import scap-security-guide-0.1.48-7.el8

2020-04-28 05:32:22 -04:00 · 2020-04-28 05:32:22 -04:00 · 41c5266b38
parent 0ac390339a
commit 41c5266b38
17 changed files with 4447 additions and 25 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.46.tar.bz2
+SOURCES/scap-security-guide-0.1.48.tar.bz2
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@ -1 +1 @@
-05a9c42472d6918e10d25df002ab6b3c3d379016 SOURCES/scap-security-guide-0.1.46.tar.bz2
+a8f9874a8f1df4c66e45daa6fa6c41d1ac8df934 SOURCES/scap-security-guide-0.1.48.tar.bz2
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@ -1,34 +1,37 @@
-From c6c4eae7d085adb1571e5c45edb4bd982c242f4d Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 17 Dec 2018 13:30:06 +0100
-Subject: [PATCH] Disable profiles that are not in good shape for RHEL8.
+From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 17 Jan 2020 19:01:22 +0100
+Subject: [PATCH] Disable profiles that are not in good shape for RHEL8

 They raise too many errors and fails.
+Also disable tables for profiles that are not built.
 ---
- rhel8/CMakeLists.txt            | 3 ++-
- rhel8/profiles/cjis.profile     | 2 +-
- rhel8/profiles/cui.profile      | 2 +-
- rhel8/profiles/hipaa.profile    | 2 +-
- rhel8/profiles/rht-ccp.profile  | 2 +-
- rhel8/profiles/standard.profile | 2 +-
- 6 files changed, 7 insertions(+), 6 deletions(-)
+ rhel8/CMakeLists.txt              | 2 --
+ rhel8/profiles/cjis.profile       | 2 +-
+ rhel8/profiles/cui.profile        | 2 +-
+ rhel8/profiles/hipaa.profile      | 2 +-
+ rhel8/profiles/rhelh-stig.profile | 2 +-
+ rhel8/profiles/rhelh-vpp.profile  | 2 +-
+ rhel8/profiles/rht-ccp.profile    | 2 +-
+ rhel8/profiles/standard.profile   | 2 +-
+ 9 files changed, 8 insertions(+), 10 deletions(-)

 diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
-index 99bccbed7..77f8ccaec 100644
+index 40f2b2b0f..492a8dae1 100644
 --- a/rhel8/CMakeLists.txt
 +++ b/rhel8/CMakeLists.txt
-@@ -14,7 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
+@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
 ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
 ssg_build_html_table_by_ref(${PRODUCT} "anssi")
 
 -ssg_build_html_nistrefs_table(${PRODUCT} "standard")
-+# Standard profile is disabled for RHEL8 as it is not in good shape
-+#ssg_build_html_nistrefs_table(${PRODUCT} "standard")
 ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
+ ssg_build_html_nistrefs_table(${PRODUCT} "stig")
 
 # Uncomment when anssi profiles are marked documentation_complete: true
+ #ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal")
 diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
-index a7f8c0b16..c460793be 100644
+index 05ea9cdd6..9c55ac5b1 100644
 --- a/rhel8/profiles/cjis.profile
 +++ b/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
@ -48,7 +51,7 @@ index eb62252a4..e8f369708 100644
 title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
 
 diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
-index feb98007c..0667f65ed 100644
+index 8d20f9019..d641b56fe 100644
 --- a/rhel8/profiles/hipaa.profile
 +++ b/rhel8/profiles/hipaa.profile
@@ -1,4 +1,4 @@
@ -57,8 +60,28 @@ index feb98007c..0667f65ed 100644
 
 title: 'Health Insurance Portability and Accountability Act (HIPAA)'
 
+diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
+index 1efca5f44..c3d0b0964 100644
+--- a/rhel8/profiles/rhelh-stig.profile
+++ b/rhel8/profiles/rhelh-stig.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
+documentation_complete: false
+ 
+ title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
+ 
+diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile
+index 2baee6d66..8592d7aaf 100644
+--- a/rhel8/profiles/rhelh-vpp.profile
+++ b/rhel8/profiles/rhelh-vpp.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
+documentation_complete: false
+ 
+ title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
+ 
 diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
-index 023663b21..8b22bc711 100644
+index c84579592..164ec98c4 100644
 --- a/rhel8/profiles/rht-ccp.profile
 +++ b/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
@ -78,5 +101,5 @@ index a63ae2cf3..da669bb84 100644
 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
 
 -- 
-2.19.2
+2.21.1

--- a/SOURCES/scap-security-guide-0.1.49-add-cce-openssh-server.patch
+++ b/SOURCES/scap-security-guide-0.1.49-add-cce-openssh-server.patch
@ -0,0 +1,21 @@
+From 3c7332c8245fe3f356557619f59a9218a50e7dfa Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 11 Feb 2020 13:53:46 +0100
+Subject: [PATCH] Add CCE identifier for openssh-server installed
+
+---
+ .../guide/services/ssh/package_openssh-server_installed/rule.yml | 1 +
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+index ba013ec509..cecd6514fb 100644
+--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ 
+ identifiers:
+     cce@rhel7: 80215-7
+    cce@rhel8: 83303-8
+ 
+ references:
+     disa: 2418,2420,2421,2422
--- a/SOURCES/scap-security-guide-0.1.49-add-few-srg-mappings.patch
+++ b/SOURCES/scap-security-guide-0.1.49-add-few-srg-mappings.patch
@ -0,0 +1,150 @@
+From af199c3ea2772fd30b47410c2b7aeff08d54103e Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Wed, 5 Feb 2020 10:23:44 +0100
+Subject: [PATCH 1/4] Add and fix few entries of SRG mapping.
+
+---
+ .../network-uncommon/kernel_module_dccp_disabled/rule.yml       | 1 +
+ .../permissions/partitions/mount_option_var_log_nodev/rule.yml  | 1 +
+ .../dconf_gnome_screensaver_lock_delay/rule.yml                 | 2 +-
+ .../dconf_gnome_screensaver_lock_enabled/rule.yml               | 2 +-
+ 4 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+index 1b42b7233b..4dcbc458d1 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+@@ -37,6 +37,7 @@ references:
+     cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
+     iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
+     cis-csc: 11,14,3,9
+    srg: SRG-OS-000096-GPOS-00050
+ 
+ {{{ complete_ocil_entry_module_disable(module="dccp") }}}
+ 
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+index 298f17d2d8..d1ec9f644e 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+@@ -28,6 +28,7 @@ identifiers:
+ references:
+     nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+     nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
+    srg: SRG-OS-000368-GPOS-00154
+ 
+ platform: machine
+ 
+diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
+index b20323c1af..39aa044941 100644
+--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
+@@ -34,7 +34,7 @@ references:
+     nist-csf: PR.AC-7
+     ospp: FMT_MOF_EXT.1
+     pcidss: Req-8.1.8
+-    srg: OS-SRG-000029-GPOS-00010
+    srg: SRG-OS-000029-GPOS-00010
+     stigid@rhel7: "010110"
+     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
+     isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
+diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
+index 0380f0149f..7742b8d862 100644
+--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
+@@ -35,7 +35,7 @@ references:
+     nist-csf: PR.AC-7
+     ospp: FMT_MOF_EXT.1
+     pcidss: Req-8.1.8
+-    srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011
+    srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
+     stigid@rhel7: "010060"
+     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
+     isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
+
+From 2dd70b7464873b0996e788d546d7c557e5c702d1 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 5 Feb 2020 10:33:54 +0100
+Subject: [PATCH 2/4] Map strong entopy rules to SRG-OS-000480-GPOS-00227
+
+The SRG is about configuring the system in accordance with security
+baselines defined by DoD, including STIG,NSA guides, CTOs and DTMs.
+---
+ .../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml   | 1 +
+ .../integrity/crypto/openssl_use_strong_entropy/rule.yml         | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+index 4bfb72702b..62b2d01924 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+@@ -25,6 +25,7 @@ identifiers:
+ 
+ references:
+     ospp: FIA_AFL.1
+    srg: SRG-OS-000480-GPOS-00227
+ 
+ ocil: |-
+     To determine whether the SSH service is configured to use strong entropy seed,
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+index 8a958e93b0..47dc8953e4 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+@@ -25,6 +25,7 @@ identifiers:
+ 
+ references:
+     ospp: FIA_AFL.1
+    srg: SRG-OS-000480-GPOS-00227
+ 
+ ocil: |-
+     To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
+
+From 31101d115f8eb436a6a7e9462235e921a2727517 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 5 Feb 2020 11:12:02 +0100
+Subject: [PATCH 3/4] Same SRG mapping as
+ package_subscription-manager_installed
+
+The package provides an interface for automation of package updates
+---
+ .../package_dnf-plugin-subscription-manager_installed/rule.yml   | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+index 6b0144fd54..8f081d9a3c 100644
+--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+@@ -20,6 +20,7 @@ identifiers:
+ 
+ references:
+     ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
+    srg: SRG-OS-000366-GPOS-00153
+ 
+ ocil_clause: 'the package is not installed'
+ 
+
+From 477eb05fa4b105c9c49973c23d8875d1714a487d Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 5 Feb 2020 11:14:35 +0100
+Subject: [PATCH 4/4] Map package_pigz_removed to ADSLR SRG item
+
+From rule's rationale:
+Binaries in pigz package are compiled without sufficient stack
+protection and its ADSLR is weak.
+---
+ .../system/software/system-tools/package_pigz_removed/rule.yml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
+index 595b78e768..bb724d916d 100644
+--- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
+@@ -18,6 +18,9 @@ severity: low
+ identifiers:
+     cce@rhel8: 82397-1
+ 
+references:
+    srg: SRG-OS-000433-GPOS-00192
+
+ {{{ complete_ocil_entry_package(package="pigz") }}}
+ 
+ template:
--- a/SOURCES/scap-security-guide-0.1.49-add-rsyslog-to-stig.patch
+++ b/SOURCES/scap-security-guide-0.1.49-add-rsyslog-to-stig.patch
@ -0,0 +1,23 @@
+From 716cccfe5a253be61e2b2f46b972ae2153a09ad2 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 4 Feb 2020 17:38:45 +0100
+Subject: [PATCH] Add rules to configure rsyslog TLS
+
+---
+ rhel8/profiles/stig.profile | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index d85e18e9d0..821cc26914 100644
+--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
+@@ -33,3 +33,9 @@ selections:
+     - encrypt_partitions
+     - sysctl_net_ipv4_tcp_syncookies
+     - clean_components_post_updating
+
+    # Configure TLS for remote logging
+    - package_rsyslog_installed
+    - package_rsyslog-gnutls_installed
+    - rsyslog_remote_tls
+    - rsyslog_remote_tls_cacert
--- a/SOURCES/scap-security-guide-0.1.49-add-stig-kickstart.patch
+++ b/SOURCES/scap-security-guide-0.1.49-add-stig-kickstart.patch
@ -0,0 +1,184 @@
+From 3d061cb6cb61ef8dc7bccc873bf338041687842e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 3 Feb 2020 21:23:59 +0100
+Subject: [PATCH] Add Kickstart file for STIG profile
+
+Based on OSPP KS
+---
+ rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 167 ++++++++++++++++++++++++++
+ 1 file changed, 167 insertions(+)
+ create mode 100644 rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+
+diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+new file mode 100644
+index 0000000000..8c970dd6ff
+--- /dev/null
+++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+@@ -0,0 +1,167 @@
+# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url		the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot	enable device at a boot time
+# --device	device to be activated and / or configured with the network command
+# --bootproto	method to obtain networking configuration for device (default dhcp)
+# --noipv6	disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+#       "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled	reject incoming connections that are not in response to outbound requests
+# --ssh		allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow	enable shadowed passwords by default
+# --passalgo		hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Refer to e.g.
+#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+# 
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux	erase all Linux partitions
+# --initlabel	initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol swap --name=swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#  
+#  Important
+#   Applying a security policy is not necessary on all systems. This screen should only be used
+#   when a specific policy is mandated by your organization rules or government regulations.
+#   Unlike most other commands, this add-on does not accept regular options, but uses key-value
+#   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+#   Values can be optionally enclosed in single quotes (') or double quotes (").
+#   
+#  The following keys are recognized by the add-on:
+#    content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+#      - If the content-type is scap-security-guide, the add-on will use content provided by the
+#        scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+#    content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+#    datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+#    xccdf-id - ID of the benchmark you want to use.
+#    xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+#    profile - ID of the profile to be applied. Use default to apply the default profile.
+#    fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+#    tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+#
+#  The following is an example %addon org_fedora_oscap section which uses content from the
+#  scap-security-guide on the installation media: 
+%addon org_fedora_oscap
+	content-type = scap-security-guide
+	profile = xccdf_org.ssgproject.content_profile_stig
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject	attempt to eject CD or DVD media before rebooting
+reboot --eject
--- a/SOURCES/scap-security-guide-0.1.49-drop-rsyslog-rules.patch
+++ b/SOURCES/scap-security-guide-0.1.49-drop-rsyslog-rules.patch
@ -0,0 +1,36 @@
+From 3d8e47f0bd6fc1ddf8f33b788f52a23f348f24b7 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+ <vpolasek@redhat.com>
+Date: Mon, 3 Feb 2020 11:37:50 +0100
+Subject: remove rsyslog rules from ospp
+
+---
+ rhel8/profiles/ospp.profile | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index ef3ced501..fb653de9d 100644
+--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
+@@ -178,8 +178,6 @@ selections:
+     - package_audispd-plugins_installed
+     - package_scap-security-guide_installed
+     - package_audit_installed
+-    - package_rsyslog_installed
+-    - package_rsyslog-gnutls_installed
+     - package_gnutls-utils_installed
+     - package_nss-tools_installed
+ 
+@@ -391,8 +389,7 @@ selections:
+     - timer_dnf-automatic_enabled
+ 
+     # Configure TLS for remote logging
+-    - rsyslog_remote_tls
+-    - rsyslog_remote_tls_cacert
+    # temporarily dropped
+ 
+     # Prevent Kerberos use by system daemons
+     - kerberos_disable_no_keytab
+-- 
+2.25.0
+
--- a/SOURCES/scap-security-guide-0.1.49-fix-remaining-srgs.patch
+++ b/SOURCES/scap-security-guide-0.1.49-fix-remaining-srgs.patch
@ -0,0 +1,49 @@
+From ccd6b36cbb7ad3046fa09bdbf3aab84b1212d213 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 6 Feb 2020 11:29:31 +0100
+Subject: [PATCH] Map missing SRG rules
+
+---
+ .../guide/system/software/gnome/dconf_db_up_to_date/rule.yml   | 3 +++
+ .../system-tools/package_gnutls-utils_installed/rule.yml       | 1 +
+ .../software/system-tools/package_nss-tools_installed/rule.yml | 1 +
+ 3 files changed, 5 insertions(+)
+
+diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
+index 3017b789f8..3e0b4fa2d1 100644
+--- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
+@@ -20,6 +20,9 @@ identifiers:
+     cce@rhel8: 81003-6
+     cce@rhel7: 81004-4
+ 
+references:
+    srg: SRG-OS-000480-GPOS-00227
+
+ ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
+index ebb8ad95f0..1374900664 100644
+--- a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
+@@ -21,6 +21,7 @@ identifiers:
+ 
+ references:
+     ospp: FMT_SMF_EXT.1
+    srg: SRG-OS-000480-GPOS-00227
+ 
+ ocil_clause: 'the package is not installed'
+ 
+diff --git a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
+index 32c9c32893..5d0d679a1a 100644
+--- a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
+@@ -19,6 +19,7 @@ identifiers:
+ 
+ references:
+     ospp: FMT_SMF_EXT.1
+    srg: SRG-OS-000480-GPOS-00227
+ 
+ ocil_clause: 'the package is not installed'
+ 
--- a/SOURCES/scap-security-guide-0.1.49-max-path-len-skip-logs.patch
+++ b/SOURCES/scap-security-guide-0.1.49-max-path-len-skip-logs.patch
@ -0,0 +1,49 @@
+From 840fb94f9b371f6555536de2c32953c967c1122a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 21 Jan 2020 14:17:00 +0100
+Subject: [PATCH 1/2] Don't check for path len of logs directory
+
+The logs are not part of the tarball, nor used to build the content.
+---
+ tests/ensure_paths_are_short.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py
+index 5d4e27cb91..18d4c662ff 100755
+--- a/tests/ensure_paths_are_short.py
+++ b/tests/ensure_paths_are_short.py
+@@ -13,6 +13,10 @@ def main():
+     ssg_root = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
+     max_path = ""
+     for dir_, _, files in os.walk(ssg_root):
+        # Don't check for path len of log files
+        # They are not shipped nor used during build
+        if "tests/logs/" in dir_:
+            continue
+         for file_ in files:
+             path = os.path.relpath(os.path.join(dir_, file_), ssg_root)
+             if len(path) > len(max_path):
+
+From 8d29c78efc51cc2c2da0e436b3cd9a2edb5342bc Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 21 Jan 2020 15:05:17 +0100
+Subject: [PATCH 2/2] Skip only only tests/logs/ from project root
+
+---
+ tests/ensure_paths_are_short.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py
+index 18d4c662ff..b9e985fea0 100755
+--- a/tests/ensure_paths_are_short.py
+++ b/tests/ensure_paths_are_short.py
+@@ -15,7 +15,8 @@ def main():
+     for dir_, _, files in os.walk(ssg_root):
+         # Don't check for path len of log files
+         # They are not shipped nor used during build
+-        if "tests/logs/" in dir_:
+        current_relative_path = os.path.relpath(dir_, ssg_root)
+        if current_relative_path.startswith("tests/logs/"):
+             continue
+         for file_ in files:
+             path = os.path.relpath(os.path.join(dir_, file_), ssg_root)
--- a/SOURCES/scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch
+++ b/SOURCES/scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch
@ -0,0 +1,593 @@
+From e0f1e2096d0f33fa94e3f78a5038e929b0039c32 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 27 Jan 2020 11:51:53 +0100
+Subject: [PATCH 1/6] Add a rule for the openssl strong entropy wrapper.
+
+---
+ .../openssl_use_strong_entropy/rule.yml       | 65 +++++++++++++++++++
+ rhel8/profiles/ospp.profile                   |  1 +
+ shared/references/cce-redhat-avail.txt        |  1 -
+ 3 files changed, 66 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+new file mode 100644
+index 0000000000..e9ea8ed338
+--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+@@ -0,0 +1,65 @@
+documentation_complete: true
+
+# TODO: The plan is not to need this for RHEL>=8.4
+prodtype: rhel8
+
+title: 'OpenSSL uses strong entropy source'
+
+description: |-
+    To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
+    save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
+    <pre>
+    # provide a default -rand /dev/random option to openssl commands that
+    # support it
+
+    # written inefficiently for maximum shell compatibility
+    openssl()
+    (
+      openssl_bin=/usr/bin/openssl
+
+      case "$*" in
+        # if user specified -rand, honor it
+        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+      esac
+
+      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+      for i in `$openssl_bin list -commands`; do
+        if $openssl_bin list -options "$i" | grep -q '^rand '; then
+          cmds=" $i $cmds"
+        fi
+      done
+
+      case "$cmds" in
+        *\ "$1"\ *)
+          cmd="$1"; shift
+          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+      esac
+
+      exec $openssl_bin "$@"
+    )
+    </pre>
+
+rationale: |-
+    The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
+    The referenced script is sourced to every login shell, and it transparently adds an option
+    that enforces strong entropy to every <tt>openssl</tt> invocation,
+    which makes <tt>openssl</tt> more secure by default.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82721-2
+
+references:
+    ospp: FIA_AFL.1
+
+ocil: |-
+    To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
+    make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
+    that are included in the rule's description.
+
+ocil_clause: |-
+    there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
+
+warnings:
+    - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 63aea526b7..ef3ced5010 100644
+--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
+@@ -59,6 +59,7 @@ selections:
+     - sshd_enable_warning_banner
+     - sshd_rekey_limit
+     - sshd_use_strong_rng
+    - openssl_use_strong_entropy
+ 
+     # Time Server
+     - chronyd_client_only
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 4cb08794f4..1733872dfa 100644
+--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
+@@ -248,6 +248,5 @@
+ CCE-82719-6
+ CCE-82720-4
+-CCE-82721-2
+ CCE-82722-0
+ CCE-82723-8
+ CCE-82724-6
+
+From bbd0f8b1234858a4abeece07d7d188bb07d3d077 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 27 Jan 2020 19:35:06 +0100
+Subject: [PATCH 2/6] create checks, remediations,
+
+---
+ .../ansible/shared.yml                        | 12 +++++++
+ .../openssl_use_strong_entropy/bash/shared.sh |  5 +++
+ .../oval/shared.xml                           | 34 +++++++++++++++++++
+ .../openssl_use_strong_entropy/rule.yml       | 29 +---------------
+ shared/macros.jinja                           | 34 ++++++++++++++++++-
+ 5 files changed, 85 insertions(+), 29 deletions(-)
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+new file mode 100644
+index 0000000000..3ce26d6525
+--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "copy a file with shell snippet to configure openssl strong entropy"
+  copy:
+    dest: /etc/profile.d/cc-config.sh
+    content: |+
+        {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
+        
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
+new file mode 100644
+index 0000000000..db5c331ce7
+--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
+@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 8
+
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+{{{ openssl_strong_entropy_config_file() }}}
+EOM
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
+new file mode 100644
+index 0000000000..b441b7ae6e
+--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
+@@ -0,0 +1,34 @@
+<def-group>
+  <definition class="compliance" id="openssl_use_strong_entropy" version="1">
+    <metadata>
+      <title>Configure Openssl to use strong entropy</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 8</platform>
+        <platform>multi_platform_fedora</platform>
+      </affected>
+      <description>OpenSSL should be configured to generate random data with strong entropy.</description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="test_openssl_strong_entropy"
+      comment="Check that the OpenSSL is configured to generate random data with strong entropy." />
+    </criteria>
+  </definition>
+
+  <ind:filehash58_test id="test_openssl_strong_entropy"
+  comment="Test if openssl is configured to generate random data with strong entropy" version="1"
+  check="all" check_existence="all_exist">
+    <ind:object object_ref="object_openssl_strong_entropy"/>
+    <ind:state state_ref="state_openssl_strong_entropy"/>
+  </ind:filehash58_test>
+
+  <ind:filehash58_object id="object_openssl_strong_entropy" version="1">
+    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+    <ind:hash_type>SHA-256</ind:hash_type>
+  </ind:filehash58_object>
+
+  <ind:filehash58_state id="state_openssl_strong_entropy" version="1">
+    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+    <ind:hash_type>SHA-256</ind:hash_type>
+    <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
+  </ind:filehash58_state>
+</def-group>
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+index e9ea8ed338..3b01da01af 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+@@ -9,34 +9,7 @@ description: |-
+     To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
+     save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
+     <pre>
+-    # provide a default -rand /dev/random option to openssl commands that
+-    # support it
+-
+-    # written inefficiently for maximum shell compatibility
+-    openssl()
+-    (
+-      openssl_bin=/usr/bin/openssl
+-
+-      case "$*" in
+-        # if user specified -rand, honor it
+-        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+-      esac
+-
+-      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+-      for i in `$openssl_bin list -commands`; do
+-        if $openssl_bin list -options "$i" | grep -q '^rand '; then
+-          cmds=" $i $cmds"
+-        fi
+-      done
+-
+-      case "$cmds" in
+-        *\ "$1"\ *)
+-          cmd="$1"; shift
+-          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+-      esac
+-
+-      exec $openssl_bin "$@"
+-    )
+    {{{ openssl_strong_entropy_config_file() | indent(4) }}}
+     </pre>
+ 
+ rationale: |-
+diff --git a/shared/macros.jinja b/shared/macros.jinja
+index 77f8eb31c7..8a25acc937 100644
+--- a/shared/macros.jinja
+++ b/shared/macros.jinja
+@@ -618,10 +618,42 @@ ocil_clause: "the correct value is not returned"
+ 
+ 
+ {{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}}
+-        When selecting this rule in a profile, 
+        When selecting this rule in a profile,
+         {{%- if why %}}
+             make sure that rule with ID <code>{{{ rule_id }}}</code> is selected as well: {{{ why }}}
+         {{%- else %}}
+             rule <code>{{{ rule_id }}}</code> has to be selected as well.
+         {{%- endif %}}
+ {{% endmacro %}}
+
+{{% macro openssl_strong_entropy_config_file() -%}}
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+  openssl_bin=/usr/bin/openssl
+
+  case "$*" in
+    # if user specified -rand, honor it
+    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+  esac
+
+  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+  for i in `$openssl_bin list -commands`; do
+    if $openssl_bin list -options "$i" | grep -q '^rand '; then
+      cmds=" $i $cmds"
+    fi
+  done
+
+  case "$cmds" in
+    *\ "$1"\ *)
+      cmd="$1"; shift
+      exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+  esac
+
+  exec $openssl_bin "$@"
+)
+
+{{%- endmacro %}}
+
+From efaa2c9cbbe09af6b319f487ec05f646290a05a1 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 28 Jan 2020 13:42:40 +0100
+Subject: [PATCH 3/6] add tests
+
+---
+ .../tests/correct.pass.sh                     | 34 +++++++++++++++++++
+ .../tests/file_missing.fail.sh                |  5 +++
+ .../tests/file_modified.fail.sh               |  5 +++
+ 3 files changed, 44 insertions(+)
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
+new file mode 100644
+index 0000000000..0bffab3c81
+--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
+@@ -0,0 +1,34 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+  openssl_bin=/usr/bin/openssl
+
+  case "$*" in
+    # if user specified -rand, honor it
+    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+  esac
+
+  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+  for i in `$openssl_bin list -commands`; do
+    if $openssl_bin list -options "$i" | grep -q '^rand '; then
+      cmds=" $i $cmds"
+    fi
+  done
+
+  case "$cmds" in
+    *\ "$1"\ *)
+      cmd="$1"; shift
+      exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+  esac
+
+  exec $openssl_bin "$@"
+)
+EOM
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
+new file mode 100644
+index 0000000000..c1d526902c
+--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
+@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+rm -f /etc/profile.d/cc-config.sh
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
+new file mode 100644
+index 0000000000..313d14a37f
+--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
+@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo "wrong data" > /etc/profile.d/cc-config.sh
+
+From 223194744d54d0400ab1d2981761166580a4f017 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 29 Jan 2020 11:12:46 +0100
+Subject: [PATCH 4/6] remove blank=true from  jinja macro as rhel6 and rhel7 do
+ not support it
+
+---
+ .../crypto/openssl_use_strong_entropy/ansible/shared.yml        | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+index 3ce26d6525..bdc530f9f5 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+@@ -8,5 +8,5 @@
+   copy:
+     dest: /etc/profile.d/cc-config.sh
+     content: |+
+-        {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
+        {{{ openssl_strong_entropy_config_file()|indent(8) }}}
+         
+
+From bd41dcc77b326ed4bc352fe15d083ca6b144855f Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 30 Jan 2020 14:25:31 +0100
+Subject: [PATCH 5/6] reword rationale, change file name
+
+from cc-config.sh to openssl-rand.sh
+change title of oval
+---
+ .../openssl_use_strong_entropy/ansible/shared.yml  |  2 +-
+ .../openssl_use_strong_entropy/bash/shared.sh      |  2 +-
+ .../openssl_use_strong_entropy/oval/shared.xml     | 11 ++++-------
+ .../crypto/openssl_use_strong_entropy/rule.yml     | 14 +++++---------
+ .../tests/correct.pass.sh                          |  2 +-
+ .../tests/file_missing.fail.sh                     |  2 +-
+ .../tests/file_modified.fail.sh                    |  2 +-
+ 7 files changed, 14 insertions(+), 21 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+index bdc530f9f5..6ee232892d 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+@@ -6,7 +6,7 @@
+ 
+ - name: "copy a file with shell snippet to configure openssl strong entropy"
+   copy:
+-    dest: /etc/profile.d/cc-config.sh
+    dest: /etc/profile.d/openssl-rand.sh
+     content: |+
+         {{{ openssl_strong_entropy_config_file()|indent(8) }}}
+         
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
+index db5c331ce7..d8c9935005 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
+@@ -1,5 +1,5 @@
+ # platform = Red Hat Enterprise Linux 8
+ 
+-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
+ {{{ openssl_strong_entropy_config_file() }}}
+ EOM
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
+index b441b7ae6e..847754f36d 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
+@@ -1,11 +1,8 @@
+ <def-group>
+   <definition class="compliance" id="openssl_use_strong_entropy" version="1">
+     <metadata>
+-      <title>Configure Openssl to use strong entropy</title>
+-      <affected family="unix">
+-        <platform>Red Hat Enterprise Linux 8</platform>
+-        <platform>multi_platform_fedora</platform>
+-      </affected>
+      <title>Configure OpenSSL to use strong entropy</title>
+      {{{- oval_affected(products) }}}
+       <description>OpenSSL should be configured to generate random data with strong entropy.</description>
+     </metadata>
+     <criteria>
+@@ -22,12 +19,12 @@
+   </ind:filehash58_test>
+ 
+   <ind:filehash58_object id="object_openssl_strong_entropy" version="1">
+-    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+    <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
+     <ind:hash_type>SHA-256</ind:hash_type>
+   </ind:filehash58_object>
+ 
+   <ind:filehash58_state id="state_openssl_strong_entropy" version="1">
+-    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+    <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
+     <ind:hash_type>SHA-256</ind:hash_type>
+     <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
+   </ind:filehash58_state>
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+index 3b01da01af..dd82336532 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+@@ -7,19 +7,15 @@ title: 'OpenSSL uses strong entropy source'
+ 
+ description: |-
+     To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
+-    save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
+    save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
+     <pre>
+     {{{ openssl_strong_entropy_config_file() | indent(4) }}}
+     </pre>
+ 
+ rationale: |-
+-    The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
+-    The referenced script is sourced to every login shell, and it transparently adds an option
+-    that enforces strong entropy to every <tt>openssl</tt> invocation,
+-    which makes <tt>openssl</tt> more secure by default.
+    This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
+ 
+ severity: medium
+-
+ identifiers:
+     cce@rhel8: 82721-2
+ 
+@@ -27,12 +23,12 @@ references:
+     ospp: FIA_AFL.1
+ 
+ ocil: |-
+-    To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
+-    make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
+    To determine whether the <tt>openssl</tt> wrapper is configured correctly,
+    make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
+     that are included in the rule's description.
+ 
+ ocil_clause: |-
+-    there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
+    there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description
+ 
+ warnings:
+     - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
+index 0bffab3c81..d7f3ce8c87 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
+@@ -2,7 +2,7 @@
+ # platform = Red Hat Enterprise Linux 8
+ # profiles = xccdf_org.ssgproject.content_profile_ospp
+ 
+-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
+ # provide a default -rand /dev/random option to openssl commands that
+ # support it
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
+index c1d526902c..64a580da91 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
+@@ -2,4 +2,4 @@
+ # platform = Red Hat Enterprise Linux 8
+ # profiles = xccdf_org.ssgproject.content_profile_ospp
+ 
+-rm -f /etc/profile.d/cc-config.sh
+rm -f /etc/profile.d/openssl-rand.sh
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
+index 313d14a37f..2c812e874b 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
+@@ -2,4 +2,4 @@
+ # platform = Red Hat Enterprise Linux 8
+ # profiles = xccdf_org.ssgproject.content_profile_ospp
+ 
+-echo "wrong data" > /etc/profile.d/cc-config.sh
+echo "wrong data" > /etc/profile.d/openssl-rand.sh
+
+From 679bd9cd08f962b3a88197817c199bd90a47f8d7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Fri, 31 Jan 2020 16:34:48 +0100
+Subject: [PATCH 6/6] Rule and remediation wording improvements.
+
+---
+ .../openssl_use_strong_entropy/ansible/shared.yml |  3 +--
+ .../crypto/openssl_use_strong_entropy/rule.yml    | 15 ++++++++++-----
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+index 6ee232892d..25afb8e27f 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+@@ -4,9 +4,8 @@
+ # complexity = low
+ # disruption = low
+ 
+-- name: "copy a file with shell snippet to configure openssl strong entropy"
+- name: "Put a file with shell wrapper to configure OpenSSL to always use strong entropy"
+   copy:
+     dest: /etc/profile.d/openssl-rand.sh
+     content: |+
+         {{{ openssl_strong_entropy_config_file()|indent(8) }}}
+-        
+diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+index dd82336532..8a958e93b0 100644
+--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+@@ -6,14 +6,18 @@ prodtype: rhel8
+ title: 'OpenSSL uses strong entropy source'
+ 
+ description: |-
+-    To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
+-    save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
+    By default, OpenSSL doesn't always use a SP800-90A compliant random number generator.
+    A way to configure OpenSSL to always use a strong source is to setup a wrapper that
+    defines a shell function that shadows the actual <tt>openssl</tt> binary,
+    and that ensures that the <tt>-rand /dev/random</tt> option is added to every <tt>openssl</tt> invocation.
+
+    To do so, place the following shell snippet exactly as-is to <tt>/etc/profile.d/openssl-rand.sh</tt>:
+     <pre>
+     {{{ openssl_strong_entropy_config_file() | indent(4) }}}
+     </pre>
+ 
+ rationale: |-
+-    This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
+    This rule ensures that <tt>openssl</tt> invocations always uses SP800-90A compliant random number generator as a default behavior.
+ 
+ severity: medium
+ identifiers:
+@@ -23,8 +27,9 @@ references:
+     ospp: FIA_AFL.1
+ 
+ ocil: |-
+-    To determine whether the <tt>openssl</tt> wrapper is configured correctly,
+-    make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
+    To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
+    uses a SP800-90A compliant entropy source,
+    make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contents exactly match those
+     that are included in the rule's description.
+ 
+ ocil_clause: |-
--- a/SOURCES/scap-security-guide-0.1.49-split-audit-rules.patch
+++ b/SOURCES/scap-security-guide-0.1.49-split-audit-rules.patch
--- a/SOURCES/scap-security-guide-0.1.49-ssh-use-strong-rng.patch
+++ b/SOURCES/scap-security-guide-0.1.49-ssh-use-strong-rng.patch
@ -0,0 +1,855 @@
+From e826795667e319a336ccbfe0919c044766801cb8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Fri, 17 Jan 2020 10:49:36 +0100
+Subject: [PATCH 1/7] Added lineinfile shell assignment support to our macros.
+
+---
+ shared/macros-ansible.jinja | 20 +++++++++++++++++++
+ shared/macros-bash.jinja    | 26 +++++++++++++++++++++++++
+ shared/macros-oval.jinja    | 39 ++++++++++++++++++++++++++++++++-----
+ 3 files changed, 80 insertions(+), 5 deletions(-)
+
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index 3e4a441225..c42a5156ce 100644
+--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
+@@ -141,6 +141,26 @@
+ {{{ ansible_set_config_file(msg, "/etc/ssh/sshd_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="^[#\s]*Match") }}}
+ {{%- endmacro %}}
+ 
+{{#
+  High level macro to set a value in a shell-related file that contains var assignments. This
+  takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
+  in the configuration file, and the value to set it to. We specify a case
+  sensitive comparison in the prefix since this is used to deduplicate since
+  We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
+#}}
+{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
+{{% if no_quotes -%}}
+{{%- else -%}}
+{{%- set quotes = "\"'" -%}}
+  {{% if "$" in value %}}
+  {{% set value = '"%s"' % value %}}
+  {{% else %}}
+  {{% set value = "'%s'" % value %}}
+  {{% endif %}}
+{{%- endif -%}}
+{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
+{{%- endmacro %}}
+
+ {{#
+   High level macro to set a command in tmux configuration file /etc/tmux.conf.
+   Parameters:
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 43200bdd8a..6c0bb2facc 100644
+--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
+@@ -1,5 +1,31 @@
+ {{# ##### High level macros ##### #}}
+ 
+{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
+{{% if no_quotes -%}}
+  {{% if "$" in value %}}
+  {{% set value = '%s' % value.replace("$", "\\$") %}}
+  {{% endif %}}
+{{%- else -%}}
+  {{% if "$" in value %}}
+  {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
+  {{% else %}}
+  {{% set value = "'%s'" % value %}}
+  {{% endif %}}
+{{%- endif -%}}
+{{{ set_config_file(
+        path=path,
+        parameter=parameter,
+        value=value,
+        create=true,
+        insert_after="",
+        insert_before="^Match",
+        insensitive=false,
+        separator="=",
+        separator_regex="=",
+        prefix_regex="^\s*")
+    }}}
+{{%- endmacro -%}}
+
+ {{%- macro bash_sshd_config_set(parameter, value) -%}}
+ {{{ set_config_file(
+         path="/etc/ssh/sshd_config",
+diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
+index 2049a24d6e..696cf36db0 100644
+--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
+@@ -17,8 +17,9 @@
+     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+     - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+     - section (String): If set, the parameter will be checked only within the given section defined by [section].
+    - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
+ #}}
+-{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='') -%}}
+{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
+ <def-group>
+   <definition class="compliance" id="{{{ rule_id }}}" version="1">
+     <metadata>
+@@ -60,7 +61,7 @@
+   </definition>
+   {{{ oval_line_in_file_test(path, parameter) }}}
+   {{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, false, multi_value) }}}
+-  {{{ oval_line_in_file_state(value, multi_value) }}}
+  {{{ oval_line_in_file_state(value, multi_value, quotes) }}}
+   {{%- if missing_parameter_pass %}}
+   {{{ oval_line_in_file_test(path, parameter, missing_parameter_pass) }}}
+   {{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, missing_parameter_pass, multi_value) }}}
+@@ -173,12 +174,21 @@
+   This macro can take two parameters:
+     - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
+     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+    - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
+      For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
+ #}}
+-{{%- macro oval_line_in_file_state(value='', multi_value='') -%}}
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}}
+{{%- set regex = value -%}}
+{{%- if quotes != "" %}}
+{{%- if "\\1" in value > 0 %}}
+{{{ raise("The regex for matching '%s' already references capturing groups, which doesn't go well with quoting that adds a capturing group to the beginning." % value) }}}
+{{%- endif %}}
+{{%- set regex =  "((?:%s)?)%s\\1" % ("|".join(quotes), regex) -%}}
+{{%- endif %}}
+ {{%- if multi_value %}}
+-{{%- set regex = "^.*\\b"+value+"\\b.*$" -%}}
+{{%- set regex = "^.*\\b"+regex+"\\b.*$" -%}}
+ {{%- else %}}
+-{{%- set regex = "^"+value+"$" -%}}
+{{%- set regex = "^"+regex+"$" -%}}
+ {{%- endif %}}
+   <ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">
+     <ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
+@@ -232,6 +242,25 @@
+ {{{ oval_check_config_file("/etc/ssh/sshd_config", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]+', value=value, missing_parameter_pass=missing_parameter_pass, application="sshd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
+ {{%- endmacro %}}
+ 
+{{#
+  High level macro to check if a particular shell variable is set.
+  This macro can take five parameters:
+    - path (String): Path to the file.
+    - parameter (String): The shell variable name.
+    - value (String): The variable value WITHOUT QUOTES.
+    - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+    - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+    - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+#}}
+{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
+{{% if no_quotes -%}}
+{{%- set quotes = "" -%}}
+{{%- else -%}}
+{{%- set quotes = "\"'" -%}}
+{{%- endif -%}}
+{{{ oval_check_config_file(path, prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, quotes=quotes) }}}
+{{%- endmacro %}}
+
+ {{#
+   High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set.
+   This function can take five parameters:
+
+From a7281779e424a0b481e1b08ca01d2ebd1af2e834 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Fri, 17 Jan 2020 10:50:16 +0100
+Subject: [PATCH 2/7] Added tests for shell lineinfile.
+
+---
+ tests/test_macros_oval.py                     | 142 ++++++++++++++++++
+ .../unit/bash/test_set_config_file.bats.jinja |  56 +++++++
+ 2 files changed, 198 insertions(+)
+
+diff --git a/tests/test_macros_oval.py b/tests/test_macros_oval.py
+index 65a88ba7b4..8acae8548b 100755
+--- a/tests/test_macros_oval.py
+++ b/tests/test_macros_oval.py
+@@ -896,6 +896,148 @@ def main():
+         "[vehicle]\nspeed =\n100",
+         "false"
+     )
+    tester.test(
+        "SHELL commented out",
+        r"""{{{ oval_check_shell_file(
+            path='CONFIG_FILE',
+            parameter='SHELL',
+            value='/bin/bash',
+            missing_parameter_pass=false,
+            application='',
+            multi_value=false,
+            missing_config_file_fail=false,
+        ) }}}""",
+        "# SHELL=/bin/bash\n",
+        "false"
+    )
+    tester.test(
+        "SHELL correct",
+        r"""{{{ oval_check_shell_file(
+            path='CONFIG_FILE',
+            parameter='SHELL',
+            value='/bin/bash',
+            missing_parameter_pass=false,
+            application='',
+            multi_value=false,
+            missing_config_file_fail=false,
+        ) }}}""",
+        " SHELL=/bin/bash\n",
+        "true"
+    )
+    tester.test(
+        "SHELL single-quoted",
+        r"""{{{ oval_check_shell_file(
+            path='CONFIG_FILE',
+            parameter='SHELL',
+            value='/bin"/bash',
+            missing_parameter_pass=false,
+            application='',
+            multi_value=false,
+            missing_config_file_fail=false,
+        ) }}}""",
+        " SHELL='/bin\"/bash'\n",
+        "true"
+    )
+    tester.test(
+        "SHELL double-quoted",
+        r"""{{{ oval_check_shell_file(
+            path='CONFIG_FILE',
+            parameter='SHELL',
+            value='  /bin/bash',
+            missing_parameter_pass=false,
+            application='',
+            multi_value=false,
+            missing_config_file_fail=false,
+        ) }}}""",
+        """ SHELL="  /bin/bash"\n""",
+        "true"
+    )
+    tester.test(
+        "SHELL unwanted double-quoted",
+        r"""{{{ oval_check_shell_file(
+            path='CONFIG_FILE',
+            parameter='SHELL',
+            value='  /bin/bash',
+            no_quotes=true,
+            missing_parameter_pass=false,
+            application='',
+            multi_value=false,
+            missing_config_file_fail=false,
+        ) }}}""",
+        """ SHELL="  /bin/bash"\n""",
+        "false"
+    )
+    tester.test(
+        "SHELL unwanted single-quoted",
+        r"""{{{ oval_check_shell_file(
+            path='CONFIG_FILE',
+            parameter='SHELL',
+            value='/bin"/bash',
+            no_quotes=true,
+            missing_parameter_pass=false,
+            application='',
+            multi_value=false,
+            missing_config_file_fail=false,
+        ) }}}""",
+        " SHELL='/bin\"/bash'\n",
+        "false"
+    )
+    tester.test(
+        "SHELL double-quoted spaced",
+        r"""{{{ oval_check_shell_file(
+            path='CONFIG_FILE',
+            parameter='SHELL',
+            value='/bin/bash',
+            missing_parameter_pass=false,
+            application='',
+            multi_value=false,
+            missing_config_file_fail=false,
+        ) }}}""",
+        """ SHELL= "/bin/bash"\n""",
+        "false"
+    )
+    tester.test(
+        "SHELL bad_var_case",
+        r"""{{{ oval_check_shell_file(
+            path='CONFIG_FILE',
+            parameter='SHELL',
+            value='/bin/bash',
+            missing_parameter_pass=false,
+            application='',
+            multi_value=false,
+            missing_config_file_fail=false,
+        ) }}}""",
+        """ Shell="/bin/bash"\n""",
+        "false"
+    )
+    tester.test(
+        "SHELL bad_value_case",
+        r"""{{{ oval_check_shell_file(
+            path='CONFIG_FILE',
+            parameter='SHELL',
+            value='/bin/bash',
+            missing_parameter_pass=false,
+            application='',
+            multi_value=false,
+            missing_config_file_fail=false,
+        ) }}}""",
+        """ SHELL="/bin/Bash"\n""",
+        "false"
+    )
+    tester.test(
+        "SHELL badly quoted",
+        r"""{{{ oval_check_shell_file(
+            path='CONFIG_FILE',
+            parameter='SHELL',
+            value='/bin/bash',
+            missing_parameter_pass=false,
+            application='',
+            multi_value=false,
+            missing_config_file_fail=false,
+        ) }}}""",
+        """ SHELL="/bin/bash'\n""",
+        "false"
+    )
+ 
+     tester.finish()
+ 
+diff --git a/tests/unit/bash/test_set_config_file.bats.jinja b/tests/unit/bash/test_set_config_file.bats.jinja
+index 3dc2c721d4..4126d0440e 100644
+--- a/tests/unit/bash/test_set_config_file.bats.jinja
+++ b/tests/unit/bash/test_set_config_file.bats.jinja
+@@ -126,3 +126,59 @@ function call_set_config_file {
+ 
+     rm "$tmp_file"
+ }
+
+@test "Basic Bash remediation" {
+    tmp_file="$(mktemp)"
+    printf "%s\n" "something=foo" > "$tmp_file"
+    expected_output="something='va lue'\n"
+
+    {{{ bash_shell_file_set("$tmp_file", "something", "va lue") | indent(4) }}}
+
+    run diff -U2 "$tmp_file" <(printf "$expected_output")
+    echo "$output"
+    [ "$status" -eq 0 ]
+
+    rm "$tmp_file"
+}
+
+@test "Variable remediation - preserve dollar and use double quotes" {
+    tmp_file="$(mktemp)"
+    printf "%s\n" "something=bar" > "$tmp_file"
+    expected_output='something="$value"'"\n"
+
+    {{{ bash_shell_file_set("$tmp_file", "something", '$value') | indent(4) }}}
+
+    run diff -U2 "$tmp_file" <(printf "$expected_output")
+    echo "$output"
+    [ "$status" -eq 0 ]
+
+    rm "$tmp_file"
+}
+
+@test "Basic Bash remediation - don't quote" {
+    tmp_file="$(mktemp)"
+    printf "%s\n" "something=foo" > "$tmp_file"
+    expected_output="something=va lue\n"
+
+    {{{ bash_shell_file_set("$tmp_file", "something", "va lue", no_quotes=true) | indent(4) }}}
+
+    run diff -U2 "$tmp_file" <(printf "$expected_output")
+    echo "$output"
+    [ "$status" -eq 0 ]
+
+    rm "$tmp_file"
+}
+
+@test "Variable remediation - don't quote" {
+    tmp_file="$(mktemp)"
+    printf "%s\n" "something=bar" > "$tmp_file"
+    expected_output='something=$value'"\n"
+
+    {{{ bash_shell_file_set("$tmp_file", "something", '$value', no_quotes=true) | indent(4) }}}
+
+    run diff -U2 "$tmp_file" <(printf "$expected_output")
+    echo "$output"
+    [ "$status" -eq 0 ]
+
+    rm "$tmp_file"
+}
+
+From 347e7ab345a35fc3045a886d883d8efe7d9820b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Fri, 17 Jan 2020 10:51:02 +0100
+Subject: [PATCH 3/7] Added the shell lineinfile template.
+
+---
+ docs/manual/developer_guide.adoc              | 21 +++++++++++++++++
+ .../template_ANSIBLE_shell_lineinfile         | 21 +++++++++++++++++
+ .../templates/template_BASH_shell_lineinfile  |  6 +++++
+ .../templates/template_OVAL_shell_lineinfile  | 10 ++++++++
+ ssg/templates.py                              | 23 +++++++++++++++++++
+ 5 files changed, 81 insertions(+)
+ create mode 100644 shared/templates/template_ANSIBLE_shell_lineinfile
+ create mode 100644 shared/templates/template_BASH_shell_lineinfile
+ create mode 100644 shared/templates/template_OVAL_shell_lineinfile
+
+diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
+index aa0a7491c3..b5d22213b7 100644
+--- a/docs/manual/developer_guide.adoc
+++ b/docs/manual/developer_guide.adoc
+@@ -1591,6 +1591,27 @@ service_enabled::
+ ** *daemonname* - name of the daemon. This argument is optional. If *daemonname* is not specified it means the name of the daemon is the same as the name of service.
+ * Languages: Ansible, Bash, OVAL, Puppet
+ 
+shell_lineinfile::
+* Checks shell variable assignments in files.
+Remediations will paste assignments with single shell quotes unless there is the dollar sign in the value string, in which case double quotes are administered.
+The OVAL checks for a match with either of no quotes, single quoted string, or double quoted string.
+* Parameters:
+** *path* - What file to check.
+** *parameter* - name of the shell variable, eg. `SHELL`.
+** *value* - value of the SSH configuration option specified by *parameter*, eg. `"/bin/bash"`. Don't pass extra shell quoting - that will be handled on the lower level.
+** *no_quotes* - If set to `"true"`, the assigned value has to be without quotes during the check and remediation doesn't quote assignments either.
+** *missing_parameter_pass* - If set to `"true"` the OVAL check will pass if the parameter is not present in the target file.
+* Languages: Ansible, Bash, OVAL
+* Example:
+A template invocation specifying that parameter `HISTSIZE` should be set to value `500` in `/etc/profile` will produce a check that passes if any of the following lines are present in `/etc/profile`:
+** `HISTSIZE=500`
+** `HISTSIZE="500"`
+** `HISTSIZE='500'`
++
+The remediation would insert one of the quoted forms if the line was not present.
++
+If the `no_quotes` would be set in the template, only the first form would be checked for, and the unquoted assignment would be inserted to the file by the remediation if not present.
+
+ sshd_lineinfile::
+ * Checks SSH server configuration items in `/etc/ssh/sshd_config`.
+ * Parameters:
+diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
+new file mode 100644
+index 0000000000..7d0a3ebcbd
+--- /dev/null
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
+@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
+{{%- if NO_QUOTES -%}}
+	{{% set msg = "Setting unquoted " ~ msg %}}
+{{%- else -%}}
+	{{% set msg = "Setting shell-quoted " ~ msg %}}
+{{%- endif -%}}
+{{{
+    ansible_shell_set(
+        msg=msg,
+        path=PATH,
+        parameter=PARAMETER,
+        value=VALUE,
+	no_quotes=NO_QUOTES
+    )
+}}}
+
+diff --git a/shared/templates/template_BASH_shell_lineinfile b/shared/templates/template_BASH_shell_lineinfile
+new file mode 100644
+index 0000000000..6bf869d62b
+--- /dev/null
+++ b/shared/templates/template_BASH_shell_lineinfile
+@@ -0,0 +1,6 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ bash_shell_file_set(path=PATH, parameter=PARAMETER, value=VALUE, no_quotes=NO_QUOTES) }}}
+diff --git a/shared/templates/template_OVAL_shell_lineinfile b/shared/templates/template_OVAL_shell_lineinfile
+new file mode 100644
+index 0000000000..fd05b6b568
+--- /dev/null
+++ b/shared/templates/template_OVAL_shell_lineinfile
+@@ -0,0 +1,10 @@
+{{{
+oval_check_shell_file(
+	path=PATH,
+	parameter=PARAMETER,
+	value=VALUE,
+	no_quotes=NO_QUOTES,
+	missing_parameter_pass=MISSING_PARAMETER_PASS
+)
+}}}
+
+diff --git a/ssg/templates.py b/ssg/templates.py
+index f4f56c94e6..c2c82e6c29 100644
+--- a/ssg/templates.py
+++ b/ssg/templates.py
+@@ -290,6 +290,29 @@ def sshd_lineinfile(data, lang):
+     return data
+ 
+ 
+@template(["ansible", "bash", "oval"])
+def shell_lineinfile(data, lang):
+    value = data["value"]
+    if value[0] in ("'", '"') and value[0] == value[1]:
+        msg = (
+            "Value >>{value}<< of shell variable '{varname}' "
+            "has been supplied with quotes, please fix the content - "
+            "shell quoting is handled by the check/remediation code."
+            .format(value=value, varname=data["parameter"]))
+        raise Exception(msg)
+    missing_parameter_pass = data.get("missing_parameter_pass", "false")
+    if missing_parameter_pass == "true":
+        missing_parameter_pass = True
+    elif missing_parameter_pass == "false":
+        missing_parameter_pass = False
+    data["missing_parameter_pass"] = missing_parameter_pass
+    no_quotes = False
+    if data["no_quotes"] == "true":
+        no_quotes = True
+    data["no_quotes"] = no_quotes
+    return data
+
+
+ @template(["ansible", "bash", "oval"])
+ def timer_enabled(data, lang):
+     if "packagename" not in data:
+
+From ac5d1a8ad511e828e652ce1ca58b06c18f8c083b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Tue, 21 Jan 2020 14:13:01 +0100
+Subject: [PATCH 4/7] Fixed the templated string evaluation.
+
+---
+ ssg/templates.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssg/templates.py b/ssg/templates.py
+index c2c82e6c29..873f543f41 100644
+--- a/ssg/templates.py
+++ b/ssg/templates.py
+@@ -293,7 +293,7 @@ def sshd_lineinfile(data, lang):
+ @template(["ansible", "bash", "oval"])
+ def shell_lineinfile(data, lang):
+     value = data["value"]
+-    if value[0] in ("'", '"') and value[0] == value[1]:
+    if value[0] in ("'", '"') and value[0] == value[-1]:
+         msg = (
+             "Value >>{value}<< of shell variable '{varname}' "
+             "has been supplied with quotes, please fix the content - "
+
+From 8589574707c63eb3ac4c56674326b70dacfd2ee4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Tue, 21 Jan 2020 14:46:39 +0100
+Subject: [PATCH 5/7] Fixed jinja macros
+
+- Fixed macro descriptions.
+- Fixed Ansible insert_after.
+---
+ shared/macros-ansible.jinja | 18 ++++++++----------
+ shared/macros-bash.jinja    |  2 +-
+ shared/macros-oval.jinja    |  7 +++----
+ 3 files changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index c42a5156ce..81e18e2d5c 100644
+--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
+@@ -143,22 +143,20 @@
+ 
+ {{#
+   High level macro to set a value in a shell-related file that contains var assignments. This
+-  takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
+-  in the configuration file, and the value to set it to. We specify a case
+-  sensitive comparison in the prefix since this is used to deduplicate since
+  takes these values:
+  - msg (the name for the Ansible task),
+  - path to the file,
+  - parameter to set in the configuration file, and
+  - value to set it to.
+   We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
+ #}}
+ {{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
+ {{% if no_quotes -%}}
+ {{%- else -%}}
+-{{%- set quotes = "\"'" -%}}
+-  {{% if "$" in value %}}
+-  {{% set value = '"%s"' % value %}}
+-  {{% else %}}
+-  {{% set value = "'%s'" % value %}}
+-  {{% endif %}}
+{{# Use the double quotes in all cases, as the underlying macro single-quotes the assignment line. #}}
+{{% set value = '"%s"' % value %}}
+ {{%- endif -%}}
+-{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
+{{{ ansible_set_config_file(msg, path, parameter, separator="=", separator_regex="=", value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^# " ~ parameter) }}}
+ {{%- endmacro %}}
+ 
+ {{#
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 6c0bb2facc..dc7fd25588 100644
+--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
+@@ -18,7 +18,7 @@
+         value=value,
+         create=true,
+         insert_after="",
+-        insert_before="^Match",
+        insert_before="^#\s*" ~ parameter,
+         insensitive=false,
+         separator="=",
+         separator_regex="=",
+diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
+index 696cf36db0..cfa9de9d2d 100644
+--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
+@@ -233,7 +233,7 @@
+     - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
+     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+-    - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+    - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
+ 
+   We specify a case insensitive comparison in the prefix because
+   sshd_config has case-insensitive parameters (but case-sensitive values).
+@@ -250,7 +250,7 @@
+     - value (String): The variable value WITHOUT QUOTES.
+     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+-    - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+    - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
+ #}}
+ {{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
+ {{% if no_quotes -%}}
+@@ -268,8 +268,7 @@
+     - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
+     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+-    - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+-
+    - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
+ #}}
+ {{%- macro oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
+ {{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
+
+From af0e3ba8ef2d5b53dcffed4432ec0415a81ab2bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Wed, 22 Jan 2020 11:37:39 +0100
+Subject: [PATCH 6/7] Shell lineinfile macros and templates style fixes.
+
+---
+ shared/macros-ansible.jinja                        |  2 +-
+ shared/macros-oval.jinja                           | 10 ++++++++--
+ shared/templates/template_ANSIBLE_shell_lineinfile |  4 ++--
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index 81e18e2d5c..f752e7a2be 100644
+--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
+@@ -25,7 +25,7 @@
+     {{%- elif insert_before %}}
+     insertbefore: '{{{ insert_before }}}'
+     {{%- endif %}}
+-    {{% else %}}
+    {{%- else %}}
+     state: '{{{ state }}}'
+     {{%- endif %}}
+     {{%- if validate %}}
+diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
+index cfa9de9d2d..5f391efdcb 100644
+--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
+@@ -13,13 +13,16 @@
+     - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
+     - separator_regex (String): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.
+     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+-    - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
+    - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
+     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+     - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+     - section (String): If set, the parameter will be checked only within the given section defined by [section].
+     - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
+ #}}
+ {{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
+{{%- if application == '' -%}}
+	{{%- set application = "The respective application or service" -%}}
+{{%- endif -%}}
+ <def-group>
+   <definition class="compliance" id="{{{ rule_id }}}" version="1">
+     <metadata>
+@@ -248,6 +251,9 @@
+     - path (String): Path to the file.
+     - parameter (String): The shell variable name.
+     - value (String): The variable value WITHOUT QUOTES.
+    - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
+    - no_quotes (boolean): If set, the check will require that the RHS of the assignment is the literal value, without quotes.
+        If no_quotes is false, then one level of single or double quotes won't be regarded as part of the value by the check.
+     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+     - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
+@@ -342,7 +348,7 @@
+     - parameter (String): The parameter to be checked in the configuration file.
+     - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
+     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+-    - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
+    - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
+     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+     - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+ #}}
+diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
+index 7d0a3ebcbd..3e6c5619ea 100644
+--- a/shared/templates/template_ANSIBLE_shell_lineinfile
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
+@@ -3,7 +3,7 @@
+ # strategy = restrict
+ # complexity = low
+ # disruption = low
+-{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'" -%}}
+ {{%- if NO_QUOTES -%}}
+ 	{{% set msg = "Setting unquoted " ~ msg %}}
+ {{%- else -%}}
+@@ -15,7 +15,7 @@
+         path=PATH,
+         parameter=PARAMETER,
+         value=VALUE,
+-	no_quotes=NO_QUOTES
+        no_quotes=NO_QUOTES
+     )
+ }}}
+ 
+
+From a7779d2fae1086838daa1ded483decd499e8749f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Tue, 21 Jan 2020 16:43:23 +0100
+Subject: [PATCH 7/7] Add a shell_lineinfile template exemplary rule.
+
+---
+ .../ssh_server/sshd_use_strong_rng/rule.yml   | 47 +++++++++++++++++++
+ .../tests/bad_config.fail.sh                  |  3 ++
+ .../tests/good_config.pass.sh                 |  3 ++
+ .../tests/no_config.fail.sh                   |  3 ++
+ .../sshd_use_strong_rng/tests/quoted.fail.sh  |  3 ++
+ rhel8/profiles/ospp.profile                   |  1 +
+ shared/references/cce-redhat-avail.txt        |  1 -
+ 7 files changed, 60 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+new file mode 100644
+index 0000000000..4bfb72702b
+--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+@@ -0,0 +1,47 @@
+documentation_complete: true
+
+# TODO: The plan is not to need this for RHEL>=8.4
+# TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more
+prodtype: rhel8
+
+title: 'SSH server uses strong entropy to seed'
+
+description: |-
+    To set up SSH server to use entropy from a high-quality source, edit the <tt>/etc/sysconfig/sshd</tt> file.
+    The <tt>SSH_USE_STRONG_RNG</tt> configuration value determines how many bytes of entropy to use, so
+    make sure that the file contains line
+    <pre>SSH_USE_STRONG_RNG=32</pre>
+
+rationale: |-
+    SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default.
+    Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors
+    in encryption algorithms, and high-quality entropy elliminates the possibility that the output of
+    the random number generator used by SSH would be known to potential attackers.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82462-3
+
+references:
+    ospp: FIA_AFL.1
+
+ocil: |-
+    To determine whether the SSH service is configured to use strong entropy seed,
+    run <pre>$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd</pre>
+    If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned,
+    then the option is set correctly.
+
+ocil_clause: |-
+    The SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd
+
+warnings:
+    - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available."
+
+template:
+    name: shell_lineinfile
+    vars:
+        path: '/etc/sysconfig/sshd'
+        parameter: 'SSH_USE_STRONG_RNG'
+        value: '32'
+        no_quotes: 'true'
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
+new file mode 100644
+index 0000000000..f4f8c22f64
+--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
+@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG=1' > /etc/sysconfig/sshd
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
+new file mode 100644
+index 0000000000..70f53ac22b
+--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
+@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG=32' > /etc/sysconfig/sshd
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
+new file mode 100644
+index 0000000000..1e5f0b2998
+--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
+@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+rm -f /etc/sysconfig/sshd
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
+new file mode 100644
+index 0000000000..a10d24a73b
+--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
+@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG="32"' > /etc/sysconfig/sshd
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index f97527a914..63aea526b7 100644
+--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
+@@ -58,6 +58,7 @@ selections:
+     - sshd_set_keepalive
+     - sshd_enable_warning_banner
+     - sshd_rekey_limit
+    - sshd_use_strong_rng
+ 
+     # Time Server
+     - chronyd_client_only
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index b665fa1cea..1ff291c7df 100644
+--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
+@@ -1,4 +1,3 @@
+-CCE-82462-3
+ CCE-82463-1
+ CCE-82464-9
+ CCE-82465-6
--- a/SOURCES/scap-security-guide-0.1.49-update-cobit-uri.patch
+++ b/SOURCES/scap-security-guide-0.1.49-update-cobit-uri.patch
@ -0,0 +1,22 @@
+From fc99f5b30e1f6e98eac2382949418532fe0a2230 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Mon, 3 Feb 2020 10:55:42 +0100
+Subject: [PATCH] Update ISACA COBIT URI.
+
+---
+ shared/transforms/shared_constants.xslt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/transforms/shared_constants.xslt b/shared/transforms/shared_constants.xslt
+index e88922d965..0aed1f6337 100644
+--- a/shared/transforms/shared_constants.xslt
+++ b/shared/transforms/shared_constants.xslt
+@@ -28,7 +28,7 @@
+ <xsl:variable name="nistcsfuri">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf</xsl:variable>
+ <xsl:variable name="isa-62443-2013uri">https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785</xsl:variable>
+ <xsl:variable name="isa-62443-2009uri">https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731</xsl:variable>
+-<xsl:variable name="cobit5uri">http://www.isaca.org/COBIT/Pages/default.aspx</xsl:variable>
+<xsl:variable name="cobit5uri">https://www.isaca.org/resources/cobit</xsl:variable>
+ <xsl:variable name="cis-cscuri">https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf</xsl:variable>
+ <xsl:variable name="osppuri">https://www.niap-ccevs.org/Profile/PP.cfm</xsl:variable>
+ <xsl:variable name="pcidssuri">https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf</xsl:variable>
--- a/SOURCES/scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch
+++ b/SOURCES/scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch
@ -0,0 +1,124 @@
+From 95ae3d5ca08f511ef40503f758dfb02feca29252 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 21 Jan 2020 13:42:35 +0100
+Subject: [PATCH 1/2] Update configure_crypto_policy test scenarios
+
+Update test scenarios for OSPP profile, it selects 'FIPS:OSPP' crypto policy,
+not 'FIPS'.
+---
+ .../tests/dropin_file_and_symlink_exist.fail.sh               | 4 ++--
+ .../tests/file_exists_but_no_file_in_local_d.fail.sh          | 2 +-
+ .../configure_crypto_policy/tests/missing_nss_config.fail.sh  | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
+index 693cdb03a9..2de1cf4a3b 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
+@@ -1,11 +1,11 @@
+ #!/bin/bash
+ # platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+-# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+ 
+ # using example of opensshserver
+ DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
+ 
+-update-crypto-policies --set FIPS
+update-crypto-policies --set "FIPS:OSPP"
+ 
+ echo "" > "$DROPIN_FILE"
+ echo "CRYPTO_POLICY=" >> "$DROPIN_FILE"
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
+index 5935a38eac..428b76879a 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
+@@ -5,7 +5,7 @@
+ #using example of openssh server
+ CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
+ 
+-update-crypto-policies --set "FIPS"
+update-crypto-policies --set "FIPS:OSPP"
+ 
+ rm -f /etc/crypto-policies/local.d/opensshserver-*.config
+ rm -f "$CRYPTO_POLICY_FILE"
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
+index b165006a8d..97bc4b499c 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
+@@ -2,6 +2,6 @@
+ # platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+ # profiles = xccdf_org.ssgproject.content_profile_ospp
+ 
+-update-crypto-policies --set "FIPS"
+update-crypto-policies --set "FIPS:OSPP"
+ 
+ rm -f "/etc/crypto-policies/back-ends/nss.config"
+
+From dbbd7ecc294ba86544fb96d5a1b06feba9458a28 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 21 Jan 2020 14:07:50 +0100
+Subject: [PATCH 2/2] Remove configure_crypto_policy test scenarios
+
+---
+ .../tests/dropin_file_and_symlink_exist.fail.sh     | 11 -----------
+ .../file_exists_but_no_file_in_local_d.fail.sh      | 13 -------------
+ .../tests/override_policy.pass.sh                   | 11 -----------
+ 3 files changed, 35 deletions(-)
+ delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
+ delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
+ delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
+deleted file mode 100644
+index 2de1cf4a3b..0000000000
+--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
+++ /dev/null
+@@ -1,11 +0,0 @@
+-#!/bin/bash
+-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+-# profiles = xccdf_org.ssgproject.content_profile_ospp
+-
+-# using example of opensshserver
+-DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
+-
+-update-crypto-policies --set "FIPS:OSPP"
+-
+-echo "" > "$DROPIN_FILE"
+-echo "CRYPTO_POLICY=" >> "$DROPIN_FILE"
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
+deleted file mode 100644
+index 428b76879a..0000000000
+--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
+++ /dev/null
+@@ -1,13 +0,0 @@
+-#!/bin/bash
+-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+-# profiles = xccdf_org.ssgproject.content_profile_ospp
+-
+-#using example of openssh server
+-CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
+-
+-update-crypto-policies --set "FIPS:OSPP"
+-
+-rm -f /etc/crypto-policies/local.d/opensshserver-*.config
+-rm -f "$CRYPTO_POLICY_FILE"
+-
+-echo "pretend that we overide the crrypto policy but no related file is in /etc/crypto-policies/local.d, smart, right?" > "$CRYPTO_POLICY_FILE"
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
+deleted file mode 100644
+index ce37abd7ff..0000000000
+--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
+++ /dev/null
+@@ -1,11 +0,0 @@
+-#!/bin/bash
+-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+-# profiles = xccdf_org.ssgproject.content_profile_ospp
+-
+-#using openssh server as example
+-CRYPTO_POLICY_OVERRIDE_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
+-
+-echo "" > "$CRYPTO_POLICY_OVERRIDE_FILE"
+-echo "CRYPTO_POLICY=" >> "$CRYPTO_POLICY_OVERRIDE_FILE"
+-
+-update-crypto-policies --set FIPS:OSPP
--- a/SOURCES/scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch
+++ b/SOURCES/scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch
@ -0,0 +1,273 @@
+From 38cc9c9eb785f17fbc23a2e7ccbb9902d069f4b3 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 10 Feb 2020 16:16:17 +0100
+Subject: [PATCH 1/4] create new rules, add missing reference to older rule
+
+---
+ .../rule.yml                                  | 26 +++++++++++++++
+ .../package_openssh-server_installed/rule.yml |  1 +
+ .../rule.yml                                  | 32 +++++++++++++++++++
+ .../rule.yml                                  | 29 +++++++++++++++++
+ 5 files changed, 88 insertions(+), 3 deletions(-)
+ create mode 100644 linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
+ create mode 100644 linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+
+diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
+new file mode 100644
+index 0000000000..9b3c55f23b
+--- /dev/null
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
+@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install OpenSSH client software'
+
+description: |-
+    {{{ describe_package_install(package="openssh-clients") }}}
+
+rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82722-0
+
+references:
+    srg: SRG-OS-000480-GPOS-00227
+    ospp: FIA_UAU.5,FTP_ITC_EXT.1
+
+{{{ complete_ocil_entry_package(package='openssh-clients') }}}
+
+template:
+    name: package_installed
+    vars:
+        pkgname: openssh-clients
+diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+index c18e604a5c..ba013ec509 100644
+--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+@@ -28,6 +28,7 @@ references:
+     cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06
+     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+     cis-csc: 13,14
+    ospp: FIA_UAU.5,FTP_ITC_EXT.1
+ 
+ ocil_clause: 'the package is not installed'
+ 
+diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+new file mode 100644
+index 0000000000..6025f0cd33
+--- /dev/null
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install policycoreutils-python-utils package'
+
+description: |-
+    {{{ describe_package_install(package="policycoreutils-python-utils") }}}
+
+rationale: |-
+    Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
+    with enhanced security functionality designed to add mandatory access controls to Linux.
+    The Security-enhanced Linux kernel contains new architectural components originally
+    developed to improve security of the Flask operating system. These architectural components
+    provide general support for the enforcement of many kinds of mandatory access control
+    policies, including those based on the concepts of Type Enforcement, Role-based Access
+    Control, and Multi-level Security. 
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82724-6
+
+references:
+    srg: SRG-OS-000480-GPOS-00227 
+
+{{{ complete_ocil_entry_package(package='policycoreutils-python-utils') }}}
+
+template:
+    name: package_installed
+    vars:
+        pkgname: policycoreutils-python-utils
+diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+new file mode 100644
+index 0000000000..c418518e7a
+--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install crypto-policies package'
+
+description: |-
+    {{{ describe_package_install(package="crypto-policies") }}}
+
+rationale: |-
+    The <tt>crypto-policies</tt> package provides configuration and tools to
+    apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
+    
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82723-8
+
+references:
+    ospp: FCS_COP*
+    srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+
+{{{ complete_ocil_entry_package(package='crypto-policies') }}}
+
+template:
+    name: package_installed
+    vars:
+        pkgname: crypto-policies
+From 0c54cbf24a83e38c89841d4dc65a5fbe51fd2f99 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 10 Feb 2020 16:18:03 +0100
+Subject: [PATCH 2/4] modify ospp profile
+
+---
+ rhel8/profiles/ospp.profile | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 4d5a9edd8e..c672066050 100644
+--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
+@@ -169,17 +169,17 @@ selections:
+     - package_dnf-plugin-subscription-manager_installed
+     - package_firewalld_installed
+     - package_iptables_installed
+-    - package_libcap-ng-utils_installed
+     - package_openscap-scanner_installed
+     - package_policycoreutils_installed
+     - package_rng-tools_installed
+     - package_sudo_installed
+     - package_usbguard_installed
+-    - package_audispd-plugins_installed
+     - package_scap-security-guide_installed
+     - package_audit_installed
+-    - package_gnutls-utils_installed
+-    - package_nss-tools_installed
+    - package_crypto-policies_installed
+    - package_openssh-server_installed
+    - package_openssh-clients_installed
+    - package_policycoreutils-python-utils_installed
+ 
+     ### Remove Prohibited Packages
+     - package_sendmail_removed
+@@ -316,7 +316,7 @@ selections:
+     ## Configure the System to Offload Audit Records to a Log
+     ##  Server
+     ## AU-4(1) / FAU_GEN.1.1.c
+-    - auditd_audispd_syslog_plugin_activated
+    # temporarily dropped
+ 
+     ## Set Logon Warning Banner
+     ## AC-8(a) / FMT_MOF_EXT.1
+
+From 105efe3a51118eca22c36771ce22d45778a4c34f Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 10 Feb 2020 16:18:52 +0100
+Subject: [PATCH 3/4] add rules to rhel8 stig profile
+
+---
+ rhel8/profiles/stig.profile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index 821cc26914..7eb1869a3c 100644
+--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
+@@ -33,6 +33,9 @@ selections:
+     - encrypt_partitions
+     - sysctl_net_ipv4_tcp_syncookies
+     - clean_components_post_updating
+    - package_audispd-plugins_installed
+    - package_libcap-ng-utils_installed
+    - auditd_audispd_syslog_plugin_activated
+ 
+     # Configure TLS for remote logging
+     - package_rsyslog_installed
+
+From 1a5e17c9a6e3cb3ad6cc2cc4601ea49f2f6278ce Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 10 Feb 2020 17:42:43 +0100
+Subject: [PATCH 4/4] rephrase some rationales, fix SFR
+
+---
+ .../ssh/package_openssh-clients_installed/rule.yml       | 4 +++-
+ .../rule.yml                                             | 9 ++-------
+ .../crypto/package_crypto-policies_installed/rule.yml    | 8 ++++----
+ 3 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
+index 9b3c55f23b..f5b29d32e8 100644
+--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
+@@ -7,7 +7,9 @@ title: 'Install OpenSSH client software'
+ description: |-
+     {{{ describe_package_install(package="openssh-clients") }}}
+ 
+-rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
+rationale: |-
+    This package includes utilities to make encrypted connections and transfer
+    files securely to SSH servers. 
+ 
+ severity: medium
+ 
+diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+index 6025f0cd33..7ae7461077 100644
+--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+@@ -8,13 +8,8 @@ description: |-
+     {{{ describe_package_install(package="policycoreutils-python-utils") }}}
+ 
+ rationale: |-
+-    Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
+-    with enhanced security functionality designed to add mandatory access controls to Linux.
+-    The Security-enhanced Linux kernel contains new architectural components originally
+-    developed to improve security of the Flask operating system. These architectural components
+-    provide general support for the enforcement of many kinds of mandatory access control
+-    policies, including those based on the concepts of Type Enforcement, Role-based Access
+-    Control, and Multi-level Security. 
+    This package is required to operate and manage an SELinux environment and its policies.
+    It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.
+ 
+ severity: medium
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+index c418518e7a..bb07f9d617 100644
+--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+@@ -8,9 +8,9 @@ description: |-
+     {{{ describe_package_install(package="crypto-policies") }}}
+ 
+ rationale: |-
+-    The <tt>crypto-policies</tt> package provides configuration and tools to
+-    apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
+-    
+    Centralized cryptographic policies simplify applying secure ciphers across an operating system and
+    the applications that run on that operating system. Use of weak or untested encryption algorithms
+    undermines the purposes of utilizing encryption to protect data.
+ 
+ severity: medium
+ 
+@@ -18,7 +18,7 @@ identifiers:
+     cce@rhel8: 82723-8
+ 
+ references:
+-    ospp: FCS_COP*
+    ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4)
+     srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+ 
+ {{{ complete_ocil_entry_package(package='crypto-policies') }}}
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -1,13 +1,30 @@
 Name:		scap-security-guide
-Version:	0.1.46
-Release:	1%{?dist}
+Version:	0.1.48
+Release:	7%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 Group:		Applications/System
 License:	BSD
 URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
-# Patch enables only OSPP and PCI-DSS profiles in RHEL8 datastream
+# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
 Patch0:		disable-not-in-good-shape-profiles.patch
+Patch1:		scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch
+Patch2:		scap-security-guide-0.1.49-max-path-len-skip-logs.patch
+Patch3:		scap-security-guide-0.1.49-drop-rsyslog-rules.patch
+Patch4:		scap-security-guide-0.1.49-update-cobit-uri.patch
+Patch5:		scap-security-guide-0.1.49-ssh-use-strong-rng.patch
+Patch6:		scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch
+Patch7:		scap-security-guide-0.1.49-add-stig-kickstart.patch
+Patch8:		scap-security-guide-0.1.49-add-rsyslog-to-stig.patch
+Patch9:		scap-security-guide-0.1.49-add-few-srg-mappings.patch
+# Patch10 was generated from squashed commit to prevent 'cannot find file to patch' situations
+# from https://github.com/ComplianceAsCode/content/pull/5110
+# HEAD 210ee56aab3f831c96810ca42189642274bd735f
+Patch10:	scap-security-guide-0.1.49-split-audit-rules.patch
+Patch11:	scap-security-guide-0.1.49-fix-remaining-srgs.patch
+# Patch 12 and 13 had changes to file cce-redhat-avail.txt stripped out, to ease application of patch
+Patch12:	scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch
+Patch13:	scap-security-guide-0.1.49-add-cce-openssh-server.patch
 BuildArch:	noarch

 # To get python3 inside the buildroot require its path explicitly in BuildRequires
@ -42,6 +59,19 @@ present in %{name} package.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
 mkdir build

 %build
@ -76,6 +106,45 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html

 %changelog
+* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
+- Update baseline package list of OSPP profile
+
+* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
+- Rebuilt with correct spec file
+
+* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
+- Add SRG references to STIG rules (RHBZ#1755447)
+
+* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
+- Drop rsyslog rules from OSPP profile
+- Update COBIT URI
+- Add rules for strong source of RNG entropy
+- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
+- STIG profile: added rsyslog rules and updated SRG mappings
+- Split audit rules according to audit component (RHBZ#1791312)
+
+* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
+- Update crypto-policy test scenarios
+- Update max-path-len test to skip tests/logs directory
+
+* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
+- Fix list of tables that are generated for RHEL8
+
+* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
+- Update to latest upstream SCAP-Security-Guide-0.1.48 release
+
+* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
+- Improved the e8 profile (RHBZ#1755194)
+
+* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
+- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
+
+* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
+- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
+
+* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
+- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
+
 * Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
 - Update to latest upstream SCAP-Security-Guide-0.1.46 release
 - Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
@ -339,7 +408,7 @@ cd build
 * Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
 - Add .gitignore for Fedora output directory
 - Set up Fedora release name and CPE based on build system properties
- Use correct file paths in scap-security-guide(8) manual page 
+- Use correct file paths in scap-security-guide(8) manual page
  (RH BZ#1018905, c#10)
 - Apply further changes motivated by scap-security-guide Fedora RPM review
  request (RH BZ#1018905, c#8):