:`
			`+ pkgname: policycoreutils-python-utils`
			`diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml`
			`new file mode 100644`
			`index 0000000000..c418518e7a`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml`
			`@@ -0,0 +1,29 @@`
			`+documentation_complete: true`
			`+`
			`+prodtype: rhel8`
			`+`
			`+title: 'Install crypto-policies package'`
			`+`
			`+description: \|-`
			`+ {{{ describe_package_install(package="crypto-policies") }}}`
			`+`
			`+rationale: \|-`
			`+ The <tt>crypto-policies</tt> package provides configuration and tools to`
			`+ apply centralizet cryptographic policies for backends such as SSL/TLS libraries.`
			`+`
			`+`
			`+severity: medium`
			`+`
			`+identifiers:`
			`+ cce@rhel8: 82723-8`
			`+`
			`+references:`
			`+ ospp: FCS_COP*`
			`+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174`
			`+`
			`+{{{ complete_ocil_entry_package(package='crypto-policies') }}}`
			`+`
			`+template:`
			`+ name: package_installed`
			`+ vars:`
			`+ pkgname: crypto-policies`
			`From 0c54cbf24a83e38c89841d4dc65a5fbe51fd2f99 Mon Sep 17 00:00:00 2001`
			`From: Vojtech Polasek <vpolasek@redhat.com>`
			`Date: Mon, 10 Feb 2020 16:18:03 +0100`
			`Subject: [PATCH 2/4] modify ospp profile`

			`---`
			`rhel8/profiles/ospp.profile \| 10 +++++-----`
			`1 file changed, 5 insertions(+), 5 deletions(-)`

			`diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile`
			`index 4d5a9edd8e..c672066050 100644`
			`--- a/rhel8/profiles/ospp.profile`
			`+++ b/rhel8/profiles/ospp.profile`
			`@@ -169,17 +169,17 @@ selections:`
			`- package_dnf-plugin-subscription-manager_installed`
			`- package_firewalld_installed`
			`- package_iptables_installed`
			`- - package_libcap-ng-utils_installed`
			`- package_openscap-scanner_installed`
			`- package_policycoreutils_installed`
			`- package_rng-tools_installed`
			`- package_sudo_installed`
			`- package_usbguard_installed`
			`- - package_audispd-plugins_installed`
			`- package_scap-security-guide_installed`
			`- package_audit_installed`
			`- - package_gnutls-utils_installed`
			`- - package_nss-tools_installed`
			`+ - package_crypto-policies_installed`
			`+ - package_openssh-server_installed`
			`+ - package_openssh-clients_installed`
			`+ - package_policycoreutils-python-utils_installed`

			`### Remove Prohibited Packages`
			`- package_sendmail_removed`
			`@@ -316,7 +316,7 @@ selections:`
			`## Configure the System to Offload Audit Records to a Log`
			`## Server`
			`## AU-4(1) / FAU_GEN.1.1.c`
			`- - auditd_audispd_syslog_plugin_activated`
			`+ # temporarily dropped`

			`## Set Logon Warning Banner`
			`## AC-8(a) / FMT_MOF_EXT.1`

			`From 105efe3a51118eca22c36771ce22d45778a4c34f Mon Sep 17 00:00:00 2001`
			`From: Vojtech Polasek <vpolasek@redhat.com>`
			`Date: Mon, 10 Feb 2020 16:18:52 +0100`
			`Subject: [PATCH 3/4] add rules to rhel8 stig profile`

			`---`
			`rhel8/profiles/stig.profile \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile`
			`index 821cc26914..7eb1869a3c 100644`
			`--- a/rhel8/profiles/stig.profile`
			`+++ b/rhel8/profiles/stig.profile`
			`@@ -33,6 +33,9 @@ selections:`
			`- encrypt_partitions`
			`- sysctl_net_ipv4_tcp_syncookies`
			`- clean_components_post_updating`
			`+ - package_audispd-plugins_installed`
			`+ - package_libcap-ng-utils_installed`
			`+ - auditd_audispd_syslog_plugin_activated`

			`# Configure TLS for remote logging`
			`- package_rsyslog_installed`

			`From 1a5e17c9a6e3cb3ad6cc2cc4601ea49f2f6278ce Mon Sep 17 00:00:00 2001`
			`From: Vojtech Polasek <vpolasek@redhat.com>`
			`Date: Mon, 10 Feb 2020 17:42:43 +0100`
			`Subject: [PATCH 4/4] rephrase some rationales, fix SFR`

			`---`
			`.../ssh/package_openssh-clients_installed/rule.yml \| 4 +++-`
			`.../rule.yml \| 9 ++-------`
			`.../crypto/package_crypto-policies_installed/rule.yml \| 8 ++++----`
			`3 files changed, 9 insertions(+), 12 deletions(-)`

			`diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml`
			`index 9b3c55f23b..f5b29d32e8 100644`
			`--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml`
			`+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml`
			`@@ -7,7 +7,9 @@ title: 'Install OpenSSH client software'`
			`description: \|-`
			`{{{ describe_package_install(package="openssh-clients") }}}`

			`-rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'`
			`+rationale: \|-`
			`+ This package includes utilities to make encrypted connections and transfer`
			`+ files securely to SSH servers.`

			`severity: medium`

			`diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml`
			`index 6025f0cd33..7ae7461077 100644`
			`--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml`
			`+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml`
			`@@ -8,13 +8,8 @@ description: \|-`
			`{{{ describe_package_install(package="policycoreutils-python-utils") }}}`

			`rationale: \|-`
			`- Security-enhanced Linux is a feature of the Linux kernel and a number of utilities`
			`- with enhanced security functionality designed to add mandatory access controls to Linux.`
			`- The Security-enhanced Linux kernel contains new architectural components originally`
			`- developed to improve security of the Flask operating system. These architectural components`
			`- provide general support for the enforcement of many kinds of mandatory access control`
			`- policies, including those based on the concepts of Type Enforcement, Role-based Access`
			`- Control, and Multi-level Security.`
			`+ This package is required to operate and manage an SELinux environment and its policies.`
			`+ It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.`

			`severity: medium`

			`diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml`
			`index c418518e7a..bb07f9d617 100644`
			`--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml`
			`+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml`
			`@@ -8,9 +8,9 @@ description: \|-`
			`{{{ describe_package_install(package="crypto-policies") }}}`

			`rationale: \|-`
			`- The <tt>crypto-policies</tt> package provides configuration and tools to`
			`- apply centralizet cryptographic policies for backends such as SSL/TLS libraries.`
			`-`
			`+ Centralized cryptographic policies simplify applying secure ciphers across an operating system and`
			`+ the applications that run on that operating system. Use of weak or untested encryption algorithms`
			`+ undermines the purposes of utilizing encryption to protect data.`

			`severity: medium`

			`@@ -18,7 +18,7 @@ identifiers:`
			`cce@rhel8: 82723-8`

			`references:`
			`- ospp: FCS_COP*`
			`+ ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4)`
			`srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174`

			`{{{ complete_ocil_entry_package(package='crypto-policies') }}}`