apply updates related to RHEL9 OSPP profile

Resolves: rhbz#1998583 Resolves: rhbz#2081688 Resolves: rhbz#2081728 Resolves: rhbz#2092799 Resolves: rhbz#2108569 Resolves: rhbz#2114979
2022-08-10 12:41:23 +02:00 · 2022-08-10 12:41:23 +02:00 · 34b3a0af53
commit 34b3a0af53
parent 14378e5ed6
7 changed files with 4465 additions and 1 deletions
--- a/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
+++ b/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
--- a/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
+++ b/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
@ -0,0 +1,90 @@
+From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 11:45:15 +0200
+Subject: [PATCH 1/4] fix ospp references
+
+---
+ linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
+index c151d3c4aa1..f9b46c51ddd 100644
+--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
+@@ -34,6 +34,7 @@ references:
+     disa: CCI-000213
+     hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)  # taken from require_singleuser_auth
+     nist: AC-3
+    ospp: FIA_UAU.1,FIA_AFL.1
+     srg: SRG-OS-000480-GPOS-00227
+ 
+ ocil: |-
+
+From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 11:45:42 +0200
+Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
+
+---
+ products/rhel9/profiles/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index b47630c62b0..dcc41970043 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -115,7 +115,7 @@ selections:
+     - coredump_disable_storage
+     - coredump_disable_backtraces
+     - service_systemd-coredump_disabled
+-    - var_authselect_profile=sssd
+    - var_authselect_profile=minimal
+     - enable_authselect
+     - use_pam_wheel_for_su
+ 
+
+From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 11:45:54 +0200
+Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
+
+---
+ products/rhel8/profiles/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
+index 39ad1797c7a..ebec8a3a6f9 100644
+--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
+@@ -220,7 +220,7 @@ selections:
+     - var_accounts_max_concurrent_login_sessions=10
+     - accounts_max_concurrent_login_sessions
+     - securetty_root_login_console_only
+-    - var_authselect_profile=sssd
+    - var_authselect_profile=minimal
+     - enable_authselect
+     - var_password_pam_unix_remember=5
+     - accounts_password_pam_unix_remember
+
+From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 13:55:05 +0200
+Subject: [PATCH 4/4] update profile stability test
+
+---
+ tests/data/profile_stability/rhel8/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 5d73a8c6fef..21e93e310d5 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -242,7 +242,7 @@ selections:
+ - var_slub_debug_options=P
+ - var_auditd_flush=incremental_async
+ - var_accounts_max_concurrent_login_sessions=10
+-- var_authselect_profile=sssd
+- var_authselect_profile=minimal
+ - var_password_pam_unix_remember=5
+ - var_selinux_state=enforcing
+ - var_selinux_policy_name=targeted
--- a/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
+++ b/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
@ -0,0 +1,302 @@
+From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 27 Jul 2022 13:49:05 +0200
+Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp
+
+---
+ products/rhel9/profiles/ospp.profile | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index dcc41970043..0902abf58db 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -110,10 +110,7 @@ selections:
+     - package_gnutls-utils_installed
+ 
+     ### Login
+-    - disable_users_coredumps
+     - sysctl_kernel_core_pattern
+-    - coredump_disable_storage
+-    - coredump_disable_backtraces
+     - service_systemd-coredump_disabled
+     - var_authselect_profile=minimal
+     - enable_authselect
+
+From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 3 Aug 2022 12:17:27 +0200
+Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL
+
+actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template.
+I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers.
+---
+ shared/templates/sysctl/oval.template | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index 1a7c4979bbe..e0c6f72f928 100644
+--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
+@@ -17,13 +17,8 @@
+ {{% endif %}}
+ {{%- endmacro -%}}
+ {{%- macro sysctl_match() -%}}
+-{{%- if SYSCTLVAL == "" -%}}
+-    <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
+-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+-{{%- else -%}}
+     <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+-{{%- endif -%}}
+ {{%- endmacro -%}}
+ {{%- if "P" in FLAGS -%}}
+ 
+
+From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 3 Aug 2022 13:00:45 +0200
+Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid
+
+---
+ .../sysctl_kernel_core_uses_pid/rule.yml      | 36 +++++++++++++++++++
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+new file mode 100644
+index 00000000000..7fa36fb940e
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Configure file name of core dumps'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
+
+rationale: |-
+    The default coredump filename is <pre>core</pre>. By setting
+    <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
+    <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
+    <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
+    <pre>.PID</pre> will be appended to the filename.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86003-1
+
+references:
+    ospp: FMT_SMF_EXT.1
+
+ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+
+ocil: |-
+    {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+
+platform: machine
+
+template:
+    name: sysctl
+    vars:
+        sysctlvar: kernel.core_uses_pid
+        datatype: int
+        sysctlval: '0'
+
+From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 09:08:37 +0200
+Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string
+
+---
+ .../rule.yml                                  | 49 +++++++++++++++++++
+ 2 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+new file mode 100644
+index 00000000000..089bb1481aa
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+@@ -0,0 +1,49 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Disable storing core dumps'
+
+description: |-
+    The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
+    name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
+    behaves differently based on another related option. If
+    <tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
+    <tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
+    created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
+    <tt>0</tt>, no coredump is saved.
+    {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
+
+rationale: |-
+    A core dump includes a memory image taken at the time the operating system
+    terminates an application. The memory image could contain sensitive data and is generally useful
+    only for developers trying to debug problems.
+
+severity: medium
+
+requires:
+    - sysctl_kernel_core_uses_pid
+
+conflicts:
+    - sysctl_kernel_core_pattern
+
+identifiers:
+    cce@rhel9: CCE-86005-6
+
+references:
+    ospp: FMT_SMF_EXT.1
+
+ocil_clause: |-
+    the returned line does not have a value of ''.
+
+ocil: |
+    {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
+
+platform: machine
+
+template:
+    name: sysctl
+    vars:
+        sysctlvar: kernel.core_pattern
+        sysctlval: "''"
+        datatype: string
+
+From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 10:40:47 +0200
+Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile
+
+---
+ products/rhel9/profiles/ospp.profile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 0902abf58db..b1b18261d48 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -110,7 +110,8 @@ selections:
+     - package_gnutls-utils_installed
+ 
+     ### Login
+-    - sysctl_kernel_core_pattern
+    - sysctl_kernel_core_pattern_empty_string
+    - sysctl_kernel_core_uses_pid
+     - service_systemd-coredump_disabled
+     - var_authselect_profile=minimal
+     - enable_authselect
+
+From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 3 Aug 2022 13:01:12 +0200
+Subject: [PATCH 6/8] describe beneficial dependency between
+ sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid
+
+---
+ .../sysctl_kernel_core_uses_pid/rule.yml            | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+index 7fa36fb940e..d6d2c468c10 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps'
+ description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
+ 
+ rationale: |-
+-    The default coredump filename is <pre>core</pre>. By setting
+-    <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
+-    <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
+-    <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
+-    <pre>.PID</pre> will be appended to the filename.
+    The default coredump filename is <tt>core</tt>. By setting
+    <tt>core_uses_pid</tt> to <tt>1</tt>, the coredump filename becomes
+    <tt>core.PID</tt>. If <tt>core_pattern</tt> does not include
+    <tt>%p</tt> (default does not) and <tt>core_uses_pid</tt> is set, then
+    <tt>.PID</tt> will be appended to the filename.
+    When combined with <tt>kernel.core_pattern = ""</tt> configuration, it
+    is ensured that no core dumps are generated and also no confusing error
+    messages are printed by a shell.
+ 
+ severity: medium
+ 
+
+From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 10:53:37 +0200
+Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with
+ sysctl_kernel_core_pattern_empty_string
+
+they are modifying the same configuration
+---
+ .../restrictions/sysctl_kernel_core_pattern/rule.yml           | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+index 771c4d40e0f..c27a9e7ecf3 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+@@ -13,6 +13,9 @@ rationale: |-
+ 
+ severity: medium
+ 
+conflicts:
+    - sysctl_kernel_core_pattern_empty_string
+
+ identifiers:
+     cce@rhcos4: CCE-82527-3
+     cce@rhel8: CCE-82215-5
+
+From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 9 Aug 2022 16:43:20 +0200
+Subject: [PATCH 8/8] fix ocils
+
+---
+ .../restrictions/sysctl_kernel_core_pattern/rule.yml         | 5 ++++-
+ .../restrictions/sysctl_kernel_core_uses_pid/rule.yml        | 4 ++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+index c27a9e7ecf3..1a540ce20b3 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+@@ -29,7 +29,10 @@ references:
+     stigid@ol8: OL08-00-010671
+     stigid@rhel8: RHEL-08-010671
+ 
+-ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause:  |-
+    the returned line does not have a value of "|/bin/false", or a line is not
+    returned and the need for core dumps is not documented with the Information
+    System Security Officer (ISSO) as an operational requirement
+ 
+ ocil: |
+     {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}}
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+index d6d2c468c10..8f51f97c16c 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+@@ -24,10 +24,10 @@ identifiers:
+ references:
+     ospp: FMT_SMF_EXT.1
+ 
+-ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause: 'the returned line does not have a value of 0'
+ 
+ ocil: |-
+-    {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+    {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}
+ 
+ platform: machine
+ 
--- a/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
+++ b/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
@ -0,0 +1,47 @@
+From 21124e8524967788d4c95d47dd41259a0c7f958c Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 20 Jul 2022 14:18:13 +0200
+Subject: [PATCH] change remediations to include the "=" sign
+
+---
+ .../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
+ .../crypto/configure_openssl_crypto_policy/bash/shared.sh     | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+index c335a9e7fa2..852ca18cf79 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+@@ -20,7 +20,7 @@
+   lineinfile:
+     create: yes
+     insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
+-    line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
+    line: ".include = /etc/crypto-policies/back-ends/opensslcnf.config"
+     path: {{{ openssl_cnf_path }}}
+   when:
+     - test_crypto_policy_group.stdout is defined
+@@ -29,7 +29,7 @@
+ - name: "Add crypto_policy group and set include opensslcnf.config"
+   lineinfile:
+     create: yes
+-    line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
+    line: "[crypto_policy]\n.include = /etc/crypto-policies/back-ends/opensslcnf.config"
+     path: {{{ openssl_cnf_path }}}
+   when:
+     - test_crypto_policy_group.stdout is defined
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+index 21edb780a2f..79eb5cff189 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+@@ -2,8 +2,8 @@
+ 
+ OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
+ OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
+-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
+-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config'
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
+ 
+ {{% if 'sle' in product %}}
+   {{% set openssl_cnf_path="/etc/ssl/openssl.cnf" %}}
--- a/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
+++ b/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
@ -0,0 +1,29 @@
+From eef5cb155b9f820439ca32f993cebf1f68b29e80 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 28 Jul 2022 15:08:15 +0200
+Subject: [PATCH] Remove a confusing sentence
+
+In the rule description, there are 2 conflicting sentences, they
+both start by "By default ...", but they negate each other.
+In fact, the second of them is true, so the first one could be
+removed.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092799
+---
+ .../accounts-physical/require_singleuser_auth/rule.yml         | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+index 932d76c36d9..332712ea1dd 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+@@ -8,8 +8,7 @@ title: 'Require Authentication for Single User Mode'
+ description: |-
+     Single-user mode is intended as a system recovery
+     method, providing a single user root access to the system by
+-    providing a boot option at startup. By default, no authentication
+-    is performed if single-user mode is selected.
+    providing a boot option at startup.
+     <br /><br />
+     By default, single-user mode is protected by requiring a password and is set
+     in <tt>/usr/lib/systemd/system/rescue.service</tt>.
--- a/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
+++ b/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -6,13 +6,20 @@

 Name:		scap-security-guide
 Version:	0.1.63
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 BuildArch:	noarch

+Patch0:		scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
+Patch1:		scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
+Patch2:		scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
+Patch3:		scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
+Patch4:		scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
+Patch5:		scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
+
 BuildRequires:	libxslt
 BuildRequires:	expat
 BuildRequires:	openscap-scanner >= 1.2.5
@ -98,6 +105,14 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif

 %changelog
+* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
+- OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583)
+- OSPP: update rules related to coredumps (RHBZ#2081688)
+- OSPP: update rules related to BPF (RHBZ#2081728)
+- fix description of require_singleuser_mode (RHBZ#2092799)
+- fix remediation of OpenSSL cryptopolicy (RHBZ#2108569)
+- OSPP: use minimal Authselect profile(RHBZ#2114979)
+
 * Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
 - Rebase to a new upstream release 0.1.63 (RHBZ#2070563)