import scap-security-guide-0.1.63-4.el8

2022-11-08 01:43:24 -05:00 · 2022-11-08 01:43:24 -05:00 · 1d4339f8b0
commit 1d4339f8b0
parent 48dd54229e
19 changed files with 4980 additions and 2473 deletions
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@ -1,24 +1,8 @@
-From eaa73e6d6e3de62e9ed895de7b4b1f2f1c1280ca Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 9 Aug 2022 10:04:01 +0200
-Subject: [PATCH 1/8] Disable profiles not in a good shape
-
-Patch-name: disable-not-in-good-shape-profiles.patch
-Patch-status: |-
-    Disable profiles that are not in good shape for products/rhel8
-Patch-id: 0
---
- products/rhel8/CMakeLists.txt            | 1 -
- products/rhel8/profiles/cjis.profile     | 2 +-
- products/rhel8/profiles/rht-ccp.profile  | 2 +-
- products/rhel8/profiles/standard.profile | 2 +-
- 4 files changed, 3 insertions(+), 4 deletions(-)
-
 diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
-index 9c044b68ab..8f6ca03de8 100644
+index 5258591c7f..cc4b9c5720 100644
 --- a/products/rhel8/CMakeLists.txt
 +++ b/products/rhel8/CMakeLists.txt
-@@ -10,7 +10,6 @@ ssg_build_product(${PRODUCT})
+@@ -11,7 +11,6 @@ ssg_build_product(${PRODUCT})
 ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
 
 ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist")
@ -26,8 +10,8 @@ index 9c044b68ab..8f6ca03de8 100644
 ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
 
 ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi")
-diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
-index 30843b692e..18394802b9 100644
+diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
+index 035d2705b..c6475f33e 100644
 --- a/products/rhel8/profiles/cjis.profile
 +++ b/products/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
@ -36,8 +20,8 @@ index 30843b692e..18394802b9 100644
 
 metadata:
     version: 5.4
-diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
-index e8e7e3a72f..d293c779bb 100644
+diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
+index c84579592..164ec98c4 100644
 --- a/products/rhel8/profiles/rht-ccp.profile
 +++ b/products/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
@ -46,8 +30,8 @@ index e8e7e3a72f..d293c779bb 100644
 
 title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
 
-diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
-index a63ae2cf32..da669bb843 100644
+diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
+index a63ae2cf3..da669bb84 100644
 --- a/products/rhel8/profiles/standard.profile
 +++ b/products/rhel8/profiles/standard.profile
@@ -1,4 +1,4 @@
@ -57,5 +41,5 @@ index a63ae2cf32..da669bb843 100644
 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
 
 -- 
-2.37.1
+2.26.2

--- a/SOURCES/scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
+++ b/SOURCES/scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
@ -1,52 +1,21 @@
-From c4ce06ce707529c14376ca8bb6e2b03f072e81fd Mon Sep 17 00:00:00 2001
-From: Evgeny Kolesnikov <ekolesni@redhat.com>
-Date: Wed, 10 Aug 2022 13:20:29 +0200
-Subject: [PATCH 11/12] Merge pull request #9204 from
- matejak/applicability_var_tmp
+From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Thu, 21 Jul 2022 16:42:41 +0200
+Subject: [PATCH 1/3] Add platforms for partition existence

-Patch-name: scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch
-Patch-status: Introduce and apply the "partition exists" platform
 ---
- .../mount_option_var_tmp_nodev/rule.yml       |  3 ++-
- .../tests/notapplicable.pass.sh               |  5 +++++
 shared/applicability/general.yml              | 14 +++++++++++++
- .../checks/oval/installed_env_mounts_tmp.xml  | 10 ++++++++++
- .../oval/installed_env_mounts_var_tmp.xml     | 10 ++++++++++
+ .../checks/oval/installed_env_mounts_tmp.xml  | 10 +++++++++
+ .../oval/installed_env_mounts_var_tmp.xml     | 10 +++++++++
 shared/macros/10-ansible.jinja                |  5 +++++
 shared/macros/10-bash.jinja                   |  5 +++++
- shared/macros/10-oval.jinja                   | 20 +++++++++++++++++++
- 8 files changed, 71 insertions(+), 1 deletion(-)
- create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
+ shared/macros/10-oval.jinja                   | 21 +++++++++++++++++++
+ 6 files changed, 65 insertions(+)
 create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml
 create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml

-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
-index 8ee8c8b12e..741d097328 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
-@@ -38,7 +38,8 @@ references:
-     stigid@ol8: OL08-00-040132
-     stigid@rhel8: RHEL-08-040132
- 
-platform: machine
-+platforms:
-+  - machine and partition-var-tmp
- 
- template:
-     name: mount_option
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
-new file mode 100644
-index 0000000000..241c0103d8
--- /dev/null
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+
-+. $SHARED/partition.sh
-+
-+clean_up_partition /var/tmp  # Remove the partition from the system, and unmount it
 diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
-index 2d23d75314..e2f5d04ce0 100644
+index 2d23d753148..e2f5d04ce00 100644
 --- a/shared/applicability/general.yml
 +++ b/shared/applicability/general.yml
@@ -77,6 +77,20 @@ cpes:
@ -72,7 +41,7 @@ index 2d23d75314..e2f5d04ce0 100644
       title: "Package polkit is installed"
 diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
 new file mode 100644
-index 0000000000..edd8ad050f
+index 00000000000..c1bcd6b2431
 --- /dev/null
 +++ b/shared/checks/oval/installed_env_mounts_tmp.xml
@@ -0,0 +1,10 @@
@ -84,11 +53,11 @@ index 0000000000..edd8ad050f
 +    </criteria>
 +  </definition>
 +
-+  {{{ partition_exists_test_object("/tmp") }}}
+  {{{ partition_exists_tos("/tmp") }}}
 +</def-group>
 diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
 new file mode 100644
-index 0000000000..cf9aafbdb0
+index 00000000000..a72f49c8a8f
 --- /dev/null
 +++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
@@ -0,0 +1,10 @@
@ -100,13 +69,13 @@ index 0000000000..cf9aafbdb0
 +    </criteria>
 +  </definition>
 +
-+  {{{ partition_exists_test_object("/var/tmp") }}}
+  {{{ partition_exists_tos("/var/tmp") }}}
 +</def-group>
 diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
-index 20dc2020e4..5e40fe4aa2 100644
+index 2d24f730d3f..478f0072bc7 100644
 --- a/shared/macros/10-ansible.jinja
 +++ b/shared/macros/10-ansible.jinja
-@@ -1432,3 +1432,8 @@ Part of the grub2_bootloader_argument_absent template.
+@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template.
   when:
     - result_pam_file_present.stat.exists
 {{%- endmacro -%}}
@ -116,10 +85,10 @@ index 20dc2020e4..5e40fe4aa2 100644
 +"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
 +{{%- endmacro -%}}
 diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
-index 41d9e18a1e..b0f7f3cf4a 100644
+index 94c3c6f9570..6a7fb165fd2 100644
 --- a/shared/macros/10-bash.jinja
 +++ b/shared/macros/10-bash.jinja
-@@ -2073,3 +2073,8 @@ else
+@@ -2085,3 +2085,8 @@ else
     echo "{{{ pam_file }}} was not found" >&2
 fi
 {{%- endmacro -%}}
@ -129,33 +98,130 @@ index 41d9e18a1e..b0f7f3cf4a 100644
 +'findmnt --mountpoint "{{{ path }}}" > /dev/null'
 +{{%- endmacro -%}}
 diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
-index c8d7bbeffb..f302091f7d 100644
+index c8d7bbeffb7..1ec93b6ef7d 100644
 --- a/shared/macros/10-oval.jinja
 +++ b/shared/macros/10-oval.jinja
-@@ -926,3 +926,23 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
+@@ -926,3 +926,24 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
 {{%- else %}}
   {{%- set user_list="nobody" %}}
 {{%- endif %}}
 +
 +
 +{{%- macro partition_exists_criterion(path) %}}
-+{{%- set escaped_path = path | escape_id %}}
+{{%- set escaped_path = path | replace("/", "_") %}}
 +      <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path  }}}_exists" />
 +{{%- endmacro %}}
 +
-+{{%- macro partition_exists_test_object(path) %}}
-+{{%- set escaped_path = path | escape_id %}}
+{{%- macro partition_exists_tos(path) %}}
+{{%- set escaped_path = path | replace("/", "_") %}}
 +  <linux:partition_test check="all" check_existence="all_exist"
 +      comment="Partition {{{ path }}} exists"
 +      id="test_partition_{{{ escaped_path }}}_exists"
 +  version="1">
 +    <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
+    {{#- <linux:partition_state state_ref="" /> #}}
 +  </linux:partition_test>
 +
 +  <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
 +    <linux:mount_point>{{{ path }}}</linux:mount_point>
 +  </linux:partition_object>
 +{{%- endmacro %}}
-- 
-2.37.1

+From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Thu, 21 Jul 2022 16:43:21 +0200
+Subject: [PATCH 2/3] Use partition exist platforms on a real rule
+
+---
+ .../partitions/mount_option_var_tmp_nodev/rule.yml           | 3 ++-
+ .../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh   | 5 +++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
+
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+index 8ee8c8b12e0..741d0973283 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+@@ -38,7 +38,8 @@ references:
+     stigid@ol8: OL08-00-040132
+     stigid@rhel8: RHEL-08-040132
+ 
+-platform: machine
+platforms:
+  - machine and partition-var-tmp
+ 
+ template:
+     name: mount_option
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
+new file mode 100644
+index 00000000000..241c0103d82
+--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
+@@ -0,0 +1,5 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+clean_up_partition /var/tmp  # Remove the partition from the system, and unmount it
+
+From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Wed, 10 Aug 2022 11:32:38 +0200
+Subject: [PATCH 3/3] Improve code style
+
+- Improve description of OVAL macro
+- Use the escape_id filter to produce IDs
+---
+ shared/checks/oval/installed_env_mounts_tmp.xml     | 2 +-
+ shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +-
+ shared/macros/10-oval.jinja                         | 7 +++----
+ 3 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
+index c1bcd6b2431..edd8ad050f5 100644
+--- a/shared/checks/oval/installed_env_mounts_tmp.xml
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
+@@ -6,5 +6,5 @@
+     </criteria>
+   </definition>
+ 
+-  {{{ partition_exists_tos("/tmp") }}}
+  {{{ partition_exists_test_object("/tmp") }}}
+ </def-group>
+diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
+index a72f49c8a8f..cf9aafbdb04 100644
+--- a/shared/checks/oval/installed_env_mounts_var_tmp.xml
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
+@@ -6,5 +6,5 @@
+     </criteria>
+   </definition>
+ 
+-  {{{ partition_exists_tos("/var/tmp") }}}
+  {{{ partition_exists_test_object("/var/tmp") }}}
+ </def-group>
+diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
+index 1ec93b6ef7d..f302091f7df 100644
+--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
+@@ -929,18 +929,17 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
+ 
+ 
+ {{%- macro partition_exists_criterion(path) %}}
+-{{%- set escaped_path = path | replace("/", "_") %}}
+{{%- set escaped_path = path | escape_id %}}
+       <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path  }}}_exists" />
+ {{%- endmacro %}}
+ 
+-{{%- macro partition_exists_tos(path) %}}
+-{{%- set escaped_path = path | replace("/", "_") %}}
+{{%- macro partition_exists_test_object(path) %}}
+{{%- set escaped_path = path | escape_id %}}
+   <linux:partition_test check="all" check_existence="all_exist"
+       comment="Partition {{{ path }}} exists"
+       id="test_partition_{{{ escaped_path }}}_exists"
+   version="1">
+     <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
+-    {{#- <linux:partition_state state_ref="" /> #}}
+   </linux:partition_test>
+ 
+   <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
--- a/SOURCES/scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path
+++ b/SOURCES/scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path
@ -1,11 +1,8 @@
-From 89687cb88490f24428ae553021c667303980d8f4 Mon Sep 17 00:00:00 2001
-From: Evgeny Kolesnikov <ekolesni@redhat.com>
-Date: Wed, 10 Aug 2022 16:16:54 +0200
-Subject: [PATCH 12/12] Merge pull request #9324 from
- matejak/applicability_var_tmp
+From 51d7ee352dd2e90cb711d949cc59fb36c7fbe5da Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Wed, 10 Aug 2022 13:35:50 +0200
+Subject: [PATCH] Add the platform applicability to relevant rules

-Patch-name: scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path
-Patch-status: Add the platform applicability to relevant rules
 ---
 .../permissions/partitions/mount_option_tmp_nodev/rule.yml      | 2 +-
 .../permissions/partitions/mount_option_tmp_noexec/rule.yml     | 2 +-
@ -16,7 +13,7 @@ Patch-status: Add the platform applicability to relevant rules
 6 files changed, 6 insertions(+), 6 deletions(-)

 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
-index 45a73e0286..79a19a8d30 100644
+index 45a73e0286a..79a19a8d30b 100644
 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
 +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -45,7 +45,7 @@ references:
@ -29,7 +26,7 @@ index 45a73e0286..79a19a8d30 100644
 template:
     name: mount_option
 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
-index 7356183bab..d3f6d6175e 100644
+index 7356183bab3..d3f6d6175e5 100644
 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
 +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -44,7 +44,7 @@ references:
@ -42,7 +39,7 @@ index 7356183bab..d3f6d6175e 100644
 template:
     name: mount_option
 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
-index d153b86934..10790dc95a 100644
+index d153b86934f..10790dc95a7 100644
 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
 +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -45,7 +45,7 @@ references:
@ -55,7 +52,7 @@ index d153b86934..10790dc95a 100644
 template:
     name: mount_option
 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
-index 133e7727ca..05992df4b4 100644
+index 133e7727ca7..05992df4b49 100644
 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
 +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
@@ -31,7 +31,7 @@ references:
@ -68,7 +65,7 @@ index 133e7727ca..05992df4b4 100644
 template:
     name: mount_option
 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
-index 39fd458ec6..dc00b2f237 100644
+index 39fd458ec6b..dc00b2f2376 100644
 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
 +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -38,7 +38,7 @@ references:
@ -81,7 +78,7 @@ index 39fd458ec6..dc00b2f237 100644
 template:
     name: mount_option
 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
-index 349f334895..f0c26b6d9c 100644
+index 349f3348955..f0c26b6d9c5 100644
 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
 +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -38,7 +38,7 @@ references:
@ -93,6 +90,3 @@ index 349f334895..f0c26b6d9c 100644
 
 template:
     name: mount_option
-- 
-2.37.1
-
--- a/SOURCES/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
+++ b/SOURCES/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
@ -1,26 +1,48 @@
-From 7db8ad5f312b632d6b8a176b615929ffa5cb1de3 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 15 Aug 2022 14:47:40 +0200
-Subject: [PATCH 13/13] Merge pull request #9339 from
- yuumasato/fix_ansible_partition_conditionals
+From 779ffcf0a51a1ad5a13e5b8ee29ce044d93eca55 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 15 Aug 2022 13:14:58 +0200
+Subject: [PATCH 1/2] Access the mounts via ansible_mounts

-Patch-name: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
-Patch-status: Fix ansible partition conditionals
+It seems that the data about ansible_mounts should be accessed without
+the 'ansible_facts' prefix.
 ---
 shared/macros/10-ansible.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
-index 5e40fe4aa2..55a78c3a8b 100644
+index 478f0072bc7..e8bff0973f5 100644
 --- a/shared/macros/10-ansible.jinja
 +++ b/shared/macros/10-ansible.jinja
-@@ -1435,5 +1435,5 @@ Part of the grub2_bootloader_argument_absent template.
+@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
 
 
 {{%- macro ansible_partition_conditional(path) -%}}
 -"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+ {{%- endmacro -%}}
+
+From 4963d70d565919d0db6c0bc35f3fd4274d474310 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 15 Aug 2022 13:16:24 +0200
+Subject: [PATCH 2/2] Avoid use of json_query and additional dependency
+
+The json_query filter requires package jmespath to be installed.
+
+This also avoids mismatchs in python version between ansible and
+python3-jmespath. Some distros (RHEL8) don't have jmespath module
+available for the same python version ansible is using.
+---
+ shared/macros/10-ansible.jinja | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
+index e8bff0973f5..beb2bc11403 100644
+--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
+@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
+ 
+ 
+ {{%- macro ansible_partition_conditional(path) -%}}
+-"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
 +'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'
 {{%- endmacro -%}}
-- 
-2.37.2
-
--- a/SOURCES/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
+++ b/SOURCES/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
@ -0,0 +1,33 @@
+From 61ff9fd6f455ee49608cab2c851a3819c180c30a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 16 Aug 2022 18:53:02 +0200
+Subject: [PATCH] Don't fail rule if /etc/grubenv missing on s390x
+
+There is no need to check  /etc/grubenv for fips=1 on s390x systems, it
+uses zIPL.
+---
+ .../integrity/fips/enable_fips_mode/oval/shared.xml      | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+index 65056a654c6..7af675de0d3 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+@@ -7,9 +7,16 @@
+       <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
+       <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
+       <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
+-      {{% if product in ["ol8","rhel8"] %}}
+      {{% if product in ["ol8"] %}}
+       <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
+       test_ref="test_grubenv_fips_mode" />
+      {{% elif product in ["rhel8"] %}}
+      <criteria operator="OR">
+        <extend_definition comment="Generic test for s390x architecture"
+        definition_ref="system_info_architecture_s390_64" />
+        <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
+        test_ref="test_grubenv_fips_mode" />
+      </criteria>
+       {{% endif %}}
+     </criteria>
+   </definition>
--- a/SOURCES/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
+++ b/SOURCES/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
@ -0,0 +1,107 @@
+From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 5 Aug 2022 12:45:24 +0200
+Subject: [PATCH] Fix rule sudo_custom_logfile
+
+- Allow only white space after the Default keyword to avoid
+  matching words that only start with Default.
+- If the variable value contains slashes they need to be escaped
+  because the sed command uses slashes as a separator, otherwise
+  the sed doesn't replace the wrong line during a remediation.
+
+Also adds 2 test scenarios.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109
+---
+ .../guide/system/software/sudo/sudo_custom_logfile/rule.yml  | 2 +-
+ .../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh   | 4 ++++
+ .../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh     | 4 ++++
+ shared/templates/sudo_defaults_option/ansible.template       | 2 +-
+ shared/templates/sudo_defaults_option/bash.template          | 5 +++--
+ shared/templates/sudo_defaults_option/oval.template          | 2 +-
+ 6 files changed, 14 insertions(+), 5 deletions(-)
+ create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
+ create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
+
+diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+index 739f5f14936..94fbaaa33ed 100644
+--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo'
+ 
+ ocil: |-
+     To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
+-    <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
+    <pre>$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
+     The command should return a matching output.
+ 
+ template:
+diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
+new file mode 100644
+index 00000000000..13ff4559edb
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
+@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
+new file mode 100644
+index 00000000000..ec24854f0f9
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
+@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers
+diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template
+index 094fa430b64..c9e344ec772 100644
+--- a/shared/templates/sudo_defaults_option/ansible.template
+++ b/shared/templates/sudo_defaults_option/ansible.template
+@@ -8,7 +8,7 @@
+ - name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers
+   lineinfile:
+     path: /etc/sudoers
+-    regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$'
+    regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$'
+     line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2'
+     validate: /usr/sbin/visudo -cf %s
+     backrefs: yes
+diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template
+index e3563d42db6..e7d962a668d 100644
+--- a/shared/templates/sudo_defaults_option/bash.template
+++ b/shared/templates/sudo_defaults_option/bash.template
+@@ -9,7 +9,7 @@
+ {{% endif %}}
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+     cp /etc/sudoers /etc/sudoers.bak
+-    if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
+    if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
+         # sudoers file doesn't define Option {{{ OPTION }}}
+         echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers
+     {{%- if not VARIABLE_NAME %}}
+@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then
+             {{% if '/' in OPTION %}}
+             {{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}}
+             {{% endif %}}
+-            sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers
+            escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}}
+            sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
+         fi
+     fi
+     {{% endif %}}
+diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template
+index c0d81c95093..a9636a7204a 100644
+--- a/shared/templates/sudo_defaults_option/oval.template
+++ b/shared/templates/sudo_defaults_option/oval.template
+@@ -13,7 +13,7 @@
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="object_{{{ OPTION }}}_sudoers" version="1">
+     <ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
+-    <ind:pattern operation="pattern match">^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal" >1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
--- a/SOURCES/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
+++ b/SOURCES/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
@ -0,0 +1,967 @@
+From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Wed, 13 Apr 2022 20:06:18 +0800
+Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard
+
+This patch fixes the issue that the array is expanded to wildcard path instead of its elements.
+A simple test case as follows:
+
+    /etc/rsyslog.conf
+    include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
+    /etc/rsyslog.d/custom1.conf
+    local1.*    /tmp/local1.out
+
+    /etc/rsyslog.d/custom2.conf
+    local2.*    /tmp/local2.out
+---
+ .../rsyslog_files_permissions/bash/shared.sh                  | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index b794ea8db31..02b0c36d899 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -5,8 +5,8 @@
+ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
+ # * And also the log file paths listed after rsyslog's $IncludeConfig directive
+ #   (store the result into array for the case there's shell glob used as value of IncludeConfig)
+-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
+readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
+ 
+ # Declare an array to hold the final list of different log file paths
+ declare -a LOG_FILE_PATHS
+
+From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Thu, 14 Apr 2022 15:58:04 +0800
+Subject: [PATCH 02/15] A better fix.
+
+  * Should also fixed the CI failure.
+---
+ .../rsyslog_files_permissions/bash/shared.sh                | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index 02b0c36d899..1aebb8f9da5 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -5,8 +5,10 @@
+ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
+ # * And also the log file paths listed after rsyslog's $IncludeConfig directive
+ #   (store the result into array for the case there's shell glob used as value of IncludeConfig)
+-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
+-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
+ 
+ # Declare an array to hold the final list of different log file paths
+ declare -a LOG_FILE_PATHS
+
+From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Fri, 15 Apr 2022 10:47:37 +0800
+Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog
+
+---
+ .../include_config_syntax_perms_0600.pass.sh  | 56 ++++++++++++++++++
+ .../include_config_syntax_perms_0601.fail.sh  | 57 +++++++++++++++++++
+ 2 files changed, 113 insertions(+)
+ create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+ create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+new file mode 100755
+index 00000000000..7cb09128d78
+--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+@@ -0,0 +1,56 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
+
+# Check rsyslog.conf with log file permissions 0600 from rules and
+# log file permissions 0600 from $IncludeConfig passes.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS=0600
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+mkdir ${conf_subdir}
+test_subdir_conf=${conf_subdir}/test_subdir.conf
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
+cat << EOF > ${test_subdir_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+
+EOF
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+new file mode 100755
+index 00000000000..942eaf086a1
+--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+@@ -0,0 +1,57 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+
+# Check rsyslog.conf with log file permissions 0600 from rules and
+# log file permissions 0601 from $IncludeConfig fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+mkdir ${conf_subdir}
+test_subdir_conf=${conf_subdir}/test_subdir.conf
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
+cat << EOF > ${test_subdir_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+
+EOF
+
+From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Thu, 19 May 2022 01:22:19 +0800
+Subject: [PATCH 04/15] The way using 'find' can be retired.
+
+---
+ .../rsyslog_files_permissions/bash/shared.sh  | 20 +++++--------------
+ 1 file changed, 5 insertions(+), 15 deletions(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index 1aebb8f9da5..cece5930ee8 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
+ # Declare an array to hold the final list of different log file paths
+ declare -a LOG_FILE_PATHS
+ 
+-RSYSLOG_CONFIGS=()
+-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+declare -a RSYSLOG_CONFIGS
+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+ 
+-# Get full list of files to be checked
+-# RSYSLOG_CONFIGS may contain globs such as 
+-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
+-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
+-RSYSLOG_FILES=()
+-for ENTRY in "${RSYSLOG_CONFIGS[@]}"
+-do
+-     mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
+-     RSYSLOG_FILES+=("${FINDOUT[@]}")
+-done
+-
+-# Check file and fix if needed.
+-for LOG_FILE in "${RSYSLOG_FILES[@]}"
+# Browse each file selected above as containing paths of log files
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
+for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
+ do
+ 	# From each of these files extract just particular log file path(s), thus:
+ 	# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
+
+From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Fri, 20 May 2022 01:30:37 +0800
+Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/'
+
+---
+ .../rsyslog_files_permissions/bash/shared.sh  | 20 ++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index cece5930ee8..50d36d7426f 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
+ # Declare an array to hold the final list of different log file paths
+ declare -a LOG_FILE_PATHS
+ 
+# Array to hold all rsyslog config entries
+ declare -a RSYSLOG_CONFIGS
+ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+ 
+# Array to hold all rsyslog config files
+declare -a RSYSLOG_CONFIG_FILES
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
+do
+	# If directory, need to include files recursively
+	if [ -d "${ENTRY}" ]
+	then
+		readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
+		RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
+	elif [ -f "${ENTRY}" ]
+	then
+		RSYSLOG_CONFIG_FILES+=("${ENTRY}")
+	else
+		echo "Invalid include object: ${ENTRY}"
+	fi
+done
+
+ # Browse each file selected above as containing paths of log files
+ # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
+-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
+ do
+ 	# From each of these files extract just particular log file path(s), thus:
+ 	# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
+
+From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Fri, 20 May 2022 01:46:33 +0800
+Subject: [PATCH 06/15] Update test files.
+
+---
+ .../tests/include_config_syntax_perms_0600.pass.sh              | 2 ++
+ .../tests/include_config_syntax_perms_0601.fail.sh              | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+index 7cb09128d78..2ddd9fcb697 100755
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF
+ 
+ include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+ include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
+ 
+ \$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+ \$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
+ 
+ EOF
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+index 942eaf086a1..73ff3332c6d 100755
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF
+ 
+ include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+ include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
+ 
+ \$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+ \$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
+ 
+ EOF
+
+From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Fri, 20 May 2022 10:03:32 +0800
+Subject: [PATCH 07/15] Rsyslog says we should include all files
+
+---
+ .../rsyslog_files_permissions/bash/shared.sh     |  2 +-
+ .../include_config_syntax_perms_0600.pass.sh     | 16 +++++++++++++++-
+ .../include_config_syntax_perms_0601.fail.sh     | 16 +++++++++++++++-
+ 3 files changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index 50d36d7426f..cd5014105e9 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -24,7 +24,7 @@ do
+ 	# If directory, need to include files recursively
+ 	if [ -d "${ENTRY}" ]
+ 	then
+-		readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
+		readarray -t FINDOUT < <(find "${ENTRY}" -type f)
+ 		RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
+ 	elif [ -f "${ENTRY}" ]
+ 	then
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+index 2ddd9fcb697..755865ca522 100755
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh
+ PERMS=0600
+ 
+ # setup test data
+-create_rsyslog_test_logs 3
+create_rsyslog_test_logs 4
+ 
+ # setup test log files and permissions
+ chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
+ chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
+ chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
+ 
+ # create test configuration file
+ conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+ mkdir ${conf_subdir}
+ test_subdir_conf=${conf_subdir}/test_subdir.conf
+ test_conf=${RSYSLOG_TEST_DIR}/test.conf
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
+
+ cat << EOF > ${test_subdir_conf}
+ # rsyslog configuration file
+# test_subdir_conf
+ 
+ #### RULES ####
+ 
+@@ -31,12 +35,22 @@ EOF
+ 
+ cat << EOF > ${test_conf}
+ # rsyslog configuration file
+# test_conf
+ 
+ #### RULES ####
+ 
+ *.*     ${RSYSLOG_TEST_LOGS[1]}
+ EOF
+ 
+cat << EOF > ${test_bak}
+# rsyslog configuration file
+# test_bak
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[3]}
+EOF
+
+ # create rsyslog.conf configuration file
+ cat << EOF > $RSYSLOG_CONF
+ # rsyslog configuration file
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+index 73ff3332c6d..063b1a0cbe5 100755
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+@@ -10,20 +10,24 @@ PERMS_PASS=0600
+ PERMS_FAIL=0601
+ 
+ # setup test data
+-create_rsyslog_test_logs 3
+create_rsyslog_test_logs 4
+ 
+ # setup test log files and permissions
+ chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+ chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
+ chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
+ 
+ # create test configuration file
+ conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+ mkdir ${conf_subdir}
+ test_subdir_conf=${conf_subdir}/test_subdir.conf
+ test_conf=${RSYSLOG_TEST_DIR}/test.conf
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
+
+ cat << EOF > ${test_subdir_conf}
+ # rsyslog configuration file
+# test_subdir_conf
+ 
+ #### RULES ####
+ 
+@@ -32,12 +36,22 @@ EOF
+ 
+ cat << EOF > ${test_conf}
+ # rsyslog configuration file
+# test_conf
+ 
+ #### RULES ####
+ 
+ *.*     ${RSYSLOG_TEST_LOGS[1]}
+ EOF
+ 
+cat << EOF > ${test_bak}
+# rsyslog configuration file
+# test_bak
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[3]}
+EOF
+
+ # create rsyslog.conf configuration file
+ cat << EOF > $RSYSLOG_CONF
+ # rsyslog configuration file
+
+From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Sat, 21 May 2022 16:02:26 +0800
+Subject: [PATCH 08/15] Match glob() function of rsyslog
+
+---
+ .../rsyslog_files_permissions/bash/shared.sh  |  5 ++-
+ .../include_config_syntax_perms_0600.pass.sh  | 39 ++++++++++++-------
+ .../include_config_syntax_perms_0601.fail.sh  | 39 ++++++++++++-------
+ 3 files changed, 55 insertions(+), 28 deletions(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index cd5014105e9..38105bf086b 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS
+ declare -a RSYSLOG_CONFIG_FILES
+ for ENTRY in "${RSYSLOG_CONFIGS[@]}"
+ do
+-	# If directory, need to include files recursively
+	# If directory, rsyslog will search for config files in recursively.
+	# However, files in hidden sub-directories or hidden files will be ignored.
+ 	if [ -d "${ENTRY}" ]
+ 	then
+-		readarray -t FINDOUT < <(find "${ENTRY}" -type f)
+		readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
+ 		RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
+ 	elif [ -f "${ENTRY}" ]
+ 	then
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+index 755865ca522..a5a2f67fadc 100755
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh
+ PERMS=0600
+ 
+ # setup test data
+-create_rsyslog_test_logs 4
+create_rsyslog_test_logs 5
+ 
+ # setup test log files and permissions
+ chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
+ chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
+ chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
+ chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[4]}
+ 
+-# create test configuration file
+# create test configuration files
+ conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
+ mkdir ${conf_subdir}
+-test_subdir_conf=${conf_subdir}/test_subdir.conf
+-test_conf=${RSYSLOG_TEST_DIR}/test.conf
+-test_bak=${RSYSLOG_TEST_DIR}/test.bak
+mkdir ${conf_hiddir}
+ 
+-cat << EOF > ${test_subdir_conf}
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
+
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
+
+cat << EOF > ${test_conf_in_subdir}
+ # rsyslog configuration file
+-# test_subdir_conf
+ 
+ #### RULES ####
+ 
+-*.*     ${RSYSLOG_TEST_LOGS[2]}
+*.*     ${RSYSLOG_TEST_LOGS[1]}
+ EOF
+ 
+-cat << EOF > ${test_conf}
+cat << EOF > ${test_conf_name_bak}
+ # rsyslog configuration file
+-# test_conf
+ 
+ #### RULES ####
+ 
+-*.*     ${RSYSLOG_TEST_LOGS[1]}
+*.*     ${RSYSLOG_TEST_LOGS[2]}
+ EOF
+ 
+-cat << EOF > ${test_bak}
+cat << EOF > ${test_conf_in_hiddir}
+ # rsyslog configuration file
+-# test_bak
+# not used
+ 
+ #### RULES ####
+ 
+ *.*     ${RSYSLOG_TEST_LOGS[3]}
+ EOF
+ 
+cat << EOF > ${test_conf_dot_name}
+# rsyslog configuration file
+# not used
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[4]}
+EOF
+
+ # create rsyslog.conf configuration file
+ cat << EOF > $RSYSLOG_CONF
+ # rsyslog configuration file
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+index 063b1a0cbe5..a9d0adfb727 100755
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+@@ -10,48 +10,61 @@ PERMS_PASS=0600
+ PERMS_FAIL=0601
+ 
+ # setup test data
+-create_rsyslog_test_logs 4
+create_rsyslog_test_logs 5
+ 
+ # setup test log files and permissions
+ chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+ chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
+ chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+ chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]}
+ 
+-# create test configuration file
+# create test configuration files
+ conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
+ mkdir ${conf_subdir}
+-test_subdir_conf=${conf_subdir}/test_subdir.conf
+-test_conf=${RSYSLOG_TEST_DIR}/test.conf
+-test_bak=${RSYSLOG_TEST_DIR}/test.bak
+mkdir ${conf_hiddir}
+ 
+-cat << EOF > ${test_subdir_conf}
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
+
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
+
+cat << EOF > ${test_conf_in_subdir}
+ # rsyslog configuration file
+-# test_subdir_conf
+ 
+ #### RULES ####
+ 
+-*.*     ${RSYSLOG_TEST_LOGS[2]}
+*.*     ${RSYSLOG_TEST_LOGS[1]}
+ EOF
+ 
+-cat << EOF > ${test_conf}
+cat << EOF > ${test_conf_name_bak}
+ # rsyslog configuration file
+-# test_conf
+ 
+ #### RULES ####
+ 
+-*.*     ${RSYSLOG_TEST_LOGS[1]}
+*.*     ${RSYSLOG_TEST_LOGS[2]}
+ EOF
+ 
+-cat << EOF > ${test_bak}
+cat << EOF > ${test_conf_in_hiddir}
+ # rsyslog configuration file
+-# test_bak
+# not used
+ 
+ #### RULES ####
+ 
+ *.*     ${RSYSLOG_TEST_LOGS[3]}
+ EOF
+ 
+cat << EOF > ${test_conf_dot_name}
+# rsyslog configuration file
+# not used
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[4]}
+EOF
+
+ # create rsyslog.conf configuration file
+ cat << EOF > $RSYSLOG_CONF
+ # rsyslog configuration file
+
+From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Sun, 22 May 2022 21:10:16 +0800
+Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code
+
+---
+ .../rsyslog_files_permissions/bash/shared.sh                    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index 38105bf086b..e1129e34c81 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -54,7 +54,7 @@ do
+ 	then
+ 		NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
+ 		LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
+-		FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
+		FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")
+ 		CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
+ 		MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
+ 		# Since above sed command might return more than one item (delimited by newline), split the particular
+
+From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae <lonicerae@gmail.com>
+Date: Tue, 24 May 2022 00:42:17 +0800
+Subject: [PATCH 10/15] Added platform.
+
+---
+ .../tests/include_config_syntax_perms_0601.fail.sh              | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+index a9d0adfb727..fe4db0a3c91 100755
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+@@ -1,5 +1,5 @@
+ #!/bin/bash
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
+ 
+ # Check rsyslog.conf with log file permissions 0600 from rules and
+ # log file permissions 0601 from $IncludeConfig fails.
+
+From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 10 Aug 2022 13:56:39 +0200
+Subject: [PATCH 11/15] Reset the arrays before using them
+
+When bash remediations for a profile are generated, it can happen that a
+variable with same name is used for multiple remediations.
+So let's reset the array before using it.
+---
+ .../rsyslog_files_permissions/bash/shared.sh          | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index e1129e34c81..d1856ffbe7b 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
+ declare -a LOG_FILE_PATHS
+ 
+ # Array to hold all rsyslog config entries
+-declare -a RSYSLOG_CONFIGS
+-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+RSYSLOG_CONFIGS=()
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+ 
+-# Array to hold all rsyslog config files
+-declare -a RSYSLOG_CONFIG_FILES
+# Get full list of files to be checked
+# RSYSLOG_CONFIGS may contain globs such as 
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
+RSYSLOG_CONFIG_FILES=()
+ for ENTRY in "${RSYSLOG_CONFIGS[@]}"
+ do
+ 	# If directory, rsyslog will search for config files in recursively.
+
+From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 10 Aug 2022 14:55:37 +0200
+Subject: [PATCH 12/15] Don't parse hidden config files for Includes
+
+Let's follow rsyslog behavior and not capture process hidden config
+files for includes.
+---
+ .../rsyslog_files_permissions/oval/shared.xml |  9 ++++
+ ...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++
+ 2 files changed, 62 insertions(+)
+ create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+index a04e6fd8900..d13177216c3 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+@@ -17,8 +17,17 @@
+     <ind:filepath>/etc/rsyslog.conf</ind:filepath>
+     <ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    <filter action="exclude">state_permissions_ignore_hidden_paths</filter>
+   </ind:textfilecontent54_object>
+ 
+  <ind:textfilecontent54_state id="state_permissions_ignore_hidden_paths" comment="ignore hidden conf files" version="1">
+    <!-- Among the paths matched in object_rfp_rsyslog_include_config_value there can be paths from
+         include() or $IncludeConfig that point to hidden dirs or files.
+         Rsyslog ignores these conf files, so we should ignore them too.
+    -->
+    <ind:subexpression operation="pattern match">^.*\/\..*$</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+   <!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
+   <local_variable id="var_rfp_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
+     <unique>
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
+new file mode 100644
+index 00000000000..9b0185c6b2f
+--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
+@@ -0,0 +1,53 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
+
+# Check rsyslog.conf with log file permisssions 0600 from rules and
+# log file permissions 0601 from include() fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create hidden test2 configuration file
+test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf
+cat << EOF > ${test_conf2}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${test_conf}")
+
+\$IncludeConfig ${test_conf2}
+EOF
+
+From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 10 Aug 2022 15:49:11 +0200
+Subject: [PATCH 13/15] Add test for for missing rsyslog included files
+
+The rsyslog conf file may include other config files.
+If the included missing files are missing rsyslog will generate an
+error, but will still continue working.
+https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file
+
+There is not a good way of ensuring that all files defined in a list of paths exist.
+---
+ ...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+ create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
+new file mode 100644
+index 00000000000..b929f2a94ab
+--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
+@@ -0,0 +1,45 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
+
+# Check rsyslog.conf with log file permisssions 0600 from rules and
+# log file permissions 0601 from include() fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# Skip creation test2 configuration file
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.*     ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${test_conf}")
+
+\$IncludeConfig ${test_conf2}
+EOF
+
+From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 10 Aug 2022 21:47:18 +0200
+Subject: [PATCH 14/15] Align Ansible remediation with Bash
+
+The remediation now expands the glob expressions and doesn't collect
+hidden files or directories to check for their permissions.
+---
+ .../rsyslog_files_permissions/ansible/shared.yml  | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+index 635b72f7352..c558bf46c71 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+@@ -19,19 +19,26 @@
+   shell: |
+     set -o pipefail
+     grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
+-  register: include_config_output
+  register: rsyslog_old_inc
+   changed_when: False
+ 
+ - name: "Get include files directives"
+   shell: |
+     set -o pipefail
+     grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut  -d"\"" -f 2 || true
+-  register: include_files_output
+  register: rsyslog_new_inc
+   changed_when: False
+ 
+- name: "Expand glob expressions"
+  shell: |
+    set -o pipefail
+    eval printf '%s\\n' {{ item }}
+  register: include_config_output
+  loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
+
+ - name: "List all config files"
+-  shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")"
+-  loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}"
+  shell: find {{ item }} -not -path "*/.*" -type f
+  loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
+   register: rsyslog_config_files
+   changed_when: False
+ 
+
+From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 10 Aug 2022 21:56:05 +0200
+Subject: [PATCH 15/15] Ignore invalid or non existing include objects
+
+Let's not fail the task when the find doesn't find the include object.
+When the include is a glob expression that doesn't evaluate to any file
+the glob itself is used in find command.
+
+The Bash remediation prints a message for each include that is not a
+file is not a directory or doesn't exist.
+---
+ .../rsyslog_files_permissions/ansible/shared.yml                 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+index c558bf46c71..3a9380cf13b 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+@@ -40,6 +40,7 @@
+   shell: find {{ item }} -not -path "*/.*" -type f
+   loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
+   register: rsyslog_config_files
+  failed_when: False
+   changed_when: False
+ 
+ - name: "Extract log files"
--- a/SOURCES/scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch
+++ b/SOURCES/scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch
@ -1,19 +1,14 @@
-From f802557b2a84b830a8a8742b535a5602925e438d Mon Sep 17 00:00:00 2001
-From: Watson Yuuma Sato <wsato@redhat.com>
-Date: Mon, 8 Aug 2022 15:28:37 +0200
-Subject: [PATCH 09/10] Merge pull request #9298 from vojtapolasek/rhbz2114979
+From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 11:45:15 +0200
+Subject: [PATCH 1/4] fix ospp references

-Patch-name: scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch
-Patch-status: Make OSPP profiles use minimal Authselect profile
 ---
 linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
- products/rhel8/profiles/ospp.profile                      | 2 +-
- products/rhel9/profiles/ospp.profile                      | 2 +-
- tests/data/profile_stability/rhel8/ospp.profile           | 2 +-
- 4 files changed, 4 insertions(+), 3 deletions(-)
+ 1 file changed, 1 insertion(+)

 diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
-index 8d1758e8c9..3edb3642df 100644
+index c151d3c4aa1..f9b46c51ddd 100644
 --- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
 +++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
@@ -34,6 +34,7 @@ references:
@ -24,21 +19,18 @@ index 8d1758e8c9..3edb3642df 100644
     srg: SRG-OS-000480-GPOS-00227
 
 ocil: |-
-diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
-index 39ad1797c7..ebec8a3a6f 100644
--- a/products/rhel8/profiles/ospp.profile
-+++ b/products/rhel8/profiles/ospp.profile
-@@ -220,7 +220,7 @@ selections:
-     - var_accounts_max_concurrent_login_sessions=10
-     - accounts_max_concurrent_login_sessions
-     - securetty_root_login_console_only
-    - var_authselect_profile=sssd
-+    - var_authselect_profile=minimal
-     - enable_authselect
-     - var_password_pam_unix_remember=5
-     - accounts_password_pam_unix_remember
+
+From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 11:45:42 +0200
+Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
+
+---
+ products/rhel9/profiles/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
 diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
-index f27f961a7a..b21ddcee6d 100644
+index b47630c62b0..dcc41970043 100644
 --- a/products/rhel9/profiles/ospp.profile
 +++ b/products/rhel9/profiles/ospp.profile
@@ -115,7 +115,7 @@ selections:
@ -50,8 +42,41 @@ index f27f961a7a..b21ddcee6d 100644
     - enable_authselect
     - use_pam_wheel_for_su
 
+
+From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 11:45:54 +0200
+Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
+
+---
+ products/rhel8/profiles/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
+index 39ad1797c7a..ebec8a3a6f9 100644
+--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
+@@ -220,7 +220,7 @@ selections:
+     - var_accounts_max_concurrent_login_sessions=10
+     - accounts_max_concurrent_login_sessions
+     - securetty_root_login_console_only
+-    - var_authselect_profile=sssd
+    - var_authselect_profile=minimal
+     - enable_authselect
+     - var_password_pam_unix_remember=5
+     - accounts_password_pam_unix_remember
+
+From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 13:55:05 +0200
+Subject: [PATCH 4/4] update profile stability test
+
+---
+ tests/data/profile_stability/rhel8/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
 diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
-index 5d73a8c6fe..21e93e310d 100644
+index 5d73a8c6fef..21e93e310d5 100644
 --- a/tests/data/profile_stability/rhel8/ospp.profile
 +++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -242,7 +242,7 @@ selections:
@ -63,6 +88,3 @@ index 5d73a8c6fe..21e93e310d 100644
 - var_password_pam_unix_remember=5
 - var_selinux_state=enforcing
 - var_selinux_policy_name=targeted
-- 
-2.37.1
-
--- a/SOURCES/scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch
+++ b/SOURCES/scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch
@ -1,20 +1,17 @@
-From 8d36cef25fc9d890f7ec9756246513a92110b3db Mon Sep 17 00:00:00 2001
-From: Watson Yuuma Sato <wsato@redhat.com>
-Date: Wed, 10 Aug 2022 10:53:26 +0200
-Subject: [PATCH 10/10] Merge pull request #9321 from
- vojtapolasek/fix_rhel8_iboot
+From b36ecf8942ce8dea0c4a2b06b4607259deaf3613 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 10 Aug 2022 09:59:57 +0200
+Subject: [PATCH] switch rule grub2_disable_interactive_boot for
+ grub2_disable_recovery in rhel8 ospp

-Patch-name: scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch
-Patch-status: change rules protecting boot in RHEL8 OSPP
 ---
- .../bootloader-grub2/grub2_disable_recovery/rule.yml  |  1 +
+ .../system/bootloader-grub2/grub2_disable_recovery/rule.yml     | 1 +
 products/rhel8/profiles/ospp.profile                            | 2 +-
- shared/references/cce-redhat-avail.txt                | 11 -----------
 tests/data/profile_stability/rhel8/ospp.profile                 | 2 +-
- 4 files changed, 3 insertions(+), 13 deletions(-)
+ 4 files changed, 3 insertions(+), 3 deletions(-)

 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
-index 4f8d4ddcfd..fb126cbe7d 100644
+index 4f8d4ddcfde..fb126cbe7d8 100644
 --- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
 +++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
@ -26,7 +23,7 @@ index 4f8d4ddcfd..fb126cbe7d 100644
 
 references:
 diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
-index ebec8a3a6f..6e3b30f64b 100644
+index ebec8a3a6f9..6e3b30f64bb 100644
 --- a/products/rhel8/profiles/ospp.profile
 +++ b/products/rhel8/profiles/ospp.profile
@@ -304,7 +304,7 @@ selections:
@ -38,27 +35,8 @@ index ebec8a3a6f..6e3b30f64b 100644
     - grub2_uefi_password
     - no_empty_passwords
 
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index 9480db3eae..903fc848eb 100644
--- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -1,14 +1,3 @@
-CCE-85985-0
-CCE-85988-4
-CCE-85997-5
-CCE-85998-3
-CCE-85999-1
-CCE-86000-7
-CCE-86001-5
-CCE-86002-3
-CCE-86003-1
-CCE-86005-6
-CCE-86006-4
- CCE-86007-2
- CCE-86008-0
- CCE-86009-8
 diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
-index 21e93e310d..267b66a4f8 100644
+index 21e93e310d5..267b66a4f89 100644
 --- a/tests/data/profile_stability/rhel8/ospp.profile
 +++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -89,7 +89,7 @@ selections:
@ -70,6 +48,3 @@ index 21e93e310d..267b66a4f8 100644
 - grub2_kernel_trust_cpu_rng
 - grub2_page_poison_argument
 - grub2_pti_argument
-- 
-2.37.1
-
--- a/SOURCES/scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch
+++ b/SOURCES/scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch
@ -1,11 +1,9 @@
-From 04459c1b82cc495af2bfcaac301a3805ec0addf6 Mon Sep 17 00:00:00 2001
-From: Matthew Burket <mburket@redhat.com>
-Date: Wed, 3 Aug 2022 07:42:59 -0500
-Subject: [PATCH 5/8] Merge pull request #9282 from
- yuumasato/rhel_align_aide_check_tools
+From 95b79ffa7e9247bd65a92311b92e37b0d83e4432 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 2 Aug 2022 15:01:42 +0200
+Subject: [PATCH] Add rsyslogd to the list of tools check by aide

-Patch-name: scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch
-Patch-status: Add rsyslogd to the list of tools checked by aide
+RHEL products will also check for integrity of /usr/sbin/rsyslogd.
 ---
 .../aide/aide_check_audit_tools/ansible/shared.yml             | 1 +
 .../aide/aide_check_audit_tools/bash/shared.sh                 | 3 +--
@ -16,7 +14,7 @@ Patch-status: Add rsyslogd to the list of tools checked by aide
 6 files changed, 6 insertions(+), 6 deletions(-)

 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
-index 9d1b7b675c..5905ea8d0e 100644
+index 9d1b7b675c9..5905ea8d0e6 100644
 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
 +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
@@ -22,6 +22,7 @@
@ -28,7 +26,7 @@ index 9d1b7b675c..5905ea8d0e 100644
 - name: Ensure existing AIDE configuration for audit tools are correct
   lineinfile:
 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
-index d0a1ba2522..a81e25c395 100644
+index d0a1ba2522f..a81e25c3950 100644
 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
 +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
@@ -18,12 +18,11 @@
@ -46,7 +44,7 @@ index d0a1ba2522..a81e25c395 100644
 sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}}
 else
 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
-index 6ce56c1137..ca9bf4f94d 100644
+index 6ce56c1137a..ca9bf4f94d0 100644
 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
 +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
@@ -11,7 +11,7 @@
@ -59,7 +57,7 @@ index 6ce56c1137..ca9bf4f94d 100644
       {{% endif %}}
       <criterion comment="augenrules is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_augenrules" />
 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
-index 756b88d8a2..071dde1329 100644
+index 756b88d8a23..071dde13295 100644
 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
 +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
@@ -7,7 +7,7 @@ aide --init
@ -72,7 +70,7 @@ index 756b88d8a2..071dde1329 100644
 for theFile in "${bins[@]}"
 do
 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
-index f3a2a126d3..cb9bbfa735 100644
+index f3a2a126d3d..cb9bbfa7350 100644
 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
 +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
@@ -4,7 +4,7 @@
@ -85,7 +83,7 @@ index f3a2a126d3..cb9bbfa735 100644
 for theFile in "${bins[@]}"
 do
 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
-index 4315cef207..a22aecb000 100644
+index 4315cef2073..a22aecb0000 100644
 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
 +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
@@ -6,7 +6,7 @@ yum -y install aide
@ -97,6 +95,3 @@ index 4315cef207..a22aecb000 100644
 
 for theFile in "${bins[@]}"
 do
-- 
-2.37.1
-
--- a/SOURCES/scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch
+++ b/SOURCES/scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch
--- a/SOURCES/scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch
+++ b/SOURCES/scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch
@ -1,26 +1,21 @@
-From 26ca545c89207d2ac2ba2fb68824c1c323fece79 Mon Sep 17 00:00:00 2001
-From: Matthew Burket <mburket@redhat.com>
-Date: Wed, 3 Aug 2022 07:44:35 -0500
-Subject: [PATCH 4/8] Merge pull request #9277 from
- yuumasato/new_sysctl_ipv4_forwarding_rule
+From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 1 Aug 2022 17:50:37 +0200
+Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding

-Patch-name: scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch
-Patch-status: New sysctl ipv4 forwarding rule
+This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and
+sysctl_net_ipv4_forward.
 ---
 .../rule.yml                                  | 44 +++++++++++++++++++
 ...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
- .../sysctl_net_ipv4_ip_forward/rule.yml       |  1 -
- products/rhel8/profiles/stig.profile          |  2 +-
 shared/references/cce-redhat-avail.txt        |  1 -
- .../data/profile_stability/rhel8/stig.profile |  4 +-
- .../profile_stability/rhel8/stig_gui.profile  |  2 +-
- 7 files changed, 65 insertions(+), 6 deletions(-)
+ 3 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var

 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
 new file mode 100644
-index 0000000000..7b0066f7c2
+index 00000000000..7b0066f7c29
 --- /dev/null
 +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
@@ -0,0 +1,44 @@
@ -70,7 +65,7 @@ index 0000000000..7b0066f7c2
 +
 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
 new file mode 100644
-index 0000000000..2aedd6e643
+index 00000000000..2aedd6e6432
 --- /dev/null
 +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
@@ -0,0 +1,17 @@
@ -91,8 +86,35 @@ index 0000000000..2aedd6e643
 +    disabled: "0"
 +    enabled: 1
 +
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 914233f06bf..3e14b73dd71 100644
+--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
+@@ -168,7 +168,6 @@ CCE-86216-9
+ CCE-86217-7
+ CCE-86218-5
+ CCE-86219-3
+-CCE-86220-1
+ CCE-86221-9
+ CCE-86222-7
+ CCE-86223-5
+
+From 0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 1 Aug 2022 17:53:32 +0200
+Subject: [PATCH 2/2] Better align with RHEL-08-040259
+
+The item is about net.ipv4.conf.all.forwarding
+The update to V1R7 made brought this misalignment to light.
+---
+ .../sysctl_net_ipv4_ip_forward/rule.yml                       | 1 -
+ products/rhel8/profiles/stig.profile                          | 2 +-
+ tests/data/profile_stability/rhel8/stig.profile               | 4 ++--
+ tests/data/profile_stability/rhel8/stig_gui.profile           | 2 +-
+ 4 files changed, 4 insertions(+), 5 deletions(-)
+
 diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
-index 5c449db7f3..7acfc0b05b 100644
+index 5c449db7f3a..7acfc0b05b6 100644
 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
 +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -45,7 +45,6 @@ references:
@ -104,7 +126,7 @@ index 5c449db7f3..7acfc0b05b 100644
     stigid@sle15: SLES-15-040380
 
 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
-index 4b480bd2c1..6b44436a2b 100644
+index 4b480bd2c11..6b44436a2b1 100644
 --- a/products/rhel8/profiles/stig.profile
 +++ b/products/rhel8/profiles/stig.profile
@@ -1127,7 +1127,7 @@ selections:
@ -116,20 +138,8 @@ index 4b480bd2c1..6b44436a2b 100644
 
     # RHEL-08-040260
     - sysctl_net_ipv6_conf_all_forwarding
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index a613a152ae..9480db3eae 100644
--- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -176,7 +176,6 @@ CCE-86216-9
- CCE-86217-7
- CCE-86218-5
- CCE-86219-3
-CCE-86220-1
- CCE-86221-9
- CCE-86222-7
- CCE-86223-5
 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index 4bee72830d..47f53a9d02 100644
+index 4bee72830d0..47f53a9d023 100644
 --- a/tests/data/profile_stability/rhel8/stig.profile
 +++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,7 +1,7 @@
@ -157,7 +167,7 @@ index 4bee72830d..47f53a9d02 100644
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_source_route
 diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
-index ece32d06a6..c4e60ddcde 100644
+index ece32d06a6f..c4e60ddcde5 100644
 --- a/tests/data/profile_stability/rhel8/stig_gui.profile
 +++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -405,13 +405,13 @@ selections:
@ -175,6 +185,3 @@ index ece32d06a6..c4e60ddcde 100644
 - sysctl_net_ipv6_conf_all_accept_ra
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_source_route
-- 
-2.37.1
-
--- a/SOURCES/scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch
+++ b/SOURCES/scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch
@ -1,11 +1,9 @@
-From 44bcccbe3a3b00ef1151089b0faacf82770bdc98 Mon Sep 17 00:00:00 2001
-From: Matthew Burket <mburket@redhat.com>
-Date: Tue, 9 Aug 2022 13:09:07 -0500
-Subject: [PATCH 8/8] Merge pull request #9318 from
- ggbecker/reintroduce-sshd-timeout
+From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Tue, 9 Aug 2022 17:28:33 +0200
+Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG
+ profile.

-Patch-name: scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch
-Patch-status: Reintroduce back the sshd timeout rules in RHEL8 STIG profile
 ---
 .../ssh/ssh_server/sshd_set_idle_timeout/rule.yml  |  1 +
 .../ssh/ssh_server/sshd_set_keepalive_0/rule.yml   |  1 +
@ -15,7 +13,7 @@ Patch-status: Reintroduce back the sshd timeout rules in RHEL8 STIG profile
 5 files changed, 13 insertions(+), 7 deletions(-)

 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
-index 46ea0558a4..1e9c617275 100644
+index 46ea0558a42..1e9c6172758 100644
 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
 +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -57,6 +57,7 @@ references:
@ -27,7 +25,7 @@ index 46ea0558a4..1e9c617275 100644
     stigid@sle15: SLES-15-010280
     stigid@ubuntu2004: UBTU-20-010037
 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
-index 0f0693ddc6..f6e98a61d9 100644
+index 0f0693ddc6c..f6e98a61d9a 100644
 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
 +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
@@ -53,6 +53,7 @@ references:
@ -39,7 +37,7 @@ index 0f0693ddc6..f6e98a61d9 100644
     stigid@sle15: SLES-15-010320
     vmmsrg: SRG-OS-000480-VMM-002000
 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
-index 6b44436a2b..124b7520d3 100644
+index 6b44436a2b1..124b7520d3a 100644
 --- a/products/rhel8/profiles/stig.profile
 +++ b/products/rhel8/profiles/stig.profile
@@ -170,13 +170,13 @@ selections:
@ -64,7 +62,7 @@ index 6b44436a2b..124b7520d3 100644
     # RHEL-08-010210
     - file_permissions_var_log_messages
 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index 47f53a9d02..6c75d0ae1b 100644
+index 47f53a9d023..6c75d0ae1b1 100644
 --- a/tests/data/profile_stability/rhel8/stig.profile
 +++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -369,6 +369,8 @@ selections:
@ -77,7 +75,7 @@ index 47f53a9d02..6c75d0ae1b 100644
 - sshd_x11_use_localhost
 - sssd_certificate_verification
 diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
-index c4e60ddcde..8a7a469b94 100644
+index c4e60ddcde5..8a7a469b940 100644
 --- a/tests/data/profile_stability/rhel8/stig_gui.profile
 +++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -379,6 +379,8 @@ selections:
@ -89,6 +87,3 @@ index c4e60ddcde..8a7a469b94 100644
 - sshd_use_strong_rng
 - sshd_x11_use_localhost
 - sssd_certificate_verification
-- 
-2.37.1
-
--- a/SOURCES/scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch
+++ b/SOURCES/scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch
@ -1,11 +1,10 @@
-From 07261c69afcdc5f9afcdd5aefc2ee9510d705f37 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Wed, 3 Aug 2022 13:08:25 +0200
-Subject: [PATCH 6/8] Merge pull request #9283 from
- yuumasato/accept_sudoers_without_includes
+From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 2 Aug 2022 15:57:52 +0200
+Subject: [PATCH 1/2] Accept sudoers files without includes as compliant

-Patch-name: scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch
-Patch-status: Accept sudoers files without includes as compliant
+Update rule sudoers_default_includedir to accept as compliant sudoers
+files that don't have any #include or #includedir directive
 ---
 .../oval/shared.xml                           | 24 +++++++++++++++----
 .../sudo/sudoers_default_includedir/rule.yml  |  8 ++++---
@ -14,7 +13,7 @@ Patch-status: Accept sudoers files without includes as compliant
 rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%)

 diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
-index 59cab0b89d..82095acc6e 100644
+index 59cab0b89de..629fbe8c6d2 100644
 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
 +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -1,10 +1,16 @@
@ -32,8 +31,8 @@ index 59cab0b89d..82095acc6e 100644
 +      </criteria>
 +      <criteria operator="AND">
 +        <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
-+        <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
-+        <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />
+        <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
+        <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
 +      </criteria>
     </criteria>
   </definition>
@ -56,7 +55,7 @@ index 59cab0b89d..82095acc6e 100644
       comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
     <ind:object object_ref="object_sudoersd_without_includes" />
 diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
-index aa2aaee19f..83bfb0183b 100644
+index aa2aaee19f8..83bfb0183bd 100644
 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
 +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
@@ -8,9 +8,11 @@ description: |-
@ -78,7 +77,7 @@ diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/test
 similarity index 51%
 rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
 rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
-index 1e0ab8aea9..fe73cb2507 100644
+index 1e0ab8aea92..fe73cb25076 100644
 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
 +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
@@ -1,4 +1,4 @@
@ -87,6 +86,28 @@ index 1e0ab8aea9..fe73cb2507 100644
 
 -sed -i "/#includedir.*/d" /etc/sudoers
 +sed -i "/#include(dir)?.*/d" /etc/sudoers
-- 
-2.37.1

+From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 3 Aug 2022 12:01:12 +0200
+Subject: [PATCH 2/2] Improve definition's comments
+
+---
+ .../software/sudo/sudoers_default_includedir/oval/shared.xml  | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+index 629fbe8c6d2..82095acc6ed 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+@@ -8,8 +8,8 @@
+       </criteria>
+       <criteria operator="AND">
+         <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
+-        <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
+-        <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+        <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
+        <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />
+       </criteria>
+     </criteria>
+   </definition>
--- a/SOURCES/scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch
+++ b/SOURCES/scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch
@ -1,31 +1,276 @@
-From b4f98a72871d3f8f277e3357eed843b041a248a3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Thu, 4 Aug 2022 14:20:20 +0200
-Subject: [PATCH 7/8] Merge pull request #9286 from
- yuumasato/update_sysctl_rules_with_new_compliant_values
+From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 3 Aug 2022 09:57:33 +0200
+Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values

-Update few sysctl rules to accept multiple compliant values
-
-Patch-name: scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch
-Patch-status: Update few sysctl rules to accept multiple compliant values
+This also removes value '0' from the list of possible configurations.
+This change aligns the rule better with STIG.
 ---
- .../rule.yml                                  | 35 +++++++++++++++++--
- .../tests/value_1.pass.sh                     | 11 ++++++
- .../tests/value_2.pass.sh                     | 11 ++++++
- ...sctl_net_ipv4_conf_all_rp_filter_value.var |  2 +-
- .../sysctl_kernel_kptr_restrict/rule.yml      | 35 ++++++++++++++++++-
- .../tests/value_1.pass.sh                     | 11 ++++++
- .../tests/value_2.pass.sh                     | 11 ++++++
- .../sysctl_kernel_kptr_restrict_value.var     |  1 -
- ...kernel_unprivileged_bpf_disabled_value.var |  1 -
- 9 files changed, 112 insertions(+), 6 deletions(-)
+ .../sysctl_net_ipv4_conf_all_rp_filter/rule.yml        |  4 ++++
+ .../tests/value_1.pass.sh                              | 10 ++++++++++
+ .../tests/value_2.pass.sh                              | 10 ++++++++++
+ .../sysctl_net_ipv4_conf_all_rp_filter_value.var       |  2 +-
+ 4 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+index 496a8491f32..697f79fa872 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+@@ -59,4 +59,8 @@ template:
+     name: sysctl
+     vars:
+         sysctlvar: net.ipv4.conf.all.rp_filter
+        sysctlval:
+        - '1'
+        - '2'
+        wrong_sysctlval_for_testing: "0"
+         datatype: int
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
+new file mode 100644
+index 00000000000..516bfaf1369
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="1"
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
+new file mode 100644
+index 00000000000..ef1b8da0479
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="2"
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
+index e3fc78e3f05..1eae854f6b0 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
+@@ -17,5 +17,5 @@ interactive: false
+ 
+ options:
+     default: 1
+-    disabled: "0"
+     enabled: 1
+    loose: 2
+
+From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 3 Aug 2022 10:53:40 +0200
+Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values
+
+This also removes value '0' from the list of possible configurations.
+This change aligns the rule better with STIG.
+---
+ .../sysctl_kernel_kptr_restrict/rule.yml               |  4 ++++
+ .../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh  | 10 ++++++++++
+ .../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh  | 10 ++++++++++
+ .../sysctl_kernel_kptr_restrict_value.var              |  1 -
+ 4 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
 create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh

+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+index 1984b3c8691..5706eee0a0a 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+@@ -42,6 +42,10 @@ template:
+     name: sysctl
+     vars:
+         sysctlvar: kernel.kptr_restrict
+        sysctlval:
+        - '1'
+        - '2'
+        wrong_sysctlval_for_testing: "0"
+         datatype: int
+ 
+ fixtext: |-
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
+new file mode 100644
+index 00000000000..e6efae48b25
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="1"
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
+new file mode 100644
+index 00000000000..be3f2b743ef
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="2"
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
+index 452328e3efd..268550de53d 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
+@@ -12,6 +12,5 @@ interactive: false
+ 
+ options:
+     default: 1
+-    0: 0
+     1: 1
+     2: 2
+
+From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 3 Aug 2022 11:08:34 +0200
+Subject: [PATCH 3/5] Remove variable selector that will result in error
+
+The rule only accepts values 1 or 2 as compliant, the XCCDF Variable
+cannot have the value 0, it will never result in pass.
+---
+ .../sysctl_kernel_unprivileged_bpf_disabled_value.var            | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
+index b8bf965a255..cbfd9bafa91 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
+@@ -13,6 +13,5 @@ interactive: false
+ 
+ options:
+     default: 2
+-    0: "0"
+     1: "1"
+     2: "2"
+
+From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 3 Aug 2022 11:33:03 +0200
+Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol
+
+For now, the only STIGs I see that adopted this change were RHEL's and
+OL's.
+---
+ .../sysctl_net_ipv4_conf_all_rp_filter/rule.yml                 | 2 ++
+ .../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh    | 1 +
+ .../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh    | 1 +
+ .../sysctl_kernel_kptr_restrict/rule.yml                        | 2 ++
+ .../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh           | 1 +
+ .../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh           | 1 +
+ 6 files changed, 8 insertions(+)
+
 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
-index 496a8491f3..4d31c6c3eb 100644
+index 697f79fa872..f04ae37c13d 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+@@ -59,8 +59,10 @@ template:
+     name: sysctl
+     vars:
+         sysctlvar: net.ipv4.conf.all.rp_filter
+        {{% if 'ol' in product or 'rhel' in product %}}
+         sysctlval:
+         - '1'
+         - '2'
+         wrong_sysctlval_for_testing: "0"
+        {{% endif %}}
+         datatype: int
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
+index 516bfaf1369..583b70a3b97 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
+@@ -1,4 +1,5 @@
+ #!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+ 
+ # Clean sysctl config directories
+ rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
+index ef1b8da0479..ef545976dc6 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
+@@ -1,4 +1,5 @@
+ #!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+ 
+ # Clean sysctl config directories
+ rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+index 5706eee0a0a..f53e035effa 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+@@ -42,10 +42,12 @@ template:
+     name: sysctl
+     vars:
+         sysctlvar: kernel.kptr_restrict
+        {{% if 'ol' in product or 'rhel' in product %}}
+         sysctlval:
+         - '1'
+         - '2'
+         wrong_sysctlval_for_testing: "0"
+        {{% endif %}}
+         datatype: int
+ 
+ fixtext: |-
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
+index e6efae48b25..70189666c16 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
+@@ -1,4 +1,5 @@
+ #!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+ 
+ # Clean sysctl config directories
+ rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
+index be3f2b743ef..209395fa9a1 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
+@@ -1,4 +1,5 @@
+ #!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+ 
+ # Clean sysctl config directories
+ rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 3 Aug 2022 14:01:40 +0200
+Subject: [PATCH 5/5] Update OCIL check along with the rule
+
+The OCIL should should mention both compliant values.
+---
+ .../rule.yml                                  | 29 +++++++++++++++++--
+ .../sysctl_kernel_kptr_restrict/rule.yml      | 29 ++++++++++++++++++-
+ 2 files changed, 55 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+index f04ae37c13d..4d31c6c3ebd 100644
 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
 +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -47,11 +47,36 @@ references:
@ -67,64 +312,8 @@ index 496a8491f3..4d31c6c3eb 100644
 
 srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.'
 
-@@ -59,4 +84,10 @@ template:
-     name: sysctl
-     vars:
-         sysctlvar: net.ipv4.conf.all.rp_filter
-+        {{% if 'ol' in product or 'rhel' in product %}}
-+        sysctlval:
-+        - '1'
-+        - '2'
-+        wrong_sysctlval_for_testing: "0"
-+        {{% endif %}}
-         datatype: int
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
-new file mode 100644
-index 0000000000..583b70a3b9
--- /dev/null
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = multi_platform_ol,multi_platform_rhel
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
-+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w net.ipv4.conf.all.rp_filter="1"
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
-new file mode 100644
-index 0000000000..ef545976dc
--- /dev/null
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = multi_platform_ol,multi_platform_rhel
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
-+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w net.ipv4.conf.all.rp_filter="2"
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
-index e3fc78e3f0..1eae854f6b 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
-@@ -17,5 +17,5 @@ interactive: false
- 
- options:
-     default: 1
-    disabled: "0"
-     enabled: 1
-+    loose: 2
 diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
-index 1984b3c869..367934b567 100644
+index f53e035effa..367934b5672 100644
 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
 +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -34,6 +34,33 @@ references:
@ -161,78 +350,9 @@ index 1984b3c869..367934b567 100644
 srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'
 
 platform: machine
-@@ -42,8 +69,14 @@ template:
-     name: sysctl
-     vars:
-         sysctlvar: kernel.kptr_restrict
-+        {{% if 'ol' in product or 'rhel' in product %}}
-+        sysctlval:
-+        - '1'
-+        - '2'
-+        wrong_sysctlval_for_testing: "0"
-+        {{% endif %}}
-         datatype: int
+@@ -52,4 +79,4 @@ template:
 
 fixtext: |-
     Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access.
 -    {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}}
 +    {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}}
-diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
-new file mode 100644
-index 0000000000..70189666c1
--- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = multi_platform_ol,multi_platform_rhel
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
-+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.kptr_restrict="1"
-diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
-new file mode 100644
-index 0000000000..209395fa9a
--- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = multi_platform_ol,multi_platform_rhel
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
-+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.kptr_restrict="2"
-diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
-index 452328e3ef..268550de53 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
-+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
-@@ -12,6 +12,5 @@ interactive: false
- 
- options:
-     default: 1
-    0: 0
-     1: 1
-     2: 2
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
-index b8bf965a25..cbfd9bafa9 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
-@@ -13,6 +13,5 @@ interactive: false
- 
- options:
-     default: 2
-    0: "0"
-     1: "1"
-     2: "2"
-- 
-2.37.1
-
--- a/SOURCES/scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
+++ b/SOURCES/scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
--- a/SOURCES/scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch
+++ b/SOURCES/scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch
@ -1,801 +0,0 @@
-From 48a361a41eff571e8c0d6f8c759c56d41cec5c5a Mon Sep 17 00:00:00 2001
-From: vojtapolasek <vpolasek@redhat.com>
-Date: Tue, 2 Aug 2022 13:21:45 +0200
-Subject: [PATCH 3/8] Merge pull request #9147 from jan-cerny/rhbz2081728
-
-Patch-name: scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch
-Patch-status: Refresh BPF related rules in RHEL 9 OSPP profile
---
- docs/templates/template_reference.md          |  24 +-
- .../rule.yml                                  |  82 +++++++
- .../tests/system_default.pass.sh              |   5 +
- .../tests/test_config.yml                     |   6 +
- .../tests/value_0.fail.sh                     |  11 +
- .../tests/value_1.pass.sh                     |  11 +
- .../tests/value_2.pass.sh                     |  11 +
- ...kernel_unprivileged_bpf_disabled_value.var |  18 ++
- products/rhel9/profiles/ospp.profile          |   4 +-
- .../oval/sysctl_kernel_ipv6_disable.xml       |   4 +-
- shared/references/cce-redhat-avail.txt        |   1 -
- shared/templates/sysctl/ansible.template      |   2 +-
- shared/templates/sysctl/bash.template         |   2 +-
- shared/templates/sysctl/oval.template         | 213 +++++++++++-------
- shared/templates/sysctl/template.py           |  24 +-
- 15 files changed, 316 insertions(+), 102 deletions(-)
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
-
-diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
-index a439e3dca9..e73b95450f 100644
--- a/docs/templates/template_reference.md
-+++ b/docs/templates/template_reference.md
-@@ -815,8 +815,28 @@ The selected value can be changed in the profile (consult the actual variable fo
- 
-     -   **datatype** - data type of the sysctl value, eg. `int`.
- 
-    -   **sysctlval** - value of the sysctl value, eg. `'1'`. If this
-        parameter is not specified, XCCDF Value is used instead.
-+    -   **sysctlval** - value of the sysctl value. This can be either not
-+        specified, or an atomic value, eg. `'1'`, or a list of values,
-+        eg. `['1','2']`.
-+        -   If this parameter is not specified, an XCCDF Value is used instead
-+            in OVAL check and remediations. The XCCDF Value should have a file
-+            name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`,
-+            where the `escaped_sysctlvar` is a value of the **sysctlvar**
-+            parameter in which all characters that don't match the `\w` regular
-+            expression are replaced by an underscore (`_`).
-+        -   If this parameter is set to an atomic value, this atomic value
-+            will be used in OVAL check and remediations.
-+        -   If this parameter is set to a list of values, the list will be used
-+            in the OVAL check, but won't be used in the remediations.
-+            All remediations will use an XCCDF value instead.
-+
-+    -   **wrong_sysctlval_for_testing** - the value that is always wrong. This
-+        will be used in templated test scenarios when **sysctlval** is a list.
-+
-+    -   **missing_parameter_pass** - if set to `true` the check will pass if the
-+        setting for the given **sysctlvar** is not present in sysctl
-+        configuration files. In other words, the check will pass if the system
-+        default isn't overriden by configuration. Default value: `false`.
- 
-     -   **operation** - operation used for comparison of collected object
-         with **sysctlval**. Default value: `equals`.
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
-new file mode 100644
-index 0000000000..259d1f901c
--- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
-@@ -0,0 +1,82 @@
-+documentation_complete: true
-+
-+prodtype: rhel9
-+
-+title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes'
-+
-+description: |-
-+    To prevent unprivileged processes from using the <code>bpf()</code> syscall
-+    the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter must
-+    be set to <code>1</code> or <code>2</code>.
-+
-+    Writing <code>1</code> to this entry will disable unprivileged calls to <code>bpf()</code>; once
-+    disabled, calling <code>bpf()</code> without <code>CAP_SYS_ADMIN</code> or <code>CAP_BPF</code> will return <code>-EPERM</code>.
-+    Once set to <code>1</code>, this can't be cleared from the running kernel anymore.
-+
-+    {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}}
-+
-+    Writing <code>2</code> to this entry will also disable unprivileged calls to <code>bpf()</code>,
-+    however, an admin can still change this setting later on, if needed, by
-+    writing <code>0</code> or <code>1</code> to this entry.
-+
-+    {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}}
-+
-+rationale: |-
-+    Loading and accessing the packet filters programs and maps using the bpf()
-+    syscall has the potential of revealing sensitive information about the kernel state.
-+
-+severity: medium
-+
-+identifiers:
-+    cce@rhel9: CCE-87712-6
-+
-+references:
-+    disa: CCI-000366
-+    nist: AC-6,SC-7(10)
-+    ospp: FMT_SMF_EXT.1
-+    srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227
-+
-+ocil: |-
-+    The runtime status of the <code>kernel.unprivileged_bpf_disabled</code>
-+    kernel parameter can be queried by running the following command:
-+    <pre>$ sysctl kernel.unprivileged_bpf_disabled</pre>
-+    The output of the command should indicate either:
-+    kernel.unprivileged_bpf_disabled = 1
-+    or:
-+    kernel.unprivileged_bpf_disabled = 2
-+    The output of the command should not indicate:
-+    kernel.unprivileged_bpf_disabled = 0
-+
-+    The preferable way how to assure the runtime compliance is to have
-+    correct persistent configuration, and rebooting the system.
-+
-+    The persistent kernel parameter configuration is performed by specifying the appropriate
-+    assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
-+    Verify that there is not any existing incorrect configuration by executing the following command:
-+    <pre>$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
-+    The command should not find any assignments other than:
-+    kernel.unprivileged_bpf_disabled = 1
-+    or:
-+    kernel.unprivileged_bpf_disabled = 2
-+
-+    Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2.
-+
-+ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0"
-+
-+fixtext: |-
-+    Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall.
-+
-+srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.'
-+
-+platform: machine
-+
-+template:
-+    name: sysctl
-+    vars:
-+        sysctlvar: kernel.unprivileged_bpf_disabled
-+        sysctlval:
-+        - '1'
-+        - '2'
-+        wrong_sysctlval_for_testing: "0"
-+        missing_parameter_pass: "true"
-+        datatype: int
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
-new file mode 100644
-index 0000000000..b9776227bd
--- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
-new file mode 100644
-index 0000000000..5cf6807405
--- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
-@@ -0,0 +1,6 @@
-+deny_templated_scenarios:
-+  # this rule uses missing_parameter_pass: true which means the check should pass
-+  # if the configuration is missing (or commented out) therefore we disable
-+  # line_not_there.fail.sh and comment.fail.sh test scenarios
-+  - line_not_there.fail.sh
-+  - comment.fail.sh
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
-new file mode 100644
-index 0000000000..9f19e0140b
--- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
-+echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.unprivileged_bpf_disabled="0"
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
-new file mode 100644
-index 0000000000..e976db594c
--- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
-+echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.unprivileged_bpf_disabled="1"
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
-new file mode 100644
-index 0000000000..b1537175eb
--- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
-+echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.unprivileged_bpf_disabled="2"
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
-new file mode 100644
-index 0000000000..b8bf965a25
--- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
-@@ -0,0 +1,18 @@
-+documentation_complete: true
-+
-+title: kernel.unprivileged_bpf_disabled
-+
-+description: |-
-+    Prevent unprivileged processes from using the bpf() syscall.
-+
-+type: number
-+
-+operator: equals
-+
-+interactive: false
-+
-+options:
-+    default: 2
-+    0: "0"
-+    1: "1"
-+    2: "2"
-diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
-index feb96501a9..f27f961a7a 100644
--- a/products/rhel9/profiles/ospp.profile
-+++ b/products/rhel9/profiles/ospp.profile
-@@ -74,8 +74,8 @@ selections:
-     - sysctl_kernel_yama_ptrace_scope
-     - sysctl_kernel_perf_event_paranoid
-     - sysctl_user_max_user_namespaces
-    - sysctl_kernel_unprivileged_bpf_disabled
-    - sysctl_net_core_bpf_jit_harden
-+    - sysctl_kernel_unprivileged_bpf_disabled_accept_default
-+    - sysctl_kernel_unprivileged_bpf_disabled_value=2
-     - service_kdump_disabled
- 
-     ### Audit
-diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-index 1195cea518..f971d28a04 100644
--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-@@ -19,8 +19,8 @@
-     </metadata>
-     <criteria comment="IPv6 disabled or net.ipv6.conf.all.disable_ipv6 set correctly" operator="OR">
-       <criteria operator="AND">
-        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="sysctl_static_net_ipv6_conf_all_disable_ipv6" />
-        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="sysctl_runtime_net_ipv6_conf_all_disable_ipv6" />
-+        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="sysctl_net_ipv6_conf_all_disable_ipv6_static" />
-+        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="sysctl_net_ipv6_conf_all_disable_ipv6_runtime" />
-       </criteria>
-     </criteria>
-   </definition>
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index fb2f59fd09..a613a152ae 100644
--- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -1443,7 +1443,6 @@ CCE-87708-4
- CCE-87709-2
- CCE-87710-0
- CCE-87711-8
-CCE-87712-6
- CCE-87713-4
- CCE-87714-2
- CCE-87715-9
-diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
-index c13bb6637f..edc4d3fb66 100644
--- a/shared/templates/sysctl/ansible.template
-+++ b/shared/templates/sysctl/ansible.template
-@@ -21,7 +21,7 @@
-     replace: '#{{{ SYSCTLVAR }}}'
-   loop: "{{ find_sysctl_d.files }}"
- 
-{{%- if SYSCTLVAL == "" %}}
-+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string  %}}
- - (xccdf-var sysctl_{{{ SYSCTLID }}}_value)
- 
- - name: Ensure sysctl {{{ SYSCTLVAR }}} is set
-diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
-index d67a59c388..cd3424b022 100644
--- a/shared/templates/sysctl/bash.template
-+++ b/shared/templates/sysctl/bash.template
-@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
-   fi
- done
- 
-{{%- if SYSCTLVAL == "" %}}
-+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}}
- {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}}
- 
- #
-diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
-index 74583dbee1..1a7c4979bb 100644
--- a/shared/templates/sysctl/oval.template
-+++ b/shared/templates/sysctl/oval.template
-@@ -1,12 +1,20 @@
- {{%- if SYSCTLVAL == "" %}}
- {{%- set COMMENT_VALUE="the appropriate value" %}}
-+{{%- elif SYSCTLVAL is sequence %}}
-+{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}}
- {{%- else %}}
- {{%- set COMMENT_VALUE=SYSCTLVAL %}}
- {{%- endif %}}
- 
- {{% macro state_static_sysctld(prefix) -%}}
-    <ind:object object_ref="object_static_{{{ prefix }}}_{{{ SYSCTLID }}}"/>
-    <ind:state state_ref="state_static_sysctld_{{{ SYSCTLID }}}"/>
-+    <ind:object object_ref="object_static_{{{ prefix }}}_{{{ rule_id }}}"/>
-+{{% if SYSCTLVAL is string %}}
-+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}"/>
-+{{% elif SYSCTLVAL is sequence %}}
-+{{% for x in SYSCTLVAL %}}
-+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" />
-+{{% endfor %}}
-+{{% endif %}}
- {{%- endmacro -%}}
- {{%- macro sysctl_match() -%}}
- {{%- if SYSCTLVAL == "" -%}}
-@@ -20,13 +28,13 @@
- {{%- if "P" in FLAGS -%}}
- 
- <def-group>
-  <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="3">
-+  <definition class="compliance" id="{{{ rule_id }}}" version="3">
-     {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
-                         definition_ref="sysctl_static_{{{ SYSCTLID }}}"/>
-+                         definition_ref="{{{ rule_id }}}_static"/>
-       <extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
-                         definition_ref="sysctl_runtime_{{{ SYSCTLID }}}"/>
-+                         definition_ref="{{{ rule_id }}}_runtime"/>
-     </criteria>
-   </definition>
- </def-group>
-@@ -34,7 +42,7 @@
- {{%- elif "I" in FLAGS -%}}
- 
- <def-group>
-  <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="4">
-+  <definition class="compliance" id="{{{ rule_id }}}" version="4">
-     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
-     <criteria comment="IPv6 disabled or {{{ SYSCTLVAR }}} set correctly" operator="OR">
- {{% if product in ["ubuntu1604", "ubuntu1804"] %}}
-@@ -46,9 +54,9 @@
- {{% endif %}}
-       <criteria operator="AND">
-         <extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
-                           definition_ref="sysctl_static_{{{ SYSCTLID }}}"/>
-+                           definition_ref="{{{ rule_id }}}_static"/>
-         <extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
-                           definition_ref="sysctl_runtime_{{{ SYSCTLID }}}"/>
-+                           definition_ref="{{{ rule_id }}}_runtime"/>
-       </criteria>
-     </criteria>
-   </definition>
-@@ -58,33 +66,41 @@
- {{%- if "R" in FLAGS -%}}
- 
- <def-group>
-  <definition class="compliance" id="sysctl_runtime_{{{ SYSCTLID }}}" version="3">
-+  <definition class="compliance" id="{{{ rule_id }}}_runtime" version="3">
-     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}}
-     <criteria operator="AND">
-       <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
-                 test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}"/>
-+                 test_ref="test_{{{ rule_id }}}_runtime"/>
-     </criteria>
-   </definition>
-  <unix:sysctl_test id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1"
-+
-+  <unix:sysctl_test id="test_{{{ rule_id }}}_runtime" version="1"
-                     comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
-                    check="all" check_existence="all_exist">
-    <unix:object object_ref="object_sysctl_runtime_{{{ SYSCTLID }}}"/>
-    <unix:state state_ref="state_sysctl_runtime_{{{ SYSCTLID }}}"/>
-+                    check="all" check_existence="all_exist" state_operator="OR">
-+    <unix:object object_ref="object_{{{ rule_id }}}_runtime"/>
-+{{% if SYSCTLVAL is string %}}
-+    <unix:state state_ref="state_{{{ rule_id }}}_runtime"/>
-+{{% elif SYSCTLVAL is sequence %}}
-+{{% for x in SYSCTLVAL %}}
-+    <unix:state state_ref="state_{{{ rule_id }}}_runtime_{{{ x }}}" />
-+{{% endfor %}}
-+{{% endif %}}
-   </unix:sysctl_test>
- 
-  <unix:sysctl_object id="object_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
-+  <unix:sysctl_object id="object_{{{ rule_id }}}_runtime" version="1">
-     <unix:name>{{{ SYSCTLVAR }}}</unix:name>
-   </unix:sysctl_object>
-+{{% if SYSCTLVAL is string %}}
- {{% if SYSCTLVAL == "" %}}
-  <unix:sysctl_state id="state_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
-+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
-     <unix:value datatype="{{{ DATATYPE }}}" operation="equals"
-                var_ref="sysctl_{{{ SYSCTLID }}}_value"/>
-+                var_ref="{{{ rule_id }}}_value"/>
-   </unix:sysctl_state>
- 
-  <external_variable id="sysctl_{{{ SYSCTLID }}}_value" version="1"
-+  <external_variable id="{{{ rule_id }}}_value" version="1"
-                      comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
- {{%- else %}}
-  <unix:sysctl_state id="state_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
-+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
- {{% if OPERATION == "pattern match" %}}
-     <unix:value datatype="{{{ DATATYPE }}}"
-                 operation="{{{ OPERATION }}}">{{{ SYSCTLVAL_REGEX }}}</unix:value>
-@@ -94,133 +110,156 @@
- {{% endif %}}
-   </unix:sysctl_state>
- {{%- endif %}}
-+{{% elif SYSCTLVAL is sequence %}}
-+{{% for x in SYSCTLVAL %}}
-+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime_{{{ x }}}" version="1">
-+    <unix:value datatype="{{{ DATATYPE }}}"
-+                operation="{{{ OPERATION }}}">{{{ x }}}</unix:value>
-+  </unix:sysctl_state>
-+{{% endfor %}}
-+{{% endif %}}
- </def-group>
- 
- {{%- endif -%}}
- {{%- if "S" in FLAGS -%}}
- 
- <def-group>
-  <definition class="compliance" id="sysctl_static_{{{ SYSCTLID }}}" version="3">
-+  <definition class="compliance" id="{{{ rule_id }}}_static" version="3">
-     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}
-+{{% if MISSING_PARAMETER_PASS == "true" %}}
-+    <criteria operator="OR">
-+{{% endif %}}
-     <criteria operator="AND">
-       <criteria operator="OR">
-         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.conf"
-                   test_ref="test_static_sysctl_{{{ SYSCTLID }}}"/>
-+                   test_ref="test_{{{ rule_id }}}_static"/>
-         <!-- see sysctl.d(5) -->
-         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.d/*.conf"
-                   test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
-+                   test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/>
-         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
-                   test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
-+                   test_ref="test_{{{ rule_id }}}_static_run_sysctld"/>
- {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
-                   test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
-+                   test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>
- {{% endif %}}
-       </criteria>
- {{% if target_oval_version >= [5, 11] %}}
-      <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
-+      <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_{{{ rule_id }}}_defined_in_one_file" />
- {{% endif %}}
-     </criteria>
-+{{% if MISSING_PARAMETER_PASS == "true" %}}
-+      <criterion comment="Check that {{{ SYSCTLID }}} is not defined in any file" test_ref="test_{{{ rule_id }}}_not_defined" />
-+    </criteria>
-+{{% endif %}}
-   </definition>
- 
-  <ind:textfilecontent54_test id="test_static_sysctl_{{{ SYSCTLID }}}" version="1"
-                              check="all" check_existence="all_exist"
-+{{% if MISSING_PARAMETER_PASS == "true" %}}
-+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_not_defined" version="1"
-+                              check="all" check_existence="none_exist"
-                               comment="{{{ SYSCTLVAR }}} static configuration">
-+    <ind:object object_ref="object_{{{ rule_id }}}_static_set_sysctls" />
-+  </ind:textfilecontent54_test>
-+{{% endif %}}
-+
-+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static" version="1"
-+                              check="all" check_existence="all_exist"
-+                              comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR">
-     {{{ state_static_sysctld("sysctl") }}}
-   </ind:textfilecontent54_test>
- 
-  <ind:textfilecontent54_test id="test_static_etc_sysctld_{{{ SYSCTLID }}}" version="1" check="all"
-                          comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf">
-+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_etc_sysctld" version="1" check="all"
-+                          comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-     {{{ state_static_sysctld("etc_sysctld") }}}
-   </ind:textfilecontent54_test>
- 
-  <ind:textfilecontent54_test id="test_static_run_sysctld_{{{ SYSCTLID }}}" version="1" check="all"
-                          comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf">
-+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_run_sysctld" version="1" check="all"
-+                          comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-     {{{ state_static_sysctld("run_sysctld") }}}
-   </ind:textfilecontent54_test>
- 
- {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-  <ind:textfilecontent54_test id="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1"
-+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_usr_lib_sysctld" version="1"
-                           check="all"
-                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf">
-+                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR">
-     {{{ state_static_sysctld("usr_lib_sysctld") }}}
-   </ind:textfilecontent54_test>
- {{% endif %}}
- 
- {{% if target_oval_version >= [5, 11] %}}
-   <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
-  id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
-    <ind:object object_ref="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
-    <ind:state state_ref="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
-+  id="test_{{{ rule_id }}}_defined_in_one_file" version="1">
-+    <ind:object object_ref="object_{{{ rule_id }}}_defined_in_one_file" />
-+    <ind:state state_ref="state_{{{ rule_id }}}_defined_in_one_file" />
-   </ind:variable_test>
- 
-  <ind:variable_object id="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
-    <ind:var_ref>local_var_unique_sysctl_{{{ SYSCTLID }}}_counter</ind:var_ref>
-+  <ind:variable_object id="object_{{{ rule_id }}}_defined_in_one_file" version="1">
-+    <ind:var_ref>local_var_{{{ rule_id }}}_counter</ind:var_ref>
-   </ind:variable_object>
- 
-  <ind:variable_state id="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
-+  <ind:variable_state id="state_{{{ rule_id }}}_defined_in_one_file" version="1">
-     <ind:value operation="equals" datatype="int">1</ind:value>
-   </ind:variable_state>
- 
-  <local_variable comment="Count unique sysctls" datatype="int" id="local_var_unique_sysctl_{{{ SYSCTLID }}}_counter" version="1">
-+  <local_variable comment="Count unique sysctls" datatype="int" id="local_var_{{{ rule_id }}}_counter" version="1">
-     <count>
-       <unique>
-        <object_component object_ref="object_static_set_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
-+        <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls" item_field="filepath" />
-       </unique>
-     </count>
-   </local_variable>
- 
-  <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
-+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls" version="1">
-     <set>
-      <object_reference>object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}</object_reference>
-      <filter action="exclude">state_{{{ SYSCTLID }}}_filepath_is_symlink</filter>
-+      <object_reference>object_{{{ rule_id }}}_static_set_sysctls_unfiltered</object_reference>
-+      <filter action="exclude">state_{{{ rule_id }}}_filepath_is_symlink</filter>
-     </set>
-   </ind:textfilecontent54_object>
- 
-  <ind:textfilecontent54_state id="state_{{{ SYSCTLID }}}_filepath_is_symlink" version="1">
-    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_safe_symlinks_{{{ SYSCTLID }}}" datatype="string" />
-+  <ind:textfilecontent54_state id="state_{{{ rule_id }}}_filepath_is_symlink" version="1">
-+    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_{{{ rule_id }}}_safe_symlinks" datatype="string" />
-   </ind:textfilecontent54_state>
- 
-  <!-- <no simlink handling> -->
-+  <!-- <no symlink handling> -->
-   <!-- We craft a variable with blank string to combine with the symlink paths found.
-        This ultimately avoids referencing a variable with "no values",
-        we reference a variable with a blank string -->
-  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_safe_symlinks_{{{ SYSCTLID }}}" version="1">
-+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_{{{ rule_id }}}_safe_symlinks" version="1">
-     <unique>
-      <object_component object_ref="var_object_symlink_{{{ SYSCTLID }}}" item_field="value" />
-+      <object_component object_ref="var_object_symlink_{{{ rule_id }}}" item_field="value" />
-     </unique>
-   </local_variable>
- 
-  <ind:variable_object id="var_object_symlink_{{{ SYSCTLID }}}" comment="combine the blank string with symlink paths found" version="1">
-+  <ind:variable_object id="var_object_symlink_{{{ rule_id }}}" comment="combine the blank string with symlink paths found" version="1">
-     <set>
-      <object_reference>var_obj_symlink_{{{ SYSCTLID }}}</object_reference>
-      <object_reference>var_obj_blank_{{{ SYSCTLID }}}</object_reference>
-+      <object_reference>var_obj_symlink_{{{ rule_id }}}</object_reference>
-+      <object_reference>var_obj_blank_{{{ rule_id }}}</object_reference>
-     </set>
-   </ind:variable_object>
- 
-  <ind:variable_object id="var_obj_blank_{{{ SYSCTLID }}}" comment="variable object of the blank string" version="1">
-    <ind:var_ref>local_var_blank_path_{{{ SYSCTLID }}}</ind:var_ref>
-+  <ind:variable_object id="var_obj_blank_{{{ rule_id }}}" comment="variable object of the blank string" version="1">
-+    <ind:var_ref>local_var_blank_path_{{{ rule_id }}}</ind:var_ref>
-   </ind:variable_object>
- 
-  <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ SYSCTLID }}}" version="1">
-+  <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ rule_id }}}" version="1">
-     <literal_component datatype="string"></literal_component>
-   </local_variable>
- 
-  <ind:variable_object id="var_obj_symlink_{{{ SYSCTLID }}}" comment="variable object of the symlinks found" version="1">
-    <ind:var_ref>local_var_symlinks_{{{ SYSCTLID }}}</ind:var_ref>
-+  <ind:variable_object id="var_obj_symlink_{{{ rule_id }}}" comment="variable object of the symlinks found" version="1">
-+    <ind:var_ref>local_var_symlinks_{{{ rule_id }}}</ind:var_ref>
-   </ind:variable_object>
-  <!-- </no simlink handling> -->
-+  <!-- </no symlink handling> -->
- 
-  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ SYSCTLID }}}" version="1">
-+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ rule_id }}}" version="1">
-     <unique>
-      <object_component object_ref="object_{{{ SYSCTLID }}}_symlinks" item_field="filepath" />
-+      <object_component object_ref="object_{{{ rule_id }}}_symlinks" item_field="filepath" />
-     </unique>
-   </local_variable>
- 
-   <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
-        Workaround by querying for all conf files found -->
-  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
-    <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
-    <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>
-+  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ rule_id }}}_symlinks" version="1">
-+    <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ rule_id }}}" />
-+    <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ rule_id }}}</filter>
-   </unix:symlink_object>
- 
-   <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
-@@ -228,75 +267,76 @@
-        ^/etc/sysctl.d/.*$
-        ^/run/sysctl.d/.*$
-        ^/usr/lib/sysctl.d/.*$ -->
-  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">
-+  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ rule_id }}}" version="1">
-     <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-   </unix:symlink_state>
- {{% endif %}}
- 
-  <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
-    <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
-+  <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ rule_id }}}" version="1">
-+    <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" item_field="filepath" />
-   </local_variable>
- 
-   <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
-        variable to have no value even when there are valid objects. -->
-  <ind:textfilecontent54_object id="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" version="1">
-+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" version="1">
-     <set>
-      <object_reference>object_static_etc_sysctls_{{{ SYSCTLID }}}</object_reference>
-      <object_reference>object_static_run_usr_sysctls_{{{ SYSCTLID }}}</object_reference>
-+      <object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
-+      <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
-     </set>
-   </ind:textfilecontent54_object>
- 
-  <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ SYSCTLID }}}" version="1">
-+  <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ rule_id }}}" version="1">
-     <set>
-      <object_reference>object_static_sysctl_{{{ SYSCTLID }}}</object_reference>
-      <object_reference>object_static_etc_sysctld_{{{ SYSCTLID }}}</object_reference>
-+      <object_reference>object_static_sysctl_{{{ rule_id }}}</object_reference>
-+      <object_reference>object_static_etc_sysctld_{{{ rule_id }}}</object_reference>
-     </set>
-   </ind:textfilecontent54_object>
- 
-  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
-+  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ rule_id }}}" version="1">
-     <set>
-      <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
-+      <object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
- {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-      <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
-+      <object_reference>object_static_usr_lib_sysctld_{{{ rule_id }}}</object_reference>
- {{% endif %}}
-     </set>
-   </ind:textfilecontent54_object>
- 
-  <ind:textfilecontent54_object id="object_static_sysctl_{{{ SYSCTLID }}}" version="1">
-+  <ind:textfilecontent54_object id="object_static_sysctl_{{{ rule_id }}}" version="1">
-     <ind:filepath>/etc/sysctl.conf</ind:filepath>
-     {{{ sysctl_match() }}}
-   </ind:textfilecontent54_object>
- 
-  <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ SYSCTLID }}}" version="1">
-+  <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ rule_id }}}" version="1">
-     <ind:path>/etc/sysctl.d</ind:path>
-     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-     {{{ sysctl_match() }}}
-   </ind:textfilecontent54_object>
- 
-  <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ SYSCTLID }}}" version="1">
-+  <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ rule_id }}}" version="1">
-     <ind:path>/run/sysctl.d</ind:path>
-     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-     {{{ sysctl_match() }}}
-   </ind:textfilecontent54_object>
- 
- {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-  <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
-+  <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
-     <ind:path>/usr/lib/sysctl.d</ind:path>
-     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-     {{{ sysctl_match() }}}
-   </ind:textfilecontent54_object>
- {{% endif %}}
-+{{% if SYSCTLVAL is string %}}
- {{% if SYSCTLVAL == "" %}}
- 
-  <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
-    <ind:subexpression operation="{{{ OPERATION }}}" var_ref="sysctl_{{{ SYSCTLID }}}_value"
-+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
-+    <ind:subexpression operation="{{{ OPERATION }}}" var_ref="{{{ rule_id }}}_value"
-                        datatype="{{{ DATATYPE }}}" />
-   </ind:textfilecontent54_state>
- 
-  <external_variable id="sysctl_{{{ SYSCTLID }}}_value" version="1"
-+  <external_variable id="{{{ rule_id }}}_value" version="1"
-                      comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
- {{% else %}}
-  <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
-+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
- {{% if OPERATION == "pattern match" %}}
-     <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL_REGEX }}}</ind:subexpression>
- {{% else %}}
-@@ -304,5 +344,12 @@
- {{% endif %}}
-   </ind:textfilecontent54_state>
- {{% endif %}}
-+{{% elif SYSCTLVAL is sequence %}}
-+{{% for x in SYSCTLVAL %}}
-+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" version="1">
-+    <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ x }}}</ind:subexpression>
-+  </ind:textfilecontent54_state>
-+{{% endfor %}}
-+{{% endif %}}
- </def-group>
- {{%- endif -%}}
-diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py
-index fa981a9dce..9083a6a418 100644
--- a/shared/templates/sysctl/template.py
-+++ b/shared/templates/sysctl/template.py
-@@ -11,8 +11,19 @@ def preprocess(data, lang):
-     data["flags"] = "SR" + ipv6_flag
-     if "operation" not in data:
-         data["operation"] = "equals"
-+    if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0:
-+        raise ValueError(
-+            "The sysctlval parameter of {0} is an empty list".format(
-+                data["_rule_id"]))
- 
-     # Configure data for test scenarios
-+    if data["datatype"] not in ["string", "int"]:
-+        raise ValueError(
-+            "Test scenarios for data type '{0}' are not implemented yet.\n"
-+            "Please check if rule '{1}' has correct data type and edit "
-+            "{2} to add tests for it.".format(
-+                data["datatype"], data["_rule_id"], __file__))
-+
-     if data["sysctlval"] == "":
-         if data["datatype"] == "int":
-             data["sysctl_correct_value"] = "0"
-@@ -20,20 +31,13 @@ def preprocess(data, lang):
-         elif data["datatype"] == "string":
-             data["sysctl_correct_value"] = "correct_value"
-             data["sysctl_wrong_value"] = "wrong_value"
-        else:
-            raise ValueError(
-                "Test scenarios for data type '{0}' are not implemented yet.\n"
-                "Please check if rule '{1}' has correct data type and edit "
-                "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__))
-+    elif isinstance(data["sysctlval"], list):
-+        data["sysctl_correct_value"] = data["sysctlval"][0]
-+        data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"]
-     else:
-         data["sysctl_correct_value"] = data["sysctlval"]
-         if data["datatype"] == "int":
-             data["sysctl_wrong_value"] = "1" + data["sysctlval"]
-         elif data["datatype"] == "string":
-             data["sysctl_wrong_value"] = "wrong_value"
-        else:
-            raise ValueError(
-                "Test scenarios for data type '{0}' are not implemented yet.\n"
-                "Please check if rule '{1}' has correct data type and edit "
-                "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__))
-     return data
-- 
-2.37.1
-
--- a/SOURCES/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
+++ b/SOURCES/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
@ -0,0 +1,92 @@
+From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 8 Aug 2022 14:34:34 +0200
+Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about
+ configuring queues
+
+---
+ .../rsyslog_remote_loghost/rule.yml             | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index 4ce56d2e6a5..c73d9ec95a6 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -90,3 +90,20 @@ fixtext: |-
+     *.* @@[remoteloggingserver]:[port]"
+ 
+ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.'
+
+warnings:
+    - functionality: |-
+        It is important to configure queues in case the client is sending log
+        messages to a remote server. If queues are not configured, there is a
+        danger that the system will stop functioning in case that the connection
+        to the remote server is not available. Please consult Rsyslog
+        documentation for more information about configuration of queues. The
+        example configuration which should go into <tt>/etc/rsyslog.conf</tt>
+        can look like the following lines:
+        <pre>
+        $ActionQueueType LinkedList
+        $ActionQueueFileName somenameforprefix
+        $ActionQueueMaxDiskSpace 1g
+        $ActionQueueSaveOnShutdown on
+        $ActionResumeRetryCount -1
+        </pre>
+
+From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001
+From: vojtapolasek <krecoun@gmail.com>
+Date: Tue, 9 Aug 2022 09:41:00 +0200
+Subject: [PATCH 2/3] Apply suggestions from code review
+
+Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
+---
+ .../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml  | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index c73d9ec95a6..706d3265a08 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -95,14 +95,14 @@ warnings:
+     - functionality: |-
+         It is important to configure queues in case the client is sending log
+         messages to a remote server. If queues are not configured, there is a
+-        danger that the system will stop functioning in case that the connection
+        the system will stop functioning when the connection
+         to the remote server is not available. Please consult Rsyslog
+         documentation for more information about configuration of queues. The
+         example configuration which should go into <tt>/etc/rsyslog.conf</tt>
+         can look like the following lines:
+         <pre>
+         $ActionQueueType LinkedList
+-        $ActionQueueFileName somenameforprefix
+        $ActionQueueFileName queuefilename
+         $ActionQueueMaxDiskSpace 1g
+         $ActionQueueSaveOnShutdown on
+         $ActionResumeRetryCount -1
+
+From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
+From: vojtapolasek <krecoun@gmail.com>
+Date: Tue, 9 Aug 2022 10:55:04 +0200
+Subject: [PATCH 3/3] Update
+ linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+
+Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
+---
+ .../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index 706d3265a08..cce4d5cac1d 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
+ warnings:
+     - functionality: |-
+         It is important to configure queues in case the client is sending log
+-        messages to a remote server. If queues are not configured, there is a
+        messages to a remote server. If queues are not configured,
+         the system will stop functioning when the connection
+         to the remote server is not available. Please consult Rsyslog
+         documentation for more information about configuration of queues. The
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -2,11 +2,11 @@
 %global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
 # https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
 %global _vpath_builddir build
-%global _default_patch_fuzz 2
+# global _default_patch_fuzz 2  # Normally shouldn't be needed as patches should apply cleanly

 Name:		scap-security-guide
 Version:	0.1.63
-Release:	1%{?dist}
+Release:	4%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 Group:		Applications/System
@ -14,35 +14,28 @@ URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 # Include tarball with last released rhel6 content
 Source1:	%{_static_rhel6_content}.tar.bz2
-# Disable profiles that are not in good shape for products/rhel8
-Patch0:	 disable-not-in-good-shape-profiles.patch
-# Update RHEL8 STIG to V1R7
-Patch1:	 scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch
-# Refresh BPF related rules in RHEL 9 OSPP profile
-Patch2:	 scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch
-# New sysctl ipv4 forwarding rule
-Patch3:	 scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch
-# Add rsyslogd to the list of tools checked by aide
-Patch4:	 scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch
-# Accept sudoers files without includes as compliant
-Patch5:	 scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch
-# Update few sysctl rules to accept multiple compliant values
-Patch6:	 scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch
-# Reintroduce back the sshd timeout rules in RHEL8 STIG profile
-Patch7:	 scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch
-# Make OSPP profiles use minimal Authselect profile
-Patch8:	 scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch
-# change rules protecting boot in RHEL8 OSPP
-Patch9:	 scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch
-# Introduce and apply the "partition exists" platform
-Patch10:	scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch
-# Add the platform applicability to relevant rules
-Patch11:	scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path
-# Fix ansible partition conditionals
-Patch12:	scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch

 BuildArch:	noarch

+# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
+Patch0:		disable-not-in-good-shape-profiles.patch
+Patch1:		scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
+Patch2:		scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
+Patch3:		scap-security-guide-0.1.64-stig_aide-PR_9282.patch
+Patch4:		scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
+Patch5:		scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
+Patch6:		scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
+Patch7:		scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
+Patch8:		scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
+Patch9:		scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
+Patch10:		scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
+Patch11:		scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
+Patch12:		scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
+Patch13:		scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
+Patch14:		scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
+Patch15:		scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
+Patch16:		scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
+
 BuildRequires:	libxslt
 BuildRequires:	expat
 BuildRequires:	openscap-scanner >= 1.2.5
@ -146,20 +139,34 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %endif

 %changelog
-* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-1
- Update to the latest upstream release (RHBZ#2116347)
- Update RHEL8 STIG profile to V1R7 (RHBZ#2116408)
- Select grub2_disable_recovery in OSPP Profile (RHBZ#2117308)
- Use authselect minimal profile in OSPP Profile (RHBZ#2117306)
- Improve rules for CIS level1 partition options (RHBZ#2117510)
+* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
+- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
+
+* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
+- Fix Ansible partition conditional (RHBZ#2032403)
+
+* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
+- aligning with the latest STIG update (RHBZ#2112937)
+- OSPP: use Authselect minimal profile (RHBZ#2117192)
+- OSPP: change rules for protecting of boot (RHBZ#2116440)
+- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
+- fix handling of Defaults clause in sudoers (RHBZ#2083109)
+- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
+- fix handling of Rsyslog include directives (RHBZ#2075384)
+
+* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
+- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
+
+* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
+- Rebase to a new upstream release (RHBZ#2070564)

 * Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
- Fix validation of OVAL 5.10 content (RHBZ#2082556)
- Fix Ansible sysctl remediation (RHBZ#2082556)
+- Fix validation of OVAL 5.10 content (RHBZ#2079241)
+- Fix Ansible sysctl remediation (RHBZ#2079241)

 * Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2082556)
- Update RHEL8 STIG profile to V1R6 (RHBZ#2082556)
+- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
+- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)

 * Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
 - Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)