diff --git a/.gitignore b/.gitignore
index 749072e..b7909cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.79.tar.bz2
+SOURCES/scap-security-guide-0.1.80.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 72c7492..cd8d9fd 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-91163dda2ac5ca31984d3488bcea8eda7fce1de8 SOURCES/scap-security-guide-0.1.79.tar.bz2
+8edd4588f733ffbf56a11f925e26e46f0badfe61 SOURCES/scap-security-guide-0.1.80.tar.bz2
diff --git a/SOURCES/1001-add-almalinux-to-ansible-product-whitelist.patch b/SOURCES/1001-add-almalinux-to-ansible-product-whitelist.patch
new file mode 100644
index 0000000..6b70e74
--- /dev/null
+++ b/SOURCES/1001-add-almalinux-to-ansible-product-whitelist.patch
@@ -0,0 +1,26 @@
+From 2011f053dac69527a78ad8dff692cea8a53dce9c Mon Sep 17 00:00:00 2001
+From: Andrew Lukoshko
+Date: Mon, 14 Jul 2025 13:26:40 +0000
+Subject: [PATCH] Add almalinux8,9,10 to ansible's PRODUCT_WHITELIST
+
+---
+ utils/ansible_playbook_to_role.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py
+index 3eede4fcb..a7c03e1e7 100755
+--- a/utils/ansible_playbook_to_role.py
++++ b/utils/ansible_playbook_to_role.py
+@@ -65,6 +65,9 @@ PRODUCT_ALLOWLIST = set([
+ "rhel8",
+ "rhel9",
+ "rhel10",
++ "almalinux8",
++ "almalinux9",
++ "almalinux10",
+ ])
+ 
+ PROFILE_DENYLIST = set([
+-- 
+2.43.7
+
diff --git a/SOURCES/add-almalinux9-support.sh b/SOURCES/add-almalinux9-support.sh
new file mode 100644
index 0000000..8a5d02d
--- /dev/null
+++ b/SOURCES/add-almalinux9-support.sh
@@ -0,0 +1,121 @@
+#!/bin/bash
+# Add AlmaLinux 9 support to scap-security-guide
+# This script is intended to run from the unpacked source root during %prep
+
+set -euo pipefail
+
+# 1. Change GRUB EFI dir to /boot/efi/EFI/almalinux everywhere
+find ./shared ./linux_os ./tests -type f -exec sed -i 's|EFI/redhat|EFI/almalinux|g' {} \;
+
+# 2. Use ensure_almalinux_gpgkey_installed where applicable in controls
+find ./controls -maxdepth 1 -type f -exec sed -i 's|ensure_redhat_gpgkey_installed|ensure_almalinux_gpgkey_installed|g' {} \;
+
+# 3. Add AlmaLinux support to linux_os, tests, and shared
+find ./linux_os -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i \
+ -e '/prodtype:/s/rhel9/rhel9,almalinux9/g' \
+ -e '/# platform =/{ /multi_platform_almalinux/! s/multi_platform_rhel/multi_platform_rhel,multi_platform_almalinux/g }' \
+ -e '/# platform =/s/Red Hat Enterprise Linux 9/Red Hat Enterprise Linux 9,AlmaLinux OS 9/g' {} \;
+
+find ./tests -type f -exec sed -i \
+ -e '/prodtype:/s/rhel9/rhel9,almalinux9/g' \
+ -e '/# platform =/{ /multi_platform_almalinux/! s/multi_platform_rhel/multi_platform_rhel,multi_platform_almalinux/g }' \
+ -e '/# platform =/s/Red Hat Enterprise Linux 9/Red Hat Enterprise Linux 9,AlmaLinux OS 9/g' {} \;
+
+find ./shared -type f -exec sed -i \
+ -e '/prodtype:/s/rhel9/rhel9,almalinux9/g' \
+ -e '/# platform =/{ /multi_platform_almalinux/! s/multi_platform_rhel/multi_platform_rhel,multi_platform_almalinux/g }' \
+ -e '/# platform =/s/Red Hat Enterprise Linux 9/Red Hat Enterprise Linux 9,AlmaLinux OS 9/g' \
+ -e 's|Red Hat Enterprise Linux 9|Red Hat Enterprise Linux 9\nAlmaLinux OS 9|g' \
+ -e 's|multi_platform_rhel|multi_platform_rhel\nmulti_platform_almalinux|g' {} \;
+
+# 4. Improve Ansible support in conditionals
+find ./linux_os -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i \
+ -e '/if product in/ s/"rhel9"/"rhel9", "almalinux9"/g' {} \;
+
+# 5. Add disa references symlinks for AlmaLinux
+for xml in $(find shared/references/ -type f -name 'disa-stig-rhel*.xml'); do
+ target="$(echo "$xml" | sed 's/rhel/almalinux/g')"
+ if [ ! -e "$target" ]; then
+ ln -s "$(basename "$xml")" "$target"
+ fi
+done
+
+# 6. Add AlmaLinux 9 product (copy from rhel9 and rebrand)
+rm -fr products/almalinux9
+cp -r products/rhel9 products/almalinux9
+
+if [ -d products/almalinux9/kickstart ]; then
+ for cfg in $(find products/almalinux9/kickstart/ -type f); do
+ mv "$cfg" "$(echo "$cfg" | sed 's/rhel9/almalinux9/g')"
+ done
+ sed -i 's/Red Hat Enterprise Linux 9.*/AlmaLinux OS 9/g' products/almalinux9/kickstart/*
+fi
+
+if [ -d products/almalinux9/transforms ]; then
+ sed -i \
+ -e 's/Red Hat Enterprise Linux/AlmaLinux OS/g' \
+ -e 's/RHEL */AL/g' \
+ -e 's/rhel/almalinux/g' \
+ -e 's/red_hat_linux/almalinuxos_linux/g' \
+ products/almalinux9/transforms/*
+fi
+
+if [ -d products/almalinux9/overlays ]; then
+ sed -i \
+ -e 's/Red Hat Enterprise Linux/AlmaLinux OS/g' \
+ -e 's/Red Hat Network or a Satellite Server/Foreman/g' \
+ -e 's/Red Hat/AlmaLinux/g' \
+ -e 's/RHEL9/AlmaLinux OS 9/g' \
+ -e 's/RHEL/AlmaLinux OS/g' \
+ products/almalinux9/overlays/*
+fi
+
+if [ -d products/almalinux9/controls ]; then
+ for ctl in $(find products/almalinux9/controls/ -type f -name '*rhel9*'); do
+ mv "$ctl" "$(echo "$ctl" | sed 's/rhel9/almalinux9/g')"
+ done
+ find products/almalinux9/controls -type f -exec sed -i \
+ -e 's/Red Hat Enterprise Linux/AlmaLinux OS/g' \
+ -e 's/RHEL9/ALMALINUX9/g' \
+ -e 's/RHEL-9/ALMALINUX-9/g' \
+ -e '/^id:/s/rhel9/almalinux9/g' \
+ -e '/^product:/s/rhel9/almalinux9/g' \
+ -e 's/ensure_redhat_gpgkey_installed/ensure_almalinux_gpgkey_installed/g' {} \;
+fi
+
+sed -i \
+ -e 's/rhel9/almalinux9/' \
+ -e 's/Red Hat Enterprise Linux/AlmaLinux OS/g' \
+ -e 's/RHEL-9/ALMALINUX-9/g' \
+ -e 's#https://access.redhat.com/security/team/key#https://almalinux.org/security/#' \
+ -e 's/^pkg_release:.*/pkg_release: "61e69f29"/g' \
+ -e 's/^pkg_version:.*/pkg_version: "b86b3716"/g' \
+ -e '/^aux_pkg_release:/d' \
+ -e '/^aux_pkg_version:/d' \
+ -e 's/release_key_fingerprint:.*/release_key_fingerprint: "BF18AC2876178908D6E71267D36CB86CB86B3716"/g' \
+ -e '/^release_key_fingerprint:/a oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-9.xml.bz2"' \
+ -e '/^auxiliary_key_fingerprint:/d' \
+ -e '/^pqc_key_fingerprint:/d' \
+ -e '/^pqc_pkg_release:/d' \
+ -e '/^pqc_pkg_version:/d' \
+ -e 's/redhat:enterprise_linux/almalinux:almalinux/g' \
+ -e 's/red_hat_linux/almalinuxos_linux/g' \
+ -e '/^centos_/d' \
+ products/almalinux9/product.yml
+
+sed -i 's/rhel/almalinux/g' products/almalinux9/CMakeLists.txt
+
+sed -i -z \
+ -e 's/Red Hat Enterprise Linux/AlmaLinux OS/g' \
+ -e 's/red_hat_linux/almalinuxos_linux/g' \
+ -e 's/Red Hat Enterprise\n Linux/\n AlmaLinux OS/g' \
+ -e 's/released ....-..-../released 2024-06-24/g' \
+ -e 's/RHEL/AlmaLinux OS/g' \
+ products/almalinux9/profiles/*
+
+sed -i \
+ -e 's/ensure_redhat_gpgkey_installed/ensure_almalinux_gpgkey_installed/g' \
+ -e 's/rhel9:/almalinux9:/g' \
+ -e "s/'\!ensure_almalinux_gpgkey_installed'/ensure_almalinux_gpgkey_installed/g" \
+ -e '/"!ensure_almalinux_gpgkey_installed"/d' \
+ products/almalinux9/profiles/*
diff --git a/SOURCES/scap-security-guide-add-almalinux9-product.patch b/SOURCES/scap-security-guide-add-almalinux9-product.patch
deleted file mode 100644
index f7a8c02..0000000
--- a/SOURCES/scap-security-guide-add-almalinux9-product.patch
+++ /dev/null
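Review bot: The three `for … in $(find …)` loops in steps 5 and 6 word-split and glob-expand the find output, so under this script's `set -euo pipefail` a path containing whitespace or a glob character would be silently mangled rather than rejected; reading NUL-delimited names and using parameter expansion in place of `echo | sed` removes both the splitting and one subshell per file (step 5 rewritten below; the kickstart and controls loops take the same shape). The tree-wide `find … -exec sed -i … {} \;` calls in steps 1–4 spawn one sed per file, and `-exec sed -i … {} +` performs the same edit in far fewer processes. The `pkg_release`, `pkg_version` and `release_key_fingerprint` values written into product.yml carry no provenance; presumably the `ensure_almalinux_gpgkey_installed` rule verifies the vendor key against them, so a comment such as `# AlmaLinux 9 release key id/fingerprint — re-check against the key shipped in the distro's rpm-gpg directory whenever the key is rotated` would keep a future rotation from shipping a stale fingerprint unnoticed. Steps 1–2 also rewrite `EFI/redhat` and `ensure_redhat_gpgkey_installed` across the shared tree and every controls file unconditionally, which, if any RHEL product is still built from the same tree, changes those products too; that is worth stating in the header comment.
```shell
# 5. Add disa references symlinks for AlmaLinux
while IFS= read -r -d '' xml; do
  target=${xml//rhel/almalinux}
  [ -e "$target" ] || ln -s "$(basename "$xml")" "$target"
done < <(find shared/references/ -type f -name 'disa-stig-rhel*.xml' -print0)
# … unchanged: step 6 product copy and rebranding …
```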
@@ -1,23284 +0,0 @@ -diff --git a/controls/anssi.yml b/controls/anssi.yml -index 43258e5de..705a8284d 100644 ---- a/controls/anssi.yml -+++ b/controls/anssi.yml -@@ -1254,7 +1254,7 @@ controls: - - ensure_gpgcheck_never_disabled - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_local_packages -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - ensure_oracle_gpgkey_installed - - ensure_almalinux_gpgkey_installed - -diff --git a/controls/cis_almalinux9.yml b/controls/cis_almalinux9.yml -index 0b8a8ecaf..963d5df62 100644 ---- a/controls/cis_almalinux9.yml -+++ b/controls/cis_almalinux9.yml -@@ -363,7 +363,7 @@ controls: - - l1_workstation - status: manual - related_rules: -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - - id: 1.2.1.2 - title: Ensure gpgcheck is globally activated (Automated) -diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml -index 6e9f1a526..f2fb754fa 100644 ---- a/controls/cis_rhel10.yml -+++ b/controls/cis_rhel10.yml -@@ -368,7 +368,7 @@ controls: - - l1_workstation - status: manual - related_rules: -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - - id: 1.2.1.2 - title: Ensure gpgcheck is configured (Automated) -diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml -index a5b889cd5..5c9c9af89 100644 ---- a/controls/cis_rhel8.yml -+++ b/controls/cis_rhel8.yml -@@ -356,7 +356,7 @@ controls: - - l1_workstation - status: manual - related_rules: -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - - id: 1.2.2 - title: Ensure gpgcheck is globally activated (Automated) -diff --git a/controls/e8.yml b/controls/e8.yml -index eecf857ad..4000844eb 100644 ---- a/controls/e8.yml -+++ b/controls/e8.yml -@@ -24,7 +24,7 @@ controls: - - service_avahi-daemon_disabled - - package_squid_removed - - service_squid_disabled -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - 
ensure_gpgcheck_never_disabled - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_globally_activated -diff --git a/controls/hipaa.yml b/controls/hipaa.yml -index 0f5470740..f0b1b567a 100644 ---- a/controls/hipaa.yml -+++ b/controls/hipaa.yml -@@ -170,7 +170,7 @@ controls: - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled - - ensure_gpgcheck_repo_metadata -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - ensure_suse_gpgkey_installed - - ensure_almalinux_gpgkey_installed - status: automated -@@ -1388,7 +1388,7 @@ controls: - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled - - ensure_gpgcheck_repo_metadata -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - ensure_suse_gpgkey_installed - - ensure_almalinux_gpgkey_installed - status: automated -@@ -1419,7 +1419,7 @@ controls: - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled - - ensure_gpgcheck_repo_metadata -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - ensure_suse_gpgkey_installed - - ensure_almalinux_gpgkey_installed - status: automated -@@ -1439,7 +1439,7 @@ controls: - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled - - ensure_gpgcheck_repo_metadata -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - ensure_suse_gpgkey_installed - - ensure_almalinux_gpgkey_installed - status: automated -@@ -1720,7 +1720,7 @@ controls: - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled - - ensure_gpgcheck_repo_metadata -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - ensure_suse_gpgkey_installed - - ensure_almalinux_gpgkey_installed - status: automated -diff --git a/controls/ism_o.yml b/controls/ism_o.yml -index f697010f5..c3f5e7bd9 100644 ---- a/controls/ism_o.yml -+++ b/controls/ism_o.yml -@@ -603,7 +603,7 @@ controls: - - ensure_gpgcheck_globally_activated - - 
ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - dnf-automatic_security_updates_only - status: automated - -diff --git a/controls/ospp.yml b/controls/ospp.yml -index d3f59d9a2..5c5bbc813 100644 ---- a/controls/ospp.yml -+++ b/controls/ospp.yml -@@ -447,7 +447,7 @@ controls: - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - status: automated - - - id: FPT_TUD_EXT.2 -@@ -461,7 +461,7 @@ controls: - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_local_packages - - ensure_gpgcheck_never_disabled -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - status: automated - - - id: FPT_TST_EXT.1 -diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml -index 087341f71..3243d6f5a 100644 ---- a/controls/pcidss_4.yml -+++ b/controls/pcidss_4.yml -@@ -1555,7 +1555,7 @@ controls: - - base - status: automated - rules: -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - - ensure_suse_gpgkey_installed - - ensure_almalinux_gpgkey_installed - - ensure_gpgcheck_globally_activated -diff --git a/controls/stig_rhel8.yml b/controls/stig_rhel8.yml -index 6bd332f68..41f580913 100644 ---- a/controls/stig_rhel8.yml -+++ b/controls/stig_rhel8.yml -@@ -3172,7 +3172,7 @@ controls: - - medium - title: RHEL 8 must ensure cryptographic verification of vendor software packages. 
- rules: -- - ensure_redhat_gpgkey_installed -+ - ensure_almalinux_gpgkey_installed - status: automated - - - id: RHEL-08-010358 -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_cis.pass.sh -index 536e45f3a..6fc5182e2 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_cis.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_cis.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - {{{ setup_auditctl_environment() }}} -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission_cis.pass.sh -index e1aedcc12..041b3a99a 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission_cis.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission_cis.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - {{{ setup_auditctl_environment() }}} -diff --git 
a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key_cis.pass.sh -index 19e56d957..62dc263da 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key_cis.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key_cis.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - {{{ setup_auditctl_environment() }}} -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules_cis.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules_cis.fail.sh -index 03066622a..00b22dffc 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules_cis.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules_cis.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - {{{ setup_auditctl_environment() }}} -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_cis.fail.sh 
b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_cis.fail.sh -index 5997a0f4b..f8b934477 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_cis.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_cis.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - {{{ setup_auditctl_environment() }}} -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key_cis.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key_cis.fail.sh -index 6614a0151..2d8a70c4d 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key_cis.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key_cis.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - {{{ setup_auditctl_environment() }}} -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_cis.pass.sh -index ca6cb501c..6e94b709f 100644 ---- 
a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_cis.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_cis.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - path="/var/run/faillock" -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission_cis.pass.sh -index 4cf3be21b..634990a72 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission_cis.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission_cis.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - path="/var/run/faillock" -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key_cis.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key_cis.pass.sh -index a943dcd2f..5a5c849c4 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key_cis.pass.sh -+++ 
b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key_cis.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - path="/var/run/faillock" -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules_cis.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules_cis.fail.sh -index a3feca25d..eb3da476b 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules_cis.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules_cis.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - path="/var/run/faillock" -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_cis.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_cis.fail.sh -index 4cee4cfb3..09d901e81 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_cis.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_cis.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = 
multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - path="/var/run/faillock" -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key_cis.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key_cis.fail.sh -index b15a095da..44c6a0115 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key_cis.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key_cis.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock - - path="/var/run/faillock" -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh -index 48bf48bd2..0c9d7c81e 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 
8,multi_platform_ubuntu - - {{{ setup_auditctl_environment() }}} -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh -index 5d91bba64..5d53ea73c 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - {{{ setup_auditctl_environment() }}} - -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh -index 92186611b..ee66ac9dc 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - {{{ setup_auditctl_environment() }}} - -diff --git 
a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh -index 7e041ef90..1d5b3127b 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - {{{ setup_auditctl_environment() }}} - -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh -index a6592b8e1..9962409ea 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - {{{ setup_auditctl_environment() }}} - -diff --git 
a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh -index d5c338857..af5946007 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - # augenrules is default for rhel7 -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh -index 0a16a0c50..8a4e1608a 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # packages = audit - # remediation = none --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /tmp/privileged.rules - -diff --git 
a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_extra_rules_configured.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_extra_rules_configured.pass.sh -index adbf71ccf..cac9509dd 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_extra_rules_configured.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_extra_rules_configured.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules - echo "-a always,exit -F path=/usr/bin/notrelevant -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh -index 2f01315e0..0fcf5d593 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 
8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules - sed -i '/newgrp/d' /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh -index 2c3c6124c..0e5ad3011 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh -index ee2c9ce79..cabf11a5b 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh -+++ 
b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh -index 43e72845c..b16ac83f1 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules - # change key of rules for binaries in /usr/sbin -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_ignore_dracut_tmp.pass.sh 
b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_ignore_dracut_tmp.pass.sh -index 6ef31d987..2da0682e0 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_ignore_dracut_tmp.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_ignore_dracut_tmp.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 - - ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules - -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_multiple_partitions.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_multiple_partitions.fail.sh -index a45b84843..f4e964bc1 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_multiple_partitions.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_multiple_partitions.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - . 
$SHARED/partition.sh - -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh -index 1f42f8652..e2dbd9bd9 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules - sed -i -E 's/^(.*path=[[:graph:]]+) -F perm=x(.*$)/\1\2/' /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh -index e58060ff7..556cd112a 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 
8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules - echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh -index 8f3c02693..0d251f46b 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/priv.rules - echo "-a always,exit -F path=/usr/bin/notrelevant -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/priv.rules -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh 
b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh -index 2dba37605..c9684121a 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8,multi_platform_ubuntu - - ./generate_privileged_commands_rule.sh {{{ uid_min }}} own_key /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/ansible/shared.yml -index f0ea21841..6f744d05b 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/ansible/shared.yml -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_sle,multi_platform_slmicro -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_slmicro - # reboot = false - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh -index 
f4fff8181..6c379ca01 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_debian -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_debian - - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/insmod", "x", "modules") }}} -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/kubernetes/shared.yml -index 26d02c24e..28daa9106 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml -index 889f83178..7896d4cb1 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = 
multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml -index 8b2377d44..39c2bba69 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml -index 9c5b7d2eb..cae43ea29 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu - # reboot = false - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh -index dd0efe72d..c3e8fc990 100644 ---- 
a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_ubuntu,multi_platform_debian -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu,multi_platform_debian - - # First perform the remediation of the syscall rule - # Retrieve hardware architecture of the underlying system -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml -index 323a798b1..46fad7416 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml -index 336beb2b7..26c47e462 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - # reboot = true - # strategy = restrict - # 
complexity = low -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml -index 49c97e395..51f48c0f9 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml -index ec76157d4..0f9e9f7cc 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml -index 3f43030e9..85e9a47c8 100644 ---- 
a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml -index 8a58bbc38..1a73014dc 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh -index 09d4e8ff5..6a8e8bdab 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel -+# platform = 
multi_platform_rhel,multi_platform_almalinux - - groupadd group_test - -diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh -index 1343cfbf2..3241e6cdc 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel,multi_platform_sle,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_fedora - - if grep -iwq "log_file" /etc/audit/auditd.conf; then - FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') -diff --git a/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value_non-root_group.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value_non-root_group.fail.sh -index d7c821524..f7fd9a307 100644 ---- a/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value_non-root_group.fail.sh -+++ b/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value_non-root_group.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = multi_platform_rhel,multi_platform_sle,multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_rhel,multi_platform_almalinux - - if grep -iwq "log_file" /etc/audit/auditd.conf; then - FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') -diff --git 
a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated.pass.sh -index 0a5e51c3f..a6b1538fc 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated.pass.sh -+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora -+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora - - . $SHARED/auditd_utils.sh - prepare_auditd_test_enviroment -diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated_not_there.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated_not_there.fail.sh -index 028fbc3f9..3bd65184f 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated_not_there.fail.sh -+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_activated_not_there.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora -+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora - # remediation = bash - - . 
$SHARED/auditd_utils.sh -diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_not_activated.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_not_activated.fail.sh -index 91b198fad..fd937e57d 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_not_activated.fail.sh -+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/tests/audit_syslog_plugin_not_activated.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = audit --# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora -+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora - # remediation = bash - - . $SHARED/auditd_utils.sh -diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml -index 55f407e01..b9084af21 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/kubernetes/shared.yml 
b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/kubernetes/shared.yml -index 55f407e01..b9084af21 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml -index 55f407e01..b9084af21 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/kubernetes/shared.yml -index 55f407e01..b9084af21 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = 
multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml -index 55f407e01..b9084af21 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml -index 55f407e01..b9084af21 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml 
b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml -index 55f407e01..b9084af21 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml -index 55f407e01..b9084af21 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml -+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/kubernetes/shared.yml -index 55f407e01..b9084af21 100644 ---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/kubernetes/shared.yml -+++ 
b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml
-index 55f407e01..b9084af21 100644
---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml
-index 55f407e01..b9084af21 100644
---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git 
a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml
-index 55f407e01..b9084af21 100644
---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml
-index 55f407e01..b9084af21 100644
---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml
-index 55f407e01..b9084af21 100644
---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = 
multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml
-index 55f407e01..b9084af21 100644
---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml
-index 55f407e01..b9084af21 100644
---- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml
-index 55f407e01..b9084af21 100644
---- 
a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/auditing/policy_rules/audit_access_failed/rule.yml
-index 8ce3a4141..4e02b8282 100644
---- a/linux_os/guide/auditing/policy_rules/audit_access_failed/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_access_failed/rule.yml
-@@ -28,7 +28,7 @@ severity: medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not apply this rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_access_failed_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_access_failed_aarch64/kubernetes/shared.yml
-index f29a4afc6..26ac0688c 100644
---- a/linux_os/guide/auditing/policy_rules/audit_access_failed_aarch64/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_access_failed_aarch64/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml 
b/linux_os/guide/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml
-index 412c67f15..ec1467404 100644
---- a/linux_os/guide/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_access_success/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_access_success/kubernetes/shared.yml
-index 413293083..3f8c50a39 100644
---- a/linux_os/guide/auditing/policy_rules/audit_access_success/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_access_success/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/auditing/policy_rules/audit_access_success/rule.yml
-index 31dacde7e..0ba58ad84 100644
---- a/linux_os/guide/auditing/policy_rules/audit_access_success/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_access_success/rule.yml
-@@ -27,7 +27,7 @@ severity: medium
- 
- # on RHEL9 there are rules which cover particular hardware architectures
- # so do not apply this rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git 
a/linux_os/guide/auditing/policy_rules/audit_access_success_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_access_success_aarch64/kubernetes/shared.yml
-index 1d08bae3a..3e2300448 100644
---- a/linux_os/guide/auditing/policy_rules/audit_access_success_aarch64/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_access_success_aarch64/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml
-index 372b7c27c..4e2ce77e9 100644
---- a/linux_os/guide/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_basic_configuration/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_basic_configuration/kubernetes/shared.yml
-index f62426900..bd3ddd10a 100644
---- a/linux_os/guide/auditing/policy_rules/audit_basic_configuration/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_basic_configuration/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = 
multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/auditing/policy_rules/audit_create_failed/rule.yml
-index dff42045c..e41212dc6 100644
---- a/linux_os/guide/auditing/policy_rules/audit_create_failed/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_create_failed/rule.yml
-@@ -36,7 +36,7 @@ severity: medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not apply this rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_create_failed_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_create_failed_aarch64/kubernetes/shared.yml
-index c26dc39be..d32b854fd 100644
---- a/linux_os/guide/auditing/policy_rules/audit_create_failed_aarch64/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_create_failed_aarch64/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml
-index 08c8dc855..e9277f263 100644
---- a/linux_os/guide/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora 
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/auditing/policy_rules/audit_create_success/rule.yml
-index 6dde3307f..d13c8046f 100644
---- a/linux_os/guide/auditing/policy_rules/audit_create_success/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_create_success/rule.yml
-@@ -30,7 +30,7 @@ severity: medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not apply this rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml
-index dab3d0eaa..620596c44 100644
---- a/linux_os/guide/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/auditing/policy_rules/audit_delete_failed/rule.yml
-index f3d51b3fe..849e07c63 100644
---- a/linux_os/guide/auditing/policy_rules/audit_delete_failed/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_delete_failed/rule.yml
-@@ -28,7 +28,7 @@ severity: medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not apply this rule but apply 
the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_failed_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_delete_failed_aarch64/kubernetes/shared.yml
-index 22d3990f0..ed4f8bce8 100644
---- a/linux_os/guide/auditing/policy_rules/audit_delete_failed_aarch64/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_delete_failed_aarch64/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml
-index 2fb2c25aa..e182781c4 100644
---- a/linux_os/guide/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml
-index bff04fe4c..a56d7f18f 100644
---- a/linux_os/guide/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- 
---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- 
- {{% set file_contents = """## Successful file delete
- -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=successful-delete
-diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/auditing/policy_rules/audit_delete_success/rule.yml
-index 6f39f271c..ce89fdfe9 100644
---- a/linux_os/guide/auditing/policy_rules/audit_delete_success/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_delete_success/rule.yml
-@@ -26,7 +26,7 @@ severity: medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not apply this rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml
-index 37b8b3676..d1be71273 100644
---- a/linux_os/guide/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- 
- {{% set file_contents = """## Successful file delete
- -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=successful-delete
-diff --git a/linux_os/guide/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml 
b/linux_os/guide/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml
-index a46066d62..731636c7f 100644
---- a/linux_os/guide/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- 
- {{% set file_contents = """## Successful file delete
- -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=successful-delete""" -%}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/kubernetes/shared.yml
-index ff5e61676..f7012bed2 100644
---- a/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_failed/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_failed/kubernetes/shared.yml
-index 2d9279849..ec6477378 100644
---- a/linux_os/guide/auditing/policy_rules/audit_modify_failed/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_modify_failed/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = 
multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/auditing/policy_rules/audit_modify_failed/rule.yml
-index d7bd0b785..3cbbc87f1 100644
---- a/linux_os/guide/auditing/policy_rules/audit_modify_failed/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_modify_failed/rule.yml
-@@ -36,7 +36,7 @@ severity: medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not apply this rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_failed_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_failed_aarch64/kubernetes/shared.yml
-index dae466002..527bc8489 100644
---- a/linux_os/guide/auditing/policy_rules/audit_modify_failed_aarch64/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_modify_failed_aarch64/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml
-index f07ff3607..62de7826c 100644
---- a/linux_os/guide/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = 
multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_success/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_success/kubernetes/shared.yml
-index c6f796967..7a6e545c4 100644
---- a/linux_os/guide/auditing/policy_rules/audit_modify_success/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_modify_success/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/auditing/policy_rules/audit_modify_success/rule.yml
-index cc6712432..fc9c319ee 100644
---- a/linux_os/guide/auditing/policy_rules/audit_modify_success/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_modify_success/rule.yml
-@@ -31,7 +31,7 @@ severity: medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not apply this rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_success_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_success_aarch64/kubernetes/shared.yml
-index 212ec4ba5..62e1ee6de 100644
---- a/linux_os/guide/auditing/policy_rules/audit_modify_success_aarch64/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_modify_success_aarch64/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- --- 
--# platform = multi_platform_rhel,multi_platform_fedora
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml
-index 92310b977..e76e314a6 100644
---- a/linux_os/guide/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_module_load/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_module_load/kubernetes/shared.yml
-index f8cd8b73d..090554c02 100644
---- a/linux_os/guide/auditing/policy_rules/audit_module_load/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_module_load/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/auditing/policy_rules/audit_module_load/rule.yml
-index 4cf215813..8a6276261 100644
---- a/linux_os/guide/auditing/policy_rules/audit_module_load/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_module_load/rule.yml
-@@ -27,7 +27,7 @@ severity: medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not apply this 
rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml
-index 231034a9c..460877cec 100644
---- a/linux_os/guide/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_ospp_general/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_ospp_general/kubernetes/shared.yml
-index 96ee57492..09bfe412b 100644
---- a/linux_os/guide/auditing/policy_rules/audit_ospp_general/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_ospp_general/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/auditing/policy_rules/audit_ospp_general/rule.yml
-index f9f327973..9a8366d84 100644
---- a/linux_os/guide/auditing/policy_rules/audit_ospp_general/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_ospp_general/rule.yml
-@@ -149,7 +149,7 @@ severity: medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not 
apply this rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml
-index ac946bfe0..7480f574f 100644
---- a/linux_os/guide/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml b/linux_os/guide/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml
-index 23940aca3..8775144da 100644
---- a/linux_os/guide/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/auditing/policy_rules/audit_owner_change_failed/rule.yml
-index d9fbc3779..0437fc30f 100644
---- a/linux_os/guide/auditing/policy_rules/audit_owner_change_failed/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_owner_change_failed/rule.yml
-@@ -28,7 +28,7 @@ severity: 
medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not apply this rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/auditing/policy_rules/audit_owner_change_success/rule.yml
-index 25c32a08b..5b3ebd1c3 100644
---- a/linux_os/guide/auditing/policy_rules/audit_owner_change_success/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_owner_change_success/rule.yml
-@@ -26,7 +26,7 @@ severity: medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not apply this rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/auditing/policy_rules/audit_perm_change_failed/rule.yml
-index 97b8a1583..fed5769af 100644
---- a/linux_os/guide/auditing/policy_rules/audit_perm_change_failed/rule.yml
-+++ b/linux_os/guide/auditing/policy_rules/audit_perm_change_failed/rule.yml
-@@ -28,7 +28,7 @@ severity: medium
- 
- # on RHEL9+ there are rules which cover particular hardware architectures
- # so do not apply this rule but apply the specific one instead
--{{% if product in ["rhel9", "rhel10"] %}}
-+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}}
- platforms:
- - not aarch64_arch and not ppc64le_arch
- {{% endif %}}
-diff --git a/linux_os/guide/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/auditing/policy_rules/audit_perm_change_success/rule.yml
-index c95c2a0f4..caab9a3ff 100644
---- 
a/linux_os/guide/auditing/policy_rules/audit_perm_change_success/rule.yml -+++ b/linux_os/guide/auditing/policy_rules/audit_perm_change_success/rule.yml -@@ -26,7 +26,7 @@ severity: medium - - # on RHEL9+ there are rules which cover particular hardware architectures - # so do not apply this rule but apply the specific one instead --{{% if product in ["rhel9", "rhel10"] %}} -+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}} - platforms: - - not aarch64_arch and not ppc64le_arch - {{% endif %}} -diff --git a/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml b/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml -index 1e575a03c..45bfed419 100644 ---- a/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml -+++ b/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml -@@ -1,4 +1,4 @@ --{{% if product in [ "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15"] %}} -+{{% if product in [ "ol9", "ol10", "rhel8", "rhel9", "almalinux9", "rhel10", "sle12", "sle15"] %}} - {{% set package_name = "cronie" %}} - {{% else %}} - {{% set package_name = "cron" %}} -diff --git a/linux_os/guide/services/cron_and_at/service_cron_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_cron_enabled/rule.yml -index d54589c84..8124ad459 100644 ---- a/linux_os/guide/services/cron_and_at/service_cron_enabled/rule.yml -+++ b/linux_os/guide/services/cron_and_at/service_cron_enabled/rule.yml -@@ -1,4 +1,4 @@ --{{% if product in ["rhel8", "rhel9", "rhel10"] %}} -+{{% if product in ["rhel8", "rhel9", "almalinux9", "rhel10"] %}} - {{% set service_name = "crond" %}} - {{% else %}} - {{% set service_name = "cron" %}} -diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml -index 59218a0ea..daba64fed 100644 ---- 
a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml -+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_debian -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_debian - # reboot = false - # strategy = configure - # complexity = low -diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh -index 43e16c187..b2af04b32 100644 ---- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh -+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_debian -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_debian - - {{{ bash_instantiate_variables("var_postfix_root_mail_alias") }}} - -diff --git a/linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_d_one_pool_missing.fail.sh b/linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_d_one_pool_missing.fail.sh -index 4963780f8..c3bc5b0de 100644 ---- a/linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_d_one_pool_missing.fail.sh -+++ b/linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_d_one_pool_missing.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = chrony --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - - {{{ bash_package_remove("ntp") }}} - -diff --git 
a/linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_d_one_server_missing.fail.sh b/linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_d_one_server_missing.fail.sh -index fdfe38968..92a468e1e 100644 ---- a/linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_d_one_server_missing.fail.sh -+++ b/linux_os/guide/services/ntp/chrony_set_nts/tests/chrony_d_one_server_missing.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = chrony --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - - {{{ bash_package_remove("ntp") }}} - -diff --git a/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml -index c435df983..b80ffbf7b 100644 ---- a/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml -+++ b/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml -index c435df983..b80ffbf7b 100644 ---- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml -+++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml 
b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml -index c435df983..b80ffbf7b 100644 ---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml -+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_pool_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_pool_misconfigured.fail.sh -index a7d291916..c1802d791 100644 ---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_pool_misconfigured.fail.sh -+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_pool_misconfigured.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # packages = chrony - # variables = var_time_service_set_maxpoll=16 --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - - {{{ bash_package_remove("ntp") }}} - -diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_server_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_server_misconfigured.fail.sh -index f6da9d51f..2eeff701b 100644 ---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_server_misconfigured.fail.sh -+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_d_one_server_misconfigured.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # packages = chrony - # variables = var_time_service_set_maxpoll=16 --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - - {{{ bash_package_remove("ntp") }}} - -diff --git 
a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml -index c435df983..b80ffbf7b 100644 ---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml -+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml -index c435df983..b80ffbf7b 100644 ---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml -+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml -index d41c69ef3..67f85b0d5 100644 ---- a/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml -+++ b/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml -@@ -50,7 +50,7 @@ template: - - platform: package[ntp] - --{{% if product in ["rhel8", "rhel9", "sle15"] %}} -+{{% if product in ["rhel8", "rhel9", "almalinux9", "sle15"] %}} - warnings: - - general: - The
ntp
package is not available in {{{ full_name }}}. Please -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml -index c1e0d7193..fad409f48 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml -@@ -42,7 +42,7 @@ template: - vars: - pkgname: xinetd - --{{% if product in ["rhel9"] %}} -+{{% if product in ["rhel9", "almalinux9"] %}} - warnings: - - general: - The package is not available in {{{ full_name }}}. -diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -index 1878cf937..68d66c48c 100644 ---- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -@@ -39,7 +39,7 @@ template: - pkgname: ypbind - pkgname@debian12: ypbind-mt - --{{% if product in ["rhel9"] %}} -+{{% if product in ["rhel9", "almalinux9"] %}} - warnings: - - general: - The package is not available in {{{ full_name }}}. -diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -index ab37fab3c..611fe2360 100644 ---- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -@@ -46,7 +46,7 @@ template: - vars: - pkgname: ypserv - --{{% if product in ["rhel9"] %}} -+{{% if product in ["rhel9", "almalinux9"] %}} - warnings: - - general: - The package is not available in {{{ full_name }}}. 
-diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml -index 925223e63..7e7e54b98 100644 ---- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml -@@ -43,7 +43,7 @@ template: - vars: - pkgname: rsh-server - --{{% if product in ["rhel8", "rhel9"] %}} -+{{% if product in ["rhel8", "rhel9", "almalinux9"] %}} - warnings: - - general: - The package is not available in {{{ full_name }}}. -diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml -index 8b8cc3406..ccf391f50 100644 ---- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml -@@ -53,7 +53,7 @@ template: - pkgname@ubuntu2204: rsh-client - pkgname@ubuntu2404: rsh-client - --{{% if product in ["rhel8", "rhel9"] %}} -+{{% if product in ["rhel8", "rhel9", "almalinux9"] %}} - warnings: - - general: - The package is not available in {{{ full_name }}}. -diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml -index a820ba060..d1b6c8a17 100644 ---- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml -@@ -29,7 +29,7 @@ template: - vars: - pkgname: talk-server - --{{% if product in ["rhel8", "rhel9"] %}} -+{{% if product in ["rhel8", "rhel9", "almalinux9"] %}} - warnings: - - general: - The package is not available in {{{ full_name }}}. 
-diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml -index 3004f7fda..eaad2959c 100644 ---- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml -@@ -37,7 +37,7 @@ template: - vars: - pkgname: talk - --{{% if product in ["rhel8", "rhel9"] %}} -+{{% if product in ["rhel8", "rhel9", "almalinux9"] %}} - warnings: - - general: - The package is not available in {{{ full_name }}}. -diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml -index aabc4380f..516bd5d07 100644 ---- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml -+++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml -@@ -45,7 +45,7 @@ warnings: - Consequently, the rngd service can't be started in FIPS mode. - {{% endif %}} - --{{% if product in ["fedora", "ol9", "ol10", "rhel9", "rhel10"] %}} -+{{% if product in ["fedora", "ol9", "ol10", "rhel9", "almalinux9", "rhel10"] %}} - platform: not runtime_kernel_fips_enabled - warnings: - - general: |- -diff --git a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/ansible/shared.yml b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/ansible/shared.yml -index a10c4daa1..bfb3121f4 100644 ---- a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/ansible/shared.yml -+++ b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # reboot = false - # strategy = configure - # complexity = low -diff --git a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/bash/shared.sh 
b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/bash/shared.sh -index 9e1f01f53..d7d4c2651 100644 ---- a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/bash/shared.sh -+++ b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - ###################################################################### - #By Luke "Brisk-OH" Brisk - #luke.brisk@boeing.com or luke.brisk@gmail.com -diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml -index 2ea6b4821..e9398b913 100644 ---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml -+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = debian 11,debian 10,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,multi_platform_rhel -+# platform = debian 11,debian 10,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux - # reboot = false - # strategy = configure - # complexity = low -diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh -index c54b259d0..78a682cc8 100644 ---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh -+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = debian 11,debian 10,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,multi_platform_rhel -+# platform = debian 11,debian 10,multi_platform_fedora,Oracle Linux 7,Oracle Linux 
8,multi_platform_rhel,multi_platform_almalinux - - {{{ bash_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}} - -diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/kubernetes/shared.yml -index ecc0d0386..c89a8a845 100644 ---- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/kubernetes/shared.yml -+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - metadata: -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ospp_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ospp_ok.pass.sh -index d2d6b5cdc..42894b47e 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ospp_ok.pass.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ospp_ok.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - # profiles = xccdf_org.ssgproject.content_profile_ospp - - mkdir -p /etc/ssh/sshd_config.d -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ospp_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ospp_ok.pass.sh -index ae9b6ceb6..5159b5dff 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ospp_ok.pass.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ospp_ok.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Red Hat Enterprise Linux 9, Red Hat 
Enterprise Linux 10,multi_platform_fedora -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9, Red Hat Enterprise Linux 10,multi_platform_fedora - # profiles = xccdf_org.ssgproject.content_profile_ospp - - mkdir -p /etc/ssh/sshd_config.d -diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml b/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml -index 91916fa1c..bb49ca7ea 100644 ---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml -+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml -@@ -9,7 +9,7 @@ - - {{% endif %}} -- {{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} -+ {{% if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}} - - {{% endif %}} -@@ -50,7 +50,7 @@ - ^.*allow_missing_name.*$ - - {{% endif %}} -- {{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} -+ {{% if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}} - -diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml -index aed45dc46..2bb781d84 100644 ---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml -+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml -@@ -10,7 +10,7 @@ description: |- -
[pam]
-     pam_cert_auth = True
-     
-- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}} -+ {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}} - Add or update "pam_sss.so" line in auth section of "/etc/pam.d/system-auth" file to include - "try_cert_auth" or "require_cert_auth" option, like in the following example: -
-diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh
-index 20d721658..2a4422daf 100644
---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,sssd
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- # remediation = none
- 
- SSSD_FILE="/etc/sssd/sssd.conf"
-diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh
-index ba800bcea..10d4d2975 100644
---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_disabled.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,sssd
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- 
- SSSD_FILE="/etc/sssd/sssd.conf"
- echo "[pam]" > $SSSD_FILE
-diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh
-index afd575dd8..a76a1a423 100644
---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh
-+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,sssd
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- 
- SSSD_FILE="/etc/sssd/sssd.conf"
- echo "[pam]" > $SSSD_FILE
-diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh
-index 05ecf8a8a..654864a62 100644
---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh
-+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,sssd
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- 
- SSSD_FILE="/etc/sssd/conf.d/unused.conf"
- echo "[pam]" > $SSSD_FILE
-diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh
-index 9758d9bda..998600da6 100644
---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh
-+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_lower.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,sssd
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- 
- SSSD_FILE="/etc/sssd/sssd.conf"
- echo "[pam]" > $SSSD_FILE
-diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh
-index eb58f3dcf..4e4cc0fa0 100644
---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,sssd
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- 
- SSSD_FILE="/etc/sssd/sssd.conf"
- echo "[pam]" > $SSSD_FILE
-diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh
-index 262abd276..c6f2babd7 100644
---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,sssd
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- 
- SSSD_FILE="/etc/sssd/conf.d/unused.conf"
- echo "[pam]" > $SSSD_FILE
-diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing.fail.sh
-index d3fc7375f..2c189f569 100644
---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,sssd
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- 
- SSSD_FILE="/etc/sssd/sssd.conf"
- echo "[pam]" > $SSSD_FILE
-diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing_file.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing_file.fail.sh
-index 456f06484..e6fb4c857 100644
---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing_file.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_missing_file.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,sssd
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- 
- SSSD_FILE="/etc/sssd/sssd.conf"
- rm -f $SSSD_FILE
-diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
-index 8acb5361f..ac1e04733 100644
---- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
-+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
-@@ -5,7 +5,7 @@ title: 'Configure SSSD to Expire Offline Credentials'
- 
- description: |-
-     SSSD should be configured to expire offline credentials after 1 day.
--    {{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}}
-+    {{% if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-     Check if SSSD allows cached authentications with the following command:
-     
-     $ sudo grep cache_credentials /etc/sssd/sssd.conf
-@@ -51,7 +51,7 @@ references:
- ocil_clause: 'it does not exist or is not configured properly'
- 
- ocil: |-
--    {{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}}
-+    {{% if product in ["ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}}
-     Check if SSSD allows cached authentications with the following command:
-     
-     $ sudo grep cache_credentials /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
-index 780c4d1a5..ccec13d45 100644
---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
-+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
-@@ -1,4 +1,4 @@
- #!/bin/bash
--# platform = multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_rhel,multi_platform_sle
-+# platform = multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle
- 
- systemctl set-default multi-user.target
-diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
-index fd3c4a48d..c79a3a43f 100644
---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
-+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
-@@ -1,4 +1,4 @@
- #!/bin/bash
--# platform = multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_rhel,multi_platform_sle
-+# platform = multi_platform_ol,multi_platform_fedora,multi_platform_rhv,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle
- 
- ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
-diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
-index 5ffb26956..f1af96866 100644
---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
-+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
-@@ -1,4 +1,4 @@
- #!/bin/bash
--# platform = multi_platform_ol,multi_platform_fedora,multi_platform_rhel,multi_platform_rhv,multi_platform_sle
-+# platform = multi_platform_ol,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle
- 
- systemctl set-default graphical.target
-diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh
-index 99a85d26d..33cdca2f3 100644
---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh
-+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh
-@@ -1,4 +1,4 @@
- #!/bin/bash
--# platform = multi_platform_ol,multi_platform_fedora,multi_platform_rhel,multi_platform_rhv,multi_platform_sle
-+# platform = multi_platform_ol,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle
- 
- ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/kubernetes/shared.yml
-index c2feb1fbc..116c6cde5 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/kubernetes/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- metadata:
-diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
-index 1dd9f4512..4c8892f4a 100644
---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora
-+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # profiles = xccdf_org.ssgproject.content_profile_ncp
- # packages = dconf,gdm
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
-index 6ff96441a..6966391a2 100644
---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora
-+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # profiles = xccdf_org.ssgproject.content_profile_stig
- # packages = dconf,gdm
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh
-index 9969fcc6f..ac6e95eda 100644
---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora
-+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # profiles = xccdf_org.ssgproject.content_profile_stig
- # packages = dconf,gdm
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
-index c316d7c8f..e942b3ef2 100644
---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora
-+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # profiles = xccdf_org.ssgproject.content_profile_stig
- # packages = dconf,gdm
- 
-diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
-index 7c7d4c073..51c6c97a8 100644
---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora
-+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # profiles = xccdf_org.ssgproject.content_profile_stig
- # packages = dconf,gdm
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_correct_options.pass.sh b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_correct_options.pass.sh
-index 2cd897b71..f6672029b 100644
---- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_correct_options.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_correct_options.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- if authselect list-features sssd | grep -q with-silent-lastlog; then
-     authselect select sssd --force
-diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_modified_pam.fail.sh
-index 60ede2a24..705f234b6 100644
---- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # remediation = none
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_silent_lastlog.fail.sh b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_silent_lastlog.fail.sh
-index 325d5860a..3bd614b5a 100644
---- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_silent_lastlog.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/authselect_silent_lastlog.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- if authselect list-features sssd | grep -q with-silent-lastlog; then
-     authselect select sssd --force
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/correct_value.pass.sh
-index e514c5aae..2e2be1afc 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/correct_value.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/correct_value.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- 
- authselect create-profile test_profile -b sssd
- authselect select "custom/test_profile" --force
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/no_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/no_value.fail.sh
-index 6cc976f24..fc1e0791c 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/no_value.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/tests/no_value.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- 
- authselect create-profile test_profile -b sssd
- authselect select "custom/test_profile" --force
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/correct_value.pass.sh
-index e514c5aae..2e2be1afc 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/correct_value.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/correct_value.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- 
- authselect create-profile test_profile -b sssd
- authselect select "custom/test_profile" --force
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/no_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/no_value.fail.sh
-index 6cc976f24..fc1e0791c 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/no_value.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/tests/no_value.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- 
- authselect create-profile test_profile -b sssd
- authselect select "custom/test_profile" --force
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh
-index d805aa018..5f7379c09 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh
-index e1eb0a970..c0e7f6540 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh
-index 98037b3e3..7ca623d6f 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh
-index f56bdbce2..f6f53923c 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh
-index bef6bbcea..60abc9d38 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=5
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh
-index 111ed3df6..c9fe11bb0 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=5
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh
-index cc133d939..c0a9e4b5b 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=5
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh
-index f8e697789..ff4ad0b16 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- if authselect list-features sssd | grep -q with-pwhistory; then
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh
-index 5565977e7..2a78d1e58 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- if authselect list-features sssd | grep -q with-pwhistory; then
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh
-index e5af75fdc..b30e83bc7 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # remediation = none
- 
- SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_control.fail.sh
-index 7af3472d6..1e65e7dbb 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_control.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_control.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- if authselect list-features sssd | grep -q with-pwhistory; then
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh
-index f16643985..3d8397924 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=3
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh
-index debcc53ca..49849baaa 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=3
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh
-index dd32200e4..0d1592798 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=5
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh
-index c4e304ec1..034f7839f 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=5
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh
-index 52e4f15c7..112c068ec 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=5
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh
-index 1296b6744..860edc03a 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- if authselect list-features sssd | grep -q with-pwhistory; then
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh
-index dfcaa146c..f18bdd223 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- if authselect list-features sssd | grep -q with-pwhistory; then
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh
-index 5f4aa8251..fc8f8a9b4 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # remediation = none
- 
- SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_control.fail.sh
-index 24883ef0c..d32d71132 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_control.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_control.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- if authselect list-features sssd | grep -q with-pwhistory; then
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh
-index 694398e7b..37ca0263c 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=3
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh
-index d9040a495..1536f7f3e 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=3
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/ansible/shared.yml
-index 8fb16daea..6ef0ceafe 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- # reboot = false
- # strategy = configure
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/shared.sh
-index 1ef54f081..42270486d 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/shared.sh
-@@ -1,3 +1,3 @@
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- {{{ bash_ensure_pam_module_option("/etc/pam.d/system-auth", "password", "required", "pam_pwhistory.so", "use_authtok") }}}
- {{{ bash_ensure_pam_module_option("/etc/pam.d/password-auth", "password", "required", "pam_pwhistory.so", "use_authtok") }}}
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh
-index a0ee8ece7..276673756 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_correct.pass.sh
-@@ -1,4 +1,4 @@
- #!/bin/bash
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- {{{ bash_ensure_pam_module_option("/etc/pam.d/system-auth", "password", "required", "pam_pwhistory.so", "use_authtok") }}}
- {{{ bash_ensure_pam_module_option("/etc/pam.d/password-auth", "password", "required", "pam_pwhistory.so", "use_authtok") }}}
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_wrong.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_wrong.fail.sh
-index c184a3062..baf8384ca 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_wrong.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/rhel_wrong.fail.sh
-@@ -1,4 +1,4 @@
- #!/bin/bash
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- {{{ bash_ensure_pam_module_option("/etc/pam.d/system-auth", "password", "required", "pam_pwhistory.so", "remember") }}}
- {{{ bash_ensure_pam_module_option("/etc/pam.d/password-auth", "password", "required", "pam_pwhistory.so", "remember") }}}
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/ansible/shared.yml
-index c08e3b426..0cc45b355 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- # reboot = false
- # strategy = configure
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh
-index 9742fb75c..d3154fa77 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh
-@@ -1,3 +1,3 @@
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- {{{ bash_ensure_pam_module_option("/etc/pam.d/system-auth", "password", "sufficient", "pam_unix.so", "use_authtok") }}}
- {{{ bash_ensure_pam_module_option("/etc/pam.d/password-auth", "password", "sufficient", "pam_unix.so", "use_authtok") }}}
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/rhel_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/rhel_correct.pass.sh
-index 52724ed73..276c3c6fc 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/rhel_correct.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/rhel_correct.pass.sh
-@@ -1,4 +1,4 @@
- #!/bin/bash
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- {{{ bash_ensure_pam_module_option("/etc/pam.d/system-auth", "password", "sufficient", "pam_unix.so", "use_authtok") }}}
- {{{ bash_ensure_pam_module_option("/etc/pam.d/password-auth", "password", "sufficient", "pam_unix.so", "use_authtok") }}}
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/rhel_wrong.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/rhel_wrong.fail.sh
-index c07b7d56a..fbee6a5e7 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/rhel_wrong.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/rhel_wrong.fail.sh
-@@ -1,3 +1,3 @@
- #!/bin/bash
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- sed -i 's/use_authtok/remember/' /etc/pam.d/system-auth /etc/pam.d/password-auth
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh
-index a18fa3d6c..5586d507f 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=5
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh
-index bc6d5ab7f..a4adc1800 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=5
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh
-index dd12efbc1..71756d641 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=5
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh
-index 8ca16e11a..c88cad464 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_remember=5
- 
- if authselect list-features sssd | grep -q with-pwhistory; then
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh
-index bc3c429f1..123108b13 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_remember=5
- 
- if authselect list-features sssd | grep -q with-pwhistory; then
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh
-index 02d30f17a..5fb950d93 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # remediation = none
- 
- SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh
-index 7f6215029..7ece7ec2e 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_remember=5
- 
- remember_cnt=5
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh
-index dc53f50b0..1913a6378 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_remember=5
- 
- remember_cnt=3
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh
-index e25a158f7..23b93ca89 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=3
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh
-index 253d50de1..c1e348428 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite
- 
- remember_cnt=3
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh
-index 2ba38d0ad..bdd471cdc 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/conflicting_settings_authselect.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh
-index bcfa1a721..2cb77dd13 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/expected_faillock_conf.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/authselect_modified_pam.fail.sh
-index eef841ce5..021894a32 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/authselect_modified_pam.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # remediation = none
- 
- SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/conflicting_settings_authselect.fail.sh
-index aa36b3be2..d116e45b7 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/conflicting_settings_authselect.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/conflicting_settings_authselect.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- 
- pam_files=("password-auth" "system-auth")
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_conflicting_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_conflicting_settings.fail.sh
-index 1d4f1f91f..acaf1f6f3 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_conflicting_settings.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_conflicting_settings.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_fedora,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora,Oracle Linux 8
-+# platform = multi_platform_fedora,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,Oracle Linux 8
- # remediation = none
- 
- authselect select sssd --force
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_faillock_conf.pass.sh
-index 8128a072f..c28980e01 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_faillock_conf.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_expected_faillock_conf.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_fedora,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora,Oracle Linux 8
-+# platform = multi_platform_fedora,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,Oracle Linux 8
- 
- authselect select sssd --force
- authselect enable-feature with-faillock
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
-index ffdc55852..cf0858efd 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_fedora,Oracle Linux 9,Oracle Linux 8,multi_platform_rhel
-+# platform = multi_platform_fedora,Oracle Linux 9,Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux
- # remediation = none
- 
- authselect select sssd --force
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/conflicting_settings_authselect.fail.sh
-index 679e47bcc..48ecf5894 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/conflicting_settings_authselect.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/conflicting_settings_authselect.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_faillock_conf.pass.sh
-index 6bb763cf5..04951e53c 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_faillock_conf.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_faillock_conf.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_pam_files.pass.sh
-index cd4c3ac61..5e84dd5ef 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_pam_files.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_pam_files.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_authfail.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_authfail.fail.sh
-index 3953a7567..238686e4f 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_authfail.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_authfail.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_preauth.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_preauth.fail.sh
-index 303cf124f..5808d914f 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_preauth.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_preauth.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_faillock_conf.fail.sh
-index 2f08a7d47..c30378c84 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_faillock_conf.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_faillock_conf.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_pam_files.fail.sh
-index 45724e5e1..a424078c6 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_pam_files.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_pam_files.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect,pam
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
-index 9ec4d6697..9f3b476f2 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
-index e9c09b713..d8a5cce80 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
-@@ -1,4 +1,4 @@
--# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- {{{ bash_pam_faillock_enable() }}}
- {{{ bash_pam_faillock_parameter_value("local_users_only", "") }}}
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_disabled.fail.sh
-index 856bd56ea..c1697c330 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_disabled.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_disabled.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Oracle Linux 8
- 
- authselect select sssd --force
- authselect disable-feature with-faillock
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_expected_faillock_conf.pass.sh
-index 075791de6..611b4b568 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_expected_faillock_conf.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_expected_faillock_conf.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Oracle Linux 8
- 
- authselect select sssd --force
- authselect enable-feature with-faillock
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
-index 978cccce6..4df1f8200 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Oracle Linux 8
- # remediation = none
- 
- authselect select sssd --force
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_not_required_pam_files.fail.sh
-index 053f91100..303230d97 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_not_required_pam_files.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/tests/pam_faillock_not_required_pam_files.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Oracle Linux 8
- # remediation = none
- 
- # This test scenario manually modify the pam_faillock.so entries in auth section from
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_faillock_conf.pass.sh
-index fdd0c4c06..3935c3eb3 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_faillock_conf.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/expected_faillock_conf.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_password_auth.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_password_auth.fail.sh
-index f73c751f5..67f87b046 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_password_auth.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_password_auth.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_system_auth.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_system_auth.fail.sh
-index 514b2bb37..287b2bd47 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_system_auth.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/tests/missing_parameter_system_auth.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- source common.sh
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/tests/custom-package-removed.fail.sh b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/tests/custom-package-removed.fail.sh
-index e82ecb7f5..7386d3217 100644
---- a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/tests/custom-package-removed.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/tests/custom-package-removed.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- 
- # Package libpwquality cannot be uninstalled normally
- # as it would cause removal of sudo package which is
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh
-index 81d2955d3..91f44dfc9 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- 
- authselect create-profile hardening -b sssd
- CUSTOM_PROFILE="custom/hardening"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh
-index 4bb7a4872..5040a42e4 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- 
- authselect create-profile hardening -b sssd
- CUSTOM_PROFILE="custom/hardening"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh
-index 32ce46407..76a1e7412 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- 
- authselect create-profile hardening -b sssd
- CUSTOM_PROFILE="custom/hardening"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh
-index 0f9b75cec..644396bc1 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # remediation = none
- 
- SYSTEM_AUTH_FILE="/etc/pam.d/password-auth"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_wrong_control.fail.sh
-index 61c28f2d6..721b5b349 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_wrong_control.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_wrong_control.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- 
- authselect create-profile hardening -b sssd
- CUSTOM_PROFILE="custom/hardening"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh
-index f68622be4..34c533ad4 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- 
- authselect create-profile hardening -b sssd
- CUSTOM_PROFILE="custom/hardening"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh
-index 0de6065a2..3117aba3e 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- 
- authselect create-profile hardening -b sssd
- CUSTOM_PROFILE="custom/hardening"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh
-index 03a4ef295..85bc0e565 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- 
- authselect create-profile hardening -b sssd
- CUSTOM_PROFILE="custom/hardening"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh
-index ae0ed105d..e81f931b7 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # remediation = none
- 
- SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_wrong_control.fail.sh
-index 60ebfdeba..0cfa2b06e 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_wrong_control.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_wrong_control.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- 
- authselect create-profile hardening -b sssd
- CUSTOM_PROFILE="custom/hardening"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh
-index a151577a5..2f21c2359 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- # variables = var_password_pam_retry=3
- 
- source common.sh
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
-index 36ddc1d94..8ec3d927a 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- # variables = var_password_pam_retry=3
- 
- source common.sh
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh
-index d65976fa1..65914eaef 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- # variables = var_password_pam_retry=3
- 
- source common.sh
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh
-index 39f98ec3f..06837bd37 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- # variables = var_password_pam_retry=3
- 
- source common.sh
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
-index d2a2dc2d0..026cc0501 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- # variables = var_password_pam_retry=3
- 
- source common.sh
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh
-index 2bd6c06a5..97a5f3e66 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- # variables = var_password_pam_retry=3
- 
- source common.sh
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh
-index 459ae7843..86e7dec6d 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- # variables = var_password_pam_retry=3
- 
- source common.sh
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_correct_value.pass.sh
-index ee1213c2d..c2aca7ae1 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_correct_value.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_correct_value.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_incorrect_option.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_incorrect_option.fail.sh
-index 8d6be38f4..ce2bcce19 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_incorrect_option.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_incorrect_option.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_missing_option.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_missing_option.fail.sh
-index 13f217f02..efb422075 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_missing_option.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_missing_option.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_modified_pam.fail.sh
-index 5632949e2..fbfe8a0a4 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- # remediation = none
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_multiple_options.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_multiple_options.fail.sh
-index 7f6ff9a97..581c81c47 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_multiple_options.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_multiple_options.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_wrong_control.fail.sh
-index 10a02eb86..77029c277 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_wrong_control.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_wrong_control.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_correct_value.pass.sh
-index 264df72f1..725cd27ab 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_correct_value.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_correct_value.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_incorrect_option.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_incorrect_option.fail.sh
-index c5e65c44e..8d606b5ea 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_incorrect_option.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_incorrect_option.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_missing_option.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_missing_option.fail.sh
-index c61e9828d..652f95adb 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_missing_option.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_missing_option.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_modified_pam.fail.sh
-index 6499ed205..c94da4ca0 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- # remediation = none
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_multiple_options.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_multiple_options.fail.sh
-index 6b5b5767a..01fafdbb9 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_multiple_options.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_multiple_options.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_wrong_control.fail.sh
-index a1a9ec1ec..c273c78f4 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_wrong_control.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/authselect_wrong_control.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # variables = var_password_hashing_algorithm_pam=sha512
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/kubernetes/shared.yml
-index 3045574e5..7ce6bb466 100644
---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/kubernetes/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/kubernetes/shared.yml
-index 517c83c6e..041e9a29c 100644
---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/kubernetes/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
-index ed94337e6..318ed9da3 100644
---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
-+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ubuntu
- 
- systemctl disable --now ctrl-alt-del.target
- systemctl mask --now ctrl-alt-del.target
-diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh
-index 3e37419e8..029e44c9d 100644
---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh
-@@ -1,4 +1,4 @@
- #!/bin/bash
--# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
-+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ubuntu
- 
- systemctl unmask ctrl-alt-del.target
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-index c0bbf0e00..2ef6928f5 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-@@ -48,7 +48,7 @@ ocil: |-
-     To check if authentication is required for emergency mode, run the following command:
-     
$ grep sulogin /usr/lib/systemd/system/emergency.service
- The output should be similar to the following, and the line must begin with
-- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15", "slmicro5"] -%}}
-+ {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "slmicro5"] -%}}
- ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
-
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
- {{%- else -%}}
-@@ -76,7 +76,7 @@ fixtext: |-
- Configure {{{ full_name }}} to require authentication for system emergency mode.
- 
- Add or edit the following line in "/usr/lib/systemd/system/emergency.service":
-- {{% if product in ["fedora", "ol8", "ol9", "kylinserver10", "openeuler2203", "rhel8", "rhel9", "sle12", "sle15", "slmicro5"] -%}}
-+ {{% if product in ["fedora", "ol8", "ol9", "kylinserver10", "openeuler2203", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "slmicro5"] -%}}
- ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
- {{%- else -%}}
- ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value.pass.sh
-index bce932b72..65189b3b9 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- 
- service_file="/usr/lib/systemd/system/emergency.service"
- sulogin="/usr/lib/systemd/systemd-sulogin-shell"
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value_dropin.pass.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value_dropin.pass.sh
-index 31c41fba2..c1729abbc 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value_dropin.pass.sh
-+++ 
b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/correct_value_dropin.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
-+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_slmicro
- rm -f /etc/systemd/system/emergency.service
- mkdir -p /etc/systemd/system/emergency.service.d/
- cat << EOF > /etc/systemd/system/emergency.service.d/10-automatus.conf
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value_dropin.fail.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value_dropin.fail.sh
-index 8fb2960e0..57568d8cb 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value_dropin.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value_dropin.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
-+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_slmicro
- rm -f /etc/systemd/system/emergency.service
- mkdir -p /etc/systemd/system/emergency.service.d/
- cat << EOF > /etc/systemd/system/emergency.service.d/10-oscap.conf
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_dropin.pass.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_dropin.pass.sh
-index c15034231..01fbc0695 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_dropin.pass.sh
-+++ 
b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_dropin.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel
-+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux
- rm -rf /etc/systemd/system/rescue.service.d
- mkdir -p /etc/systemd/system/rescue.service.d
- cat << EOF > /etc/systemd/system/rescue.service.d/10-automatus.conf
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh
-index f735f3270..027fbbe3d 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol
- 
- service_file="/usr/lib/systemd/system/rescue.service"
- sulogin="/usr/lib/systemd/systemd-sulogin-shell"
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_dropin.fail.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_dropin.fail.sh
-index 01701eefb..a3b846c14 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_dropin.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_dropin.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel
-+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux
- 
- rm -rf /etc/systemd/system/rescue.service.d
- mkdir -p 
/etc/systemd/system/rescue.service.d
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml
-index 75395cf61..1dcee69f3 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol
- # reboot = false
- # strategy = configure
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml
-index f47326940..42d591752 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol
- # reboot = false
- # strategy = configure
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/ansible/shared.yml 
b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/ansible/shared.yml
-index 6eb24c8ef..718f8cb2e 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/alternative_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/alternative_value.pass.sh
-index 0b31379f0..778d63d74 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/alternative_value.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/alternative_value.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- 
- echo 'bind W lock-session' >> '/etc/tmux.conf'
- chmod 0644 "/etc/tmux.conf"
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/correct.pass.sh
-index e38203195..55a8aff57 100644
---- 
a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/correct.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/correct.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # packages = tmux
- 
- echo 'bind X lock-session' >> '/etc/tmux.conf'
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/file_empty.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/file_empty.fail.sh
-index 45458b6f2..87e6ded51 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/file_empty.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/file_empty.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # packages = tmux
- 
- echo > '/etc/tmux.conf'
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/line_commented.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/line_commented.fail.sh
-index 93ed8cbf4..bff755146 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/line_commented.fail.sh
-+++ 
b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/line_commented.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # packages = tmux
- 
- echo '# bind X lock-session' >> '/etc/tmux.conf'
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/wrong_permissions.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/wrong_permissions.fail.sh
-index da006625e..8e02e36e8 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/wrong_permissions.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_keybinding/tests/wrong_permissions.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # packages = tmux
- 
- echo 'bind X lock-session' >> '/etc/tmux.conf'
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/kubernetes/shared.yml
-index 6b2d6cd5e..c20712c9f 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/kubernetes/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = 
multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml
-index 2cbb501f6..27700c4b4 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_rhel
-+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_rhel,multi_platform_almalinux
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/commented.fail.sh
-index 8d59d36d3..526165afe 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/commented.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/commented.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_ubuntu,multi_platform_rhel
-+# platform = multi_platform_ubuntu,multi_platform_rhel,multi_platform_almalinux
- # packages = openssl-pkcs11,libpam-pkcs11
- 
- if [ ! 
-f /etc/pam_pkcs11/pam_pkcs11.conf ]; then
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml
-index ebcb5ac04..674369a42 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel
-+# platform = multi_platform_rhel,multi_platform_almalinux
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh
-index 7bdb759f6..dd157f1e3 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_debian
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_debian
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_argument_missing.fail.sh
-index ac786351d..105da781f 100644
---- 
a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_argument_missing.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_argument_missing.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_rounds=65536
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_correct_value.pass.sh
-index f65671afe..4e6949a82 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_correct_value.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_correct_value.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_rounds=65536
- 
- ROUNDS=65536
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_default_rounds.fail.sh 
b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_default_rounds.fail.sh
-index 0c026fce2..40ff8c5aa 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_default_rounds.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_default_rounds.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_rounds=5000
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_modified_pam.fail.sh
-index fefaf2f5a..8389f6b09 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # remediation = none
- # variables = 
var_password_pam_unix_rounds=65536
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_control.fail.sh
-index 6638d849a..28d9dffee 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_control.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_control.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_rounds=65536
- 
- ROUNDS=65536
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_value.fail.sh
-index 91da77a25..adfc415f3 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_value.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/tests/authselect_wrong_value.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle 
Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_rounds=65536
- 
- ROUNDS=4000
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_argument_missing.fail.sh
-index 1a1cf9ad7..3f5725a4a 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_argument_missing.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_argument_missing.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_rounds=65536
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_correct_value.pass.sh
-index 1acecb5ba..6fd0a2db7 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_correct_value.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_correct_value.pass.sh
-@@ -1,6 +1,6 @@
- 
#!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_rounds=65536
- 
- ROUNDS=65536
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_default_rounds.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_default_rounds.fail.sh
-index 539b033f7..e1ca3468e 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_default_rounds.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_default_rounds.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_rounds=5000
- 
- authselect create-profile hardening -b sssd
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_modified_pam.fail.sh
-index 3f0dac513..10af6ae8c 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_modified_pam.fail.sh
-+++ 
b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # remediation = none
- # variables = var_password_pam_unix_rounds=65536
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_control.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_control.fail.sh
-index 8a39a24a4..f32bacf9e 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_control.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_control.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_rounds=65536
- 
- ROUNDS=65536
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_value.fail.sh
-index dc454dff4..ee67c2bdf 100644
---- 
a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_value.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/tests/authselect_wrong_value.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora
- # variables = var_password_pam_unix_rounds=65536
- 
- ROUNDS=4000
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_modified_pam.fail.sh
-index db6c94724..57535bb74 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_modified_pam.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_modified_pam.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # remediation = none
- 
- SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_absent.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_absent.pass.sh
-index c05d6d2c2..5b132cfb6 100644
---- 
a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_absent.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_absent.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- 
- SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_present.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_present.fail.sh
-index c8ab00326..a6a41bb08 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_present.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/authselect_nullok_present.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = authselect
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- 
- SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/other_user_gid_0.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/other_user_gid_0.fail.sh
-index 5e2919e78..c22311899 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/other_user_gid_0.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/other_user_gid_0.fail.sh
-@@ 
-1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ubuntu
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu
- # remediation = none
- 
- useradd --gid 0 root2
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml
-index 8469f530b..83ecdd81a 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_fedora
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_fedora
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
-index ab0e591f1..605e5d2b0 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_debian,multi_platform_fedora
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_debian,multi_platform_fedora
- 
- {{{ 
bash_instantiate_variables("var_pam_wheel_group_for_su") }}}
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/kubernetes/shared.yml
-index 8f87bf06e..6bed5ef5a 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/kubernetes/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos
- apiVersion: machineconfiguration.openshift.io/v1
- kind: MachineConfig
- spec:
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml
-index 6d79f4e9d..b57b787a8 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
-index 35df572f9..548a5aee6 100644
---- 
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
-@@ -1,4 +1,4 @@
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_debian
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_debian
- {{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}}
- 
- PAM_CONF=/etc/pam.d/su
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/ansible/shared.yml
-index 4d08bb696..febed69bb 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/ansible/shared.yml
-index 12a861bb1..d16d24b51 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle
-+# platform = 
multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/bash/shared.sh
-index ceac5e3ff..6b9ed3049 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/bash/shared.sh
-@@ -1,4 +1,4 @@
--# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
-+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel,multi_platform_almalinux
- # reboot = false
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
-index 7f399477a..63690c599 100644
---- a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
-+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
- # reboot = false
- # strategy = configure
- # complexity = low
-diff --git a/linux_os/guide/system/accounts/enable_authselect/tests/not_remediable.fail.sh b/linux_os/guide/system/accounts/enable_authselect/tests/not_remediable.fail.sh
-index 91f429a34..9503b90c2 100644
---- a/linux_os/guide/system/accounts/enable_authselect/tests/not_remediable.fail.sh
-+++ b/linux_os/guide/system/accounts/enable_authselect/tests/not_remediable.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = 
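Review bot: The new platform line in enable_authselect/ansible/shared.yml lists `AlmaLinux OS 9` next to `multi_platform_almalinux`, which already covered every AlmaLinux release before this change, so the insertion is redundant and the header now carries both a pinned version and the multi-platform alias for the same product. The cleaner option is to leave this file's header as it was: `# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux`. If the build tolerates the duplicate CPE this is cosmetic, but it suggests the rewrite appends `AlmaLinux OS 9` wherever `Red Hat Enterprise Linux 9` appears without first checking for existing AlmaLinux coverage, which is better fixed with a guard in the generator than by hand-editing each file.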
multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_almalinux
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_almalinux
- # packages = authselect,pam
- # remediation = none
- 
-diff --git a/linux_os/guide/system/accounts/enable_authselect/tests/remediable.fail.sh b/linux_os/guide/system/accounts/enable_authselect/tests/remediable.fail.sh
-index 15a64d147..900993d72 100644
---- a/linux_os/guide/system/accounts/enable_authselect/tests/remediable.fail.sh
-+++ b/linux_os/guide/system/accounts/enable_authselect/tests/remediable.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_almalinux
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_almalinux
- # packages = authselect,pam
- 
- rm -f /etc/pam.d/{fingerprint-auth,password-auth,postlogin,smartcard-auth,system-auth}
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/wrong_value_entries.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/wrong_value_entries.fail.sh
-index 00942724d..9d7168c74 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/wrong_value_entries.fail.sh
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/wrong_value_entries.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # Based on shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
--# platform = Red Hat Enterprise Linux 9
-+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- # Breaks argument in kernel command line in /boot/loader/entries/*.conf
- 
-diff --git 
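Review bot: Both enable_authselect test headers (not_remediable.fail.sh and remediable.fail.sh) already carried `multi_platform_almalinux`, so the inserted `AlmaLinux OS 9` duplicates coverage that was already present; the original line can stand, e.g. `# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_almalinux`. Redundant entries are presumably harmless to the test harness, but they obscure which scenarios genuinely gained AlmaLinux coverage in this change. The grub2_kernel_trust_cpu_rng hunk on the same line is fine as written, since that test was previously limited to RHEL 9 alone.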
a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/tests/invalid_username.fail.sh b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/tests/invalid_username.fail.sh
-index 663a3282c..ffb3e4969 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/tests/invalid_username.fail.sh
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/tests/invalid_username.fail.sh
-@@ -1,7 +1,7 @@
- #!/bin/bash
- 
- # remediation = none
--# platform = Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 10,multi_platform_ubuntu,multi_platform_sle,multi_platform_fedora
-+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9, Red Hat Enterprise Linux 10,multi_platform_ubuntu,multi_platform_sle,multi_platform_fedora
- 
- . $SHARED/grub2.sh
- 
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh
-index 50cf1b78f..84a0e9194 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- # Make sure boot loader entries contain init_on_alloc=1
- for file in /boot/loader/entries/*.conf
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh
-index 7c0d91547..bff710e05 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh
-+++ 
b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- # Make sure boot loader entries contain init_on_alloc=1
- for file in /boot/loader/entries/*.conf
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh
-index 9d330c919..96a4dcc74 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- # Remove init_on_alloc=1 from all boot entries
- sed -Ei 's/(^options.*\s)init_on_alloc=1(.*?)$/\1\2/' /boot/loader/entries/*
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
-index b36aca3cf..4991691ef 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # reboot = true
- # strategy = configure
- # complexity = medium
-diff --git 
a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
-index 0d90d58db..32887fa37 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
-@@ -1,4 +1,4 @@
--# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- 
- # Correct BLS option using grubby, which is a thin wrapper around BLS operations
- grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
-diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml
-index 892523fc4..9fbba1ccb 100644
---- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml
-+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml
-@@ -1,5 +1,5 @@
- ---
--# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_rhcos
-+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhcos
- # reboot = true
- # strategy = restrict
- # complexity = low
-diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
-index 907b69cc3..b89c0221d 100644
---- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
-+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
-@@ -11,7 +11,7 @@
- test_ref="test_logrotate_conf_no_other_keyword" />
- 
- 
--{{% if product in ["ol9", "rhcos4", "rhel9", "rhel10", "sle12", 
"sle15", "slmicro5"] %}} -+{{% if product in ["ol9", "rhcos4", "rhel9", "almalinux9", "rhel10", "sle12", "sle15", "slmicro5"] %}} - - {{% endif %}} - -@@ -54,7 +54,7 @@ - 1 - - -- {{% if product in ["ol9", "rhcos4", "rhel9", "rhel10", "sle12", "sle15", "slmicro5"] %}} -+ {{% if product in ["ol9", "rhcos4", "rhel9", "almalinux9", "rhel10", "sle12", "sle15", "slmicro5"] %}} - -diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh -index 18d73bb72..231c48285 100644 ---- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh -+++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_rhel,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu - # check-import = stdout - - result=$XCCDF_RESULT_PASS -diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh -index b2a8e350c..e97d0f4a5 100644 ---- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh -+++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_rhel,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu - # check-import = stdout - - result=$XCCDF_RESULT_PASS -diff --git 
a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel8.fail.sh b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel8.fail.sh -index cfb1cd690..a89ef4dcc 100644 ---- a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel8.fail.sh -+++ b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel8.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - - mkdir -p "/etc" - filepath="/etc/os-release" -diff --git a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.2.notapplicable.sh b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.2.notapplicable.sh -index 52c2500cb..702369f66 100644 ---- a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.2.notapplicable.sh -+++ b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.2.notapplicable.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - - mkdir -p "/etc" - filepath="/etc/os-release" -diff --git a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.notapplicable.sh b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.notapplicable.sh -index 207bfac32..f5e12fe63 100644 ---- a/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.notapplicable.sh -+++ b/linux_os/guide/system/network/network-iptables/package_iptables_installed/tests/rhel9.notapplicable.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = 
multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - - mkdir -p "/etc" - filepath="/etc/os-release" -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/kubernetes/shared.yml -index 87306fedb..88e2884bc 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/kubernetes/shared.yml -index 8792fc668..2c7c4b025 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git 
a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/kubernetes/shared.yml -index e222b1c88..85b92ce90 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/kubernetes/shared.yml -index 4ed2c480c..f59b6d7c3 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/kubernetes/shared.yml -index 845b013ed..063776b85 100644 ---- 
a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/kubernetes/shared.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/kubernetes/shared.yml -index e2951d845..0335df123 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh -index fc649d74c..93dffbb34 100644 ---- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash 
--# platform = Red Hat Enterprise Linux 9 -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - # Removes ipv6.disable argument from kernel command line in //boot/loader/entries/*.conf - -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh -index 3c1cde1dc..baad7f86f 100644 ---- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Red Hat Enterprise Linux 9 -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - # Break the ipv6.disable argument in kernel command line in /boot/loader/entries/*.conf - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/kubernetes/shared.yml -index 6bb6de134..1f0664a02 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/kubernetes/shared.yml -index b3d72bb4a..b89b8a35a 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/kubernetes/shared.yml -index 70e767cc4..fbe1a27a2 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/kubernetes/shared.yml 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/kubernetes/shared.yml -index c64da37a3..08535e5a1 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/ol_value_2.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/ol_value_2.fail.sh -index 12a388565..6f16f3487 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/ol_value_2.fail.sh -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/ol_value_2.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 9,Red Hat Enterprise Linux 9 -+# platform = Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - # Clean sysctl config directories - rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/kubernetes/shared.yml -index 8b075d55e..0dd17a34b 100644 ---- 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/kubernetes/shared.yml -index 2bfbd9e46..8ea37100a 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/kubernetes/shared.yml -index aa7d1562b..08668d03c 100644 ---- 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/kubernetes/shared.yml -index 3a60ab17c..728ddb817 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/kubernetes/shared.yml -index b6e53de36..0b652c7cf 100644 ---- 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/kubernetes/shared.yml -index aeb67c4e0..f47a8ab67 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/kubernetes/shared.yml -index 52d74441b..08c8c256d 100644 ---- 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/kubernetes/shared.yml -index 9e3a85af9..d4f4d31cb 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/kubernetes/shared.yml -index 0c8dae788..a26df0c5a 100644 ---- 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/kubernetes/shared.yml -index ea1db12fe..5d8b19f68 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/kubernetes/shared.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/kubernetes/shared.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/kubernetes/shared.yml -index b54e3d12b..125464d7a 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/kubernetes/shared.yml -+++ 
b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh b/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh -index 89d344c4f..1a926adaa 100644 ---- a/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh -+++ b/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_rhel,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu - # check-import = stdout - - tbl_output=$(nft list tables | grep inet) -diff --git a/linux_os/guide/system/network/network_nmcli_permissions/tests/missing_compat_package.fail.sh b/linux_os/guide/system/network/network_nmcli_permissions/tests/missing_compat_package.fail.sh -index 2dc3f4431..f1f353370 100644 ---- a/linux_os/guide/system/network/network_nmcli_permissions/tests/missing_compat_package.fail.sh -+++ b/linux_os/guide/system/network/network_nmcli_permissions/tests/missing_compat_package.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash - # packages = polkit --# platform = Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 10 -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9, Red Hat Enterprise Linux 10 - # This TS is a regression test for https://issues.redhat.com/browse/RHEL-87606 - dnf remove -y --noautoremove polkit-pkla-compat -diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/sce/shared.sh 
b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/sce/shared.sh -index 0eee598bf..c3aa51320 100644 ---- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/sce/shared.sh -+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux - # check-import = stdout - - {{{ find_directories(find_parameters="\( -perm -0002 -a ! -perm -1000 \)", fail_message="Found directories with writable sticky bits") }}} -diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/sce/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/sce/shared.sh -index facc0ad8d..f19540f78 100644 ---- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/sce/shared.sh -+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux - # check-import = stdout - - {{{ find_directories(find_parameters="-perm -0002 -uid +"~uid_min, fail_message="Found world-writable directories that are not owned by a system account") }}} -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/sce/shared.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/sce/shared.sh -index a6fb2064a..4d8f7030f 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/sce/shared.sh -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel -+# 
platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux - # check-import = stdout - - {{{ find_files(find_parameters="-perm -2000", fail_message="Found SGID executables that are unauthorized", skip_rpm_owned_files=True) }}} -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/sce/shared.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/sce/shared.sh -index d7bb76269..08156544b 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/sce/shared.sh -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux - # check-import = stdout - - {{{ find_files(find_parameters="-perm -4000", fail_message="Found SUID executables that are unauthorized", skip_rpm_owned_files=True) }}} -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/sce/shared.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/sce/shared.sh -index bca90c8ba..4ed275284 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/sce/shared.sh -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel,Ubuntu 24.04 -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Ubuntu 24.04 - # check-import = stdout - - {{{ find_files(find_parameters="-perm -002", fail_message="Found world-writable files") }}} -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/tests/world_writable_tmp.fail.sh 
b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/tests/world_writable_tmp.fail.sh -index c6b866ea6..392196483 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/tests/world_writable_tmp.fail.sh -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/tests/world_writable_tmp.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_rhel,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu - - find / -xdev -type f -perm -002 -exec chmod o-w {} \; - -diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/sce/shared.sh b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/sce/shared.sh -index 02e5cd08e..104d1371a 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/sce/shared.sh -+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel,Ubuntu 24.04 -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Ubuntu 24.04 - # check-import = stdout - - {{{ find_files(find_parameters="-nogroup", fail_message="Found ungroupowned files", exclude_directories="sysroot") }}} -diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/unowned_file_tmp.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/unowned_file_tmp.fail.sh -index 44f6c84dd..b37b68810 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/unowned_file_tmp.fail.sh -+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/unowned_file_tmp.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_rhel,multi_platform_ubuntu -+# platform = 
multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu - # remediation = none - - mount tmpfs /tmp -t tmpfs -diff --git a/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/sce/shared.sh b/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/sce/shared.sh -index 12f46c0b1..cf3e7428c 100644 ---- a/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/sce/shared.sh -+++ b/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel,Ubuntu 24.04 -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Ubuntu 24.04 - # check-import = stdout - - {{{ find_files(find_parameters="-nogroup", fail_message="Found ungroupowned files or directories", exclude_directories="sysroot") }}} -diff --git a/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/tests/unowned_file_tmp.fail.sh b/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/tests/unowned_file_tmp.fail.sh -index ef64cf6aa..2e5220217 100644 ---- a/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/tests/unowned_file_tmp.fail.sh -+++ b/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/tests/unowned_file_tmp.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_rhel,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu - # remediation = none - - touch /tmp/test -diff --git a/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/sce/shared.sh b/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/sce/shared.sh -index 5c2dda5f9..68877027e 100644 ---- a/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/sce/shared.sh -+++ b/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/sce/shared.sh -@@ -1,5 +1,5 
@@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu - # check-import = stdout - - {{{ find_files(find_parameters="-nouser", fail_message="Found unowned files or directories") }}} -diff --git a/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/tests/unowned_file_tmp.fail.sh b/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/tests/unowned_file_tmp.fail.sh -index c1d6cd0fb..78faa5993 100644 ---- a/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/tests/unowned_file_tmp.fail.sh -+++ b/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/tests/unowned_file_tmp.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu - # remediation = none - - touch /tmp/test -diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/sce/shared.sh b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/sce/shared.sh -index 982caa000..5fcb2cf41 100644 ---- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/sce/shared.sh -+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu - # check-import = stdout - - {{{ find_files(find_parameters="-nouser", fail_message="Found unowned files") }}} -diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/tests/unowned_file_tmp.fail.sh b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/tests/unowned_file_tmp.fail.sh 
-index c1b6d3e79..8109c5d55 100644 ---- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/tests/unowned_file_tmp.fail.sh -+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/tests/unowned_file_tmp.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ubuntu -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu - # remediation = none - - mount tmpfs /tmp -t tmpfs -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml -index 29ec8f733..1e3d5130e 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = multi_platform_slmicro,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_slmicro,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # reboot = false - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh -index 83c283c8c..188870908 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_slmicro,multi_platform_rhel,multi_platform_fedora -+# platform = 
multi_platform_slmicro,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - - # Create /etc/security/opasswd if needed - # Owner group mode root.root 0600 -diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh -index 64c5cc680..8c4537502 100644 ---- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh -+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu,multi_platform_ol -+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ubuntu,multi_platform_ol - - for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64 - do -diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh -index 651297f9e..7c4db56db 100644 ---- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh -+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu,multi_platform_ol -+# platform = 
multi_platform_sle,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ubuntu,multi_platform_ol - - groupadd group_test - {{% if 'ol8' in product or 'rhel' in product %}} -diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/kubernetes/shared.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/kubernetes/shared.yml -index b0d594003..4a71eccda 100644 ---- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/kubernetes/shared.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/kubernetes/shared.yml -index 5ce0decba..b7a4243e4 100644 ---- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/bash/shared.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/bash/shared.sh -index 59e39270d..5c154d333 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/bash/shared.sh -+++ 
b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - - # Delete particular /etc/fstab's row if /var/tmp is already configured to - # represent a mount point (for some device or filesystem other than /tmp) -diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/kubernetes/shared.yml -index d94802273..554e34e00 100644 ---- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/kubernetes/shared.yml -index d94802273..554e34e00 100644 ---- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git 
a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/kubernetes/shared.yml -index 41cbd1197..481afa583 100644 ---- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/kubernetes/shared.yml -index 415b0486d..02b1e991a 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/kubernetes/shared.yml -index 7a4c107b2..22e209120 100644 ---- 
a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/kubernetes/shared.yml -index 88c683445..fa9b2020d 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml -index a15c44348..38d75d71a 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml -@@ -12,7 +12,7 @@ rationale: |- - - severity: medium - --{{% if product in ["rhel9", "rhel10"] %}} -+{{% if product in ["rhel9", "almalinux9", "rhel10"] %}} - conflicts: - - sysctl_kernel_core_pattern_empty_string - {{% endif %}} -diff --git 
a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/kubernetes/shared.yml -index 36e025cc3..e97acde11 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/kubernetes/shared.yml -index 505b3c12b..cdf18e6dd 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/kubernetes/shared.yml -index 0541e59a7..50020c28c 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# 
platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/kubernetes/shared.yml -index 2e24d9211..7b706bb32 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh -index c9de45e02..30a9748a5 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10 -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9,Red Hat Enterprise Linux 10 - - # Clean sysctl config directories - rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -diff --git 
a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh -index 77ebd1e1d..315ea35f9 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10 -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9,Red Hat Enterprise Linux 10 - - # Clean sysctl config directories - rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh -index 99fb0ec06..41e828cc6 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10 -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9,Red Hat Enterprise Linux 10 - - # Clean sysctl config directories - rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh -index ec71c16c9..36bb1e6af 100644 ---- 
a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10 -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9,Red Hat Enterprise Linux 10 - - # Clean sysctl config directories - rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/kubernetes/shared.yml -index ceafd4839..7006e2066 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/kubernetes/shared.yml -index 7519b7740..af6c30abd 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhcos,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - apiVersion: 
machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/kubernetes/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/kubernetes/shared.yml -index fdd4fb83e..3274d5b36 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/kubernetes/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - apiVersion: machineconfiguration.openshift.io/v1 - kind: MachineConfig - spec: -diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh b/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh -index 9558acad7..52cc0a789 100644 ---- a/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh -+++ b/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - - # Package libselinux cannot be uninstalled normally - # as it would cause removal of sudo package which is -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/absent.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/absent.fail.sh -index c7385d2c3..af8f3234a 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/absent.fail.sh -+++ 
b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/absent.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = bind --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - - BIND_CONF='/etc/named.conf' -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh -index b00bbfe21..5816460d8 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh -@@ -1,4 +1,4 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - {{{ bash_package_remove("bind") }}} -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/no_config_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/no_config_file.fail.sh -index 4f9c749eb..9b3b78230 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/no_config_file.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/no_config_file.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # packages = bind - # --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle 
Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - # We don't remediate anything if the config file is missing completely. - # remediation = none - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/ok.pass.sh -index 34a32a73b..aaaa24a6a 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/ok.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/ok.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = bind --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - BIND_CONF='/etc/named.conf' - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/overrides.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/overrides.fail.sh -index 290e5fb07..4a16731bd 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/overrides.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/overrides.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = bind --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - - BIND_CONF='/etc/named.conf' -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/kubernetes/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/kubernetes/shared.yml -index 
dd096ab41..b180ed3b3 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/kubernetes/shared.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/kubernetes/shared.yml -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos - # reboot = true - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/cis_l2.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/cis_l2.pass.sh -index 7ba994e11..f9e6939f0 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/cis_l2.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/cis_l2.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - # profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_cis_workstation_l2 - # packages = crypto-policies-scripts - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_and_current_same_time.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_and_current_same_time.pass.sh -index fc2a50a39..5216b9c9b 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_and_current_same_time.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_and_current_same_time.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora -+# platform = Oracle 
Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # packages = crypto-policies-scripts - - # IMPORTANT: This is a false negative scenario. -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_newer_than_current.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_newer_than_current.fail.sh -index 4414dbb23..5d20befa2 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_newer_than_current.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/config_newer_than_current.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora -+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # packages = crypto-policies-scripts - - update-crypto-policies --set "DEFAULT" -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh -index 713b3a918..9e85563e9 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora -+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # profiles = xccdf_org.ssgproject.content_profile_ospp - # packages = crypto-policies-scripts - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy.fail.sh -index d335cd229..29fba75a9 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux - # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard - # packages = crypto-policies-scripts - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy_file.fail.sh -index 3c2d65e3c..27bee6e43 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy_file.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_policy_file.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux - # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard - # packages = crypto-policies-scripts - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_file.pass.sh -index 2f734ca0c..b1d3a9e5c 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_file.pass.sh -+++ 
b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_file.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora -+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # profiles = xccdf_org.ssgproject.content_profile_ospp - # packages = crypto-policies-scripts - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh -index f4f88117f..831b56393 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora -+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # profiles = xccdf_org.ssgproject.content_profile_ospp - # packages = crypto-policies-scripts - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh -index a09f7bf9b..91d160f01 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9 -+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - # profiles = 
xccdf_org.ssgproject.content_profile_cis_server_l1,xccdf_org.ssgproject.content_profile_cis_workstation_l1 - # packages = crypto-policies-scripts - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh -index a2107d146..6e036355c 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - # profiles = xccdf_org.ssgproject.content_profile_e8 - # packages = crypto-policies-scripts - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_set.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_set.pass.sh -index bb2cf5405..ad2c135cc 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_set.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_default_set.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux - # profiles = xccdf_org.ssgproject.content_profile_standard - # packages = crypto-policies-scripts - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh 
b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh -index 7dc906f73..f51b7ef62 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora -+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # profiles = xccdf_org.ssgproject.content_profile_ospp - # packages = crypto-policies-scripts - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/wrong_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/wrong_policy.fail.sh -index 169e6773c..ab47972de 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/wrong_policy.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/wrong_policy.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux - # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard - # packages = crypto-policies-scripts - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_correct_policy.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_correct_policy.pass.sh -index 4834387dc..30bb91a51 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_correct_policy.pass.sh -+++ 
b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_correct_policy.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - rm -f /etc/krb5.conf.d/crypto-policies - ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_missing_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_missing_policy.fail.sh -index 97ccc0590..de8172ee7 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_missing_policy.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_missing_policy.fail.sh -@@ -1,4 +1,4 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - rm -f /etc/krb5.conf.d/crypto-policies -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_wrong_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_wrong_policy.fail.sh -index 4eb5348f2..f354072e2 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_wrong_policy.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/tests/kerberos_wrong_policy.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = 
multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - rm -f /etc/krb5.conf.d/crypto-policies - ln -s /etc/crypto-policies/back-ends/openssh.config /etc/krb5.conf.d/crypto-policies -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh -index 9379b5ff3..cc866215f 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh -@@ -1,4 +1,4 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - {{{ bash_package_remove("libreswan") }}} -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_commented.fail.sh -index 439da4978..7c03e806a 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_commented.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_commented.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = libreswan --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle 
Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - - cp ipsec.conf /etc -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_is_there.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_is_there.pass.sh -index fbc8f1001..0a9f05ba6 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_is_there.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_is_there.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = libreswan --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - - cp ipsec.conf /etc -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_not_there.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_not_there.fail.sh -index 70f822342..845f073ed 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_not_there.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_not_there.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = libreswan --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - - cp ipsec.conf /etc -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/wrong_value.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/wrong_value.fail.sh -index 2863c6102..d58382e0d 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/wrong_value.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/wrong_value.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = libreswan --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - - cp ipsec.conf /etc -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml -index ec317036c..f5cfd007c 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml -@@ -11,7 +11,7 @@ - {{%- set openssl_cnf_dir="/etc/pki/tls" %}} - {{% endif %}} - --{{% if product in ["fedora", "ol9", "rhel9"] %}} -+{{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} - {{% set ansible_openssl_include_directive = ".include = /etc/crypto-policies/back-ends/opensslcnf.config" %}} - {{% else %}} - {{% set ansible_openssl_include_directive = ".include /etc/crypto-policies/back-ends/opensslcnf.config" %}} -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh -index 4e77718c8..d73aa3a79 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh -+++ 
b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh -@@ -2,7 +2,7 @@ - - OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' - OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' --{{% if product in ["fedora", "ol9", "rhel9"] %}} -+{{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} - OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config' - {{% else %}} - OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -index 9fea29831..36efce737 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -@@ -9,7 +9,7 @@ title: 'Configure OpenSSL library to use System Crypto Policy' - {{%- set openssl_cnf_path="/etc/pki/tls/openssl.cnf" %}} - {{%- endif %}} - --{{% if product in ["fedora", "ol9", "rhel9"] %}} -+{{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} - {{% set include_directive = ".include = /etc/crypto-policies/back-ends/opensslcnf.config" %}} - {{% else %}} - {{% set include_directive = ".include /etc/crypto-policies/back-ends/opensslcnf.config" %}} -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/include_with_equal_sign.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/include_with_equal_sign.pass.sh -index 8ccb6cef9..06a39c498 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/include_with_equal_sign.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/include_with_equal_sign.pass.sh -@@ -1,5 
+1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - . common.sh - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/nothing.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/nothing.fail.sh -index edeca90f0..95099f865 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/nothing.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/nothing.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_sle -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_sle - - . common.sh - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh -index 8c509ef32..bc555e4c7 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_sle -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_sle - - . 
common.sh - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/section_not_include.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/section_not_include.fail.sh -index 1c9342e23..16b5b1f92 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/section_not_include.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/section_not_include.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_sle -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_sle - - . common.sh - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh -index 1b2ea8d80..17e2ee78e 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_sle -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_sle - - . 
common.sh - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/absent.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/absent.pass.sh -index 96ae6a064..098df76af 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/absent.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/absent.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - SSH_CONF="/etc/sysconfig/sshd" - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/case_insensitive_present.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/case_insensitive_present.fail.sh -index 6ab33f749..90181fa53 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/case_insensitive_present.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/case_insensitive_present.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - SSH_CONF="/etc/sysconfig/sshd" - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/comment.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/comment.pass.sh -index bcea9badc..b6a2c3b71 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/comment.pass.sh 
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/comment.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - SSH_CONF="/etc/sysconfig/sshd" - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/no_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/no_config_file.pass.sh -index ea6d23ee1..705d5891f 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/no_config_file.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/no_config_file.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - - SSH_CONF="/etc/sysconfig/sshd" - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/overrides.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/overrides.fail.sh -index a6e7c89da..edade27ed 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/overrides.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/tests/overrides.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 
OS 9 - - SSH_CONF="/etc/sysconfig/sshd" - -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh -index 0b0d646f6..9874db425 100644 ---- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 9,Red Hat Enterprise Linux 9 -+# platform = Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - # variables = sshd_approved_ciphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr - - sshd_approved_ciphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh -index 91ab7de0c..c4a5ec70b 100644 ---- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 9,Red Hat Enterprise Linux 9 -+# platform = Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - # variables = sshd_approved_ciphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr - # remediation = none - -diff --git 
a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh -index a691117b4..e33f64479 100644 ---- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 9,Red Hat Enterprise Linux 9 -+# platform = Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - # variables = sshd_approved_macs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 - - sshd_approved_macs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh -index 463c79ced..766179119 100644 ---- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Oracle Linux 9,Red Hat Enterprise Linux 9 -+# platform = Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux OS 9 - # variables = sshd_approved_macs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 - # remediation = none - -diff --git 
a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_missing.fail.sh b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_missing.fail.sh -index d0a400adf..1f0cf1317 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_missing.fail.sh -+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_missing.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = crypto-policies-scripts --# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_ol -+# platform = multi_platform_rhel,multi_platform_almalinux,Red Hat Virtualization 4,multi_platform_ol - {{% if 'rhel' in product %}} - # remediation = none - {{% endif %}} -diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_present.pass.sh b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_present.pass.sh -index b92e82236..138d2c997 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_present.pass.sh -+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/tests/fips_dracut_module_present.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = crypto-policies-scripts --# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_ol -+# platform = multi_platform_rhel,multi_platform_almalinux,Red Hat Virtualization 4,multi_platform_ol - - fips-mode-setup --enable - FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" -diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -index 4bfb5f6cc..5c7870089 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -+++ 
b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -@@ -119,7 +119,7 @@ - -- {{% if product in ["ol9","rhel9","rhel10","fedora"] -%}} -+ {{% if product in ["ol9","rhel9", "almalinux9","rhel10","fedora"] -%}} - ^FIPS(:(OSPP|STIG))?$ - {{%- else %}} - {{# Legacy and more relaxed list of crypto policies that were historically considered -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/sce/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/sce/shared.sh -index df1317b6b..b3c62cf8c 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/sce/shared.sh -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux - # check-import = stdout - - readarray -t FILES_WITH_INCORRECT_HASHES < <(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' ) -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/sce/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/sce/shared.sh -index 30e53fd4c..88bbc9f5a 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/sce/shared.sh -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux - # check-import = stdout - - readarray -t FILES_WITH_INCORRECT_OWNERSHIP < <(rpm -Va --nofiledigest | awk '{ if 
(substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }') -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/sce/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/sce/shared.sh -index a2cee384f..5c01dd1d6 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/sce/shared.sh -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/sce/shared.sh -@@ -1,5 +1,5 @@ - #!/usr/bin/env bash --# platform = multi_platform_fedora,multi_platform_rhel -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux - # check-import = stdout - - readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }') -diff --git a/linux_os/guide/system/software/sudo/package_sudo_installed/tests/custom-package-removed.fail.sh b/linux_os/guide/system/software/sudo/package_sudo_installed/tests/custom-package-removed.fail.sh -index f8b112e1a..33a266be6 100644 ---- a/linux_os/guide/system/software/sudo/package_sudo_installed/tests/custom-package-removed.fail.sh -+++ b/linux_os/guide/system/software/sudo/package_sudo_installed/tests/custom-package-removed.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - - # Package libselinux cannot be uninstalled normally - # as it would cause removal of sudo package which is -diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml -index cc5603baa..e1f99a791 100644 ---- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml -+++ 
b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml -@@ -13,7 +13,7 @@ rationale: |- - or an on-premise server such as Subscription Asset Manager) and works with - content management tools such as {{{ package_manager }}}. - -- {{% if product in ["rhel9"] %}} -+ {{% if product in ["rhel9", "almalinux9"] %}} - The package provides, among other things, {{{ package_manager }}} plugins - to interact with repositories and subscriptions - from the Red Hat entitlement platform - the subscription-manager and -diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/ansible/shared.yml b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/ansible/shared.yml -index e43ee7994..8b41b5d93 100644 ---- a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/ansible/shared.yml -+++ b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle,Oracle Linux 8 -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,Oracle Linux 8 - # reboot = false - # strategy = unknown - # complexity = low -diff --git a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/ansible/shared.yml b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/ansible/shared.yml -index 1c68a6ec3..fa8f50b84 100644 ---- a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/ansible/shared.yml -+++ b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle,Oracle Linux 8 -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,Oracle Linux 8 - # reboot = false - # strategy = unknown - # complexity = low -diff --git 
a/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/ansible/shared.yml b/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/ansible/shared.yml -index 015c5b029..508241c9f 100644 ---- a/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/ansible/shared.yml -+++ b/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # reboot = false - # strategy = enable - # complexity = low -diff --git a/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/bash/shared.sh b/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/bash/shared.sh -index eb390cd1f..ac318fa9a 100644 ---- a/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/bash/shared.sh -+++ b/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - - function replace_all_gpgcheck { - sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* -diff --git a/products/almalinux9/CMakeLists.txt b/products/almalinux9/CMakeLists.txt -index 99799a709..ae4b60220 100644 ---- a/products/almalinux9/CMakeLists.txt -+++ b/products/almalinux9/CMakeLists.txt -@@ -3,4 +3,24 @@ if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") - message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") - endif() - --ssg_build_product("almalinux9") -+set(PRODUCT "almalinux9") -+ -+ssg_build_product(${PRODUCT}) -+ -+ssg_build_html_cce_table(${PRODUCT}) -+ -+ssg_build_html_srgmap_tables(${PRODUCT}) -+ -+if(SSG_SRG_XLSX_EXPORT) -+ ssg_build_xlsx_srg_export(${PRODUCT} "srg_gpos") -+endif() -+ 
-+ssg_build_html_stig_tables(${PRODUCT}) -+ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig") -+ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig_gui") -+ -+#ssg_build_html_stig_tables(${PRODUCT} "ospp") -+ -+if(SSG_CENTOS_DERIVATIVES_ENABLED) -+ ssg_build_derivative_product(${PRODUCT} "centos" "cs9") -+endif() -diff --git a/products/almalinux9/controls/bsi_sys_1_1_rhel9.yml b/products/almalinux9/controls/bsi_sys_1_1_rhel9.yml -new file mode 100644 -index 000000000..fda552979 ---- /dev/null -+++ b/products/almalinux9/controls/bsi_sys_1_1_rhel9.yml -@@ -0,0 +1,678 @@ -+--- -+# In BSI Basic Protection are multiple Requirements in one control. -+# i.e. there are multiple sentences, some including a RFC2119 keyword -+# Since we must increase granularity to create a precise control, -+# we number each sentence with a RFC2119 keyword as a section, grouping sentences, which are logically connected. -+# we number inline in brackets, so the lookup is easy -+# we reference these numbers in comments over each rule or group of rules -+policy: 'BSI-SYS-1-1-RHEL9' -+title: 'SYS.1.1 General Server (RHEL9)' -+id: bsi_sys_1_1_rhel9 -+version: '1.0' -+source: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf -+ -+levels: -+ - id: basic -+ - id: standard -+ inherits_from: -+ - basic -+ - id: elevated -+ inherits_from: -+ - standard -+ -+reference_type: bsi -+product: rhel9 -+ -+controls: -+ - id: SYS.1.1.A1 -+ title: Appropriate Installation -+ levels: -+ - basic -+ description: |- -+ (1) Servers MUST be operated in locations that may only be accessed by authorised persons. -+ (2) Servers MUST therefore be set up and installed in data centres, computer rooms, or lockable server rooms (see the corresponding modules in the INF Infrastructure layer). (3) Servers MUST NOT be used as personal computers (4) IT systems used as workstations MUST NOT be used as servers. 
-+ notes: |- -+ This requirement must be implemented organizationally and cannot be checked technically -+ status: manual -+ -+ - id: SYS.1.1.A2 -+ title: User Authentication on Servers -+ levels: -+ - basic -+ description: |- -+ (1) Authentication methods adequate for the protection needs at hand MUST be used when users and services log into servers. (2) This SHOULD be taken into account for administrative access in particular. (3) Central, network-based authentication services SHOULD be used whenever possible. -+ notes: |- -+ Section 1,2: sshd configuration, NoPermitRootLogin,PAM -+ Section 3: AD Integration, IdM? -+ status: pending -+ -+ - id: SYS.1.1.A3 -+ title: ELIMINATED -+ levels: -+ - basic -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. -+ status: not applicable -+ -+ - id: SYS.1.1.A4 -+ title: ELIMINATED -+ levels: -+ - basic -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. -+ status: not applicable -+ -+ - id: SYS.1.1.A5 -+ title: Protection of Interfaces -+ levels: -+ - basic -+ description: |- -+ (1) It MUST be ensured that only specified removable storage media and other devices can be -+ connected to servers. All interfaces that are no longer needed must be disabled. -+ notes: |- -+ Section 1: If you dont utilize specific software to control the allowed devices for usb ports, -+ you can ensure compliance by disabling the usb port completely. -+ Interfaces is ambigious, it is focussed on usb etc. not on network. 
-+ status: automated -+ rules: -+ # Section 1 -+ # USB -+ - grub2_nousb_argument -+ - bios_disable_usb_boot -+ - kernel_module_usb-storage_disabled -+ # Automount -+ - service_autofs_disabled -+ # Firewire -+ - kernel_module_firewire-core_disabled -+ -+ - id: SYS.1.1.A6 -+ title: Disabling Unnecessary Services -+ levels: -+ - basic -+ description: |- -+ (1) All unnecessary services and applications — particularly network services — MUST be -+ disabled or uninstalled. (2) All unused functions in firmware MUST also be disabled. -+ (3) On servers, the disk space allotted to both individual users and applications SHOULD be -+ restricted appropriately. -+ (4) The decisions taken in this regard SHOULD be documented in a way that makes it clear which -+ configuration and software equipment was chosen for servers. -+ notes: |- -+ Section 1: We can conclude for servers, that wireless protocols are unnecessary -+ Section 4: Documentation and organizational tasks. -+ status: partial -+ rules: -+ # Section 1, 2 -+ - mask_nonessential_services -+ - configure_firewalld_ports -+ - kernel_module_bluetooth_disabled -+ - kernel_module_cfg80211_disabled -+ - kernel_module_iwlmvm_disabled -+ - kernel_module_iwlwifi_disabled -+ - kernel_module_mac80211_disabled -+ - service_bluetooth_disabled -+ - wireless_disable_in_bios -+ - wireless_disable_interfaces -+ # Section 3 -+ - partition_for_home -+ - partition_for_opt -+ - partition_for_var -+ - partition_for_var_log -+ - partition_for_usr -+ - partition_for_tmp -+ - partition_for_var_tmp -+ -+ - id: SYS.1.1.A7 -+ title: ELIMINATED -+ levels: -+ - basic -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. -+ status: not applicable -+ -+ - id: SYS.1.1.A8 -+ title: ELIMINATED -+ levels: -+ - basic -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. 
-+ status: not applicable -+ -+ - id: SYS.1.1.A9 -+ title: Using Anti-Virus Programs on Servers -+ levels: -+ - basic -+ description: |- -+ (1) Whether virus protection programs can and should be used MUST be checked depending on the -+ operating system installed, the services provided, and other existing protection mechanisms of -+ the server in question. (2) Where available, concrete statements from the relevant operating -+ system modules of the IT-Grundschutz Compendium on whether virus protection is necessary MUST -+ be considered. -+ notes: |- -+ Section 1,2: Antivirus software on linux systems is more useful, if the servers provide any -+ file or mailservices to endpoints. -+ status: automated -+ rules: -+ - install_antivirus -+ - install_endpoint_security_software -+ -+ - id: SYS.1.1.A10 -+ title: Logging -+ levels: -+ - basic -+ description: |- -+ (1) In general, all security-relevant system events MUST be logged, including the following at -+ minimum: -+ • (2) System starts and reboots -+ • (3) Successful and failed login attempts (operating system and application software) -+ • (4) Failed authorisation checks -+ • (5) Blocked data flows (violations of ACLs or firewall rules) -+ • (6) Creation of or changes to users, groups, and authorisations -+ • (7) Security-relevant error messages (e.g. hardware defects, exceeded capacity limits) -+ • (8) Warnings from security systems (e.g. virus protection) -+ notes: |- -+ This whole requirement is more specifically implemented in the CIS hardening guide, which also -+ defines permissions to protect against manipulations. -+ Section 7 and 8 are not addressed explicitly with rules, as 8 is specific for the AV software -+ and 7 is quite broad. 
-+ # OPS.1.1.5: Logging Anforderung anschauen -+ # AIDE -+ Section 2: Only in system logs, not in specialized audit logs -+ Section 5: Identify how firewalld logs and if we could use that -+ status: automated -+ rules: -+ # ensure auditd is installed -+ - package_audit_installed -+ - package_audit-libs_installed -+ # ensure auditd is enabled -+ - service_auditd_enabled -+ # Section 2 (start / reboot) -+ - grub2_audit_argument -+ - grub2_audit_backlog_limit_argument -+ - var_audit_backlog_limit=8192 -+ # Section 3 (login) -+ - audit_rules_session_events -+ - audit_rules_login_events_faillock -+ - audit_rules_login_events_lastlog -+ - var_accounts_passwords_pam_faillock_dir=run -+ # Section 4 (authorization) -+ - audit_rules_sysadmin_actions -+ - audit_rules_suid_auid_privilege_function -+ - audit_sudo_log_events -+ - audit_rules_privileged_commands -+ - audit_rules_execution_chcon -+ - audit_rules_execution_setfacl -+ # Section 5 (dataflows / firewall) -+ - audit_rules_dac_modification_chmod -+ - audit_rules_dac_modification_chown -+ - audit_rules_dac_modification_fchmod -+ - audit_rules_dac_modification_fchmodat -+ - audit_rules_dac_modification_fchown -+ - audit_rules_dac_modification_fchownat -+ - audit_rules_dac_modification_fremovexattr -+ - audit_rules_dac_modification_fsetxattr -+ - audit_rules_dac_modification_lchown -+ - audit_rules_dac_modification_lremovexattr -+ - audit_rules_dac_modification_lsetxattr -+ - audit_rules_dac_modification_removexattr -+ - audit_rules_dac_modification_setxattr -+ # Section 6 (users and groups) -+ - audit_rules_usergroup_modification_group -+ - audit_rules_usergroup_modification_gshadow -+ - audit_rules_usergroup_modification_opasswd -+ - audit_rules_usergroup_modification_passwd -+ - audit_rules_usergroup_modification_shadow -+ - audit_rules_privileged_commands_usermod -+ -+ - id: SYS.1.1.A11 -+ title: Defining a Security Policy for Servers -+ levels: -+ - standard -+ description: |- -+ (1) Based on the general security 
policy of the organisation in question, the requirements for -+ servers SHOULD be specified in a separate security policy. (2) This policy SHOULD be known to -+ all administrators and other persons involved in the procurement and operation of servers and -+ be integral to their work. (3) The implementation of the policy's requirements SHOULD be -+ checked at regular intervals. (4) The results SHOULD be appropriately documented. -+ notes: |- -+ This requirement must be implemented organizationally. -+ If we interprete this towards hardening, the CIS Profile could be used -+ status: manual -+ -+ - id: SYS.1.1.A12 -+ title: Planning the Use of Servers -+ levels: -+ - standard -+ description: |- -+ Each server system SHOULD be suitably planned. In this process, the following points -+ SHOULD be taken into account at minimum: -+ • Selection of the hardware platform, operating system, and application software -+ • Hardware capacity (performance, memory, bandwidth, etc) -+ • Type and number of communication interfaces -+ • Power consumption, thermal load, space requirements, and structural shape -+ • Administrative access points (see SYS.1.1.A5 Protection of Administration Interfaces) -+ • User access -+ • Logging (see SYS.1.1.A10 Logging). -+ • Updates for operating systems and applications -+ • Integration into system and network management, backups, and protection systems -+ (virus protection, IDS, etc) -+ All decisions taken in the planning phase SHOULD be documented in such a way that they can -+ be understood at any future point in time. -+ notes: |- -+ This requirement must be implemented organizationally. -+ Some parts could be technically checked, i.e. if repositories are configureg, if AV is -+ installed and therelike. 
-+ status: manual -+ -+ - id: SYS.1.1.A13 -+ title: Procurement of Servers -+ levels: -+ - standard -+ description: |- -+ Prior to procuring one or more servers, a requirements list SHOULD be drawn up that can be -+ used to evaluate the products available on the market. -+ notes: |- -+ This requirement must be implemented organizationally. -+ status: manual -+ -+ - id: SYS.1.1.A14 -+ title: ELIMINATED -+ levels: -+ - standard -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. -+ status: not applicable -+ -+ - id: SYS.1.1.A15 -+ title: Stable and Uninterruptible Power Supply [Building Services] -+ levels: -+ - standard -+ description: |- -+ (1) Every server SHOULD be connected to an uninterruptible power supply (UPS). -+ notes: |- -+ This requirement must be implemented organizationally. -+ status: manual -+ -+ - id: SYS.1.1.A16 -+ title: Secure Basic Configuration of Servers -+ levels: -+ - standard -+ description: |- -+ (1) The basic settings of servers SHOULD be checked and, where necessary, adapted to the -+ specifications of the security policy at hand. (2) Clients SHOULD only be connected to the -+ Internet after the installation and configuration have been completed. -+ notes: |- -+ One could argue, that this is done with this profile. Or could utilize the CIS Benchmark again, -+ if CIS is the security policy -+ status: inherently met -+ # rules: -+ -+ - id: SYS.1.1.A17 -+ title: ELIMINATED -+ levels: -+ - standard -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. -+ status: not applicable -+ -+ - id: SYS.1.1.A18 -+ title: ELIMINATED -+ levels: -+ - standard -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. 
-+ status: not applicable -+ -+ - id: SYS.1.1.A19 -+ title: Configuring Local Packet Filters -+ levels: -+ - standard -+ description: |- -+ (1) Based on a set of rules, existing local packet filters SHOULD be designed to limit -+ incoming and outgoing communications to the necessary communication partners, communication -+ protocols, ports, and interfaces. (2) The identity of remote systems and the integrity of -+ corresponding connections SHOULD be protected cryptographically. -+ notes: |- -+ Section 1: This can be addressed by utilizing firewalld or therelike -+ Section 2: this must be configured on the application layer -+ # deactivate WebConsole to circumvent TLS -+ status: partial -+ rules: -+ # Section 1 -+ - service_firewalld_enabled -+ - package_firewalld_installed -+ - unnecessary_firewalld_services_ports_disabled -+ - set_firewalld_appropriate_zone -+ -+ - id: SYS.1.1.A20 -+ title: ELIMINATED -+ levels: -+ - standard -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. -+ status: not applicable -+ -+ - id: SYS.1.1.A21 -+ title: Operational Documentation for Servers -+ levels: -+ - standard -+ description: |- -+ (1) Operational tasks that are carried out on a server SHOULD be clearly documented in terms -+ of what has been done, when, and by whom. (2) In particular, the documentation SHOULD make -+ configuration changes transparent. (3) Security-relevant responsibilities, such as who is -+ authorised to install new hard disks, SHOULD be documented. (4) Everything that can be -+ documented automatically SHOULD be documented automatically. (5) The documentation SHOULD be -+ protected against unauthorised access and loss. -+ notes: |- -+ This requirement must be implemented organizationally. 
-+ status: manual -+ -+ - id: SYS.1.1.A22 -+ title: Integration into Contingency Planning -+ levels: -+ - standard -+ description: |- -+ (1) Servers SHOULD be taken into account in business continuity management processes. -+ (2) To this end, the contingency requirements for the system in question SHOULD be determined -+ and appropriate contingency procedures implemented—for example, by drawing up recovery plans -+ or securely storing passwords and cryptographic keys. -+ notes: |- -+ This requirement must be implemented organizationally. -+ status: manual -+ -+ - id: SYS.1.1.A23 -+ title: Monitoring Systems and Servers -+ levels: -+ - standard -+ description: |- -+ (1) Server systems SHOULD be integrated into an appropriate system monitoring concept. -+ (2) The status and functionality of these systems and the services operated on them SHOULD be -+ continuously monitored. (3) Error conditions and defined thresholds that are exceeded SHOULD -+ be reported to the operating personnel. -+ notes: |- -+ Monitoring is a very specific and organization dependend task. therefore we do not -+ check this automatically -+ status: manual -+ # rules: -+ # there does not seem to be a rule for that -+ -+ - id: SYS.1.1.A24 -+ title: Security Checks for Servers -+ levels: -+ - standard -+ description: |- -+ (1) Servers SHOULD be subjected to regular security tests to check their compliance with the -+ applicable security requirements and identify possible vulnerabilities. (2) In particular, -+ these security tests SHOULD be performed on servers with external interfaces. (3) To prevent -+ indirect attacks via infected systems in an organisation’s own network, internal server -+ systems SHOULD also be checked accordingly at defined intervals. (4) Whether the security -+ checks can be realised automatically—by means of suitable scripts, for example—SHOULD be -+ examined. -+ notes: |- -+ This is met due to the usage of this compliance profile. 
-+ status: inherently met -+ -+ - id: SYS.1.1.A25 -+ title: Controlled Decommissioning of a Server -+ levels: -+ - standard -+ description: |- -+ (1) When decommissioning a server, it SHOULD be ensured that no important data that might -+ still be present on the storage media is lost and no sensitive data remains. -+ (2) There SHOULD be an overview of the data stored in each location on the server. -+ (3) Furthermore, it SHOULD be ensured that services offered by the server will be taken over -+ by another server when necessary. -+ (4) A checklist SHOULD be created that is to be completed when decommissioning a server. -+ (5) This checklist SHOULD at least include aspects related to backing up data, migrating -+ services, and subsequently deleting all data in a secure manner. -+ notes: |- -+ This requirement must be implemented organizationally. -+ status: manual -+ -+ - id: SYS.1.1.A35 -+ title: Drawing Up and Maintaining an Operating Manual -+ levels: -+ - standard -+ description: |- -+ (1) An operating manual SHOULD be drawn up. (2) It SHOULD document all the rules, requirements, -+ and settings that are necessary in operating servers. (3) There SHOULD be a specific operating -+ manual for every type of server. (4) Each operating manual SHOULD be updated at regular -+ intervals. (5) Operating manuals SHOULD be protected against unauthorised access. (6) Operating -+ manuals SHOULD be available in emergencies. -+ notes: |- -+ This requirement must be implemented organizationally. 
-+ status: manual -+ -+ - id: SYS.1.1.A37 -+ title: Encapsulation of Security-Critical Applications and Operating System Components -+ levels: -+ - standard -+ description: |- -+ (1) In order to prevent an attacker from accessing the operating system or other applications and -+ prevent access from the operating system to files that are particularly sensitive, applications -+ and operating system components (such as authentication or certificate verification) SHOULD -+ be specially encapsulated according to their protection needs or isolated from other -+ applications and operating system components. (2) Particular attention SHOULD be paid to -+ security-critical applications that work with data from insecure sources (e.g. web browsers and -+ office communication applications) -+ notes: |- -+ Section 1-2: This can be done by utilizing SELinux for enhanced protection and/or container -+ technology (Microsegmentation) -+ status: automated -+ rules: -+ - package_libselinux_installed -+ - grub2_enable_selinux -+ - selinux_not_disabled -+ - var_selinux_policy_name=targeted -+ - selinux_policytype -+ - var_selinux_state=enforcing -+ - selinux_state -+ - selinux_confinement_of_daemons -+ -+ - id: SYS.1.1.A26 -+ title: ELIMINATED -+ levels: -+ - elevated -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. -+ status: not applicable -+ -+ - id: SYS.1.1.A27 -+ title: Host-Based Attack Detection -+ levels: -+ - elevated -+ description: |- -+ (1) Host-based attack detection systems (also referred to as host-based intrusion detection -+ systems, IDS, or intrusion prevention systems, IPS) SHOULD be used to monitor system -+ behaviour for abnormalities and misuse. (2) The IDS/IPS mechanisms used SHOULD be -+ appropriately selected, configured, and thoroughly tested. (3) If an attack has been detected, -+ the operating personnel SHOULD be alerted in an appropriate manner. 
-+ (4) Using operating system mechanisms or suitable additional products, changes made to system -+ files and configuration settings SHOULD be checked, restricted, and reported. -+ notes: |- -+ Section 1: Can only be checked manually. -+ Section 2,3: this is an organizational requirement -+ Section 4: AIDE could be leveraged as a system mechanism -+ status: partial -+ rules: -+ # Section 1 -+ - install_hids -+ # Section 4 -+ - package_aide_installed -+ - aide_scan_notification -+ - aide_periodic_cron_checking -+ # currently not in rhel9, might cause errors -+ # - aide_periodic_checking_systemd_timer -+ # currently not in rhel9, causes massive error with filesystem walk -+ # - aide_disable_silentreports -+ - aide_build_database -+ -+ - rpm_verify_hashes -+ - rpm_verify_ownership -+ -+ related_rules: -+ # while rpm_verify_permissions is a part of how to detect changes, it conflicts -+ # with permission hardening rules like the cron_permissions rules and therelike. -+ # it is more important to harden the permissions to prevent change, than it is to -+ # ensure that the permissions are the same as in the rpm database. -+ - rpm_verify_permissions -+ -+ - id: SYS.1.1.A28 -+ title: Increasing Availability Through Redundancy -+ levels: -+ - elevated -+ description: |- -+ (1) Server systems with high availability requirements SHOULD be protected adequately against -+ failures. (2) At minimum, suitable redundancies SHOULD be available and maintenance contracts -+ concluded with the respective suppliers. (3) Whether high-availability architectures with -+ automatic failover (across various sites, if necessary) are required in the case of very high -+ requirements SHOULD be checked. -+ notes: |- -+ this is an organizational requirement -+ status: manual -+ -+ - id: SYS.1.1.A29 -+ title: ELIMINATED -+ levels: -+ - elevated -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. 
-+ status: not applicable -+ -+ - id: SYS.1.1.A30 -+ title: One Service per Server -+ levels: -+ - elevated -+ description: |- -+ (1) Depending on the threat landscape at hand and the protection needs of services, only one -+ service SHOULD be operated on each server. -+ notes: |- -+ This requirement must be implemented organizationally. -+ status: manual -+ -+ - id: SYS.1.1.A31 -+ title: Using Execution Control -+ levels: -+ - elevated -+ description: |- -+ (1) Execution control SHOULD be used to ensure that only explicitly authorised programs and -+ scripts can be executed. (2) The rules SHOULD be set as restrictively as possible. (3) If explicit -+ specification of paths and hashes is not possible, certificate-based or path rules SHOULD be -+ used as an alternative. -+ notes: |- -+ While not directly leveraging a allowlist of executable programs, SELinux and fapolicyd help to -+ address this issue. They deny execution or fileaccess based on a list of allowed permissions. -+ status: automated -+ rules: -+ # selinux -+ - package_libselinux_installed -+ - grub2_enable_selinux -+ - selinux_not_disabled -+ - var_selinux_policy_name=targeted -+ - selinux_policytype -+ - var_selinux_state=enforcing -+ - selinux_state -+ - selinux_confinement_of_daemons -+ # fapolicyd -+ - fapolicy_default_deny -+ - package_fapolicyd_installed -+ - service_fapolicyd_enabled -+ -+ - id: SYS.1.1.A32 -+ title: ELIMINATED -+ levels: -+ - elevated -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. -+ status: not applicable -+ -+ - id: SYS.1.1.A33 -+ title: Active Administration of Root Certificates -+ levels: -+ - elevated -+ description: |- -+ (1) As part of the procurement and installation of a server, the root certificates that are -+ required to operate the server SHOULD be documented. (2) Only the previously documented root -+ certificates required for operation SHOULD be present on the server. 
(3) Regular checks SHOULD -+ be performed as to whether existing root certificates still comply with the respective -+ organisation’s requirements. (4) All certificate stores on the IT system at hand SHOULD be -+ included in these checks. -+ notes: |- -+ Section 1: organizational control -+ Section 2-4: can be addressed by a manual rule in OpenSCAP -+ This can be in conflict with rpm_checks as changing the ca-trust-store triggers these checks. -+ status: manual -+ rules: -+ # Section 1-4 -+ - only_allow_specific_certs -+ -+ - id: SYS.1.1.A34 -+ title: Hard Disk Encryption -+ levels: -+ - elevated -+ description: |- -+ (1) In case of increased protection needs, a server's storage media should be encrypted using a -+ product or procedure that is considered secure. (2) This SHOULD also apply to virtual machines -+ containing production data. (3) Trusted Platform Module (TPM) SHOULD NOT be the only form -+ of key protection used. (4) Recovery passwords SHOULD be stored in an appropriate and secure -+ location. (5) In case of very high requirements (e.g. regarding confidentiality), full volume or full -+ disk encryption SHOULD be used. -+ notes: |- -+ Section 1-3: Specification of what is needed -+ Section 4: organizational control -+ Section 5: can be addressed on a partition label with existing checks -+ # Keylime? -+ # nbde? -+ # https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening -+ status: partial -+ rules: -+ # Section 3 -+ - grub2_rng_core_default_quality_argument -+ # Section 1,5 -+ - encrypt_partitions -+ -+ - id: SYS.1.1.A36 -+ title: Protecting the Boot Process -+ levels: -+ - elevated -+ description: |- -+ (1) A server's boot loader and operating system kernel SHOULD be checked by self-controlled key -+ material that is signed upon system start in a trusted chain (secure boot). 
(2) Unnecessary key -+ material SHOULD be removed. -+ notes: |- -+ At the moment there is no automatic check to check if secure boot is active. -+ It can be done manually by using mokutil --sb-state -+ status: manual -+ rules: [] -+ -+ - id: SYS.1.1.A38 -+ title: Hardening of the Host System by Means of a Read-Only File System -+ levels: -+ - elevated -+ description: |- -+ The integrity of the host system should be ensured by a read-only file system (an immutable OS). -+ notes: |- -+ RHEL does not meet this requirement. RHEL in ImageMode (bootc) might be the solution -+ for that. -+ status: does not meet -diff --git a/products/almalinux9/controls/bsi_sys_1_3_rhel9.yml b/products/almalinux9/controls/bsi_sys_1_3_rhel9.yml -new file mode 100644 -index 000000000..8bc8b128d ---- /dev/null -+++ b/products/almalinux9/controls/bsi_sys_1_3_rhel9.yml -@@ -0,0 +1,421 @@ -+--- -+# In BSI Basic Protection are multiple Requirements in one control. -+# i.e. there are multiple sentences, some including a RFC2119 keyword -+# Since we must increase granularity to create a precise control, -+# we number each sentence with a RFC2119 keyword as a section, grouping sentences, which are logically connected. -+# we number inline in brackets, so the lookup is easy -+# we reference these numbers in comments over each rule or group of rules -+policy: 'BSI-SYS-1-3-RHEL9' -+title: 'SYS.1.3 Linux Server (RHEL9)' -+id: bsi_sys_1_3_rhel9 -+version: '1.0' -+source: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf -+ -+levels: -+ - id: basic -+ - id: standard -+ inherits_from: -+ - basic -+ - id: elevated -+ inherits_from: -+ - standard -+ -+reference_type: bsi -+product: rhel9 -+ -+controls: -+ - id: SYS.1.3.A1 -+ title: ELIMINATED -+ levels: -+ - basic -+ description: |- -+ This requirement has been eliminated. -+ notes: |- -+ This requirement has been eliminated. 
-+ status: not applicable -+ -+ - id: SYS.1.3.A2 -+ title: Careful Allocation of IDs -+ levels: -+ - basic -+ description: |- -+ (1) Each login name, each user ID (UID) and each group ID (GID) MUST ONLY be used once. -+ (2) Every user MUST be a member of at least one group. (3) Every GID mentioned in the /etc/passwd -+ file MUST be defined in the /etc/group file. (4) Every group SHOULD only contain the users that -+ are absolutely necessary. (5) In networked systems, care MUST also be taken to ensure that user -+ and group names (UIDs and GIDs) are assigned consistently in the system network if there is a -+ possibility that the same UIDs or GIDs could be assigned to different user or group names on -+ the systems during cross-system access. -+ notes: |- -+ Section 2: System accounts do not always have a group -+ Section 4 is a manual control -+ Section 5 this cant be checked on a per system base, and therefore is an organizational control -+ status: partial -+ rules: -+ # Section 1 -+ - account_unique_id -+ - account_unique_name -+ - group_unique_id -+ - group_unique_name -+ # Section 2 -+ # this could be automated -+ # Section 3 -+ - gid_passwd_group_same -+ -+ - id: SYS.1.3.A3 -+ title: No Automatic Integration of Removable Drives -+ levels: -+ - basic -+ description: |- -+ (1) Removable media such as USB pen drives or CDs/DVDs MUST NOT be integrated automatically. -+ notes: |- -+ https://access.redhat.com/solutions/18978 -+ status: automated -+ rules: -+ # USB -+ - grub2_nousb_argument -+ - bios_disable_usb_boot -+ - kernel_module_usb-storage_disabled -+ # Automount -+ - service_autofs_disabled -+ -+ - id: SYS.1.3.A4 -+ title: Protection from Exploitation of Vulnerabilities in Applications -+ levels: -+ - basic -+ description: |- -+ (1) ASLR and DEP/NX MUST be activated in the kernel and used by applications to make it harder -+ to exploit vulnerabilities in applications. 
(2) Security functions of the kernel and of the standard
-+ libraries (such as heap and stack protection) MUST NOT be disabled.
-+ notes: |-
-+ This should be the default on all modern platforms
-+ Section 2: organizational requirement towards the admin
-+ status: automated
-+ rules:
-+ - bios_enable_execution_restrictions
-+ - package_libselinux_installed
-+ - grub2_enable_selinux
-+ - selinux_not_disabled
-+
-+ - id: SYS.1.3.A5
-+ title: Secure Installation of Software Packages
-+ levels:
-+ - basic
-+ description: |-
-+ (1) If software to be installed is to be compiled from source code, it MUST ONLY be unpacked,
-+ configured, and compiled using an unprivileged user account. (2) The software to be installed
-+ MUST NOT then be installed in the root file system of the server in question in an
-+ uncontrolled manner.
-+
-+ (3) If the software is compiled from the source text, the selected parameters SHOULD be
-+ documented appropriately. (4) Based on this documentation, it SHOULD be possible to compile
-+ the software in a transparent and reproducible manner at any time. (5) All further installation
-+ steps SHOULD also be documented.
-+ notes: |-
-+ This requirement must be implemented organizationally.
-+ status: manual
-+
-+ - id: SYS.1.3.A6
-+ title: Managing Users and Groups
-+ levels:
-+ - standard
-+ description: |-
-+ (1) The corresponding management tools SHOULD be used for managing users and groups. (2) The
-+ configuration files /etc/passwd, /etc/shadow, /etc/group, and /etc/sudoers SHOULD NOT be
-+ edited directly.
-+ notes: |-
-+ This requirement must be implemented organizationally.
-+ We could add auditing rules for these files, which shows edits, but do not prevent the users
-+ in the toolings they use for editing.
-+ status: partial
-+ rules:
-+ - audit_rules_usergroup_modification_passwd
-+ - audit_rules_usergroup_modification_shadow
-+ - audit_rules_usergroup_modification_group
-+ - audit_rules_usergroup_modification_gshadow
-+ - audit_rules_usergroup_modification_opasswd
-+
-+ - id: SYS.1.3.A7
-+ title: ELIMINATED
-+ levels:
-+ - standard
-+ description: |-
-+ This requirement has been eliminated.
-+ notes: |-
-+ This requirement has been eliminated.
-+ status: not applicable
-+
-+ - id: SYS.1.3.A8
-+ title: Encrypted Access via Secure Shell
-+ levels:
-+ - standard
-+ description: |-
-+ (1) Only Secure Shell (SSH) SHOULD be used to create an encrypted and authenticated interactive
-+ connection between two IT systems. (2) All other protocols whose functions are covered by
-+ Secure Shell SHOULD be disabled completely. (3) For authentication, users SHOULD primarily
-+ use certificates instead of passwords.
-+ notes: |-
-+ Section 1: this should be the default
-+ Section 2: this should be the default
-+ Section 3: The requirement says PRIMARILY use certificate, not disallow PasswordAuthentication
-+ completely
-+ status: automated
-+ rules:
-+ # Section 1
-+ - service_sshd_enabled
-+ - sshd_allow_only_protocol2
-+ - firewalld_sshd_port_enabled
-+ # Section 2
-+ - package_telnet-server_removed
-+ - package_telnet_removed
-+ # Section 3
-+ - sshd_disable_empty_passwords
-+ - sshd_disable_root_password_login
-+ - sshd_enable_pubkey_auth
-+
-+ - id: SYS.1.3.A9
-+ title: ELIMINATED
-+ levels:
-+ - standard
-+ description: |-
-+ This requirement has been eliminated.
-+ notes: |-
-+ This requirement has been eliminated.
-+ status: not applicable
-+
-+ - id: SYS.1.3.A10
-+ title: Preventing Further Intrusion When Vulnerabilities Are Exploited
-+ levels:
-+ - standard
-+ description: |-
-+ (1) Services and applications SHOULD be protected with individual security architecture (e.g.
-+ with AppArmor or SELinux).
(2) In addition, chroot environments and LXC or Docker containers
-+ SHOULD be taken into account here. (3) It SHOULD be ensured that the standard profiles and
-+ rules provided are activated.
-+ notes: |-
-+ Section 2: we could add podman specific tasks, but it would be hard to evaluate if they are
-+ used properly
-+ status: partial
-+ rules:
-+ # Section 1
-+ # SELinux
-+ - package_libselinux_installed
-+ - grub2_enable_selinux
-+ - selinux_not_disabled
-+ # Section 3
-+ - var_selinux_policy_name=targeted
-+ - selinux_policytype
-+ - var_selinux_state=enforcing
-+ - selinux_state
-+ - selinux_confinement_of_daemons
-+
-+ - id: SYS.1.3.A11
-+ title: ELIMINATED
-+ levels:
-+ - standard
-+ description: |-
-+ This requirement has been eliminated.
-+ notes: |-
-+ This requirement has been eliminated.
-+ status: not applicable
-+
-+ - id: SYS.1.3.A12
-+ title: ELIMINATED
-+ levels:
-+ - standard
-+ description: |-
-+ This requirement has been eliminated.
-+ notes: |-
-+ This requirement has been eliminated.
-+ status: not applicable
-+
-+ - id: SYS.1.3.A13
-+ title: ELIMINATED
-+ levels:
-+ - elevated
-+ description: |-
-+ This requirement has been eliminated.
-+ notes: |-
-+ This requirement has been eliminated.
-+ status: not applicable
-+
-+ - id: SYS.1.3.A14
-+ title: Preventing Unauthorised Collection of System and User Information
-+ levels:
-+ - standard
-+ description: |-
-+ (1) Information output for users regarding the operating system and access to protocol and
-+ configuration files SHOULD be limited to the required minimum. (2) Moreover, confidential
-+ information SHOULD NOT be provided as parameters when commands are issued.
-+ notes: |-
-+ Section 2: This requirement must be implemented organizationally.
-+ status: partial
-+ rules:
-+ # Section 1
-+ - file_groupowner_grub2_cfg
-+ - file_owner_grub2_cfg
-+ - file_permissions_grub2_cfg
-+
-+ - file_groupowner_user_cfg
-+ - file_owner_user_cfg
-+ - file_permissions_user_cfg
-+
-+ - file_groupowner_efi_grub2_cfg
-+ - file_owner_efi_grub2_cfg
-+ - file_permissions_efi_grub2_cfg
-+
-+ - file_groupowner_efi_user_cfg
-+ - file_owner_efi_user_cfg
-+ - file_permissions_efi_user_cfg
-+
-+ - file_groupowner_etc_motd
-+ - file_owner_etc_motd
-+ - file_permissions_etc_motd
-+
-+ - file_groupowner_etc_issue
-+ - file_owner_etc_issue
-+ - file_permissions_etc_issue
-+
-+ - file_groupowner_etc_issue_net
-+ - file_owner_etc_issue_net
-+ - file_permissions_etc_issue_net
-+
-+ - file_groupowner_crontab
-+ - file_owner_crontab
-+ - file_permissions_crontab
-+
-+ - file_groupowner_cron_hourly
-+ - file_owner_cron_hourly
-+ - file_permissions_cron_hourly
-+
-+ - file_groupowner_cron_daily
-+ - file_owner_cron_daily
-+ - file_permissions_cron_daily
-+
-+ - file_groupowner_cron_weekly
-+ - file_owner_cron_weekly
-+ - file_permissions_cron_weekly
-+
-+ - file_groupowner_cron_monthly
-+ - file_owner_cron_monthly
-+ - file_permissions_cron_monthly
-+
-+ - file_groupowner_cron_d
-+ - file_owner_cron_d
-+ - file_permissions_cron_d
-+
-+ - file_groupowner_cron_allow
-+ - file_owner_cron_allow
-+ - file_permissions_cron_allow
-+
-+ - file_groupowner_at_allow
-+ - file_owner_at_allow
-+ - file_permissions_at_allow
-+
-+ - file_groupowner_sshd_config
-+ - file_owner_sshd_config
-+ - file_permissions_sshd_config
-+
-+ - file_groupownership_sshd_private_key
-+ - file_ownership_sshd_private_key
-+ - file_permissions_sshd_private_key
-+
-+ - file_groupownership_sshd_pub_key
-+ - file_ownership_sshd_pub_key
-+ - file_permissions_sshd_pub_key
-+
-+ - file_group_ownership_var_log_audit
-+ - file_ownership_var_log_audit
-+ - file_permissions_var_log_audit
-+
-+ - file_groupownership_audit_configuration
-+ - file_ownership_audit_configuration
-+ - 
file_permissions_audit_configuration
-+
-+ - file_groupownership_audit_binaries
-+ - file_ownership_audit_binaries
-+ - file_permissions_audit_binaries
-+
-+ - file_groupowner_etc_passwd
-+ - file_owner_etc_passwd
-+ - file_permissions_etc_passwd
-+
-+ - file_groupowner_backup_etc_passwd
-+ - file_owner_backup_etc_passwd
-+ - file_permissions_backup_etc_passwd
-+
-+ - file_groupowner_etc_group
-+ - file_owner_etc_group
-+ - file_permissions_etc_group
-+
-+ - file_groupowner_backup_etc_group
-+ - file_owner_backup_etc_group
-+ - file_permissions_backup_etc_group
-+
-+ - file_groupowner_etc_shadow
-+ - file_owner_etc_shadow
-+ - file_permissions_etc_shadow
-+
-+ - file_groupowner_backup_etc_shadow
-+ - file_owner_backup_etc_shadow
-+ - file_permissions_backup_etc_shadow
-+
-+ - file_groupowner_etc_gshadow
-+ - file_owner_etc_gshadow
-+ - file_permissions_etc_gshadow
-+
-+ - file_groupowner_backup_etc_gshadow
-+ - file_owner_backup_etc_gshadow
-+ - file_permissions_backup_etc_gshadow
-+
-+ - file_groupowner_etc_shells
-+ - file_owner_etc_shells
-+ - file_permissions_etc_shells
-+
-+ - file_permissions_unauthorized_world_writable
-+
-+ - file_permissions_ungroupowned
-+
-+ - file_permissions_unauthorized_suid
-+ - file_permissions_unauthorized_sgid
-+
-+ - file_groupownership_home_directories
-+ - file_ownership_home_directories
-+ - file_permissions_home_directories
-+
-+ - id: SYS.1.3.A15
-+ title: ELIMINATED
-+ levels:
-+ - elevated
-+ description: |-
-+ This requirement has been eliminated.
-+ notes: |-
-+ This requirement has been eliminated.
-+ status: not applicable
-+
-+ - id: SYS.1.3.A16
-+ title: Additional Prevention of Further Intrusion When Vulnerabilities Are Exploited
-+ levels:
-+ - elevated
-+ description: |-
-+ (1) The use of system calls SHOULD be limited to those absolutely necessary, particularly for
-+ exposed services and applications. (2) The standard profiles and/or rules (e.g. 
of SELinux or
-+ AppArmor) SHOULD be checked manually and, if necessary, adapted to an organisation's own
-+ security policies. (3) If necessary, new rules and profiles SHOULD be drawn up.
-+ notes: |-
-+ This requirement must be implemented organizationally.
-+ status: manual
-+
-+ - id: SYS.1.3.A17
-+ title: Additional Kernel Protection
-+ levels:
-+ - elevated
-+ description: |-
-+ (1) Specially hardened kernels (e.g. grsecurity, PaX) and appropriate protective safeguards such as
-+ memory protection or file system protection SHOULD be implemented to prevent
-+ exploitation of vulnerabilities and propagation in operating systems.
-+ notes: |-
-+ Section 1: Red Hat does not provide specifically hardened kernels. If using them, please be
-+ aware of the support policy for 3rd Party software (https://access.redhat.com/third-party-software-support).
-+ status: does not meet
-+ rules: []
-diff --git a/products/almalinux9/controls/ccn_rhel9.yml b/products/almalinux9/controls/ccn_rhel9.yml
-new file mode 100644
-index 000000000..3233252f5
---- /dev/null
-+++ b/products/almalinux9/controls/ccn_rhel9.yml
-@@ -0,0 +1,844 @@
-+---
-+policy: CCN-STIC-610A22
-+title: Security Profile Application Guide for Red Hat Enterprise Linux 9
-+id: ccn_rhel9
-+version: '2022-10'
-+source: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html
-+
-+levels:
-+ - id: basic
-+ - id: intermediate
-+ inherits_from:
-+ - basic
-+ - id: advanced
-+ inherits_from:
-+ - intermediate
-+
-+reference_type: ccn
-+product: rhel9
-+
-+controls:
-+ - id: reload_dconf_db
-+ title: Reload Dconf Database
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ notes: |-
-+ This is a helper rule to reload Dconf database correctly.
-+ status: automated
-+ rules:
-+ - dconf_db_up_to_date
-+
-+ - id: enable_authselect
-+ title: Enable Authselect
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ notes: |-
-+ The policy doesn't have any section where this would fit better.
-+ status: automated
-+ rules:
-+ - var_authselect_profile=sssd
-+ - enable_authselect
-+
-+ - id: A.3.SEC-RHEL1
-+ title: Session Initiation is Audited
-+ original_title: Se auditan los inicios de sesión.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - audit_rules_session_events_utmp
-+ - audit_rules_session_events_btmp
-+ - audit_rules_session_events_wtmp
-+ - audit_rules_login_events_faillock
-+ - audit_rules_login_events_lastlog
-+
-+ - id: A.3.SEC-RHEL2
-+ title: Control Who Can Access Security and Audit Logs
-+ original_title: Se controla quien puede acceder a los registros de seguridad y auditoría.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - file_permissions_var_log_audit
-+ - file_ownership_var_log_audit
-+ - file_group_ownership_var_log_audit
-+ - directory_permissions_var_log_audit
-+
-+ - id: A.3.SEC-RHEL3
-+ title: System Time Change is Controlled
-+ original_title: Se controla el cambio de hora del sistema.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - package_chrony_installed
-+ - chronyd_specify_remote_server
-+ - chronyd_run_as_chrony_user
-+ - var_multiple_time_servers=rhel
-+
-+ - id: A.3.SEC-RHEL4
-+ title: Control Who Can Generate or Modify Audit Rules
-+ original_title: Se controla quién puede generar o modificar reglas de audit.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - file_permissions_audit_configuration
-+ - file_ownership_audit_configuration
-+ - file_groupownership_audit_configuration
-+
-+ - id: A.3.SEC-RHEL5
-+ title: A Detailed Audit Has Been Implemented Based on Subcategories
-+ original_title: Se ha implementado la auditoría detallada basada en subcategorías.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: pending
-+ notes: |-
-+ It is not clear the intention of this requirement since there is no definition of these
-+ subcategories. The project has many audit related rules. Clarifying these subcategories
-+ we can select the proper rules.
-+
-+ - id: A.3.SEC-RHEL6
-+ title: At Least 90 Days of Activity Logs Are Guaranteed
-+ original_title: Se garantiza al menos 90 días de registros de actividad.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - auditd_data_retention_max_log_file_action
-+ - var_auditd_max_log_file_action=keep_logs
-+
-+ - id: A.3.SEC-RHEL7
-+ title: Modifications to the Sudoers File Are Audited, As Are Changes to Permissions, Users, Groups,
-+ and Passwords
-+ original_title: Se auditan las modificaciones del fichero sudoers, así como los cambios en permisos,
-+ usuarios, grupos y contraseñas.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - audit_sudo_log_events
-+ - audit_rules_usergroup_modification_group
-+ - audit_rules_usergroup_modification_gshadow
-+ - audit_rules_usergroup_modification_opasswd
-+ - audit_rules_usergroup_modification_passwd
-+ - audit_rules_usergroup_modification_shadow
-+ - audit_rules_sysadmin_actions
-+ - audit_rules_dac_modification_chmod
-+ - audit_rules_dac_modification_chown
-+ - audit_rules_dac_modification_fchmod
-+ - audit_rules_dac_modification_fchmodat
-+ - audit_rules_dac_modification_fchown
-+ - audit_rules_dac_modification_fchownat
-+ - audit_rules_dac_modification_fremovexattr
-+ - audit_rules_dac_modification_fsetxattr
-+ - audit_rules_dac_modification_lchown
-+ - audit_rules_dac_modification_lremovexattr
-+ - audit_rules_dac_modification_lsetxattr
-+ - audit_rules_dac_modification_removexattr
-+ - audit_rules_dac_modification_setxattr
-+
-+ - id: A.3.SEC-RHEL8
-+ title: Changes to Cron Settings and Scheduled Tasks Including Startup Scripts Are Audited
-+ original_title: Se auditan los cambios en la configuración de Cron y en tareas programadas incluyendo
-+ los de scripts de inicio.
-+ levels:
-+ - advanced
-+ status: pending
-+ notes: |-
-+ Some possible rules were included here but it is not clear if the requirement intends to
-+ check more than these rules. We can see if more related rules are available in the project
-+ and include everything that makes sense in the context of cron and chrony.
-+ related_rules:
-+ - audit_rules_time_adjtimex
-+ - audit_rules_time_settimeofday
-+ - audit_rules_time_clock_settime
-+ - audit_rules_time_stime
-+ - audit_rules_time_watch_localtime
-+
-+ - id: A.3.SEC-RHEL9
-+ title: Attempts to Access Critical Items Are Audited
-+ original_title: Se auditan los intentos de acceso a elementos críticos.
-+ levels:
-+ - advanced
-+ status: automated
-+ rules:
-+ - audit_rules_unsuccessful_file_modification_creat
-+ - audit_rules_unsuccessful_file_modification_ftruncate
-+ - audit_rules_unsuccessful_file_modification_open
-+ - audit_rules_unsuccessful_file_modification_openat
-+ - audit_rules_unsuccessful_file_modification_truncate
-+
-+ - id: A.3.SEC-RHEL10
-+ title: All Mount Operations on the System and Changes to the Swap Are Audited
-+ original_title: Se audita toda operación de montaje en el sistema y modificaciones en la memoria
-+ de intercambio.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: partial
-+ notes: |-
-+ We probably have audit related rule to monitor mount related syscalls, but it is not clear
-+ about the swap. Is the intention to monitor when swap is changed?
-+ rules:
-+ - audit_rules_media_export
-+
-+ - id: A.3.SEC-RHEL11
-+ title: Modifications in PAM Files Are Audited
-+ original_title: Se auditan modificaciones en ficheros PAM.
-+ levels:
-+ - advanced
-+ status: pending
-+ notes: |-
-+ The intention here is probably to audit changes in /etc/pam.d files, but we need to confirm
-+ this assumption and get more context.
-+
-+ - id: A.4.SEC-RHEL1
-+ title: Common Users Do Dot Have Local Administrator Permissions and Are Not Included in a Sudo
-+ Group
-+ original_title: Los usuarios estándar no disponen de permisos de administrador local ni se encuentran
-+ incluidos en un grupo sudoer.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: pending
-+ notes: |-
-+ It is a little tricky to interpret this requirement. Assuming the "Common users" are actually
-+ interactive users, this requirement would automatically enforce all admin actions to be
-+ performed only by the root user. I am not sure if this is the intetion here.
-+
-+ - id: A.4.SEC-RHEL2
-+ title: The System Has an Updated Antivirus
-+ original_title: El sistema tiene un antivirus y este está actualizado.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: pending
-+ notes: |-
-+ New templated rule is necessary to install the package. But to ensure the chosen antivirus
-+ is actually updated would demand a more complex rule. Maybe this requirement can have at
-+ leastthe partial status after the templated rule.
-+
-+ - id: A.4.SEC-RHEL3
-+ title: Permissions by Partitions Are Modified
-+ original_title: Se modifican los permisos por particiones.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: pending
-+ notes: |-
-+ Related to nosuid, noexec and nodev options but in /boot. More context is needed.
-+
-+ - id: A.5.SEC-RHEL1
-+ title: Login and Impersonation Permissions Are Controlled
-+ original_title: Se controlan los permisos de inicio de sesión y suplantación de identidad.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - sudo_add_use_pty
-+ - use_pam_wheel_for_su
-+
-+ - id: A.5.SEC-RHEL2
-+ title: Elevation Attempts Are Controlled by Defining Users and Sudoer Groups
-+ original_title: Se controlan los intentos de elevación mediante definición de usuarios y grupos
-+ sudoers.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - sudo_require_authentication
-+ - sudo_require_reauthentication
-+
-+ - id: A.5.SEC-RHEL3
-+ title: Access to Encryption Keys is Controlled
-+ original_title: Se controla el acceso a las claves de cifrado.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: pending
-+ notes: |-
-+ There are rules for ssh_keys, for example. We need to confirm the scope of this requirement
-+
-+ - id: A.5.SEC-RHEL4
-+ title: Disable Insecure Encryption Algorithms
-+ original_title: Se han deshabilitado los algoritmos de cifrado inseguros.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - configure_crypto_policy
-+ - var_system_crypto_policy=default_policy
-+
-+ - id: A.5.SEC-RHEL5
-+ title: Recurring Password Change is Required
-+ original_title: Se exige el cambio de contraseña de forma recurrente.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - accounts_maximum_age_login_defs
-+ - accounts_minimum_age_login_defs
-+ - accounts_password_set_max_life_existing
-+ - accounts_password_set_min_life_existing
-+ - accounts_password_set_warn_age_existing
-+ - accounts_password_warn_age_login_defs
-+ - var_accounts_maximum_age_login_defs=45
-+ - var_accounts_minimum_age_login_defs=2
-+ - var_accounts_password_warn_age_login_defs=10
-+
-+ - id: A.5.SEC-RHEL6
-+ title: Secure Protocols Are Used For the Network Authentication Processes
-+ original_title: Se hace uso de protocolos seguros para los procesos de autenticación de red.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - configure_ssh_crypto_policy
-+
-+ - id: A.5.SEC-RHEL7
-+ title: Network Session Inactivity is Controlled
-+ original_title: Se controla la inactividad de la sesión de red.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - sshd_idle_timeout_value=15_minutes
-+ - sshd_set_idle_timeout
-+ - sshd_set_keepalive
-+ - var_sshd_set_keepalive=1
-+
-+ - id: A.5.SEC-RHEL8
-+ title: Local and Remote Console Inactivity is Controlled
-+ original_title: Se controla la inactividad de consola local y remota.
-+ levels:
-+ - advanced
-+ status: automated
-+ rules:
-+ - accounts_tmout
-+ - var_accounts_tmout=5_min
-+
-+ - id: A.6.SEC-RHEL1
-+ title: The Security of Sensitive System Objects is Reinforced
-+ original_title: Se refuerza la seguridad de los objetos sensibles del sistema.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - grub2_enable_selinux
-+ - package_libselinux_installed
-+ - selinux_policytype
-+ - selinux_state
-+ - var_selinux_policy_name=targeted
-+ - var_selinux_state=enforcing
-+
-+ - id: A.6.SEC-RHEL2
-+ title: Access in Recovery Mode Including Grub Boot Modification Mode is Restricted
-+ original_title: Se restringen accesos en modo recuperación incluido el modo modificación de inicio
-+ de grub.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - file_groupowner_grub2_cfg
-+ - file_groupowner_user_cfg
-+ - file_owner_grub2_cfg
-+ - file_owner_user_cfg
-+ - file_permissions_grub2_cfg
-+ - file_permissions_user_cfg
-+
-+ - id: A.6.SEC-RHEL3
-+ title: Service Users Shell is Limited to "/bin/false"
-+ original_title: Se limita la shell de usuarios de servicio a "/bin/false".
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: automated
-+ notes: |-
-+ "/sbin/nologin" might be a better option
-+ rules:
-+ - no_password_auth_for_systemaccounts
-+ - no_shelllogin_for_systemaccounts
-+
-+ - id: A.6.SEC-RHEL4
-+ title: The Use of Sessions With the "root" User is Restricted
-+ original_title: Se restringe el uso de sesiones con usuario "root".
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - ensure_root_password_configured
-+ - no_empty_passwords_etc_shadow
-+
-+ - id: A.6.SEC-RHEL5
-+ title: The Global System Mask is Modified To Be More Restrictive
-+ original_title: Se modifica la máscara global del sistema para ser más restrictiva.
-+ levels:
-+ - advanced
-+ status: automated
-+ rules:
-+ - accounts_umask_etc_bashrc
-+ - accounts_umask_etc_login_defs
-+ - accounts_umask_etc_profile
-+ - var_accounts_user_umask=027
-+
-+ - id: A.6.SEC-RHEL6
-+ title: Unnecessary Groups and Users are Removed From the System
-+ original_title: Se eliminan los grupos y usuarios innecesarios del sistema.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: manual
-+
-+ - id: A.8.SEC-RHEL1
-+ title: Control Who Can Install Software on the System
-+ original_title: Se controla quién puede instalar software en el sistema.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: pending
-+
-+ - id: A.8.SEC-RHEL2
-+ title: The Operating System is Updated
-+ original_title: El sistema operativo está actualizado.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: manual
-+ related_rules:
-+ - security_patches_up_to_date
-+
-+ - id: A.8.SEC-RHEL3
-+ title: The System Has an Activated Local Firewall
-+ original_title: El sistema tiene un firewall local activado.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - firewalld_loopback_traffic_restricted
-+ - firewalld_loopback_traffic_trusted
-+ - service_firewalld_enabled
-+ - package_firewalld_installed
-+ - service_nftables_disabled
-+ - set_firewalld_default_zone
-+
-+ - id: A.8.SEC-RHEL4
-+ title: Unnecessary Services are Disabled, Reducing the Attack Surface
-+ original_title: Se deshabilitan servicios innecesarios, reduciendo la superficie de exposición.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - kernel_module_squashfs_disabled
-+ - kernel_module_udf_disabled
-+ - package_bind_removed
-+ - package_cyrus-imapd_removed
-+ - package_dovecot_removed
-+ - package_net-snmp_removed
-+ - package_squid_removed
-+ - package_telnet-server_removed
-+ - package_tftp-server_removed
-+ - package_vsftpd_removed
-+
-+ - id: A.8.SEC-RHEL5
-+ title: Application Execution is Controlled
-+ original_title: Se controla la ejecución de aplicaciones.
-+ levels:
-+ - advanced
-+ status: pending
-+ notes: |-
-+ This might be related to SELinux or fapolicyd.
-+ We need more context to confirm the intention of this requirement
-+
-+ - id: A.8.SEC-RHEL6
-+ title: Anti-Ransomware Measures are Enabled
-+ original_title: Se dispone de medidas anti ransomware habilitadas.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: partial
-+ notes: |-
-+ These are mentioned to be reviewed but not enforced:
-+ # net.ipv4.icmp_echo_ignore_all = 1
-+ # net.ipv4.tcp_timestamps = 0
-+ # net.ipv4.tcp_max_syn_backlog = 1280
-+ # sysctl_net_ipv6_conf_all_disable_ipv6
-+ # sysctl_net_ipv6_conf_default_disable_ipv6
-+ rules:
-+ - sysctl_net_ipv4_conf_all_send_redirects
-+ - sysctl_net_ipv4_conf_all_accept_redirects
-+ - sysctl_net_ipv4_conf_all_secure_redirects
-+ - sysctl_net_ipv4_conf_all_accept_source_route
-+ - sysctl_net_ipv4_conf_all_log_martians
-+ - sysctl_net_ipv4_conf_default_send_redirects
-+ - sysctl_net_ipv4_conf_default_accept_redirects
-+ - sysctl_net_ipv4_conf_default_secure_redirects
-+ - sysctl_net_ipv4_conf_default_accept_source_route
-+ - sysctl_net_ipv4_conf_default_log_martians
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-+ - sysctl_net_ipv4_tcp_syncookies
-+ - sysctl_net_ipv6_conf_all_accept_source_route
-+ - sysctl_net_ipv6_conf_all_accept_redirects
-+ - sysctl_net_ipv6_conf_all_accept_ra
-+ - sysctl_net_ipv6_conf_default_accept_source_route
-+ - sysctl_net_ipv6_conf_default_accept_redirects
-+ - sysctl_net_ipv6_conf_default_accept_ra
-+ - sysctl_fs_suid_dumpable
-+ - sysctl_net_ipv4_ip_forward
-+ - sysctl_net_ipv4_conf_all_rp_filter
-+ - sysctl_net_ipv4_conf_default_rp_filter
-+
-+ - id: A.8.SEC-RHEL7
-+ title: Password Encrypted Boot That Prevents Modification is Enabled (Protected GRUB)
-+ original_title: Está habilitado el arranque cifrado con contraseña que evite modificaciones (GRUB
-+ protegido).
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - grub2_password
-+
-+ - id: A.8.SEC-RHEL8
-+ title: File Download is Audited
-+ original_title: Se audita la descarga de archivos.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: pending
-+ notes: |-
-+ Is it related to downloads from the Internet to the system or from the system to an external
-+ storage, for example?
-+ related_rules:
-+ - audit_rules_file_deletion_events_rename
-+ - audit_rules_file_deletion_events_renameat
-+ - audit_rules_file_deletion_events_unlink
-+ - audit_rules_file_deletion_events_unlinkat
-+
-+ - id: A.8.SEC-RHEL9
-+ title: System Compilers are Disabled
-+ original_title: Están deshabilitados los compiladores del sistema.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: pending
-+ notes: |-
-+ Maybe simply removing the packages is enough.
-+
-+ - id: A.11.SEC-RHEL1
-+ title: Local Log On To the System is Controlled
-+ original_title: Se controla el inicio de sesión local en el sistema.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: pending
-+ notes: |-
-+ Is it related to TTY access, physical access, local users authentication, etc?
-+ It is not not clear the scope.
-+
-+ - id: A.11.SEC-RHEL2
-+ title: The Security of the SSH Protocol is Strengthened
-+ original_title: Se ha reforzado la seguridad del protocolo SSH.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - sshd_limit_user_access
-+
-+ - id: A.11.SEC-RHEL3
-+ title: A Robust Credential Policy is In Place
-+ original_title: Se dispone de una política de credenciales robusta.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - accounts_password_pam_minclass
-+ - accounts_password_pam_minlen
-+ - accounts_password_pam_retry
-+ - var_password_pam_minclass=4
-+ - var_password_pam_minlen=14
-+
-+ - id: A.11.SEC-RHEL4
-+ title: During Login, the System Displays a Text in Compliance With the Organization's Standards
-+ or Directives
-+ original_title: Durante el inicio de sesión, el sistema muestra un texto en cumplimiento con las
-+ normas o directivas de la organización.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - banner_etc_issue
-+ - banner_etc_issue_net
-+ - banner_etc_motd
-+ - dconf_gnome_banner_enabled
-+ - dconf_gnome_login_banner_text
-+ - sshd_enable_warning_banner_net
-+ - login_banner_text=cis_banners
-+ - motd_banner_text=cis_banners
-+ - remote_login_banner_text=cis_banners
-+
-+ - id: A.11.SEC-RHEL5
-+ title: Network Acess to the System is Controlled
-+ original_title: Se controla el acceso al sistema a través de la red.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: manual
-+ related_rules:
-+ - configure_firewalld_ports
-+
-+ - id: A.11.SEC-RHEL6
-+ title: Only Strong Encryption Algorithms are Allowed in Accesses to the System
-+ original_title: Sólo se permiten algoritmos de cifrado robustos en accesos al sistema.
-+ levels:
-+ - basic
-+ - intermediate
-+ - advanced
-+ status: automated
-+ notes: |-
-+ It overlaps the rule in A.5.SEC-RHEL6 requirement
-+ related_rules:
-+ - configure_ssh_crypto_policy
-+
-+ - id: A.11.SEC-RHEL7
-+ title: GUI Idle Time is Limited
-+ original_title: Se limita el tiempo de inactividad del GUI.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - dconf_gnome_screensaver_idle_delay
-+ - dconf_gnome_screensaver_lock_delay
-+ - inactivity_timeout_value=5_minutes
-+ - var_screensaver_lock_delay=immediate
-+
-+ - id: A.11.SEC-RHEL8
-+ title: A Dissuasive Banner is Displayed
-+ original_title: Se muestra un banner disuasorio.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: pending
-+ notes: |-
-+ It seems to duplicate the A.11.SEC-RHEL4 requirement
-+
-+ - id: A.11.SEC-RHEL9
-+ title: The User List is Disabled
-+ original_title: Se deshabilita la lista de usuarios.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - dconf_gnome_disable_user_list
-+
-+ - id: A.11.SEC-RHEL10
-+ title: File History is Disabled
-+ original_title: Se deshabilita recordar el historial de ficheros.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: pending
-+ notes: |-
-+ New rules might be necessary.
-+
-+ - id: A.11.SEC-RHEL11
-+ title: Key Combination to Launch GTK Inspector is Disabled
-+ original_title: Se deshabilita combinación de teclas para iniciar el inspector GTK
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: pending
-+ notes: |-
-+ New rules might be necessary.
-+
-+ - id: A.11.SEC-RHEL12
-+ title: Auto-Mounting of Removable Devices on the System is Disabled
-+ original_title: Se deshabilita el auto montaje de dispositivos extraíbles en el sistema.
-+ levels:
-+ - intermediate
-+ - advanced
-+ status: automated
-+ rules:
-+ - dconf_gnome_disable_automount
-+ - dconf_gnome_disable_automount_open
-+ - dconf_gnome_disable_autorun
-+
-+ - id: A.15.SEC-RHEL1
-+ title: The Use of Removable Storage Media is Controlled
-+ original_title: Se controla el uso de medios de almacenamiento extraíbles.
-+ levels: -+ - intermediate -+ - advanced -+ status: automated -+ rules: -+ - kernel_module_usb-storage_disabled -+ -+ - id: A.19.SEC-RHEL1 -+ title: Access to the Folder and File Tree is Controlled -+ original_title: Se controla el acceso al árbol de carpetas y ficheros. -+ levels: -+ - basic -+ - intermediate -+ - advanced -+ status: pending -+ notes: |- -+ More context should be provided to clarify this requirement -+ -+ - id: A.19.SEC-RHEL2 -+ title: Measures Are Applied to Protect Accounts -+ original_title: Se aplican medidas para la protección de las cuentas. -+ levels: -+ - basic -+ - intermediate -+ - advanced -+ status: pending -+ notes: |- -+ This is already covered by other requirements. Maybe more rules could be included here. -+ -+ - id: A.19.SEC-RHEL3 -+ title: A Robust Algorithm and Password Complexity Are Enabled -+ original_title: Está habilitado un algoritmo robusto y la complejidad de contraseñas. -+ levels: -+ - basic -+ - intermediate -+ - advanced -+ status: automated -+ rules: -+ - set_password_hashing_algorithm_systemauth -+ - set_password_hashing_algorithm_passwordauth -+ - set_password_hashing_algorithm_logindefs -+ - var_password_hashing_algorithm=SHA512 -+ - var_password_hashing_algorithm_pam=sha512 -+ -+ - id: A.23.SEC-RHEL1 -+ title: The Installation And Use of Any Device Connected to the Equipment is Controlled -+ original_title: Se controla la instalación y uso de cualquier dispositivo conectado al equipo. -+ levels: -+ - basic -+ - intermediate -+ - advanced -+ status: automated -+ rules: -+ - package_usbguard_installed -+ - service_usbguard_enabled -+ - usbguard_generate_policy -+ -+ - id: A.23.SEC-RHEL2 -+ title: The Dynamic Mounting and Unmounting of File Systems is Restricted -+ original_title: Se restringe el montaje y desmontaje dinámico de sistemas de archivos. -+ levels: -+ - basic -+ - intermediate -+ - advanced -+ status: pending -+ notes: |- -+ It seems to duplicate the A.11.SEC-RHEL12 requirement. 
-+ -+ - id: A.24.SEC-RHEL1 -+ title: Privileges That Affect System Performance Are Controlled -+ original_title: Se controlan los privilegios que afectan al rendimiento del sistema. -+ levels: -+ - intermediate -+ - advanced -+ status: pending -+ notes: |- -+ Is it about system limits? -+ -+ - id: A.24.SEC-RHEL2 -+ title: Control Who Can Turn Off the System -+ original_title: Se controla quien puede apagar el sistema. -+ levels: -+ - intermediate -+ - advanced -+ status: pending -+ related_rules: -+ - disable_ctrlaltdel_burstaction -+ - disable_ctrlaltdel_reboot -+ -+ - id: A.25.SEC-RHEL1 -+ title: System Disk is Encrypted -+ original_title: El disco del sistema está cifrado. -+ levels: -+ - advanced -+ status: automated -+ rules: -+ - encrypt_partitions -+ - package_cryptsetup-luks_installed -+ -+ - id: A.25.SEC-RHEL2 -+ title: The Data Disk is Encrypted -+ original_title: El disco de datos está cifrado. -+ levels: -+ - advanced -+ status: automated -+ notes: |- -+ The rules in this requirement overlaps the A.25.SEC-RHEL1 requirement -+ related_rules: -+ - package_cryptsetup-luks_installed -+ - encrypt_partitions -+ -+ - id: A.30.SEC-RHEL1 -+ title: There Is an Account Lockout Policy for Incorrect Logins -+ original_title: Existe una política de bloqueo de cuentas ante inicios de sesión incorrectos. 
-+ levels: -+ - advanced -+ status: automated -+ rules: -+ - accounts_passwords_pam_faillock_deny -+ - accounts_passwords_pam_faillock_unlock_time -+ - var_accounts_passwords_pam_faillock_deny=8 -+ - var_accounts_passwords_pam_faillock_unlock_time=never -diff --git a/products/almalinux9/controls/cis_rhel9.yml b/products/almalinux9/controls/cis_rhel9.yml -new file mode 100644 -index 000000000..5edf9567e ---- /dev/null -+++ b/products/almalinux9/controls/cis_rhel9.yml -@@ -0,0 +1,3112 @@ -+--- -+policy: 'CIS Benchmark for Red Hat Enterprise Linux 9' -+title: 'CIS Benchmark for Red Hat Enterprise Linux 9' -+id: cis_rhel9 -+version: '2.0.0' -+source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux -+ -+levels: -+ - id: l1_server -+ - id: l2_server -+ inherits_from: -+ - l1_server -+ - id: l1_workstation -+ - id: l2_workstation -+ inherits_from: -+ - l1_workstation -+ -+reference_type: cis -+product: rhel9 -+ -+controls: -+ - id: reload_dconf_db -+ title: Reload Dconf database -+ levels: -+ - l1_server -+ - l1_workstation -+ notes: |- -+ This is a helper rule to reload Dconf database correctly. -+ status: automated -+ rules: -+ - dconf_db_up_to_date -+ -+ - id: enable_authselect -+ title: Enable Authselect -+ levels: -+ - l1_server -+ - l1_workstation -+ notes: |- -+ We need this in all CIS versions, but the policy doesn't have any section where this -+ would fit better. 
-+ status: automated -+ rules: -+ - var_authselect_profile=sssd -+ - enable_authselect -+ -+ - id: 1.1.1.1 -+ title: Ensure cramfs kernel module is not available (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - kernel_module_cramfs_disabled -+ -+ - id: 1.1.1.2 -+ title: Ensure freevxfs kernel module is not available (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - kernel_module_freevxfs_disabled -+ -+ - id: 1.1.1.3 -+ title: Ensure hfs kernel module is not available (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - kernel_module_hfs_disabled -+ -+ - id: 1.1.1.4 -+ title: Ensure hfsplus kernel module is not available (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - kernel_module_hfsplus_disabled -+ -+ - id: 1.1.1.5 -+ title: Ensure jffs2 kernel module is not available (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - kernel_module_jffs2_disabled -+ -+ - id: 1.1.1.6 -+ title: Ensure squashfs kernel module is not available (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - kernel_module_squashfs_disabled -+ -+ - id: 1.1.1.7 -+ title: Ensure udf kernel module is not available (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - kernel_module_udf_disabled -+ -+ - id: 1.1.1.8 -+ title: Ensure usb-storage kernel module is not available (Automated) -+ levels: -+ - l1_server -+ - l2_workstation -+ status: automated -+ rules: -+ - kernel_module_usb-storage_disabled -+ -+ - id: 1.1.1.9 -+ title: Ensure unused filesystems kernel modules are not available (Manual) -+ levels: -+ - l1_server -+ - l2_workstation -+ status: manual -+ -+ - id: 1.1.2.1.1 -+ title: Ensure /tmp is a separate partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ 
rules: -+ - partition_for_tmp -+ -+ - id: 1.1.2.1.2 -+ title: Ensure nodev option set on /tmp partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_tmp_nodev -+ -+ - id: 1.1.2.1.3 -+ title: Ensure nosuid option set on /tmp partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_tmp_nosuid -+ -+ - id: 1.1.2.1.4 -+ title: Ensure noexec option set on /tmp partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_tmp_noexec -+ -+ - id: 1.1.2.2.1 -+ title: Ensure /dev/shm is a separate partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - partition_for_dev_shm -+ -+ - id: 1.1.2.2.2 -+ title: Ensure nodev option set on /dev/shm partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_dev_shm_nodev -+ -+ - id: 1.1.2.2.3 -+ title: Ensure nosuid option set on /dev/shm partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_dev_shm_nosuid -+ -+ - id: 1.1.2.2.4 -+ title: Ensure noexec option set on /dev/shm partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_dev_shm_noexec -+ -+ - id: 1.1.2.3.1 -+ title: Ensure separate partition exists for /home (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - partition_for_home -+ -+ - id: 1.1.2.3.2 -+ title: Ensure nodev option set on /home partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_home_nodev -+ -+ - id: 1.1.2.3.3 -+ title: Ensure nosuid option set on /home partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_home_nosuid -+ -+ - id: 1.1.2.4.1 -+ 
title: Ensure separate partition exists for /var (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - partition_for_var -+ -+ - id: 1.1.2.4.2 -+ title: Ensure nodev option set on /var partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_var_nodev -+ -+ - id: 1.1.2.4.3 -+ title: Ensure nosuid option set on /var partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_var_nosuid -+ -+ - id: 1.1.2.5.1 -+ title: Ensure separate partition exists for /var/tmp (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - partition_for_var_tmp -+ -+ - id: 1.1.2.5.2 -+ title: Ensure nodev option set on /var/tmp partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_var_tmp_nodev -+ -+ - id: 1.1.2.5.3 -+ title: Ensure nosuid option set on /var/tmp partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_var_tmp_nosuid -+ -+ - id: 1.1.2.5.4 -+ title: Ensure noexec option set on /var/tmp partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_var_tmp_noexec -+ -+ - id: 1.1.2.6.1 -+ title: Ensure separate partition exists for /var/log (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - partition_for_var_log -+ -+ - id: 1.1.2.6.2 -+ title: Ensure nodev option set on /var/log partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_var_log_nodev -+ -+ - id: 1.1.2.6.3 -+ title: Ensure nosuid option set on /var/log partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_var_log_nosuid -+ -+ - id: 1.1.2.6.4 -+ title: Ensure noexec option set on 
/var/log partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_var_log_noexec -+ -+ - id: 1.1.2.7.1 -+ title: Ensure separate partition exists for /var/log/audit (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - partition_for_var_log_audit -+ -+ - id: 1.1.2.7.2 -+ title: Ensure nodev option set on /var/log/audit partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_var_log_audit_nodev -+ -+ - id: 1.1.2.7.3 -+ title: Ensure nosuid option set on /var/log/audit partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_var_log_audit_nosuid -+ -+ - id: 1.1.2.7.4 -+ title: Ensure noexec option set on /var/log/audit partition (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - mount_option_var_log_audit_noexec -+ -+ - id: 1.2.1.1 -+ title: Ensure GPG keys are configured (Manual) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: manual -+ related_rules: -+ - ensure_almalinux_gpgkey_installed -+ -+ - id: 1.2.1.2 -+ title: Ensure gpgcheck is globally activated (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - ensure_gpgcheck_globally_activated -+ - ensure_gpgcheck_never_disabled -+ -+ - id: 1.2.1.3 -+ title: Ensure repo_gpgcheck is globally activated (Manual) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: manual -+ -+ - id: 1.2.1.4 -+ title: Ensure package manager repositories are configured (Manual) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: manual -+ -+ - id: 1.2.2.1 -+ title: Ensure updates, patches, and additional security software are installed (Manual) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: manual -+ related_rules: -+ - security_patches_up_to_date -+ -+ - id: 1.3.1.1 -+ title: Ensure SELinux is installed 
(Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_libselinux_installed -+ -+ - id: 1.3.1.2 -+ title: Ensure SELinux is not disabled in bootloader configuration (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - grub2_enable_selinux -+ -+ - id: 1.3.1.3 -+ title: Ensure SELinux policy is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - var_selinux_policy_name=targeted -+ - selinux_policytype -+ -+ - id: 1.3.1.4 -+ title: Ensure the SELinux mode is not disabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - selinux_not_disabled -+ -+ - id: 1.3.1.5 -+ title: Ensure the SELinux mode is enforcing (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - var_selinux_state=enforcing -+ - selinux_state -+ -+ - id: 1.3.1.6 -+ title: Ensure no unconfined services exist (Manual) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: manual -+ related_rules: -+ - selinux_confinement_of_daemons -+ -+ - id: 1.3.1.7 -+ title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_mcstrans_removed -+ -+ - id: 1.3.1.8 -+ title: Ensure SETroubleshoot is not installed (Automated) -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - package_setroubleshoot_removed -+ -+ - id: 1.4.1 -+ title: Ensure bootloader password is set (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ RHEL9 unified the paths for grub2 files. -+ rules: -+ - grub2_password -+ related_rules: -+ - grub2_uefi_password -+ -+ - id: 1.4.2 -+ title: Ensure access to bootloader config is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: pending -+ notes: |- -+ RHEL9 unified the paths for grub2 files. 
This requirement demands a deeper review of -+ the rules. -+ rules: -+ - file_groupowner_grub2_cfg -+ - file_owner_grub2_cfg -+ - file_permissions_grub2_cfg -+ - file_groupowner_user_cfg -+ - file_owner_user_cfg -+ - file_permissions_user_cfg -+ related_rules: -+ - file_groupowner_efi_grub2_cfg -+ - file_owner_efi_grub2_cfg -+ - file_permissions_efi_grub2_cfg -+ - file_groupowner_efi_user_cfg -+ - file_owner_efi_user_cfg -+ - file_permissions_efi_user_cfg -+ -+ - id: 1.5.1 -+ title: Ensure address space layout randomization is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ Address Space Layout Randomization (ASLR) -+ rules: -+ - sysctl_kernel_randomize_va_space -+ -+ - id: 1.5.2 -+ title: Ensure ptrace_scope is restricted (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_kernel_yama_ptrace_scope -+ -+ - id: 1.5.3 -+ title: Ensure core dump backtraces are disabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - coredump_disable_backtraces -+ -+ - id: 1.5.4 -+ title: Ensure core dump storage is disabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - coredump_disable_storage -+ -+ - id: 1.6.1 -+ title: Ensure system wide crypto policy is not set to legacy (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - configure_custom_crypto_policy_cis -+ -+ - id: 1.6.2 -+ title: Ensure system wide crypto policy is not set in sshd configuration (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - configure_ssh_crypto_policy -+ -+ - id: 1.6.3 -+ title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - configure_custom_crypto_policy_cis -+ -+ - id: 1.6.4 -+ title: Ensure system wide 
crypto policy disables macs less than 128 bits (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - configure_custom_crypto_policy_cis -+ -+ - id: 1.6.5 -+ title: Ensure system wide crypto policy disables cbc for ssh (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - configure_custom_crypto_policy_cis -+ -+ - id: 1.6.6 -+ title: Ensure system wide crypto policy disables chacha20-poly1305 for ssh (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: manual -+ notes: |- -+ User should manually ensure that CVE-2023-48795 is addressed. -+ This is not automated and it might be difficult to automate actually. -+ Therefore, keeping this control as manual. -+ - id: 1.6.7 -+ title: Ensure system wide crypto policy disables EtM for ssh (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: manual -+ -+ - id: 1.7.1 -+ title: Ensure message of the day is configured properly (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - banner_etc_motd_cis -+ - cis_banner_text=cis -+ -+ - id: 1.7.2 -+ title: Ensure local login warning banner is configured properly (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - banner_etc_issue_cis -+ - cis_banner_text=cis -+ -+ - id: 1.7.3 -+ title: Ensure remote login warning banner is configured properly (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - banner_etc_issue_net_cis -+ - cis_banner_text=cis -+ -+ - id: 1.7.4 -+ title: Ensure access to /etc/motd is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_groupowner_etc_motd -+ - file_owner_etc_motd -+ - file_permissions_etc_motd -+ -+ - id: 1.7.5 -+ title: Ensure access to /etc/issue is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - 
file_groupowner_etc_issue -+ - file_owner_etc_issue -+ - file_permissions_etc_issue -+ -+ - id: 1.7.6 -+ title: Ensure access to /etc/issue.net is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_groupowner_etc_issue_net -+ - file_owner_etc_issue_net -+ - file_permissions_etc_issue_net -+ -+ - id: 1.8.1 -+ title: Ensure GNOME Display Manager is removed (Automated) -+ levels: -+ - l2_server -+ status: automated -+ rules: -+ - package_gdm_removed -+ -+ - id: 1.8.2 -+ title: Ensure GDM login banner is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - dconf_gnome_banner_enabled -+ - dconf_gnome_login_banner_text -+ - login_banner_text=cis_banners -+ -+ - id: 1.8.3 -+ title: Ensure GDM disable-user-list option is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - dconf_gnome_disable_user_list -+ -+ - id: 1.8.4 -+ title: Ensure GDM screen locks when the user is idle (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - dconf_gnome_screensaver_idle_delay -+ - dconf_gnome_screensaver_lock_delay -+ - inactivity_timeout_value=15_minutes -+ - var_screensaver_lock_delay=5_seconds -+ -+ - id: 1.8.5 -+ title: Ensure GDM screen locks cannot be overridden (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - dconf_gnome_session_idle_user_locks -+ - dconf_gnome_screensaver_user_locks -+ -+ - id: 1.8.6 -+ title: Ensure GDM automatic mounting of removable media is disabled (Automated) -+ levels: -+ - l1_server -+ - l2_workstation -+ status: automated -+ rules: -+ - dconf_gnome_disable_automount -+ - dconf_gnome_disable_automount_open -+ -+ - id: 1.8.7 -+ title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) -+ levels: -+ - l1_server -+ - l2_workstation -+ status: automated -+ rules: -+ - 
dconf_gnome_disable_automount -+ - dconf_gnome_disable_automount_open -+ -+ - id: 1.8.8 -+ title: Ensure GDM autorun-never is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - dconf_gnome_disable_autorun -+ -+ - id: 1.8.9 -+ title: Ensure GDM autorun-never is not overridden (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - dconf_gnome_disable_autorun -+ -+ - id: 1.8.10 -+ title: Ensure XDMCP is not enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - gnome_gdm_disable_xdmcp -+ -+ - id: 2.1.1 -+ title: Ensure autofs services are not in use (Automated) -+ levels: -+ - l1_server -+ - l2_workstation -+ status: automated -+ rules: -+ - service_autofs_disabled -+ -+ - id: 2.1.2 -+ title: Ensure avahi daemon services are not in use (Automated) -+ levels: -+ - l1_server -+ - l2_workstation -+ status: automated -+ rules: -+ - service_avahi-daemon_disabled -+ related_rules: -+ - package_avahi_removed -+ -+ - id: 2.1.3 -+ title: Ensure dhcp server services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_dhcp_removed -+ related_rules: -+ - service_dhcpd_disabled -+ -+ - id: 2.1.4 -+ title: Ensure dns server services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_bind_removed -+ related_rules: -+ - service_named_disabled -+ -+ - id: 2.1.5 -+ title: Ensure dnsmasq services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_dnsmasq_removed -+ -+ - id: 2.1.6 -+ title: Ensure samba file server services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_samba_removed -+ related_rules: -+ - service_smb_disabled -+ -+ - id: 2.1.7 -+ title: Ensure ftp server services are not in 
use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_vsftpd_removed -+ related_rules: -+ - service_vsftpd_disabled -+ -+ - id: 2.1.8 -+ title: Ensure message access server services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_dovecot_removed -+ - package_cyrus-imapd_removed -+ related_rules: -+ - service_dovecot_disabled -+ # new rule would be nice to disable cyrus-imapd service -+ -+ - id: 2.1.9 -+ title: Ensure network file system services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the -+ nfs-utils package. -+ rules: -+ - service_nfs_disabled -+ related_rules: -+ - package_nfs-utils_removed -+ -+ - id: 2.1.10 -+ title: Ensure nis server services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: It appears that the ypserv package was never in RHEL 9. -+ related_rules: -+ - service_ypserv_disabled -+ - package_ypserv_removed -+ -+ - id: 2.1.11 -+ title: Ensure print server services are not in use (Automated) -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - service_cups_disabled -+ related_rules: -+ - package_cups_removed -+ -+ - id: 2.1.12 -+ title: Ensure rpcbind services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils -+ package used for The Network File System (NFS), are dependent on the rpcbind package. 
-+ rules: -+ - service_rpcbind_disabled -+ related_rules: -+ - package_rpcbind_removed -+ -+ - id: 2.1.13 -+ title: Ensure rsync services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_rsync_removed -+ related_rules: -+ - service_rsyncd_disabled -+ -+ - id: 2.1.14 -+ title: Ensure snmp services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_net-snmp_removed -+ related_rules: -+ - service_snmpd_disabled -+ -+ - id: 2.1.15 -+ title: Ensure telnet server services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_telnet-server_removed -+ related_rules: -+ - service_telnet_disabled -+ -+ - id: 2.1.16 -+ title: Ensure tftp server services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_tftp-server_removed -+ related_rules: -+ - service_tftp_disabled -+ -+ - id: 2.1.17 -+ title: Ensure web proxy server services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_squid_removed -+ related_rules: -+ - service_squid_disabled -+ -+ - id: 2.1.18 -+ title: Ensure web server services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_httpd_removed -+ - package_nginx_removed -+ related_rules: -+ - service_httpd_disabled -+ # rule would be nice to disable nginx service -+ -+ - id: 2.1.19 -+ title: Ensure xinetd services are not in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: The xinetd appears to never have been in RHEL 9. 
-+ related_rules: -+ - package_xinetd_removed -+ - service_xinetd_disabled -+ -+ - id: 2.1.20 -+ title: Ensure X window server services are not in use (Automated) -+ levels: -+ - l2_server -+ status: automated -+ notes: |- -+ The rule also configures correct run level to prevent unbootable system. -+ rules: -+ - package_xorg-x11-server-common_removed -+ - xwindows_runlevel_target -+ -+ - id: 2.1.21 -+ title: Ensure mail transfer agents are configured for local-only mode (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - postfix_network_listening_disabled -+ - var_postfix_inet_interfaces=loopback-only -+ - has_nonlocal_mta -+ -+ - id: 2.1.22 -+ title: Ensure only approved services are listening on a network interface (Manual) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: manual -+ -+ - id: 2.2.1 -+ title: Ensure ftp client is not installed (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_ftp_removed -+ -+ - id: 2.2.2 -+ title: Ensure ldap client is not installed (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - package_openldap-clients_removed -+ -+ - id: 2.2.3 -+ title: Ensure nis client is not installed (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: It appears this package was never in RHEL 9. 
-+ related_rules: -+ - package_ypbind_removed -+ -+ - id: 2.2.4 -+ title: Ensure telnet client is not installed (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_telnet_removed -+ -+ - id: 2.2.5 -+ title: Ensure tftp client is not installed (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_tftp_removed -+ -+ - id: 2.3.1 -+ title: Ensure time synchronization is in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_chrony_installed -+ -+ - id: 2.3.2 -+ title: Ensure chrony is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - chronyd_specify_remote_server -+ - var_multiple_time_servers=rhel -+ -+ - id: 2.3.3 -+ title: Ensure chrony is not run as the root user (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - chronyd_run_as_chrony_user -+ -+ - id: 2.4.1.1 -+ title: Ensure cron daemon is enabled and active (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_cron_installed -+ - service_crond_enabled -+ -+ - id: 2.4.1.2 -+ title: Ensure permissions on /etc/crontab are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_groupowner_crontab -+ - file_owner_crontab -+ - file_permissions_crontab -+ -+ - id: 2.4.1.3 -+ title: Ensure permissions on /etc/cron.hourly are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_groupowner_cron_hourly -+ - file_owner_cron_hourly -+ - file_permissions_cron_hourly -+ -+ - id: 2.4.1.4 -+ title: Ensure permissions on /etc/cron.daily are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_groupowner_cron_daily -+ - file_owner_cron_daily -+ - file_permissions_cron_daily 
-+ -+ - id: 2.4.1.5 -+ title: Ensure permissions on /etc/cron.weekly are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_groupowner_cron_weekly -+ - file_owner_cron_weekly -+ - file_permissions_cron_weekly -+ -+ - id: 2.4.1.6 -+ title: Ensure permissions on /etc/cron.monthly are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_groupowner_cron_monthly -+ - file_owner_cron_monthly -+ - file_permissions_cron_monthly -+ -+ - id: 2.4.1.7 -+ title: Ensure permissions on /etc/cron.d are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_groupowner_cron_d -+ - file_owner_cron_d -+ - file_permissions_cron_d -+ -+ - id: 2.4.1.8 -+ title: Ensure crontab is restricted to authorized users (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_cron_deny_not_exist -+ - file_cron_allow_exists -+ - file_groupowner_cron_allow -+ - file_owner_cron_allow -+ - file_permissions_cron_allow -+ -+ - id: 2.4.2.1 -+ title: Ensure at is restricted to authorized users (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_at_deny_not_exist -+ - file_at_allow_exists -+ - file_groupowner_at_allow -+ - file_owner_at_allow -+ - file_permissions_at_allow -+ -+ - id: 3.1.1 -+ title: Ensure IPv6 status is identified (Manual) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: manual -+ -+ - id: 3.1.2 -+ title: Ensure wireless interfaces are disabled (Automated) -+ levels: -+ - l1_server -+ status: automated -+ rules: -+ - wireless_disable_interfaces -+ -+ - id: 3.1.3 -+ title: Ensure bluetooth services are not in use (Automated) -+ levels: -+ - l1_server -+ - l2_workstation -+ status: automated -+ rules: -+ - service_bluetooth_disabled -+ -+ - id: 3.2.1 -+ title: Ensure dccp kernel module is not available (Automated) -+ levels: -+ 
- l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - kernel_module_dccp_disabled -+ -+ - id: 3.2.2 -+ title: Ensure tipc kernel module is not available (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - kernel_module_tipc_disabled -+ -+ - id: 3.2.3 -+ title: Ensure rds kernel module is not available (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - kernel_module_rds_disabled -+ -+ - id: 3.2.4 -+ title: Ensure sctp kernel module is not available (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - kernel_module_sctp_disabled -+ -+ - id: 3.3.1 -+ title: Ensure IP forwarding is disabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_net_ipv4_ip_forward -+ - sysctl_net_ipv6_conf_all_forwarding -+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled -+ -+ - id: 3.3.2 -+ title: Ensure packet redirect sending is disabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_net_ipv4_conf_all_send_redirects -+ - sysctl_net_ipv4_conf_default_send_redirects -+ -+ - id: 3.3.3 -+ title: Ensure bogus icmp responses are ignored (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses -+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled -+ -+ - id: 3.3.4 -+ title: Ensure broadcast icmp requests are ignored (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts -+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled -+ -+ - id: 3.3.5 -+ title: Ensure icmp redirects are not accepted (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_net_ipv4_conf_all_accept_redirects -+ - 
sysctl_net_ipv4_conf_all_accept_redirects_value=disabled -+ - sysctl_net_ipv4_conf_default_accept_redirects -+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled -+ - sysctl_net_ipv6_conf_all_accept_redirects -+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled -+ - sysctl_net_ipv6_conf_default_accept_redirects -+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled -+ -+ - id: 3.3.6 -+ title: Ensure secure icmp redirects are not accepted (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_net_ipv4_conf_all_secure_redirects -+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled -+ - sysctl_net_ipv4_conf_default_secure_redirects -+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled -+ -+ - id: 3.3.7 -+ title: Ensure reverse path filtering is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_net_ipv4_conf_all_rp_filter -+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled -+ - sysctl_net_ipv4_conf_default_rp_filter -+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled -+ -+ - id: 3.3.8 -+ title: Ensure source routed packets are not accepted (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_net_ipv4_conf_all_accept_source_route -+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled -+ - sysctl_net_ipv4_conf_default_accept_source_route -+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled -+ - sysctl_net_ipv6_conf_all_accept_source_route -+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled -+ - sysctl_net_ipv6_conf_default_accept_source_route -+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled -+ -+ - id: 3.3.9 -+ title: Ensure suspicious packets are logged (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_net_ipv4_conf_all_log_martians -+ - 
sysctl_net_ipv4_conf_all_log_martians_value=enabled -+ - sysctl_net_ipv4_conf_default_log_martians -+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled -+ -+ - id: 3.3.10 -+ title: Ensure tcp syn cookies is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_net_ipv4_tcp_syncookies -+ - sysctl_net_ipv4_tcp_syncookies_value=enabled -+ -+ - id: 3.3.11 -+ title: Ensure IPv6 router advertisements are not accepted (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sysctl_net_ipv6_conf_all_accept_ra -+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled -+ - sysctl_net_ipv6_conf_default_accept_ra -+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled -+ -+ - id: 4.1.1 -+ title: Ensure nftables is installed (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_nftables_installed -+ -+ - id: 4.1.2 -+ title: Ensure a single firewall configuration utility is in use (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - service_firewalld_enabled -+ - package_firewalld_installed -+ - service_nftables_disabled -+ -+ - id: 4.2.1 -+ title: Ensure firewalld drops unnecessary services and ports (Manual) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: manual -+ related_rules: -+ - configure_firewalld_ports -+ -+ - id: 4.2.2 -+ title: Ensure firewalld loopback traffic is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - firewalld_loopback_traffic_trusted -+ - firewalld_loopback_traffic_restricted -+ -+ - id: 4.3.1 -+ title: Ensure nftables base chains exist (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: supported -+ notes: |- -+ RHEL systems use firewalld for firewall management. 
Although nftables is the default -+ back-end for firewalld, it is not recommended to use nftables directly when firewalld -+ is in use. When using firewalld the base chains are installed by default. -+ related_rules: -+ - set_nftables_base_chain -+ - var_nftables_table=firewalld -+ - var_nftables_family=inet -+ - var_nftables_base_chain_names=chain_names -+ - var_nftables_base_chain_types=chain_types -+ - var_nftables_base_chain_hooks=chain_hooks -+ - var_nftables_base_chain_priorities=chain_priorities -+ - var_nftables_base_chain_policies=chain_policies -+ -+ - id: 4.3.2 -+ title: Ensure nftables established connections are configured (Manual) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: manual -+ -+ - id: 4.3.3 -+ title: Ensure nftables default deny firewall policy (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: supported -+ notes: |- -+ RHEL systems use firewalld for firewall management. Although nftables is the default -+ back-end for firewalld, it is not recommended to use nftables directly when firewalld -+ is in use. -+ related_rules: -+ - nftables_ensure_default_deny_policy -+ -+ - id: 4.3.4 -+ title: Ensure nftables loopback traffic is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: supported -+ notes: |- -+ RHEL systems use firewalld for firewall management. Although nftables is the default -+ back-end for firewalld, it is not recommended to use nftables directly when firewalld -+ is in use. 
-+ related_rules: -+ - set_nftables_loopback_traffic -+ -+ - id: 5.1.1 -+ title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_groupowner_sshd_config -+ - file_owner_sshd_config -+ - file_permissions_sshd_config -+ -+ - id: 5.1.2 -+ title: Ensure permissions on SSH private host key files are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_permissions_sshd_private_key -+ - file_ownership_sshd_private_key -+ - file_groupownership_sshd_private_key -+ -+ - id: 5.1.3 -+ title: Ensure permissions on SSH public host key files are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - file_permissions_sshd_pub_key -+ - file_ownership_sshd_pub_key -+ - file_groupownership_sshd_pub_key -+ -+ - id: 5.1.4 -+ title: Ensure sshd Ciphers are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - configure_custom_crypto_policy_cis -+ -+ - id: 5.1.5 -+ title: Ensure sshd KexAlgorithms is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: pending -+ notes: |- -+ The status was automated but we need to double check the approach used in this rule. -+ Therefore I moved it to pending until deeper investigation. 
-+ rules: -+ - sshd_use_strong_kex -+ - sshd_strong_kex=cis_rhel9 -+ -+ - id: 5.1.6 -+ title: Ensure sshd MACs are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - configure_custom_crypto_policy_cis -+ -+ - id: 5.1.7 -+ title: Ensure sshd access is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_limit_user_access -+ -+ - id: 5.1.8 -+ title: Ensure sshd Banner is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_enable_warning_banner_net -+ related_rules: -+ - sshd_enable_warning_banner -+ -+ - id: 5.1.9 -+ title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ The requirement gives an example of 45 seconds, but is flexible about the values. It is only -+ necessary to ensure there is a timeout configured in alignment to the site policy. 
-+ rules: -+ - sshd_idle_timeout_value=5_minutes -+ - sshd_set_idle_timeout -+ - sshd_set_keepalive -+ - var_sshd_set_keepalive=1 -+ -+ - id: 5.1.10 -+ title: Ensure sshd DisableForwarding is enabled (Automated) -+ levels: -+ - l2_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_disable_forwarding -+ related_rules: -+ - sshd_disable_tcp_forwarding -+ - sshd_disable_x11_forwarding -+ -+ - id: 5.1.11 -+ title: Ensure sshd GSSAPIAuthentication is disabled (Automated) -+ levels: -+ - l2_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ Introduced in CIS RHEL9 v2.0.0 -+ rules: -+ - sshd_disable_gssapi_auth -+ -+ - id: 5.1.12 -+ title: Ensure sshd HostbasedAuthentication is disabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - disable_host_auth -+ -+ - id: 5.1.13 -+ title: Ensure sshd IgnoreRhosts is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_disable_rhosts -+ -+ - id: 5.1.14 -+ title: Ensure sshd LoginGraceTime is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_set_login_grace_time -+ - var_sshd_set_login_grace_time=60 -+ -+ - id: 5.1.15 -+ title: Ensure sshd LogLevel is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ The CIS benchmark is not opinionated about which loglevel is selected here. Here, this -+ profile uses VERBOSE by default, as it allows for the capture of login and logout activity -+ as well as key fingerprints. 
-+ rules: -+ - sshd_set_loglevel_verbose -+ related_rules: -+ - sshd_set_loglevel_info -+ -+ - id: 5.1.16 -+ title: Ensure sshd MaxAuthTries is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_max_auth_tries_value=4 -+ - sshd_set_max_auth_tries -+ -+ - id: 5.1.17 -+ title: Ensure sshd MaxStartups is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_set_maxstartups -+ - var_sshd_set_maxstartups=10:30:60 -+ -+ - id: 5.1.18 -+ title: Ensure sshd MaxSessions is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_set_max_sessions -+ - var_sshd_max_sessions=10 -+ -+ - id: 5.1.19 -+ title: Ensure sshd PermitEmptyPasswords is disabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_disable_empty_passwords -+ -+ - id: 5.1.20 -+ title: Ensure sshd PermitRootLogin is disabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_disable_root_login -+ -+ - id: 5.1.21 -+ title: Ensure sshd PermitUserEnvironment is disabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_do_not_permit_user_env -+ -+ - id: 5.1.22 -+ title: Ensure sshd UsePAM is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sshd_enable_pam -+ -+ - id: 5.2.1 -+ title: Ensure sudo is installed (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - package_sudo_installed -+ -+ - id: 5.2.2 -+ title: Ensure sudo commands use pty (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sudo_add_use_pty -+ -+ - id: 5.2.3 -+ title: Ensure sudo log file exists (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sudo_custom_logfile 
-+ -+ - id: 5.2.4 -+ title: Ensure users must provide password for escalation (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - sudo_require_authentication -+ -+ - id: 5.2.5 -+ title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sudo_require_reauthentication -+ -+ - id: 5.2.6 -+ title: Ensure sudo authentication timeout is configured correctly (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - sudo_require_reauthentication -+ -+ - id: 5.2.7 -+ title: Ensure access to the su command is restricted (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ Members of "wheel" or GID 0 groups are checked by default if the group option is not set for -+ pam_wheel.so module. The recommendation states the group should be empty to reinforce the -+ use of "sudo" for privileged access. Therefore, members of these groups should be manually -+ checked or a different group should be informed. -+ rules: -+ - var_pam_wheel_group_for_su=cis -+ - use_pam_wheel_group_for_su -+ - ensure_pam_wheel_group_empty -+ -+ - id: 5.3.1.1 -+ title: Ensure latest version of pam is installed (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: pending -+ notes: |- -+ It is necessary a new rule to ensure PAM package is updated. -+ -+ - id: 5.3.1.2 -+ title: Ensure latest version of authselect is installed (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: pending -+ notes: |- -+ It is necessary a new rule to ensure authselect package is updated. -+ -+ - id: 5.3.1.3 -+ title: Ensure latest version of libpwquality is installed (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: pending -+ notes: |- -+ It is necessary a new rule to ensure libpwquality package is updated. 
-+ rules: -+ - package_pam_pwquality_installed -+ -+ - id: 5.3.2.1 -+ title: Ensure active authselect profile includes pam modules (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: partial -+ notes: |- -+ This requirement is hard to be automated without any specific requirement. The policy even -+ states that provided commands are examples, other custom settings might be in place and the -+ settings might be different depending on site policies. The other rules will already make -+ sure there is a correct autheselect profile regardless of the existing settings. It is -+ necessary to better discuss with CIS Community. -+ related_rules: -+ - no_empty_passwords -+ -+ - id: 5.3.2.2 -+ title: Ensure pam_faillock module is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ This requirement is also indirectly satisfied by the requirement 5.3.3.1. -+ rules: -+ - account_password_pam_faillock_password_auth -+ - account_password_pam_faillock_system_auth -+ -+ - id: 5.3.2.3 -+ title: Ensure pam_pwquality module is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ This requirement is also indirectly satisfied by the requirement 5.3.3.2. -+ related_rules: -+ - package_pam_pwquality_installed -+ -+ - id: 5.3.2.4 -+ title: Ensure pam_pwhistory module is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ The module is properly enabled by the rules mentioned in related_rules. -+ Requirements in 5.3.3.3 use these rules. -+ related_rules: -+ - accounts_password_pam_pwhistory_remember_password_auth -+ - accounts_password_pam_pwhistory_remember_system_auth -+ -+ - id: 5.3.2.5 -+ title: Ensure pam_unix module is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: partial -+ notes: |- -+ This module is always present by default. 
It is necessary to investigate if a new rule to -+ check its existence needs to be created. But so far the rule no_empty_passwords, used in -+ 5.3.3.4 can ensure this requirement is attended. -+ related_rules: -+ - no_empty_passwords -+ -+ - id: 5.3.3.1.1 -+ title: Ensure password failed attempts lockout is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - accounts_passwords_pam_faillock_deny -+ - var_accounts_passwords_pam_faillock_deny=5 -+ -+ - id: 5.3.3.1.2 -+ title: Ensure password unlock time is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ The policy also accepts value 0, which means the locked accounts should be manually unlocked -+ by an administrator. However, it also mentions that using value 0 can facilitate a DoS -+ attack to legitimate users. -+ rules: -+ - accounts_passwords_pam_faillock_unlock_time -+ - var_accounts_passwords_pam_faillock_unlock_time=900 -+ -+ - id: 5.3.3.1.3 -+ title: Ensure password failed attempts lockout includes root account (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - accounts_passwords_pam_faillock_deny_root -+ -+ - id: 5.3.3.2.1 -+ title: Ensure password number of changed characters is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - accounts_password_pam_difok -+ - var_password_pam_difok=2 -+ -+ - id: 5.3.3.2.2 -+ title: Ensure password length is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - accounts_password_pam_minlen -+ - var_password_pam_minlen=14 -+ -+ - id: 5.3.3.2.3 -+ title: Ensure password complexity is configured (Manual) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ This requirement is expected to be manual. 
However, in previous versions of the policy -+ it was already automated the configuration of "minclass" option. This posture was kept for -+ RHEL 9 in this new version. Rules related to other options are informed in related_rules. -+ In short, minclass=4 alone can achieve the same result achieved by the combination of the -+ other 4 options mentioned in the policy. -+ rules: -+ - accounts_password_pam_minclass -+ - var_password_pam_minclass=4 -+ related_rules: -+ - accounts_password_pam_dcredit -+ - accounts_password_pam_lcredit -+ - accounts_password_pam_ocredit -+ - accounts_password_pam_ucredit -+ -+ - id: 5.3.3.2.4 -+ title: Ensure password same consecutive characters is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - accounts_password_pam_maxrepeat -+ - var_password_pam_maxrepeat=3 -+ -+ - id: 5.3.3.2.5 -+ title: Ensure password maximum sequential characters is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - accounts_password_pam_maxsequence -+ - var_password_pam_maxsequence=3 -+ -+ - id: 5.3.3.2.6 -+ title: Ensure password dictionary check is enabled (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - accounts_password_pam_dictcheck -+ - var_password_pam_dictcheck=1 -+ -+ - id: 5.3.3.2.7 -+ title: Ensure password quality is enforced for the root user (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - accounts_password_pam_enforce_root -+ -+ - id: 5.3.3.3.1 -+ title: Ensure password history remember is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ Although mentioned in the section 5.3.3.3, there is no explicit requirement to configure -+ retry option of pam_pwhistory. If come in the future, the rule accounts_password_pam_retry -+ can be used. 
-+ rules: -+ - accounts_password_pam_pwhistory_remember_password_auth -+ - accounts_password_pam_pwhistory_remember_system_auth -+ - var_password_pam_remember_control_flag=requisite_or_required -+ - var_password_pam_remember=24 -+ related_rules: -+ - accounts_password_pam_retry -+ -+ - id: 5.3.3.3.2 -+ title: Ensure password history is enforced for the root user (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: planned -+ notes: |- -+ A new rule needs to be created to check and remediate the enforce_for_root option in -+ /etc/security/pwhistory.conf. accounts_password_pam_enforce_root can be used as reference. -+ -+ - id: 5.3.3.3.3 -+ title: Ensure pam_pwhistory includes use_authtok (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: partial -+ notes: |- -+ In RHEL 9 pam_pwhistory is enabled via authselect feature, as required in 5.3.2.4. The -+ feature automatically set "use_authok" option. In any case, we don't have a rule to check -+ this option specifically. -+ related_rules: -+ - accounts_password_pam_pwhistory_remember_password_auth -+ - accounts_password_pam_pwhistory_remember_system_auth -+ -+ - id: 5.3.3.4.1 -+ title: Ensure pam_unix does not include nullok (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ The rule more specifically used in this requirement also satify the requirement 5.3.2.5. -+ rules: -+ - no_empty_passwords -+ -+ - id: 5.3.3.4.2 -+ title: Ensure pam_unix does not include remember (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: pending -+ notes: |- -+ Usage of pam_unix.so module together with "remember" option is deprecated and is not -+ recommened by this policy. Instead, it should be used remember option of pam_pwhistory -+ module, as required in 5.3.3.3.1. 
See here for more details about pam_unix.so: -+ https://bugzilla.redhat.com/show_bug.cgi?id=1778929 -+ A new rule needs to be created to remove the remember option from pam_unix module. -+ -+ - id: 5.3.3.4.3 -+ title: Ensure pam_unix includes a strong password hashing algorithm (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ notes: |- -+ Changes in logindefs mentioned in this requirement are more specifically covered by 5.4.1.4 -+ rules: -+ - set_password_hashing_algorithm_systemauth -+ - set_password_hashing_algorithm_passwordauth -+ - var_password_hashing_algorithm_pam=sha512 -+ -+ - id: 5.3.3.4.4 -+ title: Ensure pam_unix includes use_authtok (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: partial -+ notes: |- -+ In RHEL 9 pam_unix is enabled by default in all authselect profiles already with the -+ use_authtok option set. In any case, we don't have a rule to check this option specifically, -+ like in 5.3.3.3.3. -+ -+ - id: 5.4.1.1 -+ title: Ensure password expiration is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - accounts_maximum_age_login_defs -+ - var_accounts_maximum_age_login_defs=365 -+ - accounts_password_set_max_life_existing -+ -+ - id: 5.4.1.2 -+ title: Ensure minimum password days is configured (Automated) -+ levels: -+ - l2_server -+ - l2_workstation -+ status: automated -+ rules: -+ - accounts_minimum_age_login_defs -+ - var_accounts_minimum_age_login_defs=1 -+ - accounts_password_set_min_life_existing -+ -+ - id: 5.4.1.3 -+ title: Ensure password expiration warning days is configured (Automated) -+ levels: -+ - l1_server -+ - l1_workstation -+ status: automated -+ rules: -+ - accounts_password_warn_age_login_defs -+ - var_accounts_password_warn_age_login_defs=7 -+ - accounts_password_set_warn_age_existing -+ -+ - id: 5.4.1.4 -+ title: Ensure strong password hashing algorithm is configured (Automated) -+ levels: -+ - l1_server -+ - 
l1_workstation
-+ status: automated
-+ rules:
-+ - set_password_hashing_algorithm_libuserconf
-+ - set_password_hashing_algorithm_logindefs
-+ - var_password_hashing_algorithm=SHA512
-+ - var_password_hashing_algorithm_pam=sha512
-+
-+ - id: 5.4.1.5
-+ title: Ensure inactive password lock is configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - account_disable_post_pw_expiration
-+ - accounts_set_post_pw_existing
-+ - var_account_disable_post_pw_expiration=45
-+
-+ - id: 5.4.1.6
-+ title: Ensure all users last password change date is in the past (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - accounts_password_last_change_is_in_past
-+
-+ - id: 5.4.2.1
-+ title: Ensure root is the only UID 0 account (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - accounts_no_uid_except_zero
-+
-+ - id: 5.4.2.2
-+ title: Ensure root is the only GID 0 account (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: partial
-+ notes: |-
-+ The rule confirms the primary group for root, but doesn't check if any other user are also
-+ using GID 0. New rule is necessary.
-+ There is assessment but no automated remediation for this rule and this sounds reasonable.
-+ rules:
-+ - accounts_root_gid_zero
-+
-+ - id: 5.4.2.3
-+ title: Ensure group root is the only GID 0 group (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ notes: |-
-+ There is assessment but no automated remediation for this rule and this sounds reasonable.
-+ rules:
-+ - groups_no_zero_gid_except_root
-+
-+ - id: 5.4.2.4
-+ title: Ensure root account access is controlled (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - ensure_root_password_configured
-+
-+ - id: 5.4.2.5
-+ title: Ensure root path integrity (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - accounts_root_path_dirs_no_write
-+ - root_path_no_dot
-+ - no_dirs_unowned_by_root
-+ - root_path_all_dirs
-+
-+ - id: 5.4.2.6
-+ title: Ensure root user umask is configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: pending
-+ notes: |-
-+ There is no rule to ensure umask in /root/.bash_profile and /root/.bashrc. A new rule have
-+ to be created. It can be based on accounts_umask_interactive_users.
-+
-+ - id: 5.4.2.7
-+ title: Ensure system accounts do not have a valid login shell (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - no_password_auth_for_systemaccounts
-+ - no_shelllogin_for_systemaccounts
-+
-+ - id: 5.4.2.8
-+ title: Ensure accounts without a valid login shell are locked (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: pending
-+ notes: |-
-+ Introduced in CIS RHEL9 v2.0.0.
-+ New rule is necessary.
-+
-+ - id: 5.4.3.1
-+ title: Ensure nologin is not listed in /etc/shells (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: pending
-+ notes: |-
-+ It is necessary to create a new rule to check and remove nologin from /etc/shells.
-+ The no_tmux_in_shells rule can be used as referece.
-+
-+ - id: 5.4.3.2
-+ title: Ensure default user shell timeout is configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - accounts_tmout
-+ - var_accounts_tmout=15_min
-+
-+ - id: 5.4.3.3
-+ title: Ensure default user umask is configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - accounts_umask_etc_bashrc
-+ - accounts_umask_etc_login_defs
-+ - accounts_umask_etc_profile
-+ - var_accounts_user_umask=027
-+
-+ - id: 6.1.1
-+ title: Ensure AIDE is installed (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - package_aide_installed
-+ - aide_build_database
-+
-+ - id: 6.1.2
-+ title: Ensure filesystem integrity is regularly checked (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - aide_periodic_cron_checking
-+
-+ - id: 6.1.3
-+ title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - aide_check_audit_tools
-+ related_rules:
-+ - aide_use_fips_hashes
-+
-+ - id: 6.2.1.1
-+ title: Ensure journald service is enabled and active (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - service_systemd-journald_enabled
-+
-+ - id: 6.2.1.2
-+ title: Ensure journald log file access is configured (Manual)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: manual
-+
-+ - id: 6.2.1.3
-+ title: Ensure journald log file rotation is configured (Manual)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: manual
-+
-+ - id: 6.2.1.4
-+ title: Ensure only one logging system is in use (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: pending
-+ notes: |-
-+ It is necessary to create a new rule to check the status of journald and rsyslog.
-+ It would also be necessary a new rule to disable or remove rsyslog.
-+
-+ - id: 6.2.2.1.1
-+ title: Ensure systemd-journal-remote is installed (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - package_systemd-journal-remote_installed
-+
-+ - id: 6.2.2.1.2
-+ title: Ensure systemd-journal-upload authentication is configured (Manual)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: manual
-+
-+ - id: 6.2.2.1.3
-+ title: Ensure systemd-journal-upload is enabled and active (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: pending
-+ notes: |-
-+ Introduced in CIS RHEL9 v2.0.0.
-+ New templated rule is necessary.
-+
-+ - id: 6.2.2.1.4
-+ title: Ensure systemd-journal-remote service is not in use (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - socket_systemd-journal-remote_disabled
-+
-+ - id: 6.2.2.2
-+ title: Ensure journald ForwardToSyslog is disabled (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: pending
-+ notes: |-
-+ This rule conflicts with 6.2.3.3. More investigation is needed to properly solve this.
-+ related_rules:
-+ - journald_forward_to_syslog
-+
-+ - id: 6.2.2.3
-+ title: Ensure journald Compress is configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - journald_compress
-+
-+ - id: 6.2.2.4
-+ title: Ensure journald Storage is configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - journald_storage
-+
-+ - id: 6.2.3.1
-+ title: Ensure rsyslog is installed (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: supported
-+ related_rules:
-+ - package_rsyslog_installed
-+
-+ - id: 6.2.3.2
-+ title: Ensure rsyslog service is enabled and active (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: supported
-+ related_rules:
-+ - service_rsyslog_enabled
-+
-+ - id: 6.2.3.3
-+ title: Ensure journald is configured to send logs to rsyslog (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: supported
-+ related_rules:
-+ - journald_forward_to_syslog
-+
-+ - id: 6.2.3.4
-+ title: Ensure rsyslog log file creation mode is configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: supported
-+ related_rules:
-+ - rsyslog_filecreatemode
-+
-+ - id: 6.2.3.5
-+ title: Ensure rsyslog logging is configured (Manual)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: manual
-+
-+ - id: 6.2.3.6
-+ title: Ensure rsyslog is configured to send logs to a remote log host (Manual)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: manual
-+ related_rules:
-+ - rsyslog_remote_loghost
-+
-+ - id: 6.2.3.7
-+ title: Ensure rsyslog is not configured to receive logs from a remote client (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: supported
-+ related_rules:
-+ - rsyslog_nolisten
-+
-+ - id: 6.2.3.8
-+ title: Ensure rsyslog logrotate is configured (Manual)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: manual
-+ related_rules:
-+ - ensure_logrotate_activated
-+ -
package_logrotate_installed
-+ - timer_logrotate_enabled
-+
-+ - id: 6.2.4.1
-+ title: Ensure access to all logfiles has been configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ notes: |-
-+ It is not harmful to run these rules even if rsyslog is not installed or active.
-+ rules:
-+ - rsyslog_files_groupownership
-+ - rsyslog_files_ownership
-+ - rsyslog_files_permissions
-+
-+ - id: 6.3.1.1
-+ title: Ensure auditd packages are installed (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - package_audit_installed
-+ - package_audit-libs_installed
-+
-+ - id: 6.3.1.2
-+ title: Ensure auditing for processes that start prior to auditd is enabled (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - grub2_audit_argument
-+
-+ - id: 6.3.1.3
-+ title: Ensure audit_backlog_limit is sufficient (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - grub2_audit_backlog_limit_argument
-+ - var_audit_backlog_limit=8192
-+
-+ - id: 6.3.1.4
-+ title: Ensure auditd service is enabled and active (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - service_auditd_enabled
-+
-+ - id: 6.3.2.1
-+ title: Ensure audit log storage size is configured (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - auditd_data_retention_max_log_file
-+ - var_auditd_max_log_file=6
-+
-+ - id: 6.3.2.2
-+ title: Ensure audit logs are not automatically deleted (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - auditd_data_retention_max_log_file_action
-+ - var_auditd_max_log_file_action=keep_logs
-+
-+ - id: 6.3.2.3
-+ title: Ensure system is disabled when audit logs are full (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - auditd_data_disk_error_action
-+ -
auditd_data_disk_full_action
-+ - var_auditd_disk_error_action=cis_rhel9
-+ - var_auditd_disk_full_action=cis_rhel9
-+
-+ - id: 6.3.2.4
-+ title: Ensure system warns when audit logs are low on space (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - auditd_data_retention_action_mail_acct
-+ - auditd_data_retention_admin_space_left_action
-+ - auditd_data_retention_space_left_action
-+ - var_auditd_action_mail_acct=root
-+ - var_auditd_admin_space_left_action=cis_rhel9
-+ - var_auditd_space_left_action=cis_rhel9
-+
-+ - id: 6.3.3.1
-+ title: Ensure changes to system administration scope (sudoers) is collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_sysadmin_actions
-+
-+ - id: 6.3.3.2
-+ title: Ensure actions as another user are always logged (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_suid_auid_privilege_function
-+
-+ - id: 6.3.3.3
-+ title: Ensure events that modify the sudo log file are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_sudo_log_events
-+
-+ - id: 6.3.3.4
-+ title: Ensure events that modify date and time information are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_time_adjtimex
-+ - audit_rules_time_settimeofday
-+ - audit_rules_time_clock_settime
-+ - audit_rules_time_watch_localtime
-+ related_rules:
-+ - audit_rules_time_stime
-+
-+ - id: 6.3.3.5
-+ title: Ensure events that modify the system's network environment are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: partial
-+ rules:
-+ - audit_rules_networkconfig_modification
-+ - audit_rules_networkconfig_modification_hostname_file
-+ - audit_rules_networkconfig_modification_network_scripts
-+ - audit_rules_networkconfig_modification_networkmanager
-+
-+ - id:
6.3.3.6
-+ title: Ensure use of privileged commands are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_privileged_commands
-+
-+ - id: 6.3.3.7
-+ title: Ensure unsuccessful file access attempts are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_unsuccessful_file_modification_creat
-+ - audit_rules_unsuccessful_file_modification_ftruncate
-+ - audit_rules_unsuccessful_file_modification_open
-+ - audit_rules_unsuccessful_file_modification_openat
-+ - audit_rules_unsuccessful_file_modification_truncate
-+
-+ - id: 6.3.3.8
-+ title: Ensure events that modify user/group information are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_usergroup_modification_group
-+ - audit_rules_usergroup_modification_gshadow
-+ - audit_rules_usergroup_modification_opasswd
-+ - audit_rules_usergroup_modification_passwd
-+ - audit_rules_usergroup_modification_shadow
-+ - audit_rules_usergroup_modification_nsswitch_conf
-+ - audit_rules_usergroup_modification_pam_conf
-+ - audit_rules_usergroup_modification_pamd
-+
-+ - id: 6.3.3.9
-+ title: Ensure discretionary access control permission modification events are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_dac_modification_chmod
-+ - audit_rules_dac_modification_chown
-+ - audit_rules_dac_modification_fchmod
-+ - audit_rules_dac_modification_fchmodat
-+ - audit_rules_dac_modification_fchown
-+ - audit_rules_dac_modification_fchownat
-+ - audit_rules_dac_modification_fremovexattr
-+ - audit_rules_dac_modification_fsetxattr
-+ - audit_rules_dac_modification_lchown
-+ - audit_rules_dac_modification_lremovexattr
-+ - audit_rules_dac_modification_lsetxattr
-+ - audit_rules_dac_modification_removexattr
-+ - audit_rules_dac_modification_setxattr
-+
-+ - id: 6.3.3.10
-+ title:
Ensure successful file system mounts are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_media_export
-+
-+ - id: 6.3.3.11
-+ title: Ensure session initiation information is collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_session_events_utmp
-+ - audit_rules_session_events_btmp
-+ - audit_rules_session_events_wtmp
-+
-+ - id: 6.3.3.12
-+ title: Ensure login and logout events are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_login_events_faillock
-+ - audit_rules_login_events_lastlog
-+ - var_accounts_passwords_pam_faillock_dir=run
-+
-+ - id: 6.3.3.13
-+ title: Ensure file deletion events by users are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_file_deletion_events_rename
-+ - audit_rules_file_deletion_events_renameat
-+ - audit_rules_file_deletion_events_unlink
-+ - audit_rules_file_deletion_events_unlinkat
-+
-+ - id: 6.3.3.14
-+ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_mac_modification
-+ - audit_rules_mac_modification_usr_share
-+
-+ - id: 6.3.3.15
-+ title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_execution_chcon
-+
-+ - id: 6.3.3.16
-+ title: Ensure successful and unsuccessful attempts to use the setfacl command are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_execution_setfacl
-+
-+ - id: 6.3.3.17
-+ title: Ensure successful and unsuccessful attempts to use the chacl command are collected (Automated)
-+ levels:
-+ -
l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_execution_chacl
-+
-+ - id: 6.3.3.18
-+ title: Ensure successful and unsuccessful attempts to use the usermod command are collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_privileged_commands_usermod
-+
-+ - id: 6.3.3.19
-+ title: Ensure kernel module loading unloading and modification is collected (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_kernel_module_loading_create
-+ - audit_rules_kernel_module_loading_delete
-+ - audit_rules_kernel_module_loading_finit
-+ - audit_rules_kernel_module_loading_init
-+ - audit_rules_kernel_module_loading_query
-+ - audit_rules_privileged_commands_kmod
-+
-+ - id: 6.3.3.20
-+ title: Ensure the audit configuration is immutable (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - audit_rules_immutable
-+
-+ - id: 6.3.3.21
-+ title: Ensure the running and on disk configuration is the same (Manual)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: manual
-+
-+ - id: 6.3.4.1
-+ title: Ensure the audit log file directory mode is configured (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - directory_permissions_var_log_audit
-+
-+ - id: 6.3.4.2
-+ title: Ensure audit log files mode is configured (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - file_permissions_var_log_audit
-+
-+ - id: 6.3.4.3
-+ title: Ensure audit log files owner is configured (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - file_ownership_var_log_audit_stig
-+
-+ - id: 6.3.4.4
-+ title: Ensure audit log files group owner is configured (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - file_group_ownership_var_log_audit
-+
-+ - id: 6.3.4.5
-+
title: Ensure audit configuration files mode is configured (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - file_permissions_audit_configuration
-+
-+ - id: 6.3.4.6
-+ title: Ensure audit configuration files owner is configured (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - file_ownership_audit_configuration
-+
-+ - id: 6.3.4.7
-+ title: Ensure audit configuration files group owner is configured (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - file_groupownership_audit_configuration
-+
-+ - id: 6.3.4.8
-+ title: Ensure audit tools mode is configured (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - file_permissions_audit_binaries
-+
-+ - id: 6.3.4.9
-+ title: Ensure audit tools owner is configured (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - file_ownership_audit_binaries
-+
-+ - id: 6.3.4.10
-+ title: Ensure audit tools group owner is configured (Automated)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: automated
-+ rules:
-+ - file_groupownership_audit_binaries
-+
-+ - id: 7.1.1
-+ title: Ensure permissions on /etc/passwd are configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - file_groupowner_etc_passwd
-+ - file_owner_etc_passwd
-+ - file_permissions_etc_passwd
-+
-+ - id: 7.1.2
-+ title: Ensure permissions on /etc/passwd- are configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - file_groupowner_backup_etc_passwd
-+ - file_owner_backup_etc_passwd
-+ - file_permissions_backup_etc_passwd
-+
-+ - id: 7.1.3
-+ title: Ensure permissions on /etc/group are configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - file_groupowner_etc_group
-+ - file_owner_etc_group
-+ -
file_permissions_etc_group
-+
-+ - id: 7.1.4
-+ title: Ensure permissions on /etc/group- are configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - file_groupowner_backup_etc_group
-+ - file_owner_backup_etc_group
-+ - file_permissions_backup_etc_group
-+
-+ - id: 7.1.5
-+ title: Ensure permissions on /etc/shadow are configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - file_owner_etc_shadow
-+ - file_groupowner_etc_shadow
-+ - file_permissions_etc_shadow
-+
-+ - id: 7.1.6
-+ title: Ensure permissions on /etc/shadow- are configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - file_groupowner_backup_etc_shadow
-+ - file_owner_backup_etc_shadow
-+ - file_permissions_backup_etc_shadow
-+
-+ - id: 7.1.7
-+ title: Ensure permissions on /etc/gshadow are configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - file_groupowner_etc_gshadow
-+ - file_owner_etc_gshadow
-+ - file_permissions_etc_gshadow
-+
-+ - id: 7.1.8
-+ title: Ensure permissions on /etc/gshadow- are configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - file_groupowner_backup_etc_gshadow
-+ - file_owner_backup_etc_gshadow
-+ - file_permissions_backup_etc_gshadow
-+
-+ - id: 7.1.9
-+ title: Ensure permissions on /etc/shells are configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - file_groupowner_etc_shells
-+ - file_owner_etc_shells
-+ - file_permissions_etc_shells
-+
-+ - id: 7.1.10
-+ title: Ensure permissions on /etc/security/opasswd are configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: partial
-+ rules:
-+ # TODO: We need another rule that checks /etc/security/opasswd.old
-+ - file_etc_security_opasswd
-+
-+ - id: 7.1.11
-+ title: Ensure world writable files and directories are
secured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - file_permissions_unauthorized_world_writable
-+ - dir_perms_world_writable_sticky_bits
-+
-+ - id: 7.1.12
-+ title: Ensure no files or directories without an owner and a group exist (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: partial
-+ rules:
-+ # TODO: add rules for unowned/ungrouped directories
-+ - no_files_unowned_by_user
-+ - file_permissions_ungroupowned
-+
-+ - id: 7.1.13
-+ title: Ensure SUID and SGID files are reviewed (Manual)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: manual
-+ related_rules:
-+ - file_permissions_unauthorized_suid
-+ - file_permissions_unauthorized_sgid
-+
-+ - id: 7.1.14
-+ title: Audit system file permissions (Manual)
-+ levels:
-+ - l2_server
-+ - l2_workstation
-+ status: manual
-+ related_rules:
-+ - rpm_verify_permissions
-+ - rpm_verify_ownership
-+
-+ - id: 7.2.1
-+ title: Ensure accounts in /etc/passwd use shadowed passwords (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - accounts_password_all_shadowed
-+
-+ - id: 7.2.2
-+ title: Ensure /etc/shadow password fields are not empty (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - no_empty_passwords_etc_shadow
-+
-+ - id: 7.2.3
-+ title: Ensure all groups in /etc/passwd exist in /etc/group (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - gid_passwd_group_same
-+
-+ - id: 7.2.4
-+ title: Ensure no duplicate UIDs exist (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - account_unique_id
-+
-+ - id: 7.2.5
-+ title: Ensure no duplicate GIDs exist (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - group_unique_id
-+
-+ - id: 7.2.6
-+ title: Ensure no duplicate user names exist (Automated)
-+ levels:
-+ - l1_server
-+ -
l1_workstation
-+ status: automated
-+ rules:
-+ - account_unique_name
-+
-+ - id: 7.2.7
-+ title: Ensure no duplicate group names exist (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - group_unique_name
-+
-+ - id: 7.2.8
-+ title: Ensure local interactive user home directories are configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ status: automated
-+ rules:
-+ - accounts_user_interactive_home_directory_exists
-+ - file_ownership_home_directories
-+ - file_permissions_home_directories
-+ related_rules:
-+ - file_groupownership_home_directories
-+
-+ - id: 7.2.9
-+ title: Ensure local interactive user dot files access is configured (Automated)
-+ levels:
-+ - l1_server
-+ - l1_workstation
-+ notes: |-
-+ Missing a rule to check that .bash_history is mode 0600 or more restrictive.
-+ status: partial
-+ rules:
-+ - accounts_user_dot_group_ownership
-+ - accounts_user_dot_user_ownership
-+ - accounts_user_dot_no_world_writable_programs
-+ - file_permission_user_init_files
-+ - var_user_initialization_files_regex=all_dotfiles
-+ - no_forward_files
-+ - no_netrc_files
-+ - no_rsh_trust_files
-+ related_rules:
-+ - accounts_users_netrc_file_permissions
-diff --git a/products/almalinux9/controls/stig_rhel9.yml b/products/almalinux9/controls/stig_rhel9.yml
-new file mode 100644
-index 000000000..b4eb65598
---- /dev/null
-+++ b/products/almalinux9/controls/stig_rhel9.yml
-@@ -0,0 +1,3889 @@
-+---
-+policy: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
-+title: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
-+id: stig_rhel9
-+source: https://www.cyber.mil/stigs/downloads/
-+version: V2R4
-+reference_type: stigid
-+product: rhel9
-+
-+levels:
-+ - id: high
-+ - id: medium
-+ - id: low
-+
-+controls:
-+ - id: needed_rules
-+ levels:
-+ - medium
-+ rules:
-+ - enable_authselect
-+ - var_authselect_profile=sssd
-+
-+ - id: RHEL-09-171011
-+ levels:
-+ - medium
-+ rules:
-+ - dconf_gnome_login_banner_text
-+ - id: RHEL-09-211010
-+ levels:
-+ - high
-+ title: RHEL 9 must be a vendor-supported release.
-+ rules:
-+ - installed_OS_is_vendor_supported
-+ status: automated
-+
-+ - id: RHEL-09-211015
-+ levels:
-+ - medium
-+ title: RHEL 9 vendor packaged system security patches and updates must be installed and up to date.
-+ rules:
-+ - security_patches_up_to_date
-+ status: automated
-+
-+ - id: RHEL-09-211020
-+ levels:
-+ - medium
-+ title: RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting
-+ local or remote access to the system via a command line user logon.
-+ rules:
-+ - banner_etc_issue
-+ - login_banner_text=dod_banners
-+ status: automated
-+
-+ - id: RHEL-09-211030
-+ levels:
-+ - medium
-+ title: The graphical display manager must not be the default target on RHEL 9 unless approved.
-+ rules:
-+ - xwindows_runlevel_target
-+ status: automated
-+
-+ - id: RHEL-09-211035
-+ levels:
-+ - low
-+ title: RHEL 9 must enable the hardware random number generator entropy gatherer service.
-+ related_rules:
-+ - service_rngd_enabled # This rule is causing test failures, See https://github.com/ComplianceAsCode/content/pull/10153
-+ status: pending
-+
-+ - id: RHEL-09-211040
-+ levels:
-+ - medium
-+ title: RHEL 9 systemd-journald service must be enabled.
-+ rules:
-+ - service_systemd-journald_enabled
-+ status: automated
-+
-+ - id: RHEL-09-211045
-+ levels:
-+ - high
-+ title: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.
-+ rules:
-+ - disable_ctrlaltdel_burstaction
-+ status: automated
-+
-+ - id: RHEL-09-211050
-+ levels:
-+ - high
-+ title: The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.
-+ rules:
-+ - disable_ctrlaltdel_reboot
-+ status: automated
-+
-+ - id: RHEL-09-211055
-+ levels:
-+ - medium
-+ title: RHEL 9 debug-shell systemd service must be disabled.
-+ status: automated
-+ rules:
-+ - service_debug-shell_disabled
-+
-+ - id: RHEL-09-212010
-+ levels:
-+ - medium
-+ title: RHEL 9 must require a boot loader superuser password.
-+ rules:
-+ - grub2_password
-+ status: automated
-+
-+ - id: RHEL-09-212015
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable the ability of systemd to spawn an interactive boot process.
-+ rules:
-+ - grub2_disable_interactive_boot
-+ status: automated
-+
-+ - id: RHEL-09-212020
-+ levels:
-+ - high
-+ title: RHEL 9 must require a unique superusers name upon booting into single-user and maintenance
-+ modes.
-+ rules:
-+ - grub2_admin_username
-+ status: automated
-+
-+ - id: RHEL-09-212025
-+ levels:
-+ - medium
-+ title: RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.
-+ rules:
-+ - file_groupowner_grub2_cfg
-+ status: automated
-+
-+ - id: RHEL-09-212030
-+ levels:
-+ - medium
-+ title: RHEL 9 /boot/grub2/grub.cfg file must be owned by root.
-+ rules:
-+ - file_owner_grub2_cfg
-+ status: automated
-+
-+ - id: RHEL-09-212035
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable virtual system calls.
-+ rules:
-+ - grub2_vsyscall_argument
-+ status: automated
-+
-+ - id: RHEL-09-212040
-+ levels:
-+ - medium
-+ title: RHEL 9 must clear the page allocator to prevent use-after-free attacks.
-+ rules:
-+ - grub2_page_poison_argument
-+ status: automated
-+
-+ - id: RHEL-09-212045
-+ levels:
-+ - medium
-+ title: RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.
-+ rules:
-+ - grub2_init_on_free
-+ status: automated
-+
-+ - id: RHEL-09-212050
-+ levels:
-+ - low
-+ title: RHEL 9 must enable mitigations against processor-based vulnerabilities.
-+ rules:
-+ - grub2_pti_argument
-+ status: automated
-+
-+ - id: RHEL-09-212055
-+ levels:
-+ - low
-+ title: RHEL 9 must enable auditing of processes that start prior to the audit daemon.
-+ rules:
-+ - grub2_audit_argument
-+ status: automated
-+
-+ - id: RHEL-09-213010
-+ levels:
-+ - medium
-+ title: RHEL 9 must restrict access to the kernel message buffer.
-+ rules:
-+ - sysctl_kernel_dmesg_restrict
-+ status: automated
-+
-+ - id: RHEL-09-213015
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent kernel profiling by nonprivileged users.
-+ rules:
-+ - sysctl_kernel_perf_event_paranoid
-+ status: automated
-+
-+ - id: RHEL-09-213020
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent the loading of a new kernel for later execution.
-+ rules:
-+ - sysctl_kernel_kexec_load_disabled
-+ status: automated
-+
-+ - id: RHEL-09-213025
-+ levels:
-+ - medium
-+ title: RHEL 9 must restrict exposed kernel pointer addresses access.
-+ rules:
-+ - sysctl_kernel_kptr_restrict
-+ status: automated
-+
-+ - id: RHEL-09-213030
-+ levels:
-+ - medium
-+ title: RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
-+ rules:
-+ - sysctl_fs_protected_hardlinks
-+ status: automated
-+
-+ - id: RHEL-09-213035
-+ levels:
-+ - medium
-+ title: RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.
-+ rules:
-+ - sysctl_fs_protected_symlinks
-+ status: automated
-+
-+ - id: RHEL-09-213040
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable the kernel.core_pattern.
-+ rules:
-+ - sysctl_kernel_core_pattern
-+ status: automated
-+
-+ - id: RHEL-09-213045
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.
-+ rules:
-+ - kernel_module_atm_disabled
-+ status: automated
-+
-+ - id: RHEL-09-213050
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured to disable the Controller Area Network kernel module.
-+ rules:
-+ - kernel_module_can_disabled
-+ status: automated
-+
-+ - id: RHEL-09-213055
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured to disable the FireWire kernel module.
-+ rules:
-+ - kernel_module_firewire-core_disabled
-+ status: automated
-+
-+ - id: RHEL-09-213060
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
-+ rules:
-+ - kernel_module_sctp_disabled
-+ status: automated
-+
-+ - id: RHEL-09-213065
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
-+ rules:
-+ - kernel_module_tipc_disabled
-+ status: automated
-+
-+ - id: RHEL-09-213070
-+ levels:
-+ - medium
-+ title: RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from
-+ unauthorized code execution.
-+ rules:
-+ - sysctl_kernel_randomize_va_space
-+ status: automated
-+
-+ - id: RHEL-09-213075
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable access to network bpf system call from nonprivileged processes.
-+ rules:
-+ - sysctl_kernel_unprivileged_bpf_disabled
-+ status: automated
-+
-+ - id: RHEL-09-213080
-+ levels:
-+ - medium
-+ title: RHEL 9 must restrict usage of ptrace to descendant processes.
-+ rules:
-+ - sysctl_kernel_yama_ptrace_scope
-+ status: automated
-+
-+ - id: RHEL-09-213085
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable core dump backtraces.
-+ rules:
-+ - coredump_disable_backtraces
-+ status: automated
-+
-+ - id: RHEL-09-213090
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable storing core dumps.
-+ rules:
-+ - coredump_disable_storage
-+ status: automated
-+
-+ - id: RHEL-09-213095
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable core dumps for all users.
-+ rules:
-+ - disable_users_coredumps
-+ status: automated
-+
-+ - id: RHEL-09-213100
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable acquiring, saving, and processing core dumps.
-+ rules:
-+ - service_systemd-coredump_disabled
-+ status: automated
-+
-+ - id: RHEL-09-213105
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable the use of user namespaces.
-+ rules:
-+ - sysctl_user_max_user_namespaces_no_remediation
-+ status: automated
-+
-+ - id: RHEL-09-213110
-+ levels:
-+ - medium
-+ title: RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
-+ rules:
-+ - sysctl_kernel_exec_shield
-+ status: automated
-+
-+ - id: RHEL-09-213115
-+ levels:
-+ - medium
-+ title: The kdump service on RHEL 9 must be disabled.
-+ rules:
-+ - service_kdump_disabled
-+ status: automated
-+
-+ - id: RHEL-09-214010
-+ levels:
-+ - medium
-+ title: RHEL 9 must ensure cryptographic verification of vendor software packages.
-+ rules:
-+ - ensure_almalinux_gpgkey_installed
-+ status: automated
-+
-+ - id: RHEL-09-214015
-+ levels:
-+ - high
-+ title: RHEL 9 must check the GPG signature of software packages originating from external software
-+ repositories before installation.
-+ rules:
-+ - ensure_gpgcheck_globally_activated
-+ status: automated
-+
-+ - id: RHEL-09-214020
-+ levels:
-+ - high
-+ title: RHEL 9 must check the GPG signature of locally installed software packages before installation.
-+ rules:
-+ - ensure_gpgcheck_local_packages
-+ status: automated
-+
-+ - id: RHEL-09-214025
-+ levels:
-+ - high
-+ title: RHEL 9 must have GPG signature verification enabled for all software repositories.
-+ rules:
-+ - ensure_gpgcheck_never_disabled
-+ status: automated
-+
-+ - id: RHEL-09-214030
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured so that the cryptographic hashes of system files match vendor
-+ values.
-+ related_rules:
-+ - rpm_verify_hashes # Due to crypto policies this cannot be selected at this time
-+ status: pending
-+
-+ - id: RHEL-09-214035
-+ levels:
-+ - low
-+ title: RHEL 9 must remove all software components after updated versions have been installed.
-+ rules:
-+ - clean_components_post_updating
-+ status: automated
-+
-+ - id: RHEL-09-215010
-+ levels:
-+ - medium
-+ title: RHEL 9 subscription-manager package must be installed.
-+ rules:
-+ - package_subscription-manager_installed
-+ status: automated
-+
-+ - id: RHEL-09-215015
-+ levels:
-+ - high
-+ title: RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.
-+ rules:
-+ - package_vsftpd_removed
-+ status: automated
-+
-+ - id: RHEL-09-215020
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have the sendmail package installed.
-+ rules:
-+ - package_sendmail_removed
-+ status: automated
-+
-+ - id: RHEL-09-215025
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have the nfs-utils package installed.
-+ rules:
-+ - package_nfs-utils_removed
-+ status: automated
-+
-+ - id: RHEL-09-215030
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have the ypserv package installed.
-+ related_rules:
-+ - package_ypserv_removed
-+ status: not applicable # The ypserv package is not available in RHEL 9
-+
-+ - id: RHEL-09-215035
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have the rsh-server package installed.
-+ related_rules:
-+ - package_rsh-server_removed
-+ status: not applicable # The rsh-server package is not available in RHEL 9
-+
-+ - id: RHEL-09-215040
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have the telnet-server package installed.
-+ rules:
-+ - package_telnet-server_removed
-+ status: automated
-+
-+ - id: RHEL-09-215045
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have the gssproxy package installed.
-+ rules:
-+ - package_gssproxy_removed
-+ status: automated
-+
-+ - id: RHEL-09-215050
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have the iprutils package installed.
-+ rules:
-+ - package_iprutils_removed
-+ status: automated
-+
-+ - id: RHEL-09-215055
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have the tuned package installed.
-+ rules:
-+ - package_tuned_removed
-+ status: automated
-+
-+ - id: RHEL-09-215060
-+ levels:
-+ - high
-+ title: RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
-+ rules:
-+ - package_tftp-server_removed
-+ status: automated
-+
-+ - id: RHEL-09-215065
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have the quagga package installed.
-+ related_rules:
-+ - package_quagga_removed
-+ status: not applicable # The quagga package is not available in RHEL 9
-+
-+ - id: RHEL-09-215070
-+ levels:
-+ - medium
-+ title: A graphical display manager must not be installed on RHEL 9 unless approved.
-+ rules:
-+ - xwindows_remove_packages
-+ status: automated
-+
-+ - id: RHEL-09-215075
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the openssl-pkcs11 package installed.
-+ rules:
-+ - install_smartcard_packages
-+ status: automated
-+
-+ - id: RHEL-09-215080
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the gnutls-utils package installed.
-+ rules:
-+ - package_gnutls-utils_installed
-+ status: automated
-+
-+ - id: RHEL-09-215085
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the nss-tools package installed.
-+ rules:
-+ - package_nss-tools_installed
-+ status: automated
-+
-+ - id: RHEL-09-215090
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the rng-tools package installed.
-+ rules:
-+ - package_rng-tools_installed
-+ status: automated
-+
-+ - id: RHEL-09-215095
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the s-nail package installed.
-+ rules:
-+ - package_s-nail_installed
-+ status: automated
-+
-+ - id: RHEL-09-215100
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the crypto-policies package installed.
-+ rules:
-+ - package_crypto-policies_installed
-+ status: automated
-+
-+ - id: RHEL-09-215101
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the Postfix package installed.
-+ status: automated
-+ rules:
-+ - package_postfix_installed
-+
-+ - id: RHEL-09-215105
-+ levels:
-+ - medium
-+ title: RHEL 9 must implement a FIPS 140-3 compliant systemwide cryptographic policy.
-+ rules:
-+ - configure_crypto_policy
-+ - fips_crypto_subpolicy
-+ - fips_custom_stig_sub_policy
-+ status: automated
-+
-+ - id: RHEL-09-231010
-+ levels:
-+ - medium
-+ title: A separate RHEL 9 file system must be used for user home directories (such as /home or an
-+ equivalent).
-+ rules:
-+ - partition_for_home
-+ status: automated
-+
-+ - id: RHEL-09-231015
-+ levels:
-+ - medium
-+ title: RHEL 9 must use a separate file system for /tmp.
-+ rules:
-+ - partition_for_tmp
-+ status: automated
-+
-+ - id: RHEL-09-231020
-+ levels:
-+ - low
-+ title: RHEL 9 must use a separate file system for /var.
-+ rules:
-+ - partition_for_var
-+ status: automated
-+
-+ - id: RHEL-09-231025
-+ levels:
-+ - low
-+ title: RHEL 9 must use a separate file system for /var/log.
-+ rules:
-+ - partition_for_var_log
-+ status: automated
-+
-+ - id: RHEL-09-231030
-+ levels:
-+ - low
-+ title: RHEL 9 must use a separate file system for the system audit data path.
-+ rules:
-+ - partition_for_var_log_audit
-+ status: automated
-+
-+ - id: RHEL-09-231035
-+ levels:
-+ - medium
-+ title: RHEL 9 must use a separate file system for /var/tmp.
-+ rules:
-+ - partition_for_var_tmp
-+ status: automated
-+
-+ - id: RHEL-09-231040
-+ levels:
-+ - medium
-+ title: RHEL 9 file system automount function must be disabled unless required.
-+ rules:
-+ - service_autofs_disabled
-+ status: automated
-+
-+ - id: RHEL-09-231045
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent device files from being interpreted on file systems that contain user
-+ home directories.
-+ rules:
-+ - mount_option_home_nodev
-+ status: automated
-+
-+ - id: RHEL-09-231050
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file
-+ systems that contain user home directories.
-+ rules:
-+ - mount_option_home_nosuid
-+ status: automated
-+
-+ - id: RHEL-09-231055
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent code from being executed on file systems that contain user home directories.
-+ rules:
-+ - mount_option_home_noexec
-+ status: automated
-+
-+ - id: RHEL-09-231065
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent special devices on file systems that are imported via Network File System
-+ (NFS).
-+ rules:
-+ - mount_option_nodev_remote_filesystems
-+ status: automated
-+
-+ - id: RHEL-09-231070
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent code from being executed on file systems that are imported via Network
-+ File System (NFS).
-+ rules:
-+ - mount_option_noexec_remote_filesystems
-+ status: automated
-+
-+ - id: RHEL-09-231075
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file
-+ systems that are imported via Network File System (NFS).
-+ rules:
-+ - mount_option_nosuid_remote_filesystems
-+ status: automated
-+
-+ - id: RHEL-09-231080
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent code from being executed on file systems that are used with removable
-+ media.
-+ rules:
-+ - mount_option_noexec_removable_partitions
-+ status: automated
-+
-+ - id: RHEL-09-231085
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent special devices on file systems that are used with removable media.
-+ rules:
-+ - mount_option_nodev_removable_partitions
-+ status: automated
-+
-+ - id: RHEL-09-231090
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file
-+ systems that are used with removable media.
-+ rules:
-+ - mount_option_nosuid_removable_partitions
-+ status: automated
-+
-+ - id: RHEL-09-231095
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /boot with the nodev option.
-+ rules:
-+ - mount_option_boot_nodev
-+ status: automated
-+
-+ - id: RHEL-09-231100
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the
-+ /boot directory.
-+ rules:
-+ - mount_option_boot_nosuid
-+ status: automated
-+
-+ - id: RHEL-09-231105
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the
-+ /boot/efi directory.
-+ rules:
-+ - mount_option_boot_efi_nosuid
-+ status: automated
-+
-+ - id: RHEL-09-231110
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /dev/shm with the nodev option.
-+ rules:
-+ - mount_option_dev_shm_nodev
-+ status: automated
-+
-+ - id: RHEL-09-231115
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /dev/shm with the noexec option.
-+ rules:
-+ - mount_option_dev_shm_noexec
-+ status: automated
-+
-+ - id: RHEL-09-231120
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /dev/shm with the nosuid option.
-+ rules:
-+ - mount_option_dev_shm_nosuid
-+ status: automated
-+
-+ - id: RHEL-09-231125
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /tmp with the nodev option.
-+ rules:
-+ - mount_option_tmp_nodev
-+ status: automated
-+
-+ - id: RHEL-09-231130
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /tmp with the noexec option.
-+ rules:
-+ - mount_option_tmp_noexec
-+ status: automated
-+
-+ - id: RHEL-09-231135
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /tmp with the nosuid option.
-+ rules:
-+ - mount_option_tmp_nosuid
-+ status: automated
-+
-+ - id: RHEL-09-231140
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /var with the nodev option.
-+ rules:
-+ - mount_option_var_nodev
-+ status: automated
-+
-+ - id: RHEL-09-231145
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /var/log with the nodev option.
-+ rules:
-+ - mount_option_var_log_nodev
-+ status: automated
-+
-+ - id: RHEL-09-231150
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /var/log with the noexec option.
-+ rules:
-+ - mount_option_var_log_noexec
-+ status: automated
-+
-+ - id: RHEL-09-231155
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /var/log with the nosuid option.
-+ rules:
-+ - mount_option_var_log_nosuid
-+ status: automated
-+
-+ - id: RHEL-09-231160
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /var/log/audit with the nodev option.
-+ rules:
-+ - mount_option_var_log_audit_nodev
-+ status: automated
-+
-+ - id: RHEL-09-231165
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /var/log/audit with the noexec option.
-+ rules:
-+ - mount_option_var_log_audit_noexec
-+ status: automated
-+
-+ - id: RHEL-09-231170
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /var/log/audit with the nosuid option.
-+ rules:
-+ - mount_option_var_log_audit_nosuid
-+ status: automated
-+
-+ - id: RHEL-09-231175
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /var/tmp with the nodev option.
-+ rules:
-+ - mount_option_var_tmp_nodev
-+ status: automated
-+
-+ - id: RHEL-09-231180
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /var/tmp with the noexec option.
-+ rules:
-+ - mount_option_var_tmp_noexec
-+ status: automated
-+
-+ - id: RHEL-09-231185
-+ levels:
-+ - medium
-+ title: RHEL 9 must mount /var/tmp with the nosuid option.
-+ rules:
-+ - mount_option_var_tmp_nosuid
-+ status: automated
-+
-+ - id: RHEL-09-231190
-+ levels:
-+ - high
-+ title: RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized
-+ disclosure or modification of all information that requires at rest protection.
-+ rules:
-+ - encrypt_partitions
-+ status: automated
-+
-+ - id: RHEL-09-231195
-+ levels:
-+ - low
-+ title: RHEL 9 must disable mounting of cramfs.
-+ rules:
-+ - kernel_module_cramfs_disabled
-+ status: automated
-+
-+ - id: RHEL-09-231200
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent special devices on non-root local partitions.
-+ rules:
-+ - mount_option_nodev_nonroot_local_partitions
-+ status: automated
-+
-+ - id: RHEL-09-232010
-+ levels:
-+ - medium
-+ title: RHEL 9 system commands must have mode 755 or less permissive.
-+ rules:
-+ - file_permissions_binary_dirs
-+ status: automated
-+
-+ - id: RHEL-09-232015
-+ levels:
-+ - medium
-+ title: RHEL 9 library directories must have mode 755 or less permissive.
-+ rules:
-+ - dir_permissions_library_dirs
-+ status: automated
-+
-+ - id: RHEL-09-232020
-+ levels:
-+ - medium
-+ title: RHEL 9 library files must have mode 755 or less permissive.
-+ rules:
-+ - file_permissions_library_dirs
-+ status: automated
-+
-+ - id: RHEL-09-232025
-+ levels:
-+ - medium
-+ title: RHEL 9 /var/log directory must have mode 0755 or less permissive.
-+ rules:
-+ - file_permissions_var_log
-+ status: automated
-+
-+ - id: RHEL-09-232030
-+ levels:
-+ - medium
-+ title: RHEL 9 /var/log/messages file must have mode 0640 or less permissive.
-+ rules:
-+ - file_permissions_var_log_messages
-+ status: automated
-+
-+ - id: RHEL-09-232035
-+ levels:
-+ - medium
-+ title: RHEL 9 audit tools must have a mode of 0755 or less permissive.
-+ rules:
-+ - file_audit_tools_permissions
-+ status: automated
-+
-+ - id: RHEL-09-232040
-+ levels:
-+ - medium
-+ title: RHEL 9 cron configuration directories must have a mode of 0700 or less permissive.
-+ rules:
-+ - package_cron_installed
-+ - file_permissions_cron_d
-+ - file_permissions_cron_daily
-+ - file_permissions_cron_hourly
-+ - file_permissions_cron_monthly
-+ - file_permissions_cron_weekly
-+ status: automated
-+
-+ - id: RHEL-09-232045
-+ levels:
-+ - medium
-+ title: All RHEL 9 local initialization files must have mode 0740 or less permissive.
-+ rules:
-+ - file_permission_user_init_files_root
-+ - var_user_initialization_files_regex=all_dotfiles
-+ - rootfiles_configured
-+ status: automated
-+
-+ - id: RHEL-09-232050
-+ levels:
-+ - medium
-+ title: All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.
-+ rules:
-+ - file_permissions_home_directories
-+ status: automated
-+
-+ - id: RHEL-09-232055
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
-+ rules:
-+ - file_permissions_etc_group
-+ status: automated
-+
-+ - id: RHEL-09-232060
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
-+ rules:
-+ - file_permissions_backup_etc_group
-+ status: automated
-+
-+ - id: RHEL-09-232065
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized
-+ access.
-+ rules:
-+ - file_permissions_etc_gshadow
-+ status: automated
-+
-+ - id: RHEL-09-232070
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized
-+ access.
-+ rules:
-+ - file_permissions_backup_etc_gshadow
-+ status: automated
-+
-+ - id: RHEL-09-232075
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
-+ rules:
-+ - file_permissions_etc_passwd
-+ status: automated
-+
-+ - id: RHEL-09-232080
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized
-+ access.
-+ rules:
-+ - file_permissions_backup_etc_passwd
-+ status: automated
-+
-+ - id: RHEL-09-232085
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized
-+ access.
-+ rules:
-+ - file_permissions_backup_etc_shadow
-+ status: automated
-+
-+ - id: RHEL-09-232090
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/group file must be owned by root.
-+ rules:
-+ - file_owner_etc_group
-+ status: automated
-+
-+ - id: RHEL-09-232095
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/group file must be group-owned by root.
-+ rules:
-+ - file_groupowner_etc_group
-+ status: automated
-+
-+ - id: RHEL-09-232100
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/group- file must be owned by root.
-+ rules:
-+ - file_owner_backup_etc_group
-+
-+ - id: RHEL-09-232103
-+ title: RHEL 9 "/etc/audit/" must be owned by root.
-+ levels:
-+ - medium
-+ rules:
-+ - file_ownership_audit_configuration
-+ status: automated
-+
-+ - id: RHEL-09-232104
-+ title: RHEL 9 "/etc/audit/" must be group-owned by root.
-+ levels:
-+ - medium
-+ rules:
-+ - file_groupownership_audit_configuration
-+
-+ - id: RHEL-09-232105
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/group- file must be group-owned by root.
-+ rules:
-+ - file_groupowner_backup_etc_group
-+ status: automated
-+
-+ - id: RHEL-09-232110
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/gshadow file must be owned by root.
-+ rules:
-+ - file_owner_etc_gshadow
-+ status: automated
-+
-+ - id: RHEL-09-232115
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/gshadow file must be group-owned by root.
-+ rules:
-+ - file_groupowner_etc_gshadow
-+ status: automated
-+
-+ - id: RHEL-09-232120
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/gshadow- file must be owned by root.
-+ rules:
-+ - file_owner_backup_etc_gshadow
-+ status: automated
-+
-+ - id: RHEL-09-232125
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/gshadow- file must be group-owned by root.
-+ rules:
-+ - file_groupowner_backup_etc_gshadow
-+ status: automated
-+
-+ - id: RHEL-09-232130
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/passwd file must be owned by root.
-+ rules:
-+ - file_owner_etc_passwd
-+ status: automated
-+
-+ - id: RHEL-09-232135
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/passwd file must be group-owned by root.
-+ rules:
-+ - file_groupowner_etc_passwd
-+ status: automated
-+
-+ - id: RHEL-09-232140
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/passwd- file must be owned by root.
-+ rules:
-+ - file_owner_backup_etc_passwd
-+ status: automated
-+
-+ - id: RHEL-09-232145
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/passwd- file must be group-owned by root.
-+ rules:
-+ - file_groupowner_backup_etc_passwd
-+ status: automated
-+
-+ - id: RHEL-09-232150
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/shadow file must be owned by root.
-+ rules:
-+ - file_owner_etc_shadow
-+ status: automated
-+
-+ - id: RHEL-09-232155
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/shadow file must be group-owned by root.
-+ rules:
-+ - file_groupowner_etc_shadow
-+ status: automated
-+
-+ - id: RHEL-09-232160
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/shadow- file must be owned by root.
-+ rules:
-+ - file_owner_backup_etc_shadow
-+ status: automated
-+
-+ - id: RHEL-09-232165
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/shadow- file must be group-owned by root.
-+ rules:
-+ - file_groupowner_backup_etc_shadow
-+ status: automated
-+
-+ - id: RHEL-09-232170
-+ levels:
-+ - medium
-+ title: RHEL 9 /var/log directory must be owned by root.
-+ rules:
-+ - file_owner_var_log
-+ status: automated
-+
-+ - id: RHEL-09-232175
-+ levels:
-+ - medium
-+ title: RHEL 9 /var/log directory must be group-owned by root.
-+ rules:
-+ - file_groupowner_var_log
-+ status: automated
-+
-+ - id: RHEL-09-232180
-+ levels:
-+ - medium
-+ title: RHEL 9 /var/log/messages file must be owned by root.
-+ rules:
-+ - file_owner_var_log_messages
-+ status: automated
-+
-+ - id: RHEL-09-232185
-+ levels:
-+ - medium
-+ title: RHEL 9 /var/log/messages file must be group-owned by root.
-+ rules:
-+ - file_groupowner_var_log_messages
-+ status: automated
-+
-+ - id: RHEL-09-232190
-+ levels:
-+ - medium
-+ title: RHEL 9 system commands must be owned by root.
-+ rules:
-+ - file_ownership_binary_dirs
-+ status: automated
-+
-+ - id: RHEL-09-232195
-+ levels:
-+ - medium
-+ title: RHEL 9 system commands must be group-owned by root or a system account.
-+ rules:
-+ - file_groupownership_system_commands_dirs
-+ status: automated
-+
-+ - id: RHEL-09-232200
-+ levels:
-+ - medium
-+ title: RHEL 9 library files must be owned by root.
-+ rules:
-+ - file_ownership_library_dirs
-+ status: automated
-+
-+ - id: RHEL-09-232205
-+ levels:
-+ - medium
-+ title: RHEL 9 library files must be group-owned by root or a system account.
-+ rules:
-+ - root_permissions_syslibrary_files
-+ status: automated
-+
-+ - id: RHEL-09-232210
-+ levels:
-+ - medium
-+ title: RHEL 9 library directories must be owned by root.
-+ rules:
-+ - dir_ownership_library_dirs
-+ status: automated
-+
-+ - id: RHEL-09-232215
-+ levels:
-+ - medium
-+ title: RHEL 9 library directories must be group-owned by root or a system account.
-+ rules:
-+ - dir_group_ownership_library_dirs
-+ status: automated
-+
-+ - id: RHEL-09-232220
-+ levels:
-+ - medium
-+ title: RHEL 9 audit tools must be owned by root.
-+ rules:
-+ - file_audit_tools_ownership
-+ status: automated
-+
-+ - id: RHEL-09-232225
-+ levels:
-+ - medium
-+ title: RHEL 9 audit tools must be group-owned by root.
-+ rules:
-+ - file_audit_tools_group_ownership
-+ status: automated
-+
-+ - id: RHEL-09-232230
-+ levels:
-+ - medium
-+ title: RHEL 9 cron configuration files directory must be owned by root.
-+ rules:
-+ - file_owner_cron_d
-+ - file_owner_cron_daily
-+ - file_owner_cron_hourly
-+ - file_owner_cron_monthly
-+ - file_owner_cron_weekly
-+ - file_owner_crontab
-+ - file_owner_cron_deny
-+ status: automated
-+
-+ - id: RHEL-09-232235
-+ levels:
-+ - medium
-+ title: RHEL 9 cron configuration files directory must be group-owned by root.
-+ rules:
-+ - file_groupowner_cron_d
-+ - file_groupowner_cron_daily
-+ - file_groupowner_cron_hourly
-+ - file_groupowner_cron_monthly
-+ - file_groupowner_cron_weekly
-+ - file_groupowner_crontab
-+ - file_groupowner_cron_deny
-+ status: automated
-+
-+ - id: RHEL-09-232240
-+ levels:
-+ - medium
-+ title: All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application
-+ user.
-+ rules:
-+ - dir_perms_world_writable_root_owned
-+ status: automated
-+
-+ - id: RHEL-09-232245
-+ levels:
-+ - medium
-+ title: A sticky bit must be set on all RHEL 9 public directories.
-+ rules:
-+ - dir_perms_world_writable_sticky_bits
-+ status: automated
-+
-+ - id: RHEL-09-232250
-+ levels:
-+ - medium
-+ title: All RHEL 9 local files and directories must have a valid group owner.
-+ rules:
-+ - file_permissions_ungroupowned
-+ status: automated
-+
-+ - id: RHEL-09-232255
-+ levels:
-+ - medium
-+ title: All RHEL 9 local files and directories must have a valid owner.
-+ rules:
-+ - no_files_unowned_by_user
-+ status: automated
-+
-+ - id: RHEL-09-232260
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured so that all system device files are correctly labeled to prevent
-+ unauthorized modification.
-+ rules:
-+ - selinux_all_devicefiles_labeled
-+ status: automated
-+
-+ - id: RHEL-09-232270
-+ levels:
-+ - medium
-+ title: RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
-+ rules:
-+ - file_permissions_etc_shadow
-+ status: automated
-+
-+ - id: RHEL-09-251010
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the firewalld package installed.
-+ rules:
-+ - package_firewalld_installed
-+ status: automated
-+
-+ - id: RHEL-09-251015
-+ levels:
-+ - medium
-+ title: The firewalld service on RHEL 9 must be active.
-+ rules:
-+ - service_firewalld_enabled
-+ status: automated
-+
-+ - id: RHEL-09-251020
-+ levels:
-+ - medium
-+ title: A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections
-+ to other systems.
-+ rules:
-+ - configured_firewalld_default_deny
-+ status: automated
-+
-+ - id: RHEL-09-251030
-+ levels:
-+ - medium
-+ title: RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring
-+ rate-limiting measures on impacted network interfaces are implemented.
-+ rules:
-+ - firewalld-backend
-+ status: automated
-+
-+ - id: RHEL-09-251035
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured to prohibit or restrict the use of functions, ports, protocols,
-+ and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category
-+ Assignments List (CAL) and vulnerability assessments.
-+ rules:
-+ - firewalld_sshd_port_enabled
-+ status: automated
-+
-+ - id: RHEL-09-251040
-+ levels:
-+ - medium
-+ title: RHEL 9 network interfaces must not be in promiscuous mode.
-+ rules:
-+ - network_sniffer_disabled
-+ status: automated
-+
-+ - id: RHEL-09-251045
-+ levels:
-+ - medium
-+ title: RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.
-+ rules:
-+ - sysctl_net_core_bpf_jit_harden
-+ status: automated
-+
-+ - id: RHEL-09-252010
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the chrony package installed.
-+ rules:
-+ - package_chrony_installed
-+ status: automated
-+
-+ - id: RHEL-09-252015
-+ levels:
-+ - medium
-+ title: RHEL 9 chronyd service must be enabled.
-+ rules:
-+ - service_chronyd_enabled
-+ status: automated
-+
-+ - id: RHEL-09-252020
-+ levels:
-+ - medium
-+ title: RHEL 9 must securely compare internal information system clocks at least every 24 hours.
-+ rules:
-+ - chronyd_or_ntpd_set_maxpoll
-+ - chronyd_server_directive
-+ - chronyd_specify_remote_server
-+ - var_multiple_time_servers=stig
-+ - var_time_service_set_maxpoll=18_hours
-+ status: automated
-+
-+ - id: RHEL-09-252025
-+ levels:
-+ - low
-+ title: RHEL 9 must disable the chrony daemon from acting as a server.
-+ rules:
-+ - chronyd_client_only
-+ status: automated
-+
-+ - id: RHEL-09-252030
-+ levels:
-+ - low
-+ title: RHEL 9 must disable network management of the chrony daemon.
-+ rules:
-+ - chronyd_no_chronyc_network
-+ status: automated
-+
-+ - id: RHEL-09-252035
-+ levels:
-+ - medium
-+ title: RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers
-+ configured.
-+ rules:
-+ - network_configure_name_resolution
-+ status: automated
-+
-+ - id: RHEL-09-252040
-+ levels:
-+ - medium
-+ title: RHEL 9 must configure a DNS processing mode set be Network Manager.
-+ rules:
-+ - networkmanager_dns_mode
-+ - var_networkmanager_dns_mode=explicit_default
-+ status: automated
-+
-+ - id: RHEL-09-252045
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have unauthorized IP tunnels configured.
-+ rules:
-+ - libreswan_approved_tunnels
-+ status: automated
-+
-+ - id: RHEL-09-252050
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured to prevent unrestricted mail relaying.
-+ rules:
-+ - postfix_prevent_unrestricted_relay
-+ status: automated
-+
-+ - id: RHEL-09-252060
-+ levels:
-+ - medium
-+ title: RHEL 9 must forward mail from postmaster to the root account using a postfix alias.
-+ rules:
-+ - postfix_client_configure_mail_alias_postmaster
-+ status: automated
-+
-+ - id: RHEL-09-252065
-+ levels:
-+ - medium
-+ title: RHEL 9 libreswan package must be installed.
-+ rules:
-+ - package_libreswan_installed
-+ status: automated
-+
-+ - id: RHEL-09-252070
-+ levels:
-+ - high
-+ title: There must be no shosts.equiv files on RHEL 9.
-+ rules:
-+ - no_host_based_files
-+ status: automated
-+
-+ - id: RHEL-09-252075
-+ levels:
-+ - high
-+ title: There must be no .shosts files on RHEL 9.
-+ rules:
-+ - no_user_host_based_files
-+ status: automated
-+
-+ - id: RHEL-09-253010
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured to use TCP syncookies.
-+ rules:
-+ - sysctl_net_ipv4_tcp_syncookies
-+ status: automated
-+
-+ - id: RHEL-09-253015
-+ levels:
-+ - medium
-+ title: RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol
-+ (ICMP) redirect messages.
-+ rules:
-+ - sysctl_net_ipv4_conf_all_accept_redirects
-+ status: automated
-+
-+ - id: RHEL-09-253020
-+ levels:
-+ - medium
-+ title: RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
-+ rules:
-+ - sysctl_net_ipv4_conf_all_accept_source_route
-+ status: automated
-+
-+ - id: RHEL-09-253025
-+ levels:
-+ - medium
-+ title: RHEL 9 must log IPv4 packets with impossible addresses.
-+ rules:
-+ - sysctl_net_ipv4_conf_all_log_martians
-+ status: automated
-+
-+ - id: RHEL-09-253030
-+ levels:
-+ - medium
-+ title: RHEL 9 must log IPv4 packets with impossible addresses by default.
-+ rules:
-+ - sysctl_net_ipv4_conf_default_log_martians
-+ status: automated
-+
-+ - id: RHEL-09-253035
-+ levels:
-+ - medium
-+ title: RHEL 9 must use reverse path filtering on all IPv4 interfaces.
-+ rules:
-+ - sysctl_net_ipv4_conf_all_rp_filter
-+ status: automated
-+
-+ - id: RHEL-09-253040
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from
-+ being accepted.
-+ rules:
-+ - sysctl_net_ipv4_conf_default_accept_redirects
-+ status: automated
-+
-+ - id: RHEL-09-253045
-+ levels:
-+ - medium
-+ title: RHEL 9 must not forward IPv4 source-routed packets by default.
-+ rules:
-+ - sysctl_net_ipv4_conf_default_accept_source_route
-+ status: automated
-+
-+ - id: RHEL-09-253050
-+ levels:
-+ - medium
-+ title: RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.
-+ rules:
-+ - sysctl_net_ipv4_conf_default_rp_filter
-+ status: automated
-+
-+ - id: RHEL-09-253055
-+ levels:
-+ - medium
-+ title: RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast
-+ address.
-+ rules:
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-+ status: automated
-+
-+ - id: RHEL-09-253060
-+ levels:
-+ - medium
-+ title: RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response
-+ errors logs.
-+ rules:
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-+ status: automated
-+
-+ - id: RHEL-09-253065
-+ levels:
-+ - medium
-+ title: RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.
-+ rules:
-+ - sysctl_net_ipv4_conf_all_send_redirects
-+ status: automated
-+
-+ - id: RHEL-09-253070
-+ levels:
-+ - medium
-+ title: RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects
-+ by default.
-+ rules:
-+ - sysctl_net_ipv4_conf_default_send_redirects
-+ status: automated
-+
-+ - id: RHEL-09-253075
-+ levels:
-+ - medium
-+ title: RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.
-+ rules:
-+ - sysctl_net_ipv4_conf_all_forwarding
-+ status: automated
-+
-+ - id: RHEL-09-254010
-+ levels:
-+ - medium
-+ title: RHEL 9 must not accept router advertisements on all IPv6 interfaces.
-+ rules:
-+ - sysctl_net_ipv6_conf_all_accept_ra
-+ status: automated
-+
-+ - id: RHEL-09-254015
-+ levels:
-+ - medium
-+ title: RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
-+ rules:
-+ - sysctl_net_ipv6_conf_all_accept_redirects
-+ status: automated
-+
-+ - id: RHEL-09-254020
-+ levels:
-+ - medium
-+ title: RHEL 9 must not forward IPv6 source-routed packets.
-+ rules:
-+ - sysctl_net_ipv6_conf_all_accept_source_route
-+ status: automated
-+
-+ - id: RHEL-09-254025
-+ levels:
-+ - medium
-+ title: RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.
-+ rules:
-+ - sysctl_net_ipv6_conf_all_forwarding
-+ status: automated
-+
-+ - id: RHEL-09-254030
-+ levels:
-+ - medium
-+ title: RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.
-+ rules:
-+ - sysctl_net_ipv6_conf_default_accept_ra
-+ status: automated
-+
-+ - id: RHEL-09-254035
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from
-+ being accepted.
-+ rules:
-+ - sysctl_net_ipv6_conf_default_accept_redirects
-+ status: automated
-+
-+ - id: RHEL-09-254040
-+ levels:
-+ - medium
-+ title: RHEL 9 must not forward IPv6 source-routed packets by default.
-+ rules:
-+ - sysctl_net_ipv6_conf_default_accept_source_route
-+ status: automated
-+
-+ - id: RHEL-09-255010
-+ levels:
-+ - medium
-+ title: All RHEL 9 networked systems must have SSH installed.
-+ rules:
-+ - package_openssh-server_installed
-+ status: automated
-+
-+ - id: RHEL-09-255015
-+ levels:
-+ - medium
-+ title: All RHEL 9 networked systems must have and implement SSH to protect the confidentiality
-+ and integrity of transmitted and received information, as well as information during preparation
-+ for transmission.
-+ rules:
-+ - service_sshd_enabled
-+ status: automated
-+
-+ - id: RHEL-09-255020
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the openssh-clients package installed.
-+ rules:
-+ - package_openssh-clients_installed
-+ status: automated
-+
-+ - id: RHEL-09-255025
-+ levels:
-+ - medium
-+ title: RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting
-+ local or remote access to the system via a SSH logon.
-+ rules:
-+ - sshd_enable_warning_banner
-+ status: automated
-+
-+ - id: RHEL-09-255030
-+ levels:
-+ - medium
-+ title: RHEL 9 must log SSH connection attempts and failures to the server.
-+ rules:
-+ - sshd_set_loglevel_verbose
-+ status: automated
-+
-+ - id: RHEL-09-255035
-+ levels:
-+ - medium
-+ title: RHEL 9 SSHD must accept public key authentication.
-+ rules:
-+ - sshd_enable_pubkey_auth
-+ status: automated
-+
-+ - id: RHEL-09-255040
-+ levels:
-+ - high
-+ title: RHEL 9 SSHD must not allow blank passwords.
-+ rules:
-+ - sshd_disable_empty_passwords
-+ status: automated
-+
-+ - id: RHEL-09-255045
-+ levels:
-+ - medium
-+ title: RHEL 9 must not permit direct logons to the root account using remote access via SSH.
-+ rules:
-+ - sshd_disable_root_login
-+ status: automated
-+
-+ - id: RHEL-09-255050
-+ levels:
-+ - high
-+ title: RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
-+ rules:
-+ - sshd_enable_pam
-+ status: automated
-+
-+ - id: RHEL-09-255055
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH daemon must be configured to use system-wide crypto policies.
-+ rules:
-+ - file_sshd_50_redhat_exists
-+ - sshd_include_crypto_policy
-+ status: automated
-+
-+ - id: RHEL-09-255060
-+ levels:
-+ - medium
-+ title: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of
-+ SSH client connections.
-+ rules:
-+ - sshd_include_crypto_policy
-+ status: automated
-+ - id: RHEL-09-255064
-+ title: The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing
-+ FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client
-+ connections.
-+ levels:
-+ - medium
-+ rules:
-+ - harden_sshd_ciphers_openssh_conf_crypto_policy
-+ - sshd_approved_ciphers=stig_rhel9
-+ - id: RHEL-09-255065
-+ levels:
-+ - medium
-+ title: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of
-+ SSH server connections.
-+ rules:
-+ - harden_sshd_ciphers_opensshserver_conf_crypto_policy
-+ - sshd_approved_ciphers=stig_rhel9
-+ status: automated
-+ - id: RHEL-09-255070
-+ levels:
-+ - medium
-+ title: The RHEL 9 SSH client must be configured to use only DOD-approved Message Authentication
-+ Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality
-+ of SSH client connections.
-+ rules:
-+ - harden_sshd_macs_openssh_conf_crypto_policy
-+ - sshd_approved_macs=stig_rhel9
-+
-+ - id: RHEL-09-255075
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing
-+ FIPS 140-3 validated cryptographic hash algorithms.
-+ status: automated
-+ rules:
-+ - harden_sshd_macs_opensshserver_conf_crypto_policy
-+ - sshd_approved_macs=stig_rhel9
-+
-+ - id: RHEL-09-255080
-+ levels:
-+ - medium
-+ title: RHEL 9 must not allow a noncertificate trusted host SSH logon to the system.
-+ rules:
-+ - disable_host_auth
-+ status: automated
-+
-+ - id: RHEL-09-255085
-+ levels:
-+ - medium
-+ title: RHEL 9 must not allow users to override SSH environment variables.
-+ rules:
-+ - sshd_do_not_permit_user_env
-+ status: automated
-+
-+ - id: RHEL-09-255090
-+ levels:
-+ - medium
-+ title: RHEL 9 must force a frequent session key renegotiation for SSH connections to the server.
-+ rules:
-+ - sshd_rekey_limit
-+ - var_rekey_limit_size=1G
-+ - var_rekey_limit_time=1hour
-+ status: automated
-+
-+ - id: RHEL-09-255095
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured so that all network connections associated with SSH traffic terminate
-+ after becoming unresponsive.
-+ rules:
-+ - sshd_set_keepalive
-+ - var_sshd_set_keepalive=1
-+ status: automated
-+
-+ - id: RHEL-09-255100
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured so that all network connections associated with SSH traffic are
-+ terminated after 10 minutes of becoming unresponsive.
-+ rules:
-+ - sshd_set_idle_timeout
-+ - sshd_idle_timeout_value=10_minutes
-+ status: automated
-+
-+ - id: RHEL-09-255105
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH server configuration file must be group-owned by root.
-+ rules:
-+ - file_groupowner_sshd_config
-+ - directory_groupowner_sshd_config_d
-+ - file_groupowner_sshd_drop_in_config
-+ status: automated
-+
-+ - id: RHEL-09-255110
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH server configuration file must be owned by root.
-+ rules:
-+ - file_owner_sshd_config
-+ - directory_owner_sshd_config_d
-+ - file_owner_sshd_drop_in_config
-+ status: automated
-+
-+ - id: RHEL-09-255115
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH server configuration file must have mode 0600 or less permissive.
-+ rules:
-+ - file_permissions_sshd_config
-+ - directory_permissions_sshd_config_d
-+ - file_permissions_sshd_drop_in_config
-+ status: automated
-+
-+ - id: RHEL-09-255120
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH private host key files must have mode 0640 or less permissive.
-+ rules:
-+ - file_permissions_sshd_private_key
-+ status: automated
-+
-+ - id: RHEL-09-255125
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH public host key files must have mode 0644 or less permissive.
-+ rules:
-+ - file_permissions_sshd_pub_key
-+ status: automated
-+
-+ - id: RHEL-09-255130
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH daemon must not allow compression or must only allow compression after successful
-+ authentication.
-+ rules:
-+ - sshd_disable_compression
-+ - var_sshd_disable_compression=no
-+ status: automated
-+
-+ - id: RHEL-09-255135
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH daemon must not allow GSSAPI authentication.
-+ rules:
-+ - sshd_disable_gssapi_auth
-+ status: automated
-+
-+ - id: RHEL-09-255140
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH daemon must not allow Kerberos authentication.
-+ rules:
-+ - sshd_disable_kerb_auth
-+ status: automated
-+
-+ - id: RHEL-09-255145
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH daemon must not allow rhosts authentication.
-+ rules:
-+ - sshd_disable_rhosts
-+ status: automated
-+
-+ - id: RHEL-09-255150
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH daemon must not allow known hosts authentication.
-+ rules:
-+ - sshd_disable_user_known_hosts
-+ status: automated
-+
-+ - id: RHEL-09-255155
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH daemon must disable remote X connections for interactive users.
-+ rules:
-+ - sshd_disable_x11_forwarding
-+ status: automated
-+
-+ - id: RHEL-09-255160
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files.
-+ rules:
-+ - sshd_enable_strictmodes
-+ status: automated
-+
-+ - id: RHEL-09-255165
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH daemon must display the date and time of the last successful account logon upon
-+ an SSH logon.
-+ rules:
-+ - sshd_print_last_log
-+ status: automated
-+
-+ - id: RHEL-09-255175
-+ levels:
-+ - medium
-+ title: RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
-+ rules:
-+ - sshd_x11_use_localhost
-+ status: automated
-+
-+ - id: RHEL-09-271010
-+ levels:
-+ - medium
-+ title: RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting
-+ local or remote access to the system via a graphical user logon.
-+ rules:
-+ - dconf_gnome_banner_enabled
-+ status: automated
-+
-+ - id: RHEL-09-271015
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent a user from overriding the banner-message-enable setting for the graphical
-+ user interface.
-+ rules:
-+ - dconf_gnome_banner_enabled
-+ status: automated
-+
-+ - id: RHEL-09-271020
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable the graphical user interface automount function unless required.
-+ rules:
-+ - dconf_gnome_disable_automount_open
-+ status: automated
-+
-+ - id: RHEL-09-271025
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent a user from overriding the disabling of the graphical user interface
-+ automount function.
-+ rules:
-+ - dconf_gnome_disable_automount_open
-+ status: automated
-+
-+ - id: RHEL-09-271030
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable the graphical user interface autorun function unless required.
-+ rules:
-+ - dconf_gnome_disable_autorun
-+ status: automated
-+
-+ - id: RHEL-09-271035
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent a user from overriding the disabling of the graphical user interface
-+ autorun function.
-+ rules:
-+ - dconf_gnome_disable_autorun
-+ status: automated
-+
-+ - id: RHEL-09-271040
-+ levels:
-+ - high
-+ title: RHEL 9 must not allow unattended or automatic logon via the graphical user interface.
-+ rules:
-+ - gnome_gdm_disable_automatic_login
-+ status: automated
-+
-+ - id: RHEL-09-271045
-+ levels:
-+ - medium
-+ title: RHEL 9 must be able to initiate directly a session lock for all connection types using smart
-+ card when the smart card is removed.
-+ rules:
-+ - dconf_gnome_lock_screen_on_smartcard_removal
-+ status: automated
-+
-+ - id: RHEL-09-271050
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card
-+ removal action.
-+ rules:
-+ - dconf_gnome_lock_screen_on_smartcard_removal
-+ status: automated
-+
-+ - id: RHEL-09-271055
-+ levels:
-+ - medium
-+ title: RHEL 9 must enable a user session lock until that user re-establishes access using established
-+ identification and authentication procedures for graphical user sessions.
-+ rules:
-+ - dconf_gnome_screensaver_lock_enabled
-+ status: automated
-+
-+ - id: RHEL-09-271060
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the
-+ graphical user interface.
-+ rules:
-+ - dconf_gnome_screensaver_lock_enabled
-+ status: automated
-+
-+ - id: RHEL-09-271065
-+ levels:
-+ - medium
-+ title: RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.
-+ rules:
-+ - dconf_gnome_screensaver_idle_delay
-+ status: automated
-+
-+ - id: RHEL-09-271070
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical
-+ user interface.
-+ rules:
-+ - dconf_gnome_session_idle_user_locks
-+ status: automated
-+
-+ - id: RHEL-09-271075
-+ levels:
-+ - medium
-+ title: RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is
-+ activated.
-+ rules:
-+ - dconf_gnome_screensaver_lock_delay
-+ status: automated
-+
-+ - id: RHEL-09-271080
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent a user from overriding the session lock-delay setting for the graphical
-+ user interface.
-+ rules:
-+ - dconf_gnome_screensaver_user_locks
-+ status: automated
-+
-+ - id: RHEL-09-271085
-+ levels:
-+ - medium
-+ title: RHEL 9 must conceal, via the session lock, information previously visible on the display
-+ with a publicly viewable image.
-+ rules:
-+ - dconf_gnome_screensaver_mode_blank
-+ status: automated
-+
-+ - id: RHEL-09-271090
-+ levels:
-+ - medium
-+ title: RHEL 9 effective dconf policy must match the policy keyfiles.
-+ rules:
-+ - dconf_db_up_to_date
-+ status: automated
-+
-+ - id: RHEL-09-271095
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable the ability of a user to restart the system from the login screen.
-+ rules:
-+ - dconf_gnome_disable_restart_shutdown
-+ status: automated
-+
-+ - id: RHEL-09-271100
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical
-+ user interface.
-+ rules:
-+ - dconf_gnome_disable_restart_shutdown
-+ status: automated
-+
-+ - id: RHEL-09-271105
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a
-+ system to shut down or reboot.
-+ rules:
-+ - dconf_gnome_disable_ctrlaltdel_reboot
-+ status: automated
-+
-+ - id: RHEL-09-271110
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical
-+ user interface.
-+ rules:
-+ - dconf_gnome_disable_ctrlaltdel_reboot
-+ status: automated
-+
-+ - id: RHEL-09-271115
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable the user list at logon for graphical user interfaces.
-+ rules:
-+ - dconf_gnome_disable_user_list
-+ status: automated
-+
-+ - id: RHEL-09-291010
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured to disable USB mass storage.
-+ rules:
-+ - kernel_module_usb-storage_disabled
-+ status: automated
-+
-+ - id: RHEL-09-291015
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the USBGuard package installed.
-+ rules:
-+ - package_usbguard_installed
-+ status: automated
-+
-+ - id: RHEL-09-291020
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the USBGuard package enabled.
-+ rules:
-+ - service_usbguard_enabled
-+ status: automated
-+
-+ - id: RHEL-09-291025
-+ levels:
-+ - low
-+ title: RHEL 9 must enable Linux audit logging for the USBGuard daemon.
-+ rules:
-+ - configure_usbguard_auditbackend
-+ status: automated
-+
-+ - id: RHEL-09-291030
-+ levels:
-+ - medium
-+ title: RHEL 9 must block unauthorized peripherals before establishing a connection.
-+ rules:
-+ - usbguard_generate_policy
-+ status: automated
-+
-+ - id: RHEL-09-291035
-+ levels:
-+ - medium
-+ title: RHEL 9 Bluetooth must be disabled.
-+ rules:
-+ - kernel_module_bluetooth_disabled
-+ status: automated
-+
-+ - id: RHEL-09-291040
-+ levels:
-+ - medium
-+ title: RHEL 9 wireless network adapters must be disabled.
-+ rules:
-+ - wireless_disable_interfaces
-+ status: automated
-+
-+ - id: RHEL-09-411010
-+ levels:
-+ - medium
-+ title: RHEL 9 user account passwords for new users or password changes must have a 60-day maximum
-+ password lifetime restriction in /etc/login.defs.
-+ rules:
-+ - accounts_maximum_age_login_defs
-+ status: automated
-+
-+ - id: RHEL-09-411015
-+ levels:
-+ - medium
-+ title: RHEL 9 user account passwords must have a 60-day maximum password lifetime restriction.
-+ rules:
-+ - accounts_password_set_max_life_existing
-+ - var_accounts_maximum_age_login_defs=60
-+ status: automated
-+
-+ - id: RHEL-09-411020
-+ levels:
-+ - medium
-+ title: All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.
-+ rules:
-+ - accounts_have_homedir_login_defs
-+ status: automated
-+
-+ - id: RHEL-09-411025
-+ levels:
-+ - medium
-+ title: RHEL 9 must set the umask value to 077 for all local interactive user accounts.
-+ rules:
-+ - accounts_umask_interactive_users
-+ - var_accounts_user_umask=077
-+ status: automated
-+
-+ - id: RHEL-09-411030
-+ levels:
-+ - medium
-+ title: RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users.
-+ rules:
-+ - account_unique_id
-+ status: automated
-+
-+ - id: RHEL-09-411035
-+ levels:
-+ - medium
-+ title: RHEL 9 system accounts must not have an interactive login shell.
-+ rules:
-+ - no_shelllogin_for_systemaccounts
-+ status: automated
-+
-+ - id: RHEL-09-411040
-+ levels:
-+ - medium
-+ title: RHEL 9 must automatically expire temporary accounts within 72 hours.
-+ rules:
-+ - account_temp_expire_date
-+ status: automated
-+
-+ - id: RHEL-09-411045
-+ levels:
-+ - medium
-+ title: All RHEL 9 interactive users must have a primary group that exists.
-+ rules:
-+ - gid_passwd_group_same
-+ status: automated
-+
-+ - id: RHEL-09-411050
-+ levels:
-+ - medium
-+ title: RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after
-+ 35 days of inactivity.
-+ rules:
-+ - account_disable_post_pw_expiration
-+ - var_account_disable_post_pw_expiration=35
-+ status: automated
-+
-+ - id: RHEL-09-411055
-+ levels:
-+ - medium
-+ title: Executable search paths within the initialization files of all local interactive RHEL 9
-+ users must only contain paths that resolve to the system default or the users home directory.
-+ rules:
-+ - accounts_user_home_paths_only
-+ status: automated
-+
-+ - id: RHEL-09-411060
-+ levels:
-+ - medium
-+ title: All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd
-+ file.
-+ rules:
-+ - accounts_user_interactive_home_directory_defined
-+ status: automated
-+
-+ - id: RHEL-09-411065
-+ levels:
-+ - medium
-+ title: All RHEL 9 local interactive user home directories defined in the /etc/passwd file must
-+ exist.
-+ rules:
-+ - accounts_user_interactive_home_directory_exists
-+ status: automated
-+
-+ - id: RHEL-09-411070
-+ levels:
-+ - medium
-+ title: All RHEL 9 local interactive user home directories must be group-owned by the home directory
-+ owner's primary group.
-+ rules:
-+ - file_groupownership_home_directories
-+ status: automated
-+
-+ - id: RHEL-09-411075
-+ levels:
-+ - medium
-+ title: RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur.
-+ rules:
-+ - accounts_passwords_pam_faillock_deny
-+ - var_accounts_passwords_pam_faillock_deny=3
-+ status: automated
-+
-+ - id: RHEL-09-411080
-+ levels:
-+ - medium
-+ title: RHEL 9 must automatically lock the root account until the root account is released by an
-+ administrator when three unsuccessful logon attempts occur during a 15-minute time period.
-+ rules:
-+ - accounts_passwords_pam_faillock_deny_root
-+ status: automated
-+
-+ - id: RHEL-09-411085
-+ levels:
-+ - medium
-+ title: RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during
-+ a 15-minute time period.
-+ rules:
-+ - accounts_passwords_pam_faillock_interval
-+ - var_accounts_passwords_pam_faillock_fail_interval=900
-+ status: automated
-+
-+ - id: RHEL-09-411090
-+ levels:
-+ - medium
-+ title: RHEL 9 must maintain an account lock until the locked account is released by an administrator.
-+ rules:
-+ - accounts_passwords_pam_faillock_unlock_time
-+ - var_accounts_passwords_pam_faillock_unlock_time=never
-+ status: automated
-+
-+ - id: RHEL-09-411095
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have unauthorized accounts.
-+ rules:
-+ - accounts_authorized_local_users
-+ - var_accounts_authorized_local_users_regex=rhel9
-+ status: automated
-+
-+ - id: RHEL-09-411100
-+ levels:
-+ - high
-+ title: The root account must be the only account having unrestricted access to RHEL 9 system.
-+ rules:
-+ - accounts_no_uid_except_zero
-+ status: automated
-+
-+ - id: RHEL-09-411105
-+ levels:
-+ - medium
-+ title: RHEL 9 must ensure account lockouts persist.
-+ rules:
-+ - accounts_passwords_pam_faillock_dir
-+ status: automated
-+
-+ - id: RHEL-09-411110
-+ levels:
-+ - medium
-+ title: RHEL 9 groups must have unique Group ID (GID).
-+ rules:
-+ - group_unique_id
-+ status: automated
-+
-+ - id: RHEL-09-411115
-+ levels:
-+ - medium
-+ title: Local RHEL 9 initialization files must not execute world-writable programs.
-+ rules:
-+ - accounts_user_dot_no_world_writable_programs
-+ status: automated
-+
-+ - id: RHEL-09-412035
-+ levels:
-+ - medium
-+ title: RHEL 9 must automatically exit interactive command shell user sessions after 15 minutes
-+ of inactivity.
-+ rules:
-+ - accounts_tmout
-+ - var_accounts_tmout=10_min
-+ status: automated
-+
-+ - id: RHEL-09-412040
-+ levels:
-+ - low
-+ title: RHEL 9 must limit the number of concurrent sessions to ten for all accounts and/or account
-+ types.
-+ rules:
-+ - accounts_max_concurrent_login_sessions
-+ - var_accounts_max_concurrent_login_sessions=10
-+ status: automated
-+
-+ - id: RHEL-09-412045
-+ levels:
-+ - medium
-+ title: RHEL 9 must log username information when unsuccessful logon attempts occur.
-+ rules:
-+ - accounts_passwords_pam_faillock_audit
-+ status: automated
-+
-+ - id: RHEL-09-412050
-+ levels:
-+ - medium
-+ title: RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed
-+ logon attempt.
-+ rules:
-+ - accounts_logon_fail_delay
-+ - var_accounts_fail_delay=4
-+ status: automated
-+
-+ - id: RHEL-09-412055
-+ levels:
-+ - medium
-+ title: RHEL 9 must define default permissions for the bash shell.
-+ rules:
-+ - accounts_umask_etc_bashrc
-+ status: automated
-+
-+ - id: RHEL-09-412060
-+ levels:
-+ - medium
-+ title: RHEL 9 must define default permissions for the c shell.
-+ rules:
-+ - accounts_umask_etc_csh_cshrc
-+ status: automated
-+
-+ - id: RHEL-09-412065
-+ levels:
-+ - medium
-+ title: RHEL 9 must define default permissions for all authenticated users in such a way that the
-+ user can only read and modify their own files.
-+ rules:
-+ - accounts_umask_etc_login_defs
-+ status: automated
-+
-+ - id: RHEL-09-412070
-+ levels:
-+ - medium
-+ title: RHEL 9 must define default permissions for the system default profile.
-+ rules:
-+ - accounts_umask_etc_profile
-+ status: automated
-+
-+ - id: RHEL-09-412075
-+ levels:
-+ - low
-+ title: RHEL 9 must display the date and time of the last successful account logon upon logon.
-+ rules:
-+ - display_login_attempts
-+ status: automated
-+
-+ - id: RHEL-09-412080
-+ levels:
-+ - medium
-+ title: RHEL 9 must terminate idle user sessions.
-+ rules:
-+ - logind_session_timeout
-+ - var_logind_session_timeout=15_minutes
-+ status: automated
-+
-+ - id: RHEL-09-431010
-+ levels:
-+ - high
-+ title: RHEL 9 must use a Linux Security Module configured to enforce limits on system services.
-+ rules:
-+ - selinux_state
-+ - var_selinux_state=enforcing
-+ status: automated
-+
-+ - id: RHEL-09-431015
-+ levels:
-+ - medium
-+ title: RHEL 9 must enable the SELinux targeted policy.
-+ rules:
-+ - selinux_policytype
-+ - var_selinux_policy_name=targeted
-+ status: automated
-+
-+ - id: RHEL-09-431016
-+ title: 'RHEL 9 must elevate the SELinux context when an administrator calls the sudo command.'
-+ rules:
-+ - selinux_context_elevation_for_sudo
-+ status: automated
-+
-+ - id: RHEL-09-431020
-+ levels:
-+ - medium
-+ title: RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally
-+ directory.
-+ rules:
-+ - account_password_selinux_faillock_dir
-+ status: automated
-+
-+ - id: RHEL-09-431025
-+ levels:
-+ - medium
-+ title: RHEL 9 must have policycoreutils package installed.
-+ rules:
-+ - package_policycoreutils_installed
-+ status: automated
-+
-+ - id: RHEL-09-431030
-+ levels:
-+ - medium
-+ title: RHEL 9 policycoreutils-python-utils package must be installed.
-+ rules:
-+ - package_policycoreutils-python-utils_installed
-+ status: automated
-+
-+ - id: RHEL-09-432010
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the sudo package installed.
-+ rules:
-+ - package_sudo_installed
-+ status: automated
-+
-+ - id: RHEL-09-432015
-+ levels:
-+ - medium
-+ title: RHEL 9 must require reauthentication when using the "sudo" command.
-+ rules:
-+ - sudo_require_reauthentication
-+ - var_sudo_timestamp_timeout=always_prompt
-+ status: automated
-+
-+ - id: RHEL-09-432020
-+ levels:
-+ - medium
-+ title: RHEL 9 must use the invoking user's password for privilege escalation when using "sudo".
-+ rules:
-+ - sudoers_validate_passwd
-+ status: automated
-+
-+ - id: RHEL-09-432025
-+ levels:
-+ - medium
-+ title: RHEL 9 must require users to reauthenticate for privilege escalation.
-+ rules:
-+ - sudo_remove_no_authenticate
-+ status: automated
-+
-+ - id: RHEL-09-432030
-+ levels:
-+ - medium
-+ title: RHEL 9 must restrict privilege elevation to authorized personnel.
-+ rules:
-+ - sudo_restrict_privilege_elevation_to_authorized
-+ status: automated
-+
-+ - id: RHEL-09-432035
-+ levels:
-+ - medium
-+ title: RHEL 9 must restrict the use of the "su" command.
-+ rules:
-+ - use_pam_wheel_for_su
-+ status: automated
-+
-+ - id: RHEL-09-433010
-+ levels:
-+ - medium
-+ title: RHEL 9 fapolicy module must be installed.
-+ rules:
-+ - package_fapolicyd_installed
-+ status: automated
-+
-+ - id: RHEL-09-433015
-+ levels:
-+ - medium
-+ title: RHEL 9 fapolicy module must be enabled.
-+ rules:
-+ - service_fapolicyd_enabled
-+ status: automated
-+
-+ - id: RHEL-09-433016
-+ levels:
-+ - medium
-+ title: The RHEL 9 fapolicy module must be configured to employ a deny-all, permit-by-exception
-+ policy to allow the execution of authorized software programs.
-+ rules:
-+ - fapolicy_default_deny
-+ status: automated
-+
-+ - id: RHEL-09-611010
-+ levels:
-+ - medium
-+ title: RHEL 9 must ensure the password complexity module in the system-auth file is configured
-+ for three retries or less.
-+ rules:
-+ - accounts_password_pam_pwquality_retry
-+ - var_password_pam_retry=3
-+ status: automated
-+
-+ - id: RHEL-09-611025
-+ levels:
-+ - high
-+ title: RHEL 9 must not allow blank or null passwords.
-+ rules:
-+ - no_empty_passwords
-+ status: automated
-+
-+ - id: RHEL-09-611030
-+ levels:
-+ - medium
-+ title: RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth
-+ file.
-+ rules:
-+ - account_password_pam_faillock_system_auth
-+ status: automated
-+
-+ - id: RHEL-09-611035
-+ levels:
-+ - medium
-+ title: RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth
-+ file.
-+ rules:
-+ - account_password_pam_faillock_password_auth
-+ status: automated
-+
-+ - id: RHEL-09-611040
-+ levels:
-+ - medium
-+ title: RHEL 9 must ensure the password complexity module is enabled in the password-auth file.
-+ rules:
-+ - accounts_password_pam_pwquality_password_auth
-+ status: automated
-+
-+ - id: RHEL-09-611045
-+ levels:
-+ - medium
-+ title: RHEL 9 must ensure the password complexity module is enabled in the system-auth file.
-+ rules:
-+ - accounts_password_pam_pwquality_system_auth
-+ status: automated
-+
-+ - id: RHEL-09-611050
-+ levels:
-+ - medium
-+ title: RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.
-+ rules:
-+ - accounts_password_pam_unix_rounds_password_auth
-+ - var_password_pam_unix_rounds=100000
-+ status: automated
-+
-+ - id: RHEL-09-611055
-+ levels:
-+ - medium
-+ title: RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.
-+ rules:
-+ - accounts_password_pam_unix_rounds_system_auth
-+ status: automated
-+
-+ - id: RHEL-09-611060
-+ levels:
-+ - medium
-+ title: RHEL 9 must enforce password complexity rules for the root account.
-+ rules:
-+ - accounts_password_pam_enforce_root
-+ status: automated
-+
-+ - id: RHEL-09-611065
-+ levels:
-+ - medium
-+ title: RHEL 9 must enforce password complexity by requiring that at least one lowercase character
-+ be used.
-+ rules:
-+ - accounts_password_pam_lcredit
-+ - var_password_pam_lcredit=1
-+ status: automated
-+
-+ - id: RHEL-09-611070
-+ levels:
-+ - medium
-+ title: RHEL 9 must enforce password complexity by requiring that at least one numeric character
-+ be used.
-+ rules:
-+ - accounts_password_pam_dcredit
-+ - var_password_pam_dcredit=1
-+ status: automated
-+
-+ - id: RHEL-09-611075
-+ levels:
-+ - medium
-+ title: RHEL 9 passwords for new users or password changes must have a 24 hours minimum password
-+ lifetime restriction in /etc/login.defs.
-+ rules:
-+ - accounts_minimum_age_login_defs
-+ status: automated
-+
-+ - id: RHEL-09-611080
-+ levels:
-+ - medium
-+ title: RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow.
-+ rules:
-+ - accounts_password_set_min_life_existing
-+ - var_accounts_minimum_age_login_defs=1
-+ status: automated
-+
-+ - id: RHEL-09-611085
-+ levels:
-+ - medium
-+ title: RHEL 9 must require users to provide a password for privilege escalation.
-+ rules:
-+ - sudo_remove_nopasswd
-+ status: automated
-+
-+ - id: RHEL-09-611090
-+ levels:
-+ - medium
-+ title: RHEL 9 passwords must be created with a minimum of 15 characters.
-+ rules:
-+ - accounts_password_pam_minlen
-+ - var_password_pam_minlen=15
-+ status: automated
-+
-+ - id: RHEL-09-611100
-+ levels:
-+ - medium
-+ title: RHEL 9 must enforce password complexity by requiring that at least one special character
-+ be used.
-+ rules:
-+ - accounts_password_pam_ocredit
-+ - var_password_pam_ocredit=1
-+ status: automated
-+
-+ - id: RHEL-09-611105
-+ levels:
-+ - medium
-+ title: RHEL 9 must prevent the use of dictionary words for passwords.
-+ rules:
-+ - accounts_password_pam_dictcheck
-+ - var_password_pam_dictcheck=1
-+ status: automated
-+
-+ - id: RHEL-09-611110
-+ levels:
-+ - medium
-+ title: RHEL 9 must enforce password complexity by requiring that at least one uppercase character
-+ be used.
-+ rules:
-+ - accounts_password_pam_ucredit
-+ - var_password_pam_ucredit=1
-+ status: automated
-+
-+ - id: RHEL-09-611115
-+ levels:
-+ - medium
-+ title: RHEL 9 must require the change of at least eight characters when passwords are changed.
-+ rules:
-+ - accounts_password_pam_difok
-+ - var_password_pam_difok=8
-+ status: automated
-+
-+ - id: RHEL-09-611120
-+ levels:
-+ - medium
-+ title: RHEL 9 must require the maximum number of repeating characters of the same character class
-+ be limited to four when passwords are changed.
-+ rules:
-+ - accounts_password_pam_maxclassrepeat
-+ - var_password_pam_maxclassrepeat=4
-+ status: automated
-+
-+ - id: RHEL-09-611125
-+ levels:
-+ - medium
-+ title: RHEL 9 must require the maximum number of repeating characters be limited to three when
-+ passwords are changed.
-+ rules:
-+ - accounts_password_pam_maxrepeat
-+ - var_password_pam_maxrepeat=3
-+ status: automated
-+
-+ - id: RHEL-09-611130
-+ levels:
-+ - medium
-+ title: RHEL 9 must require the change of at least four character classes when passwords are changed.
-+ rules:
-+ - accounts_password_pam_minclass
-+ - var_password_pam_minclass=4
-+ status: automated
-+
-+ - id: RHEL-09-611135
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured so that user and group account administration utilities are configured
-+ to store only encrypted representations of passwords.
-+ rules:
-+ - set_password_hashing_algorithm_libuserconf
-+ - var_password_hashing_algorithm_pam=sha512
-+ status: automated
-+
-+ - id: RHEL-09-611140
-+ levels:
-+ - medium
-+ title: RHEL 9 must be configured to use the shadow file to store only encrypted representations
-+ of passwords.
-+ rules:
-+ - set_password_hashing_algorithm_logindefs
-+ - var_password_hashing_algorithm=SHA512
-+ status: automated
-+
-+ - id: RHEL-09-611145
-+ levels:
-+ - medium
-+ title: RHEL 9 must not be configured to bypass password requirements for privilege escalation.
-+ rules:
-+ - disallow_bypass_password_sudo
-+ status: automated
-+
-+ - id: RHEL-09-611155
-+ levels:
-+ - medium
-+ title: RHEL 9 must not have accounts configured with blank or null passwords.
-+ rules:
-+ - no_empty_passwords_etc_shadow
-+ status: automated
-+
-+ - id: RHEL-09-611160
-+ levels:
-+ - medium
-+ title: RHEL 9 must use the CAC smart card driver.
-+ rules:
-+ - configure_opensc_card_drivers
-+ - var_smartcard_drivers=cac
-+ status: automated
-+
-+ - id: RHEL-09-611165
-+ levels:
-+ - medium
-+ title: RHEL 9 must enable certificate based smart card authentication.
-+ rules:
-+ - sssd_enable_smartcards
-+ status: automated
-+
-+ - id: RHEL-09-611170
-+ levels:
-+ - medium
-+ title: RHEL 9 must implement certificate status checking for multifactor authentication.
-+ rules:
-+ - sssd_certificate_verification
-+ - var_sssd_certificate_verification_digest_function=sha512
-+ status: automated
-+
-+ - id: RHEL-09-611175
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the pcsc-lite package installed.
-+ rules:
-+ - package_pcsc-lite_installed
-+ status: automated
-+
-+ - id: RHEL-09-611180
-+ levels:
-+ - medium
-+ title: The pcscd service on RHEL 9 must be active.
-+ rules:
-+ - service_pcscd_enabled
-+ status: automated
-+
-+ - id: RHEL-09-611185
-+ levels:
-+ - medium
-+ title: RHEL 9 must have the opensc package installed.
-+ rules:
-+ - package_opensc_installed
-+ status: automated
-+
-+ - id: RHEL-09-611190
-+ levels:
-+ - medium
-+ title: RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding
-+ private key.
-+ rules: -+ - ssh_keys_passphrase_protected -+ status: automated -+ -+ - id: RHEL-09-611195 -+ levels: -+ - medium -+ title: RHEL 9 must require authentication to access emergency mode. -+ rules: -+ - require_emergency_target_auth -+ status: automated -+ -+ - id: RHEL-09-611200 -+ levels: -+ - medium -+ title: RHEL 9 must require authentication to access single-user mode. -+ rules: -+ - require_singleuser_auth -+ status: automated -+ -+ - id: RHEL-09-631010 -+ levels: -+ - medium -+ title: RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification -+ path (which includes status information) to an accepted trust anchor. -+ rules: -+ - sssd_has_trust_anchor -+ status: automated -+ -+ - id: RHEL-09-631015 -+ levels: -+ - medium -+ title: RHEL 9 must map the authenticated identity to the user or group account for PKI-based authentication. -+ rules: -+ - sssd_enable_certmap -+ status: automated -+ -+ - id: RHEL-09-631020 -+ levels: -+ - medium -+ title: RHEL 9 must prohibit the use of cached authenticators after one day. -+ rules: -+ - sssd_offline_cred_expiration -+ status: automated -+ -+ - id: RHEL-09-651010 -+ levels: -+ - medium -+ title: RHEL 9 must have the AIDE package installed. -+ rules: -+ - package_aide_installed -+ - aide_build_database -+ status: automated -+ -+ - id: RHEL-09-651015 -+ levels: -+ - medium -+ title: RHEL 9 must routinely check the baseline configuration for unauthorized changes and notify -+ the system administrator when anomalies in the operation of any security functions are discovered. -+ rules: -+ - aide_scan_notification -+ status: automated -+ -+ - id: RHEL-09-651020 -+ levels: -+ - medium -+ title: RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic -+ hashes for validating file contents and directories. 
-+ rules: -+ - aide_use_fips_hashes -+ status: automated -+ -+ - id: RHEL-09-651025 -+ levels: -+ - medium -+ title: RHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools. -+ rules: -+ - aide_check_audit_tools -+ status: automated -+ -+ - id: RHEL-09-651030 -+ levels: -+ - low -+ title: RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists -+ (ACLs). -+ rules: -+ - aide_verify_acls -+ status: automated -+ -+ - id: RHEL-09-651035 -+ levels: -+ - low -+ title: RHEL 9 must be configured so that the file integrity tool verifies extended attributes. -+ rules: -+ - aide_verify_ext_attributes -+ status: automated -+ -+ - id: RHEL-09-652010 -+ levels: -+ - medium -+ title: RHEL 9 must have the rsyslog package installed. -+ rules: -+ - package_rsyslog_installed -+ status: automated -+ -+ - id: RHEL-09-652015 -+ levels: -+ - medium -+ title: RHEL 9 must have the packages required for encrypting offloaded audit logs installed. -+ rules: -+ - package_rsyslog-gnutls_installed -+ status: automated -+ -+ - id: RHEL-09-652020 -+ levels: -+ - medium -+ title: The rsyslog service on RHEL 9 must be active. -+ rules: -+ - service_rsyslog_enabled -+ status: automated -+ -+ - id: RHEL-09-652025 -+ levels: -+ - medium -+ title: RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other -+ servers unless the server is being used for log aggregation. -+ rules: -+ - rsyslog_nolisten -+ status: automated -+ -+ - id: RHEL-09-652030 -+ levels: -+ - medium -+ title: All RHEL 9 remote access methods must be monitored. -+ rules: -+ - rsyslog_remote_access_monitoring -+ status: automated -+ -+ - id: RHEL-09-652040 -+ levels: -+ - medium -+ title: RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog. 
-+ rules: -+ - rsyslog_encrypt_offload_actionsendstreamdriverauthmode -+ status: automated -+ -+ - id: RHEL-09-652045 -+ levels: -+ - medium -+ title: RHEL 9 must encrypt the transfer of audit records offloaded onto a different system or media -+ from the system being audited via rsyslog. -+ rules: -+ - rsyslog_encrypt_offload_actionsendstreamdrivermode -+ status: automated -+ -+ - id: RHEL-09-652050 -+ levels: -+ - medium -+ title: RHEL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different -+ system or media from the system being audited via rsyslog. -+ rules: -+ - rsyslog_encrypt_offload_defaultnetstreamdriver -+ status: automated -+ -+ - id: RHEL-09-652055 -+ levels: -+ - medium -+ title: RHEL 9 must be configured to forward audit records via TCP to a different system or media -+ from the system being audited via rsyslog. -+ rules: -+ - rsyslog_remote_loghost -+ status: automated -+ -+ - id: RHEL-09-652060 -+ levels: -+ - medium -+ title: RHEL 9 must use cron logging. -+ rules: -+ - rsyslog_cron_logging -+ status: automated -+ -+ - id: RHEL-09-653010 -+ levels: -+ - medium -+ title: RHEL 9 audit package must be installed. -+ rules: -+ - package_audit_installed -+ status: automated -+ -+ - id: RHEL-09-653015 -+ levels: -+ - medium -+ title: RHEL 9 audit service must be enabled. -+ rules: -+ - service_auditd_enabled -+ status: automated -+ -+ - id: RHEL-09-653020 -+ levels: -+ - medium -+ title: RHEL 9 audit system must take appropriate action when an error writing to the audit storage -+ volume occurs. -+ rules: -+ - auditd_data_disk_error_action_stig -+ - var_auditd_disk_error_action=halt -+ status: automated -+ -+ - id: RHEL-09-653025 -+ levels: -+ - medium -+ title: RHEL 9 audit system must take appropriate action when the audit storage volume is full. 
-+ rules: -+ - auditd_data_disk_full_action_stig -+ - var_auditd_disk_full_action=halt -+ status: automated -+ -+ - id: RHEL-09-653030 -+ levels: -+ - medium -+ title: RHEL 9 must allocate audit record storage capacity to store at least one week's worth of -+ audit records. -+ rules: -+ - auditd_audispd_configure_sufficiently_large_partition -+ status: automated -+ -+ - id: RHEL-09-653035 -+ levels: -+ - medium -+ title: RHEL 9 must take action when allocated audit record storage volume reaches 75 percent of -+ the repository maximum audit record storage capacity. -+ rules: -+ - auditd_data_retention_space_left_percentage -+ - var_auditd_space_left_percentage=25pc -+ status: automated -+ -+ - id: RHEL-09-653040 -+ levels: -+ - medium -+ title: RHEL 9 must notify the system administrator (SA) and information system security officer -+ (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. -+ rules: -+ - auditd_data_retention_space_left_action -+ - var_auditd_space_left_action=email -+ status: automated -+ -+ - id: RHEL-09-653045 -+ levels: -+ - medium -+ title: RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of -+ the audit record storage capacity. -+ rules: -+ - auditd_data_retention_admin_space_left_percentage -+ - var_auditd_admin_space_left_percentage=5pc -+ status: automated -+ -+ - id: RHEL-09-653050 -+ levels: -+ - medium -+ title: RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of -+ the repository maximum audit record storage capacity. -+ rules: -+ - auditd_data_retention_admin_space_left_action -+ - var_auditd_admin_space_left_action=single -+ status: automated -+ -+ - id: RHEL-09-653055 -+ levels: -+ - medium -+ title: RHEL 9 audit system must take appropriate action when the audit files have reached maximum -+ size. 
-+ rules: -+ - auditd_data_retention_max_log_file_action_stig -+ - var_auditd_max_log_file_action=rotate -+ status: automated -+ -+ - id: RHEL-09-653060 -+ levels: -+ - medium -+ title: RHEL 9 must label all offloaded audit logs before sending them to the central log server. -+ rules: -+ - auditd_name_format -+ - var_auditd_name_format=stig -+ status: automated -+ -+ - id: RHEL-09-653065 -+ levels: -+ - medium -+ title: RHEL 9 must take appropriate action when the internal event queue is full. -+ rules: -+ - auditd_overflow_action -+ status: automated -+ -+ - id: RHEL-09-653070 -+ levels: -+ - medium -+ title: RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a -+ minimum) must be alerted of an audit processing failure event. -+ rules: -+ - auditd_data_retention_action_mail_acct -+ - var_auditd_action_mail_acct=root -+ status: automated -+ -+ - id: RHEL-09-653075 -+ levels: -+ - medium -+ title: RHEL 9 audit system must audit local events. -+ rules: -+ - auditd_local_events -+ status: automated -+ -+ - id: RHEL-09-653080 -+ levels: -+ - medium -+ title: RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent -+ unauthorized read access. -+ rules: -+ - directory_group_ownership_var_log_audit -+ status: automated -+ -+ - id: RHEL-09-653085 -+ levels: -+ - medium -+ title: RHEL 9 audit log directory must be owned by root to prevent unauthorized read access. -+ rules: -+ - directory_ownership_var_log_audit -+ status: automated -+ -+ - id: RHEL-09-653090 -+ levels: -+ - medium -+ title: RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access -+ to the audit log. -+ rules: -+ - file_permissions_var_log_audit -+ status: automated -+ -+ - id: RHEL-09-653095 -+ levels: -+ - medium -+ title: RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records. 
-+ rules: -+ - auditd_freq -+ - var_auditd_freq=100 -+ status: automated -+ -+ - id: RHEL-09-653100 -+ levels: -+ - medium -+ title: RHEL 9 must produce audit records containing information to establish the identity of any -+ individual or process associated with the event. -+ rules: -+ - auditd_log_format -+ status: automated -+ -+ - id: RHEL-09-653105 -+ levels: -+ - medium -+ title: RHEL 9 must write audit records to disk. -+ rules: -+ - auditd_write_logs -+ status: automated -+ -+ - id: RHEL-09-653110 -+ levels: -+ - medium -+ title: RHEL 9 must allow only the information system security manager (ISSM) (or individuals or -+ roles appointed by the ISSM) to select which auditable events are to be audited. -+ rules: -+ - file_permissions_audit_configuration -+ status: automated -+ -+ - id: RHEL-09-653115 -+ levels: -+ - medium -+ title: RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized -+ access. -+ rules: -+ - file_permissions_etc_audit_auditd -+ status: automated -+ -+ - id: RHEL-09-653120 -+ levels: -+ - low -+ title: RHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that -+ start prior to the audit daemon. -+ rules: -+ - grub2_audit_backlog_limit_argument -+ - var_audit_backlog_limit=8192 -+ status: automated -+ -+ - id: RHEL-09-653125 -+ levels: -+ - medium -+ title: RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and -+ system administrator (SA) (at a minimum) in the event of an audit processing failure. -+ rules: -+ - postfix_client_configure_mail_alias -+ status: automated -+ -+ - id: RHEL-09-653130 -+ levels: -+ - medium -+ title: RHEL 9 audispd-plugins package must be installed. -+ rules: -+ - package_audispd-plugins_installed -+ status: automated -+ -+ - id: RHEL-09-654010 -+ levels: -+ - medium -+ title: RHEL 9 must audit uses of the "execve" system call. 
-+ rules: -+ - audit_rules_suid_privilege_function -+ status: automated -+ -+ - id: RHEL-09-654015 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. -+ rules: -+ - audit_rules_dac_modification_chmod -+ - audit_rules_dac_modification_fchmod -+ - audit_rules_dac_modification_fchmodat -+ status: automated -+ -+ - id: RHEL-09-654020 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. -+ rules: -+ - audit_rules_dac_modification_chown -+ - audit_rules_dac_modification_fchown -+ - audit_rules_dac_modification_fchownat -+ - audit_rules_dac_modification_lchown -+ status: automated -+ -+ - id: RHEL-09-654025 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, -+ and lremovexattr system calls. -+ rules: -+ - audit_rules_dac_modification_setxattr -+ - audit_rules_dac_modification_fsetxattr -+ - audit_rules_dac_modification_lsetxattr -+ - audit_rules_dac_modification_removexattr -+ - audit_rules_dac_modification_fremovexattr -+ - audit_rules_dac_modification_lremovexattr -+ status: automated -+ -+ - id: RHEL-09-654030 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of umount system calls. -+ rules: -+ - audit_rules_privileged_commands_umount -+ status: automated -+ -+ - id: RHEL-09-654035 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the chacl command. -+ rules: -+ - audit_rules_execution_chacl -+ status: automated -+ -+ - id: RHEL-09-654040 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the setfacl command. -+ rules: -+ - audit_rules_execution_setfacl -+ status: automated -+ -+ - id: RHEL-09-654045 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the chcon command. 
-+ rules: -+ - audit_rules_execution_chcon -+ status: automated -+ -+ - id: RHEL-09-654050 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the semanage command. -+ rules: -+ - audit_rules_execution_semanage -+ status: automated -+ -+ - id: RHEL-09-654055 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the setfiles command. -+ rules: -+ - audit_rules_execution_setfiles -+ status: automated -+ -+ - id: RHEL-09-654060 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the setsebool command. -+ rules: -+ - audit_rules_execution_setsebool -+ status: automated -+ -+ - id: RHEL-09-654065 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. -+ rules: -+ - audit_rules_file_deletion_events_rename -+ - audit_rules_file_deletion_events_unlink -+ - audit_rules_file_deletion_events_rmdir -+ - audit_rules_file_deletion_events_renameat -+ - audit_rules_file_deletion_events_unlinkat -+ status: automated -+ -+ - id: RHEL-09-654070 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at -+ system calls. -+ rules: -+ - audit_rules_unsuccessful_file_modification_creat -+ - audit_rules_unsuccessful_file_modification_truncate -+ - audit_rules_unsuccessful_file_modification_ftruncate -+ - audit_rules_unsuccessful_file_modification_open -+ - audit_rules_unsuccessful_file_modification_openat -+ - audit_rules_unsuccessful_file_modification_open_by_handle_at -+ status: automated -+ -+ - id: RHEL-09-654075 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the delete_module system call. -+ rules: -+ - audit_rules_kernel_module_loading_delete -+ status: automated -+ -+ - id: RHEL-09-654080 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the init_module and finit_module system calls. 
-+ rules: -+ - audit_rules_kernel_module_loading_finit -+ - audit_rules_kernel_module_loading_init -+ status: automated -+ -+ - id: RHEL-09-654085 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the chage command. -+ rules: -+ - audit_rules_privileged_commands_chage -+ status: automated -+ -+ - id: RHEL-09-654090 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the chsh command. -+ rules: -+ - audit_rules_privileged_commands_chsh -+ status: automated -+ -+ - id: RHEL-09-654095 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the crontab command. -+ rules: -+ - audit_rules_privileged_commands_crontab -+ status: automated -+ -+ - id: RHEL-09-654096 -+ title: RHEL 9 must audit any script or executable called by cron as root or by any privileged user. -+ rules: -+ - audit_rules_etc_cron_d -+ - audit_rules_var_spool_cron -+ status: automated -+ -+ - id: RHEL-09-654100 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the gpasswd command. -+ rules: -+ - audit_rules_privileged_commands_gpasswd -+ status: automated -+ -+ - id: RHEL-09-654105 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the kmod command. -+ rules: -+ - audit_rules_privileged_commands_kmod -+ status: automated -+ -+ - id: RHEL-09-654110 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the newgrp command. -+ rules: -+ - audit_rules_privileged_commands_newgrp -+ status: automated -+ -+ - id: RHEL-09-654115 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the pam_timestamp_check command. -+ rules: -+ - audit_rules_privileged_commands_pam_timestamp_check -+ status: automated -+ -+ - id: RHEL-09-654120 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the passwd command. -+ rules: -+ - audit_rules_privileged_commands_passwd -+ status: automated -+ -+ - id: RHEL-09-654125 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the postdrop command. 
-+ rules: -+ - audit_rules_privileged_commands_postdrop -+ status: automated -+ -+ - id: RHEL-09-654130 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the postqueue command. -+ rules: -+ - audit_rules_privileged_commands_postqueue -+ status: automated -+ -+ - id: RHEL-09-654135 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the ssh-agent command. -+ rules: -+ - audit_rules_privileged_commands_ssh_agent -+ status: automated -+ -+ - id: RHEL-09-654140 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the ssh-keysign command. -+ rules: -+ - audit_rules_privileged_commands_ssh_keysign -+ status: automated -+ -+ - id: RHEL-09-654145 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the su command. -+ rules: -+ - audit_rules_privileged_commands_su -+ status: automated -+ -+ - id: RHEL-09-654150 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the sudo command. -+ rules: -+ - audit_rules_privileged_commands_sudo -+ status: automated -+ -+ - id: RHEL-09-654155 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the sudoedit command. -+ rules: -+ - audit_rules_privileged_commands_sudoedit -+ status: automated -+ -+ - id: RHEL-09-654160 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the unix_chkpwd command. -+ rules: -+ - audit_rules_privileged_commands_unix_chkpwd -+ status: automated -+ -+ - id: RHEL-09-654165 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the unix_update command. -+ rules: -+ - audit_rules_privileged_commands_unix_update -+ status: automated -+ -+ - id: RHEL-09-654170 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the userhelper command. -+ rules: -+ - audit_rules_privileged_commands_userhelper -+ status: automated -+ -+ - id: RHEL-09-654175 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the usermod command. 
-+ rules: -+ - audit_rules_privileged_commands_usermod -+ status: automated -+ -+ - id: RHEL-09-654180 -+ levels: -+ - medium -+ title: RHEL 9 must audit all uses of the mount command. -+ rules: -+ - audit_rules_privileged_commands_mount -+ status: automated -+ -+ - id: RHEL-09-654185 -+ levels: -+ - medium -+ title: Successful/unsuccessful uses of the init command in RHEL 9 must generate an audit record. -+ rules: -+ - audit_privileged_commands_init -+ status: automated -+ -+ - id: RHEL-09-654190 -+ levels: -+ - medium -+ title: Successful/unsuccessful uses of the poweroff command in RHEL 9 must generate an audit record. -+ rules: -+ - audit_privileged_commands_poweroff -+ status: automated -+ -+ - id: RHEL-09-654195 -+ levels: -+ - medium -+ title: Successful/unsuccessful uses of the reboot command in RHEL 9 must generate an audit record. -+ rules: -+ - audit_privileged_commands_reboot -+ status: automated -+ -+ - id: RHEL-09-654200 -+ levels: -+ - medium -+ title: Successful/unsuccessful uses of the shutdown command in RHEL 9 must generate an audit record. -+ rules: -+ - audit_privileged_commands_shutdown -+ status: automated -+ -+ - id: RHEL-09-654205 -+ levels: -+ - medium -+ title: Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit -+ record. -+ rules: -+ - audit_rules_dac_modification_umount -+ status: automated -+ -+ - id: RHEL-09-654210 -+ levels: -+ - medium -+ title: Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit -+ record. -+ rules: -+ - audit_rules_dac_modification_umount2 -+ status: automated -+ -+ - id: RHEL-09-654215 -+ levels: -+ - medium -+ title: RHEL 9 must generate audit records for all account creations, modifications, disabling, -+ and termination events that affect /etc/sudoers. 
-+ rules: -+ - audit_rules_sudoers -+ status: automated -+ -+ - id: RHEL-09-654220 -+ levels: -+ - medium -+ title: RHEL 9 must generate audit records for all account creations, modifications, disabling, -+ and termination events that affect /etc/sudoers.d/ directory. -+ rules: -+ - audit_rules_sudoers_d -+ status: automated -+ -+ - id: RHEL-09-654225 -+ levels: -+ - medium -+ title: RHEL 9 must generate audit records for all account creations, modifications, disabling, -+ and termination events that affect /etc/group. -+ rules: -+ - audit_rules_usergroup_modification_group -+ status: automated -+ -+ - id: RHEL-09-654230 -+ levels: -+ - medium -+ title: RHEL 9 must generate audit records for all account creations, modifications, disabling, -+ and termination events that affect /etc/gshadow. -+ rules: -+ - audit_rules_usergroup_modification_gshadow -+ status: automated -+ -+ - id: RHEL-09-654235 -+ levels: -+ - medium -+ title: RHEL 9 must generate audit records for all account creations, modifications, disabling, -+ and termination events that affect /etc/opasswd. -+ rules: -+ - audit_rules_usergroup_modification_opasswd -+ status: automated -+ -+ - id: RHEL-09-654240 -+ levels: -+ - medium -+ title: RHEL 9 must generate audit records for all account creations, modifications, disabling, -+ and termination events that affect /etc/passwd. -+ rules: -+ - audit_rules_usergroup_modification_passwd -+ status: automated -+ -+ - id: RHEL-09-654245 -+ levels: -+ - medium -+ title: RHEL 9 must generate audit records for all account creations, modifications, disabling, -+ and termination events that affect /etc/shadow. -+ rules: -+ - audit_rules_usergroup_modification_shadow -+ status: automated -+ -+ - id: RHEL-09-654250 -+ levels: -+ - medium -+ title: RHEL 9 must generate audit records for all account creations, modifications, disabling, -+ and termination events that affect /var/log/faillock. 
-+ rules: -+ - audit_rules_login_events_faillock -+ status: automated -+ -+ - id: RHEL-09-654255 -+ levels: -+ - medium -+ title: RHEL 9 must generate audit records for all account creations, modifications, disabling, -+ and termination events that affect /var/log/lastlog. -+ rules: -+ - audit_rules_login_events_lastlog -+ status: automated -+ -+ - id: RHEL-09-654260 -+ levels: -+ - medium -+ title: RHEL 9 must generate audit records for all account creations, modifications, disabling, -+ and termination events that affect /var/log/tallylog. -+ rules: -+ - audit_rules_login_events_tallylog -+ status: automated -+ -+ - id: RHEL-09-654265 -+ levels: -+ - medium -+ title: RHEL 9 must take appropriate action when a critical audit processing failure occurs. -+ rules: -+ - audit_rules_system_shutdown -+ status: automated -+ -+ - id: RHEL-09-654270 -+ levels: -+ - medium -+ title: RHEL 9 audit system must protect logon UIDs from unauthorized change. -+ rules: -+ - audit_rules_immutable_login_uids -+ status: automated -+ -+ - id: RHEL-09-654275 -+ levels: -+ - medium -+ title: RHEL 9 audit system must protect auditing rules from unauthorized change. -+ rules: -+ - audit_rules_immutable -+ status: automated -+ -+ - id: RHEL-09-671010 -+ levels: -+ - high -+ title: RHEL 9 must enable FIPS mode. -+ rules: -+ - enable_fips_mode -+ - sysctl_crypto_fips_enabled -+ - var_system_crypto_policy=fips_stig -+ - enable_dracut_fips_module -+ status: automated -+ -+ - id: RHEL-09-671015 -+ levels: -+ - medium -+ title: RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. -+ rules: -+ - accounts_password_all_shadowed_sha512 -+ status: automated -+ -+ - id: RHEL-09-671020 -+ levels: -+ - medium -+ title: RHEL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms. 
-+ rules: -+ - configure_libreswan_crypto_policy -+ status: automated -+ -+ - id: RHEL-09-671025 -+ levels: -+ - medium -+ title: RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 -+ approved cryptographic hashing algorithm for system authentication. -+ rules: -+ - set_password_hashing_algorithm_passwordauth -+ status: automated -+ -+ - id: RHEL-09-672015 -+ levels: -+ - high -+ title: RHEL 9 crypto policy files must match files shipped with the operating system. -+ status: pending -+ -+ - id: RHEL-09-672020 -+ levels: -+ - medium -+ title: RHEL 9 crypto policy must not be overridden. -+ notes: Rules for this control are intentionally not implemented. Checking whether files under /etc/crypto-policies/back-ends/ -+ are symlinks is not an appropriate way to verify the consistency of the system's cryptographic settings. -+ The suggested fix mentioned in the STIG does not fully satisfy its own requirements, as it also symlinks the nss.config file. -+ Furthermore, running sudo 'update-crypto-policies --set FIPS' is not a reliable way to ensure FIPS compliance. Customers should -+ refer to the official Red Hat Documentation and use the 'fips=1' kernel option during system installation to ensure the system is -+ in FIPS mode. -+ More information can be found at https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening -+ status: pending -+ -+ - id: RHEL-09-672025 -+ levels: -+ - medium -+ title: RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive -+ orders, directives, policies, regulations, standards, and guidance for authentication to a -+ cryptographic module. -+ rules: -+ - configure_kerberos_crypto_policy -+ status: automated -+ -+ - id: RHEL-09-672030 -+ levels: -+ - high -+ title: RHEL 9 must implement DOD-approved TLS encryption in the GnuTLS package. 
-+ rules: -+ - configure_crypto_policy -+ status: automated -+ -+ - id: RHEL-09-672050 -+ levels: -+ - medium -+ title: RHEL 9 must implement DOD-approved encryption in the bind package. -+ rules: -+ - configure_bind_crypto_policy -+ status: automated -diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_enhanced-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_enhanced-ks.cfg -new file mode 100644 -index 000000000..0d07761b3 ---- /dev/null -+++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_enhanced-ks.cfg -@@ -0,0 +1,144 @@ -+# SCAP Security Guide ANSSI BP-028 (enhanced) profile kickstart for AlmaLinux OS 9 -+# Version: 0.0.1 -+# Date: 2021-07-13 -+# -+# Based on: -+# https://pykickstart.readthedocs.io/en/latest/ -+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg -+# For more information see the following documentation: -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * 
install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard --vckeymap us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+network --onboot yes --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw -+# to see how to create encrypted password form for different plaintext password -+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. 
-+# grub2-mkpasswd-pbkdf2 -+# to see how to create encrypted password form for different plaintext password -+bootloader --append="audit=1 audit_backlog_limit=8192" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" -+part pv.01 --grow --size=1 -+ -+# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup pv.01 -+ -+# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow -+# Ensure /usr Located On Separate Partition -+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev" -+# Ensure /opt Located On Separate Partition -+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" -+# Ensure /srv Located On Separate Partition -+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" -+# Ensure /home Located On Separate Partition -+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" -+# Ensure /tmp Located On Separate Partition -+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 
--fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_high-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_high-ks.cfg
-new file mode 100644
-index 000000000..d681f0c30
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_high-ks.cfg
-@@ -0,0 +1,148 @@
-+# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for AlmaLinux OS 9
-+# Version: 0.0.1
-+# Date: 2021-07-13
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify 
concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. 
-+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-+# to see how to create encrypted password form for different plaintext password
-+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. 
-+# grub2-mkpasswd-pbkdf2
-+# to see how to create encrypted password form for different plaintext password
-+bootloader --append="audit=1 audit_backlog_limit=8192" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
-+# Ensure /usr Located On Separate Partition
-+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
-+# Ensure /opt Located On Separate Partition
-+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-+# Ensure /srv Located On Separate Partition
-+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 
--fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_intermediary-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_intermediary-ks.cfg
-new file mode 100644
-index 000000000..8c70d06dc
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_intermediary-ks.cfg
-@@ -0,0 +1,144 @@
-+# SCAP Security Guide ANSSI BP-028 (intermediary) profile kickstart for AlmaLinux OS 9
-+# Version: 0.0.1
-+# Date: 2021-07-13
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+#
-+# url 
--url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. 
-+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-+# to see how to create encrypted password form for different plaintext password
-+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. 
-+# grub2-mkpasswd-pbkdf2
-+# to see how to create encrypted password form for different plaintext password
-+bootloader
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
-+# Ensure /usr Located On Separate Partition
-+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
-+# Ensure /opt Located On Separate Partition
-+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-+# Ensure /srv Located On Separate Partition
-+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-+# Ensure /var/log Located On 
Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_minimal-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_minimal-ks.cfg
-new file mode 100644
-index 000000000..b6b49dc1a
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_minimal-ks.cfg
-@@ -0,0 +1,108 @@
-+# SCAP Security Guide ANSSI BP-028 (minimal) profile kickstart for AlmaLinux OS 9
-+# Version: 0.0.1
-+# Date: 2021-07-13
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+# 
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --bootproto dhcp
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g.
-+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-+# to see how to create encrypted password form for different plaintext password
-+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. 
-+# grub2-mkpasswd-pbkdf2
-+# to see how to create encrypted password form for different plaintext password
-+bootloader
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+autopart
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-bsi-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-bsi-ks.cfg
-new file mode 100644
-index 000000000..bcc3c9b78
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-bsi-ks.cfg
-@@ -0,0 +1,150 @@
-+# SCAP Security Guide BSI profile (SYS.1.1 and SYS.1.3) kickstart for AlmaLinux OS 9
-+# Version: 0.0.1
-+# Date: 2025-07-28
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be 
installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+network --onboot yes --device eth0 --bootproto dhcp
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-+# encrypted password form for different plaintext password
-+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+# since BSI is a local profile, we assume German Timezone
-+timezone --utc Europe/Berlin
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create
-+# encrypted password form for different plaintext password
-+bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=4272
-+# Ensure /usr Located On Separate Partition
-+# partition_for_usr
-+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
-+# Ensure /opt Located On Separate Partition
-+# partition_for_opt
-+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024
-+# Ensure /home Located On Separate Partition
-+# partition_for_home
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+# partition_for_tmp
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-+# Ensure /var/tmp Located On Separate Partition
-+# partition_for_var_tmp
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup 
--size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+# partition_for_var
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072
-+# Ensure /var/log Located On Separate Partition
-+# partition_for_var_log
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_bsi
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ccn_advanced-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ccn_advanced-ks.cfg
-new file mode 100644
-index 000000000..df4d86bc2
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-ccn_advanced-ks.cfg
-@@ -0,0 +1,137 @@
-+# SCAP Security Guide CCN profile (Advanced) kickstart for AlmaLinux OS 9
-+# Version: 0.0.1
-+# Date: 2023-07-18
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation. To use a different one comment out
-+# the 'url' one below, update the selected choice with proper options & un-comment it. 
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in.
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+
-+
-+# Set language to use during installation and default language on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the
-+# installer environment (optional):
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --device eth0 --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see
-+# how to create encrypted password form for different plaintext password.
-+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-+
-+# The selected profile may restrict root login.
-+# Add a user that can login and escalate privileges. 
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing.
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create
-+# encrypted password form for different plaintext password.
-+bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger.
-+# Modify size of partitions appropriately to reflect actual machine's hardware.
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_ccn_advanced
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ccn_basic-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ccn_basic-ks.cfg
-new file mode 100644
-index 000000000..5ed7593cd
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-ccn_basic-ks.cfg
-@@ -0,0 +1,137 @@
-+# SCAP Security Guide CCN profile (Basic) kickstart for AlmaLinux OS 9
-+# Version: 0.0.1
-+# Date: 2023-07-18
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# 
Specify installation method to use for installation. To use a different one comment out
-+# the 'url' one below, update the selected choice with proper options & un-comment it.
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in.
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+
-+
-+# Set language to use during installation and default language on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the
-+# installer environment (optional):
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --device eth0 --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see
-+# how to create encrypted password form for different plaintext password.
-+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-+
-+# The selected profile may restrict root login.
-+# Add a user that can login and escalate privileges.
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing.
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create
-+# encrypted password form for different plaintext password.
-+bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger.
-+# Modify size of partitions appropriately to reflect actual machine's hardware.
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_ccn_basic
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ccn_intermediate-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ccn_intermediate-ks.cfg
-new file mode 100644
-index 000000000..6cad9710c
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-ccn_intermediate-ks.cfg
-@@ -0,0 +1,137 @@
-+# SCAP Security Guide CCN profile (Intermediate) kickstart for AlmaLinux OS 9
-+# Version: 0.0.1
-+# Date: 2023-07-18
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# For more information see the following documentation:
-+# 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation. To use a different one comment out
-+# the 'url' one below, update the selected choice with proper options & un-comment it.
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in.
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+
-+
-+# Set language to use during installation and default language on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the
-+# installer environment (optional):
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --device eth0 --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see
-+# how to create encrypted password form for different plaintext password.
-+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-+
-+# The selected profile may restrict root login.
-+# Add a user that can login and escalate privileges.
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing.
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create
-+# encrypted password form for different plaintext password.
-+bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger.
-+# Modify size of partitions appropriately to reflect actual machine's hardware.
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_ccn_intermediate
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis-ks.cfg
-new file mode 100644
-index 000000000..49b6682d6
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-cis-ks.cfg
-@@ -0,0 +1,141 @@
-+# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for AlmaLinux OS 9
-+# Version: 0.0.1
-+# Date: 2021-08-12
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# 
Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --device eth0 --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-+# encrypted password form for different plaintext password
-+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create
-+# encrypted password form for different plaintext password
-+bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol 
/var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_cis
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis_server_l1-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis_server_l1-ks.cfg
-new file mode 100644
-index 000000000..623bf6409
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-cis_server_l1-ks.cfg
-@@ -0,0 +1,141 @@
-+# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for AlmaLinux OS 9
-+# Version: 0.0.1
-+# Date: 2021-08-12
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is 
to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --device eth0 --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-+# encrypted password form for different plaintext password
-+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create
-+# encrypted password form for different plaintext password
-+bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol 
/var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+# -+# For more details and configuration options see -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program -+%addon com_redhat_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_cis_server_l1 -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+%end -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject -diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l1-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l1-ks.cfg -new file mode 100644 -index 000000000..eb1735ceb ---- /dev/null -+++ b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l1-ks.cfg -@@ -0,0 +1,141 @@ -+# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for AlmaLinux OS 9 -+# Version: 0.0.1 -+# Date: 2021-08-12 -+# -+# Based on: -+# https://pykickstart.readthedocs.io/en/latest/ -+# For more information see the following documentation: -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the 
actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+ -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard --vckeymap us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+network --onboot yes --device eth0 --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create -+# encrypted password form for different plaintext password -+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create -+# encrypted password form for different plaintext password -+bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+part /boot --fstype=xfs --size=512 -+part pv.01 --grow --size=1 -+ -+# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup pv.01 -+ -+# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow -+# Ensure /home Located On Separate Partition -+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" -+# Ensure /tmp Located On Separate Partition -+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" -+# Ensure /var/tmp Located On Separate Partition -+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -+# Ensure /var Located On Separate Partition -+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 -+# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 -+# Ensure /var/log/audit Located On Separate Partition -+logvol 
/var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 -+logvol swap --name=swap --vgname=VolGroup --size=2016 -+ -+ -+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) -+# content - security policies - on the installed system.This add-on has been enabled by default -+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this -+# functionality will automatically be installed. However, by default, no policies are enforced, -+# meaning that no checks are performed during or after installation unless specifically configured. -+# -+# Important -+# Applying a security policy is not necessary on all systems. This screen should only be used -+# when a specific policy is mandated by your organization rules or government regulations. -+# Unlike most other commands, this add-on does not accept regular options, but uses key-value -+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. -+# Values can be optionally enclosed in single quotes (') or double quotes ("). 
-+# -+# For more details and configuration options see -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program -+%addon com_redhat_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1 -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+%end -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject -diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l2-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l2-ks.cfg -new file mode 100644 -index 000000000..b6e9819da ---- /dev/null -+++ b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l2-ks.cfg -@@ -0,0 +1,141 @@ -+# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for AlmaLinux OS 9 -+# Version: 0.0.1 -+# Date: 2021-08-12 -+# -+# Based on: -+# https://pykickstart.readthedocs.io/en/latest/ -+# For more information see the following documentation: -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect 
the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+ -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard --vckeymap us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+network --onboot yes --device eth0 --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create -+# encrypted password form for different plaintext password -+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create -+# encrypted password form for different plaintext password -+bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+part /boot --fstype=xfs --size=512 -+part pv.01 --grow --size=1 -+ -+# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup pv.01 -+ -+# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow -+# Ensure /home Located On Separate Partition -+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" -+# Ensure /tmp Located On Separate Partition -+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" -+# Ensure /var/tmp Located On Separate Partition -+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -+# Ensure /var Located On Separate Partition -+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 -+# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 -+# Ensure /var/log/audit Located On Separate Partition -+logvol 
/var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 -+logvol swap --name=swap --vgname=VolGroup --size=2016 -+ -+ -+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) -+# content - security policies - on the installed system.This add-on has been enabled by default -+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this -+# functionality will automatically be installed. However, by default, no policies are enforced, -+# meaning that no checks are performed during or after installation unless specifically configured. -+# -+# Important -+# Applying a security policy is not necessary on all systems. This screen should only be used -+# when a specific policy is mandated by your organization rules or government regulations. -+# Unlike most other commands, this add-on does not accept regular options, but uses key-value -+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. -+# Values can be optionally enclosed in single quotes (') or double quotes ("). 
-+# -+# For more details and configuration options see -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program -+%addon com_redhat_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2 -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+%end -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject -diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cui-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cui-ks.cfg -new file mode 100644 -index 000000000..5c1ba4f72 ---- /dev/null -+++ b/products/almalinux9/kickstart/ssg-almalinux9-cui-ks.cfg -@@ -0,0 +1,139 @@ -+# SCAP Security Guide CUI profile kickstart for AlmaLinux OS 9 -+# -+# Based on: -+# https://pykickstart.readthedocs.io/en/latest/ -+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg -+# For more information see the following documentation: -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is 
to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard --vckeymap us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+network --onboot yes --bootproto dhcp -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. 
-+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw -+# to see how to create encrypted password form for different plaintext password -+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Refer to e.g. 
-+# grub2-mkpasswd-pbkdf2 -+# to see how to create encrypted password form for different plaintext password -+bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+part /boot --fstype=xfs --size=512 -+part pv.01 --grow --size=1 -+ -+# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup pv.01 -+ -+# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow -+# Ensure /home Located On Separate Partition -+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" -+# Ensure /tmp Located On Separate Partition -+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -+# Ensure /var/tmp Located On Separate Partition -+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -+# Ensure /var Located On Separate Partition -+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" -+# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -+# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" -+logvol swap --name=swap --vgname=VolGroup --size=2016 -+ -+# 
The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) -+# content - security policies - on the installed system.This add-on has been enabled by default -+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this -+# functionality will automatically be installed. However, by default, no policies are enforced, -+# meaning that no checks are performed during or after installation unless specifically configured. -+# -+# Important -+# Applying a security policy is not necessary on all systems. This screen should only be used -+# when a specific policy is mandated by your organization rules or government regulations. -+# Unlike most other commands, this add-on does not accept regular options, but uses key-value -+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. -+# Values can be optionally enclosed in single quotes (') or double quotes ("). -+# -+# For more details and configuration options see -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program -+%addon com_redhat_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_cui -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+%end -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject -diff --git a/products/almalinux9/kickstart/ssg-almalinux9-e8-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-e8-ks.cfg -new file mode 100644 -index 000000000..8dc821eb7 ---- /dev/null -+++ b/products/almalinux9/kickstart/ssg-almalinux9-e8-ks.cfg -@@ -0,0 +1,120 @@ -+# SCAP Security Guide Essential Eight profile kickstart for AlmaLinux OS 9 -+# Version: 0.0.1 -+# Date: 2021-07-13 -+# -+# Based on: 
-+# https://pykickstart.readthedocs.io/en/latest/ -+# For more information see the following documentation: -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+ -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard --vckeymap us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+network --onboot yes --device eth0 --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext 
password is: server -+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create -+# encrypted password form for different plaintext password -+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. 
grub2-mkpasswd-pbkdf2 to see how to create -+# encrypted password form for different plaintext password -+bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+autopart -+ -+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) -+# content - security policies - on the installed system.This add-on has been enabled by default -+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this -+# functionality will automatically be installed. However, by default, no policies are enforced, -+# meaning that no checks are performed during or after installation unless specifically configured. -+# -+# Important -+# Applying a security policy is not necessary on all systems. This screen should only be used -+# when a specific policy is mandated by your organization rules or government regulations. -+# Unlike most other commands, this add-on does not accept regular options, but uses key-value -+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. -+# Values can be optionally enclosed in single quotes (') or double quotes ("). 
-+# -+# For more details and configuration options see -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program -+%addon com_redhat_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_e8 -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+%end -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject -diff --git a/products/almalinux9/kickstart/ssg-almalinux9-hipaa-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-hipaa-ks.cfg -new file mode 100644 -index 000000000..e2600c88d ---- /dev/null -+++ b/products/almalinux9/kickstart/ssg-almalinux9-hipaa-ks.cfg -@@ -0,0 +1,120 @@ -+# SCAP Security Guide HIPAA profile kickstart for AlmaLinux OS 9 -+# Version: 0.0.1 -+# Date: 2021-07-13 -+# -+# Based on: -+# https://pykickstart.readthedocs.io/en/latest/ -+# For more information see the following documentation: -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible 
/ supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --device eth0 --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-+# encrypted password form for different plaintext password
-+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create
-+# encrypted password form for different plaintext password
-+bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+autopart
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_hipaa
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ism_o-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ism_o-ks.cfg
-new file mode 100644
-index 000000000..682e47331
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-ism_o-ks.cfg
-@@ -0,0 +1,119 @@
-+# SCAP Security Guide ISM Official profile kickstart for AlmaLinux OS 9
-+# Version: 0.0.1
-+# Date: 2021-08-16
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+#
-+#
-+network --onboot yes --device eth0 --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
-+# encrypted password form for different plaintext password
-+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+bootloader
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+autopart
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_ism_o
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ospp-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ospp-ks.cfg
-new file mode 100644
-index 000000000..adc551303
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-ospp-ks.cfg
-@@ -0,0 +1,139 @@
-+# SCAP Security Guide OSPP profile kickstart for AlmaLinux OS 9
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --bootproto dhcp
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g.
-+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-+# to see how to create encrypted password form for different plaintext password
-+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Refer to e.g.
-+# grub2-mkpasswd-pbkdf2
-+# to see how to create encrypted password form for different plaintext password
-+bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_ospp
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-pci-dss-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-pci-dss-ks.cfg
-new file mode 100644
-index 000000000..abfae9cf8
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-pci-dss-ks.cfg
-@@ -0,0 +1,134 @@
-+# SCAP Security Guide PCI-DSS profile kickstart for AlmaLinux OS 9
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g.
-+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-+# to see how to create encrypted password form for different plaintext password
-+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g.
-+# grub2-mkpasswd-pbkdf2
-+# to see how to create encrypted password form for different plaintext password
-+bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
-+# CCE-26557-9: Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# CCE-26435-8: Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-+# CCE-26639-5: Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-+# CCE-26215-4: Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
-+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev"
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_pci-dss
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-stig-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-stig-ks.cfg
-new file mode 100644
-index 000000000..f39e03108
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-stig-ks.cfg
-@@ -0,0 +1,140 @@
-+# SCAP Security Guide STIG profile kickstart for AlmaLinux OS 9
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --bootproto dhcp
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g.
-+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-+# to see how to create encrypted password form for different plaintext password
-+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g.
-+# grub2-mkpasswd-pbkdf2
-+# to see how to create encrypted password form for different plaintext password
-+bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec"
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon com_redhat_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_stig
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+%end
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/products/almalinux9/kickstart/ssg-almalinux9-stig_gui-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-stig_gui-ks.cfg
-new file mode 100644
-index 000000000..5a2d56823
---- /dev/null
-+++ b/products/almalinux9/kickstart/ssg-almalinux9-stig_gui-ks.cfg
-@@ -0,0 +1,144 @@
-+# SCAP Security Guide STIG with GUI profile kickstart for AlmaLinux OS 9
-+#
-+# Based on:
-+# https://pykickstart.readthedocs.io/en/latest/
-+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-+# For more information see the following documentation:
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server= --dir= [--opts=]
-+#
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard --vckeymap us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot enable device at a boot time
-+# --device device to be activated and / or configured with the network command
-+# --bootproto method to obtain networking configuration for device (default dhcp)
-+# --noipv6 disable IPv6 on this device
-+network --onboot yes --bootproto dhcp
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g.
-+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-+# to see how to create encrypted password form for different plaintext password
-+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled reject incoming connections that are not in response to outbound requests
-+# --ssh allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g.
-+# grub2-mkpasswd-pbkdf2
-+# to see how to create encrypted password form for different plaintext password
-+bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -+# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec" -+logvol swap --name=swap --vgname=VolGroup --size=2016 -+ -+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) -+# content - security policies - on the installed system.This add-on has been enabled by default -+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this -+# functionality will automatically be installed. However, by default, no policies are enforced, -+# meaning that no checks are performed during or after installation unless specifically configured. -+# -+# Important -+# Applying a security policy is not necessary on all systems. This screen should only be used -+# when a specific policy is mandated by your organization rules or government regulations. -+# Unlike most other commands, this add-on does not accept regular options, but uses key-value -+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. -+# Values can be optionally enclosed in single quotes (') or double quotes ("). 
-+# -+# For more details and configuration options see -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program -+%addon com_redhat_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_stig_gui -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+ -+@Server with GUI -+ -+%end -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject -diff --git a/products/almalinux9/overlays/srg_support.xml b/products/almalinux9/overlays/srg_support.xml -new file mode 100644 -index 000000000..ea7b5d445 ---- /dev/null -+++ b/products/almalinux9/overlays/srg_support.xml -@@ -0,0 +1,173 @@ -+ -diff --git a/products/almalinux9/product.yml b/products/almalinux9/product.yml -index 8249a6e62..5f90e0306 100644 ---- a/products/almalinux9/product.yml -+++ b/products/almalinux9/product.yml -@@ -2,6 +2,10 @@ product: almalinux9 - full_name: AlmaLinux OS 9 - type: platform - -+families: -+ - rhel -+ - rhel-like -+ - major_version_ordinal: 9 - - benchmark_id: ALMALINUX-9 -@@ -14,6 +18,26 @@ pkg_manager: "dnf" - - init_system: "systemd" - -+# EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig -+ -+groups: -+ dedicated_ssh_keyowner: -+ name: ssh_keys -+ -+sshd_distributed_config: "true" -+bootable_containers_supported: "true" -+ -+dconf_gdm_dir: "distro.d" -+ -+faillock_path: "/var/log/faillock" -+ -+# The fingerprints below are retrieved from https://almalinux.org/security/ -+pkg_release: "61e69f29" -+pkg_version: "b86b3716" -+ -+release_key_fingerprint: "BF18AC2876178908D6E71267D36CB86CB86B3716" -+oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-9.xml.bz2" -+ - cpes_root: 
"../../shared/applicability" - cpes: - - almalinux9: -@@ -21,12 +45,13 @@ cpes: - title: "AlmaLinux OS 9" - check_id: installed_OS_is_almalinux9 - --# See https://almalinux.org/security/ --release_key_fingerprint: "BF18AC2876178908D6E71267D36CB86CB86B3716" --oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-9.xml.bz2" -- --pkg_version: "b86b3716" --pkg_release: "61e69f29" -+# Mapping of CPE platform to package -+platform_package_overrides: -+ login_defs: "shadow-utils" - - reference_uris: - cis: 'https://www.cisecurity.org/benchmark/almalinuxos_linux/' -+ ccn: 'https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html' -+ -+ -+journald_conf_dir_path: /etc/systemd/journald.conf.d -diff --git a/products/almalinux9/profiles/anssi_bp28_enhanced.profile b/products/almalinux9/profiles/anssi_bp28_enhanced.profile -index 4112a28ce..be8722e31 100644 ---- a/products/almalinux9/profiles/anssi_bp28_enhanced.profile -+++ b/products/almalinux9/profiles/anssi_bp28_enhanced.profile -@@ -1,8 +1,10 @@ -+--- - documentation_complete: true - - metadata: - SMEs: -- - sej7278 -+ - marcusburghardt -+ - yuumasato - - title: 'ANSSI-BP-028 (enhanced)' - -@@ -22,6 +24,8 @@ selections: - - anssi:all:enhanced - - var_password_hashing_algorithm=SHA512 - - var_password_pam_unix_rounds=65536 -+ - var_mount_option_proc_hidepid=invisible -+ # Following rules once had a prodtype incompatible with the rhel9 product - - '!partition_for_opt' - - '!accounts_passwords_pam_tally2_deny_root' - - '!install_PAE_kernel_on_x86-32' -@@ -45,25 +49,35 @@ selections: - - '!cracklib_accounts_password_pam_minlen' - - '!cracklib_accounts_password_pam_dcredit' - - '!ensure_oracle_gpgkey_installed' -- - '!ensure_redhat_gpgkey_installed' -+ - ensure_almalinux_gpgkey_installed - - '!package_kea_removed' -+ - '!audit_rules_file_deletion_events_renameat2' -+ - 
'!audit_rules_dac_modification_fchmodat2' -+ - '!ldap_client_tls_cacertpath' -+ # RHEL9 unified the paths for grub2 files. These rules are selected in control file by R5 and R29. - - '!file_groupowner_efi_grub2_cfg' - - '!file_owner_efi_grub2_cfg' - - '!file_permissions_efi_grub2_cfg' - - '!file_groupowner_efi_user_cfg' - - '!file_owner_efi_user_cfg' - - '!file_permissions_efi_user_cfg' -- - '!audit_rules_file_deletion_events_renameat2' -- - '!audit_rules_dac_modification_fchmodat2' -- - '!audit_rules_mac_modification_etc_selinux' -- - '!no_nis_in_nsswitch' -- - '!service_chronyd_enabled' -- - '!ldap_client_start_tls' -- - '!ldap_client_tls_cacertpath' -- -+ - '!grub2_uefi_password' - # disable R45: Enable AppArmor security profiles - - '!apparmor_configured' - - '!all_apparmor_profiles_enforced' - - '!grub2_enable_apparmor' - - '!package_apparmor_installed' - - '!package_pam_apparmor_installed' -+ - '!package_rsh-server_removed' -+ - '!package_rsh_removed' -+ - '!package_xinetd_removed' -+ - '!package_ypbind_removed' -+ - '!package_ypserv_removed' -+ -+ # Following rules are not applicable to RHEL -+ - '!package_talk_removed' -+ - '!package_talk-server_removed' -+ - '!audit_rules_mac_modification_etc_selinux' -+ - '!no_nis_in_nsswitch' -+ - '!service_chronyd_enabled' -+ - '!ldap_client_start_tls' -diff --git a/products/almalinux9/profiles/anssi_bp28_high.profile b/products/almalinux9/profiles/anssi_bp28_high.profile -index 1ae101f1b..c677e5a0f 100644 ---- a/products/almalinux9/profiles/anssi_bp28_high.profile -+++ b/products/almalinux9/profiles/anssi_bp28_high.profile -@@ -1,8 +1,10 @@ -+--- - documentation_complete: true - - metadata: - SMEs: -- - sej7278 -+ - marcusburghardt -+ - yuumasato - - title: 'ANSSI-BP-028 (high)' - -@@ -22,8 +24,10 @@ selections: - - anssi:all:high - - var_password_hashing_algorithm=SHA512 - - var_password_pam_unix_rounds=65536 -+ - var_mount_option_proc_hidepid=invisible - # the following rule renders UEFI systems unbootable - - 
'!sebool_secure_mode_insmod' -+ # Following rules once had a prodtype incompatible with the rhel9 product - - '!partition_for_opt' - - '!accounts_passwords_pam_tally2_deny_root' - - '!install_PAE_kernel_on_x86-32' -@@ -48,18 +52,36 @@ selections: - - '!cracklib_accounts_password_pam_minlen' - - '!cracklib_accounts_password_pam_dcredit' - - '!ensure_oracle_gpgkey_installed' -- - '!ensure_redhat_gpgkey_installed' -+ - ensure_almalinux_gpgkey_installed - - '!package_kea_removed' - - '!audit_rules_file_deletion_events_renameat2' - - '!audit_rules_dac_modification_fchmodat2' -- - '!ldap_client_tls_cacertpath' -- - '!ldap_client_start_tls' -- - '!service_chronyd_enabled' - # disable R45: Enable AppArmor security profiles - - '!apparmor_configured' - - '!all_apparmor_profiles_enforced' - - '!grub2_enable_apparmor' - - '!package_apparmor_installed' - - '!package_pam_apparmor_installed' -+ - '!package_rsh-server_removed' -+ - '!package_rsh_removed' -+ - '!package_xinetd_removed' -+ - '!package_ypbind_removed' -+ - '!package_ypserv_removed' -+ -+ # RHEL9 unified the paths for grub2 files. These rules are selected in control file by R5 and R29. 
-+ - '!file_groupowner_efi_grub2_cfg' -+ - '!file_owner_efi_grub2_cfg' -+ - '!file_permissions_efi_grub2_cfg' -+ - '!file_groupowner_efi_user_cfg' -+ - '!file_owner_efi_user_cfg' -+ - '!file_permissions_efi_user_cfg' -+ - '!grub2_uefi_password' -+ -+ # Following rules are not applicable to RHEL -+ - '!package_talk_removed' -+ - '!package_talk-server_removed' - - '!audit_rules_mac_modification_etc_selinux' - - '!no_nis_in_nsswitch' -+ - '!service_chronyd_enabled' -+ - '!ldap_client_start_tls' -+ - '!ldap_client_tls_cacertpath' -diff --git a/products/almalinux9/profiles/anssi_bp28_intermediary.profile b/products/almalinux9/profiles/anssi_bp28_intermediary.profile -index d54771bfc..43a21afba 100644 ---- a/products/almalinux9/profiles/anssi_bp28_intermediary.profile -+++ b/products/almalinux9/profiles/anssi_bp28_intermediary.profile -@@ -1,8 +1,10 @@ -+--- - documentation_complete: true - - metadata: - SMEs: -- - sej7278 -+ - marcusburghardt -+ - yuumasato - - title: 'ANSSI-BP-028 (intermediary)' - -@@ -19,27 +21,42 @@ description: |- - https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system - - selections: -- - anssi:all:intermediary -- - var_password_hashing_algorithm=SHA512 -- - var_password_pam_unix_rounds=65536 -- - '!partition_for_opt' -- - '!cracklib_accounts_password_pam_minlen' -- - '!accounts_passwords_pam_tally2_deny_root' -- - '!accounts_passwords_pam_tally2' -- - '!cracklib_accounts_password_pam_ucredit' -- - '!cracklib_accounts_password_pam_dcredit' -- - '!cracklib_accounts_password_pam_lcredit' -- - '!partition_for_usr' -- - '!partition_for_boot' -- - '!cracklib_accounts_password_pam_ocredit' -- - '!enable_pam_namespace' -- - '!accounts_passwords_pam_tally2_unlock_time' -- - '!sudo_add_umask' -- - '!sudo_add_ignore_dot' -- - '!sudo_add_env_reset' -- - '!ensure_oracle_gpgkey_installed' -- - '!ensure_redhat_gpgkey_installed' -- - '!package_kea_removed' -- - '!ldap_client_tls_cacertpath' -- - '!ldap_client_start_tls' -- - 
'!no_nis_in_nsswitch' -+ - anssi:all:intermediary -+ - var_password_hashing_algorithm=SHA512 -+ - var_password_pam_unix_rounds=65536 -+ - var_mount_option_proc_hidepid=invisible -+ # Following rules once had a prodtype incompatible with the rhel9 product -+ - '!partition_for_opt' -+ - '!cracklib_accounts_password_pam_minlen' -+ - '!accounts_passwords_pam_tally2_deny_root' -+ - '!accounts_passwords_pam_tally2' -+ - '!cracklib_accounts_password_pam_ucredit' -+ - '!cracklib_accounts_password_pam_dcredit' -+ - '!cracklib_accounts_password_pam_lcredit' -+ - '!partition_for_usr' -+ - '!partition_for_boot' -+ - '!cracklib_accounts_password_pam_ocredit' -+ - '!enable_pam_namespace' -+ - '!accounts_passwords_pam_tally2_unlock_time' -+ - '!sudo_add_umask' -+ - '!sudo_add_ignore_dot' -+ - '!sudo_add_env_reset' -+ - '!ensure_oracle_gpgkey_installed' -+ - ensure_almalinux_gpgkey_installed -+ - '!package_kea_removed' -+ - '!package_rsh-server_removed' -+ - '!package_rsh_removed' -+ - '!package_xinetd_removed' -+ - '!package_ypbind_removed' -+ - '!package_ypserv_removed' -+ -+ # RHEL9 unified the paths for grub2 files. These rules are selected in control file by R5. 
-+ - '!grub2_uefi_password' -+ -+ # Following rules are not applicable to RHEL -+ - '!package_talk_removed' -+ - '!package_talk-server_removed' -+ - '!audit_rules_mac_modification_etc_selinux' -+ - '!no_nis_in_nsswitch' -+ - '!ldap_client_start_tls' -+ - '!ldap_client_tls_cacertpath' -diff --git a/products/almalinux9/profiles/anssi_bp28_minimal.profile b/products/almalinux9/profiles/anssi_bp28_minimal.profile -index e9bb292de..6a72f0087 100644 ---- a/products/almalinux9/profiles/anssi_bp28_minimal.profile -+++ b/products/almalinux9/profiles/anssi_bp28_minimal.profile -@@ -1,8 +1,10 @@ -+--- - documentation_complete: true - - metadata: - SMEs: -- - sej7278 -+ - marcusburghardt -+ - yuumasato - - title: 'ANSSI-BP-028 (minimal)' - -@@ -19,17 +21,29 @@ description: |- - https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system - - selections: -- - anssi:all:minimal -- - var_password_hashing_algorithm=SHA512 -- - var_password_pam_unix_rounds=65536 -- - '!cracklib_accounts_password_pam_minlen' -- - '!accounts_passwords_pam_tally2_deny_root' -- - '!accounts_passwords_pam_tally2' -- - '!cracklib_accounts_password_pam_ucredit' -- - '!cracklib_accounts_password_pam_dcredit' -- - '!cracklib_accounts_password_pam_lcredit' -- - '!cracklib_accounts_password_pam_ocredit' -- - '!accounts_passwords_pam_tally2_unlock_time' -- - '!ensure_oracle_gpgkey_installed' -- - '!ensure_redhat_gpgkey_installed' -- - '!package_kea_removed' -+ - anssi:all:minimal -+ - var_password_hashing_algorithm=SHA512 -+ - var_password_pam_unix_rounds=65536 -+ - var_mount_option_proc_hidepid=invisible -+ # Following rules once had a prodtype incompatible with the rhel9 product -+ - '!cracklib_accounts_password_pam_minlen' -+ - '!accounts_passwords_pam_tally2_deny_root' -+ - '!accounts_passwords_pam_tally2' -+ - '!cracklib_accounts_password_pam_ucredit' -+ - '!cracklib_accounts_password_pam_dcredit' -+ - '!cracklib_accounts_password_pam_lcredit' -+ - 
'!cracklib_accounts_password_pam_ocredit' -+ - '!accounts_passwords_pam_tally2_unlock_time' -+ - '!ensure_oracle_gpgkey_installed' -+ - ensure_almalinux_gpgkey_installed -+ - '!package_kea_removed' -+ - '!package_rsh-server_removed' -+ - '!package_rsh_removed' -+ - '!package_xinetd_removed' -+ - '!package_ypbind_removed' -+ - '!package_ypserv_removed' -+ -+ # Following rules are not applicable to RHEL -+ - '!package_talk_removed' -+ - '!package_talk-server_removed' -+ - '!audit_rules_mac_modification_etc_selinux' -diff --git a/products/almalinux9/profiles/bsi.profile b/products/almalinux9/profiles/bsi.profile -new file mode 100644 -index 000000000..f2f530ff8 ---- /dev/null -+++ b/products/almalinux9/profiles/bsi.profile -@@ -0,0 +1,28 @@ -+documentation_complete: true -+ -+title: 'BSI SYS.1.1 and SYS.1.3' -+ -+reference: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf -+ -+metadata: -+ SMEs: -+ - sluetze -+ version: 2022 -+ -+description: |- -+ This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz -+ Basic-Protection. 
-+ -+ This baseline implements OS-Level configuration requirements from the following -+ sources: -+ -+ - Building-Block SYS.1.1 General Server -+ - Building-Block SYS.1.3 Linux Server -+ -+selections: -+ - bsi_sys_1_1_rhel9:all -+ - bsi_sys_1_3_rhel9:all -+ -+ # BSI APP.4.4.A4 -+ - var_selinux_policy_name=targeted -+ - var_selinux_state=enforcing -diff --git a/products/almalinux9/profiles/ccn_advanced.profile b/products/almalinux9/profiles/ccn_advanced.profile -new file mode 100644 -index 000000000..a15d96660 ---- /dev/null -+++ b/products/almalinux9/profiles/ccn_advanced.profile -@@ -0,0 +1,20 @@ -+--- -+documentation_complete: true -+ -+metadata: -+ SMEs: -+ - marcusburghardt -+ -+reference: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html -+ -+title: 'Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Advanced' -+ -+description: |- -+ This profile defines a baseline that aligns with the "Advanced" configuration of the -+ CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10. -+ -+ The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, -+ intermediate, and advanced levels. 
-+ -+selections: -+ - ccn_rhel9:all:advanced -diff --git a/products/almalinux9/profiles/ccn_basic.profile b/products/almalinux9/profiles/ccn_basic.profile -new file mode 100644 -index 000000000..2a6602fbe ---- /dev/null -+++ b/products/almalinux9/profiles/ccn_basic.profile -@@ -0,0 +1,20 @@ -+--- -+documentation_complete: true -+ -+metadata: -+ SMEs: -+ - marcusburghardt -+ -+reference: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html -+ -+title: 'Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Basic' -+ -+description: |- -+ This profile defines a baseline that aligns with the "Basic" configuration of the -+ CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10. -+ -+ The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, -+ intermediate, and advanced levels. -+ -+selections: -+ - ccn_rhel9:all:basic -diff --git a/products/almalinux9/profiles/ccn_intermediate.profile b/products/almalinux9/profiles/ccn_intermediate.profile -new file mode 100644 -index 000000000..076edd5c7 ---- /dev/null -+++ b/products/almalinux9/profiles/ccn_intermediate.profile -@@ -0,0 +1,20 @@ -+--- -+documentation_complete: true -+ -+metadata: -+ SMEs: -+ - marcusburghardt -+ -+reference: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html -+ -+title: 'Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Intermediate' -+ -+description: |- -+ This profile defines a baseline that aligns with the "Intermediate" configuration of the -+ CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10. 
-+ -+ The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, -+ intermediate, and advanced levels. -+ -+selections: -+ - ccn_rhel9:all:intermediate -diff --git a/products/almalinux9/profiles/cis.profile b/products/almalinux9/profiles/cis.profile -index f0e6cc24f..9bd16a85a 100644 ---- a/products/almalinux9/profiles/cis.profile -+++ b/products/almalinux9/profiles/cis.profile -@@ -1,9 +1,12 @@ -+--- - documentation_complete: true - - metadata: - version: 2.0.0 - SMEs: -- - sej7278 -+ - marcusburghardt -+ - mab879 -+ - vojtapolasek - - reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ - -@@ -11,14 +14,15 @@ title: 'CIS AlmaLinux OS 9 Benchmark for Level 2 - Server' - - description: |- - This profile defines a baseline that aligns to the "Level 2 - Server" -- configuration from the Center for Internet Security® AlmaLinux OS 9 -- Benchmark™, v2.0.0, released 2024-06-20. -+ configuration from the Center for Internet Security® -+ AlmaLinux OS 9 Benchmark™, v2.0.0, released 2024-06-24. - - This profile includes Center for Internet Security® - AlmaLinux OS 9 CIS Benchmarks™ content. 
- - selections: -- - cis_almalinux9:all:l2_server -+ - cis_rhel9:all:l2_server -+ # Following rules once had a prodtype incompatible with the rhel9 product - - '!file_ownership_home_directories' - - '!group_unique_name' - - '!file_owner_at_allow' -diff --git a/products/almalinux9/profiles/cis_server_l1.profile b/products/almalinux9/profiles/cis_server_l1.profile -index 4f49074be..be7d1e33c 100644 ---- a/products/almalinux9/profiles/cis_server_l1.profile -+++ b/products/almalinux9/profiles/cis_server_l1.profile -@@ -1,9 +1,12 @@ -+--- - documentation_complete: true - - metadata: - version: 2.0.0 - SMEs: -- - sej7278 -+ - marcusburghardt -+ - mab879 -+ - vojtapolasek - - reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ - -@@ -11,14 +14,15 @@ title: 'CIS AlmaLinux OS 9 Benchmark for Level 1 - Server' - - description: |- - This profile defines a baseline that aligns to the "Level 1 - Server" -- configuration from the Center for Internet Security® AlmaLinux OS 9 -- Benchmark™, v2.0.0, released 2024-06-20. -+ configuration from the Center for Internet Security® -+ AlmaLinux OS 9 Benchmark™, v2.0.0, released 2024-06-24. - - This profile includes Center for Internet Security® - AlmaLinux OS 9 CIS Benchmarks™ content. 
- - selections: -- - cis_almalinux9:all:l1_server -+ - cis_rhel9:all:l1_server -+ # Following rules once had a prodtype incompatible with the rhel9 product - - '!file_ownership_home_directories' - - '!group_unique_name' - - '!file_owner_at_allow' -diff --git a/products/almalinux9/profiles/cis_workstation_l1.profile b/products/almalinux9/profiles/cis_workstation_l1.profile -index 60caa95de..a6f562159 100644 ---- a/products/almalinux9/profiles/cis_workstation_l1.profile -+++ b/products/almalinux9/profiles/cis_workstation_l1.profile -@@ -1,9 +1,12 @@ -+--- - documentation_complete: true - - metadata: - version: 2.0.0 - SMEs: -- - sej7278 -+ - marcusburghardt -+ - mab879 -+ - vojtapolasek - - reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ - -@@ -11,14 +14,15 @@ title: 'CIS AlmaLinux OS 9 Benchmark for Level 1 - Workstation' - - description: |- - This profile defines a baseline that aligns to the "Level 1 - Workstation" -- configuration from the Center for Internet Security® AlmaLinux OS 9 -- Benchmark™, v2.0.0, released 2024-06-20. -+ configuration from the Center for Internet Security® -+ AlmaLinux OS 9 Benchmark™, v2.0.0, released 2024-06-24. - - This profile includes Center for Internet Security® - AlmaLinux OS 9 CIS Benchmarks™ content. 
- - selections: -- - cis_almalinux9:all:l1_workstation -+ - cis_rhel9:all:l1_workstation -+ # Following rules once had a prodtype incompatible with the rhel9 product - - '!file_ownership_home_directories' - - '!group_unique_name' - - '!file_owner_at_allow' -diff --git a/products/almalinux9/profiles/cis_workstation_l2.profile b/products/almalinux9/profiles/cis_workstation_l2.profile -index cf3039764..733473fb4 100644 ---- a/products/almalinux9/profiles/cis_workstation_l2.profile -+++ b/products/almalinux9/profiles/cis_workstation_l2.profile -@@ -1,9 +1,12 @@ -+--- - documentation_complete: true - - metadata: - version: 2.0.0 - SMEs: -- - sej7278 -+ - marcusburghardt -+ - mab879 -+ - vojtapolasek - - reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ - -@@ -11,14 +14,15 @@ title: 'CIS AlmaLinux OS 9 Benchmark for Level 2 - Workstation' - - description: |- - This profile defines a baseline that aligns to the "Level 2 - Workstation" -- configuration from the Center for Internet Security® AlmaLinux OS 9 -- Linux 9 Benchmark™, v2.0.0, released 2024-06-20. -+ configuration from the Center for Internet Security® -+ AlmaLinux OS 9 Benchmark™, v2.0.0, released 2024-06-24. - - This profile includes Center for Internet Security® - AlmaLinux OS 9 CIS Benchmarks™ content. 
- - selections: -- - cis_almalinux9:all:l2_workstation -+ - cis_rhel9:all:l2_workstation -+ # Following rules once had a prodtype incompatible with the rhel9 product - - '!file_ownership_home_directories' - - '!group_unique_name' - - '!file_owner_at_allow' -diff --git a/products/almalinux9/profiles/cui.profile b/products/almalinux9/profiles/cui.profile -new file mode 100644 -index 000000000..12ea003df ---- /dev/null -+++ b/products/almalinux9/profiles/cui.profile -@@ -0,0 +1,34 @@ -+--- -+documentation_complete: true -+ -+metadata: -+ version: TBD -+ SMEs: -+ - ggbecker -+ -+title: 'DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' -+ -+description: |- -+ From NIST 800-171, Section 2.2: -+ Security requirements for protecting the confidentiality of CUI in nonfederal -+ information systems and organizations have a well-defined structure that -+ consists of: -+ -+ (i) a basic security requirements section; -+ (ii) a derived security requirements section. -+ -+ The basic security requirements are obtained from FIPS Publication 200, which -+ provides the high-level and fundamental security requirements for federal -+ information and information systems. The derived security requirements, which -+ supplement the basic security requirements, are taken from the security controls -+ in NIST Special Publication 800-53. -+ -+ This profile configures AlmaLinux OS 9 to the NIST Special -+ Publication 800-53 controls identified for securing Controlled Unclassified -+ Information (CUI)." 
-+ -+extends: ospp -+ -+selections: -+ - inactivity_timeout_value=10_minutes -+ - var_system_crypto_policy=fips -diff --git a/products/almalinux9/profiles/default.profile b/products/almalinux9/profiles/default.profile -new file mode 100644 -index 000000000..1408f22ed ---- /dev/null -+++ b/products/almalinux9/profiles/default.profile -@@ -0,0 +1,587 @@ -+--- -+documentation_complete: true -+ -+hidden: true -+ -+title: Default Profile for AlmaLinux OS 9 -+ -+description: |- -+ This profile contains all the rules that once belonged to the -+ rhel9 product via 'prodtype'. This profile won't -+ be rendered into an XCCDF Profile entity, nor it will select any -+ of these rules by default. The only purpose of this profile -+ is to keep a rule in the product's XCCDF Benchmark. -+ -+selections: -+ - sebool_nfsd_anon_write -+ - sebool_squid_connect_any -+ - sebool_polipo_connect_all_unreserved -+ - audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write -+ - auditd_data_disk_full_action -+ - mount_option_var_tmp_bind -+ - sebool_selinuxuser_use_ssh_chroot -+ - sebool_condor_tcp_network_connect -+ - sebool_xserver_object_manager -+ - mount_option_home_grpquota -+ - sebool_mpd_enable_homedirs -+ - sebool_logadm_exec_content -+ - auditd_audispd_encrypt_sent_records -+ - audit_rules_unsuccessful_file_modification_openat_rule_order -+ - sebool_logwatch_can_network_connect_mail -+ - sebool_mpd_use_nfs -+ - sebool_virt_use_sanlock -+ - kernel_module_vfat_disabled -+ - sebool_xguest_use_bluetooth -+ - sebool_puppetagent_manage_all_files -+ - sshd_use_strong_rng -+ - grub2_uefi_admin_username -+ - grub2_uefi_password -+ - sebool_staff_use_svirt -+ - audit_rules_successful_file_modification_lsetxattr -+ - sebool_daemons_enable_cluster_mode -+ - package_krb5-workstation_removed -+ - package_samba-common_installed -+ - sebool_httpd_enable_cgi -+ - accounts_passwords_pam_faillock_silent -+ - xwindows_remove_packages -+ - sebool_httpd_can_network_memcache -+ - 
sebool_git_system_use_nfs -+ - sudoers_no_root_target -+ - sebool_httpd_can_connect_zabbix -+ - sebool_samba_portmapper -+ - audit_rules_etc_shadow_open -+ - sebool_httpd_graceful_shutdown -+ - sebool_ftpd_use_fusefs -+ - service_cups_disabled -+ - sebool_selinuxuser_ping -+ - sebool_unconfined_chrome_sandbox_transition -+ - dconf_gnome_screensaver_lock_locked -+ - package_ntpdate_removed -+ - package_avahi_removed -+ - package_cups_removed -+ - file_groupowner_efi_user_cfg -+ - set_loopback_traffic -+ - ntpd_specify_multiple_servers -+ - sebool_gitosis_can_sendmail -+ - audit_rules_unsuccessful_file_modification_renameat -+ - sebool_pcp_read_generic_logs -+ - sebool_httpd_run_ipa -+ - sebool_selinuxuser_share_music -+ - file_groupowner_var_log_syslog -+ - service_netfs_disabled -+ - sebool_dbadm_manage_user_files -+ - sebool_smbd_anon_write -+ - auditd_audispd_configure_remote_server -+ - service_ypserv_disabled -+ - sebool_nagios_run_sudo -+ - sebool_dbadm_exec_content -+ - package_ntp_installed -+ - package_cron_installed -+ - dconf_gnome_screensaver_idle_activation_locked -+ - audit_rules_successful_file_modification_unlinkat -+ - package_audit-audispd-plugins_installed -+ - sebool_xserver_clients_write_xshm -+ - sebool_xdm_exec_bootloader -+ - sebool_httpd_serve_cobbler_files -+ - sebool_use_ecryptfs_home_dirs -+ - sebool_container_connect_any -+ - sebool_sge_domain_can_network_connect -+ - sebool_staff_exec_content -+ - file_permissions_home_dirs -+ - audit_rules_privileged_commands_newgidmap -+ - sebool_ssh_chroot_rw_homedirs -+ - sebool_virt_use_xserver -+ - sebool_mozilla_plugin_use_spice -+ - sebool_tmpreaper_use_nfs -+ - sebool_httpd_can_connect_ldap -+ - sudoers_default_includedir -+ - sebool_mmap_low_allowed -+ - sebool_glance_use_fusefs -+ - sebool_httpd_dontaudit_search_dirs -+ - sebool_named_tcp_bind_http_port -+ - auditd_audispd_network_failure_action -+ - sebool_wine_mmap_zero_ignore -+ - sebool_cluster_use_execmem -+ - 
audit_rules_privileged_commands_usernetctl -+ - dconf_gnome_disable_user_admin -+ - service_rlogin_disabled -+ - sebool_ftpd_use_nfs -+ - sebool_httpd_use_fusefs -+ - service_iptables_enabled -+ - sebool_tor_bind_all_unreserved_ports -+ - sebool_virt_sandbox_use_all_caps -+ - sebool_httpd_use_openstack -+ - sebool_icecast_use_any_tcp_ports -+ - audit_rules_unsuccessful_file_modification_rename -+ - sebool_openshift_use_nfs -+ - sebool_mailman_use_fusefs -+ - sebool_nfs_export_all_rw -+ - sebool_httpd_dbus_avahi -+ - mount_option_smb_client_signing -+ - audit_rules_successful_file_modification_open_o_trunc_write -+ - sebool_mplayer_execstack -+ - sebool_virt_sandbox_use_mknod -+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order -+ - package_pam_pwquality_installed -+ - sebool_fcron_crond -+ - sebool_httpd_read_user_content -+ - sebool_samba_domain_controller -+ - service_sshd_disabled -+ - zipl_page_poison_argument -+ - file_owner_efi_user_cfg -+ - sebool_cobbler_anon_write -+ - audit_rules_successful_file_modification_openat_o_trunc_write -+ - audit_rules_successful_file_modification_removexattr -+ - sebool_xdm_write_home -+ - sebool_httpd_mod_auth_pam -+ - audit_rules_successful_file_modification_fchownat -+ - service_httpd_disabled -+ - package_nfs-utils_removed -+ - sebool_pppd_for_user -+ - sebool_rsync_export_all_ro -+ - audit_rules_successful_file_modification_open_o_creat -+ - install_hids -+ - sebool_authlogin_radius -+ - sebool_swift_can_network -+ - audit_rules_file_deletion_events -+ - sshd_disable_pubkey_auth -+ - sebool_tor_can_network_relay -+ - sebool_virt_use_samba -+ - sebool_spamassassin_can_network -+ - package_syslogng_installed -+ - sebool_selinuxuser_postgresql_connect_enabled -+ - sebool_virt_sandbox_use_sys_admin -+ - sebool_irssi_use_full_network -+ - sebool_sysadm_exec_content -+ - sebool_polipo_use_cifs -+ - sebool_samba_load_libgfapi -+ - package_rpcbind_removed -+ - sebool_samba_run_unconfined -+ - 
sebool_webadm_manage_user_files
-+ - sebool_zoneminder_run_sudo
-+ - sebool_ftpd_anon_write
-+ - sebool_rsync_anon_write
-+ - mount_option_proc_hidepid
-+ - sebool_nfs_export_all_ro
-+ - audit_rules_unsuccessful_file_modification_chown
-+ - sebool_selinuxuser_udp_server
-+ - sebool_cups_execmem
-+ - service_ntpdate_disabled
-+ - sebool_httpd_execmem
-+ - sebool_httpd_sys_script_anon_write
-+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write
-+ - sebool_ftpd_use_cifs
-+ - service_atd_disabled
-+ - audit_rules_etc_shadow_open_by_handle_at
-+ - sebool_mysql_connect_any
-+ - audit_rules_privileged_commands_pt_chown
-+ - sebool_httpd_can_sendmail
-+ - sebool_prosody_bind_http_port
-+ - sebool_httpd_use_sasl
-+ - sebool_tftp_home_dir
-+ - sebool_gssd_read_tmp
-+ - kernel_module_uvcvideo_disabled
-+ - sebool_squid_use_tproxy
-+ - sebool_httpd_ssi_exec
-+ - sebool_use_lpd_server
-+ - audit_rules_successful_file_modification_open_by_handle_at_o_creat
-+ - sebool_unconfined_login
-+ - account_use_centralized_automated_auth
-+ - file_groupowner_efi_grub2_cfg
-+ - sebool_xdm_bind_vnc_tcp_port
-+ - sebool_deny_ptrace
-+ - sebool_postgresql_selinux_transmit_client_label
-+ - sysctl_net_ipv6_conf_all_disable_ipv6
-+ - sebool_smartmon_3ware
-+ - dconf_gnome_login_retries
-+ - audit_rules_unsuccessful_file_modification_setxattr
-+ - sudo_vdsm_nopasswd
-+ - sebool_global_ssp
-+ - service_smb_disabled
-+ - sebool_virt_rw_qemu_ga_data
-+ - sebool_selinuxuser_tcp_server
-+ - package_inetutils-telnetd_removed
-+ - audit_rules_successful_file_modification_openat
-+ - audit_rules_unsuccessful_file_modification_fchmod
-+ - service_ntpd_enabled
-+ - file_permissions_httpd_server_conf_files
-+ - sebool_httpd_use_gpg
-+ - sebool_spamd_enable_home_dirs
-+ - package_openldap-servers_removed
-+ - avahi_disable_publishing
-+ - audit_rules_successful_file_modification_fchmod
-+ - sebool_fenced_can_network_connect
-+ - sebool_virt_use_nfs
-+ - 
sebool_lsmd_plugin_connect_any
-+ - account_passwords_pam_faillock_dir
-+ - sebool_authlogin_yubikey
-+ - sebool_authlogin_nsswitch_use_ldap
-+ - dconf_gnome_disable_geolocation
-+ - sebool_httpd_run_preupgrade
-+ - sebool_httpd_use_cifs
-+ - sebool_telepathy_tcp_connect_generic_network_ports
-+ - zipl_slub_debug_argument
-+ - sebool_entropyd_use_audio
-+ - grub2_kernel_trust_cpu_rng
-+ - sebool_httpd_enable_ftp_server
-+ - sebool_postgresql_selinux_users_ddl
-+ - package_ypbind_removed
-+ - xwindows_runlevel_target
-+ - package_talk-server_removed
-+ - kernel_module_ipv6_option_disabled
-+ - sebool_cobbler_use_nfs
-+ - sebool_mozilla_plugin_can_network_connect
-+ - sebool_ftpd_full_access
-+ - sebool_mcelog_foreground
-+ - sebool_xguest_exec_content
-+ - sebool_daemons_dump_core
-+ - audit_rules_successful_file_modification_renameat
-+ - service_rngd_enabled
-+ - kernel_module_cfg80211_disabled
-+ - sebool_git_cgi_use_cifs
-+ - sebool_virt_sandbox_use_netlink
-+ - enable_dconf_user_profile
-+ - service_dhcpd_disabled
-+ - kernel_module_jffs2_disabled
-+ - sebool_openvpn_run_unconfined
-+ - sebool_gluster_anon_write
-+ - audit_rules_successful_file_modification_open
-+ - sebool_secure_mode_insmod
-+ - sebool_nscd_use_shm
-+ - sebool_ksmtuned_use_cifs
-+ - sebool_nagios_run_pnp4nagios
-+ - sebool_selinuxuser_direct_dri_enabled
-+ - sebool_haproxy_connect_any
-+ - audit_rules_etc_shadow_openat
-+ - sebool_pppd_can_insmod
-+ - sebool_glance_api_can_network
-+ - accounts_passwords_pam_faillock_enforce_local
-+ - sebool_mozilla_plugin_use_bluejeans
-+ - sebool_mozilla_read_content
-+ - sebool_virt_use_usb
-+ - sebool_virt_use_execmem
-+ - sebool_virt_read_qemu_ga_data
-+ - service_vsftpd_disabled
-+ - ssh_private_keys_have_passcode
-+ - sebool_user_exec_content
-+ - sebool_gluster_export_all_ro
-+ - sebool_mcelog_server
-+ - sebool_mount_anyfile
-+ - sebool_sge_use_nfs
-+ - sebool_daemons_use_tty
-+ - sebool_mcelog_client
-+ - sebool_rsync_client
-+ - 
sebool_privoxy_connect_any
-+ - postfix_client_configure_relayhost
-+ - sebool_httpd_builtin_scripting
-+ - etc_system_fips_exists
-+ - iptables_sshd_disabled
-+ - grub2_ipv6_disable_argument
-+ - dconf_gnome_disable_thumbnailers
-+ - sebool_varnishd_connect_any
-+ - kernel_module_hfsplus_disabled
-+ - audit_rules_for_ospp
-+ - package_rsh_removed
-+ - dconf_gnome_enable_smartcard_auth
-+ - service_oddjobd_disabled
-+ - service_postfix_enabled
-+ - package_openssh-server_removed
-+ - sebool_httpd_can_connect_mythtv
-+ - audit_rules_successful_file_modification_lchown
-+ - sebool_tftp_anon_write
-+ - sebool_cobbler_can_network_connect
-+ - sebool_samba_export_all_ro
-+ - service_cron_enabled
-+ - file_permissions_efi_user_cfg
-+ - service_rhnsd_disabled
-+ - audit_rules_successful_file_modification_unlink
-+ - no_all_squash_exports
-+ - sebool_use_samba_home_dirs
-+ - audit_rules_etc_gshadow_openat
-+ - service_ufw_enabled
-+ - harden_sshd_macs_openssh_conf_crypto_policy
-+ - dir_permissions_binary_dirs
-+ - sebool_xend_run_blktap
-+ - dconf_gnome_disable_wifi_notification
-+ - package_nis_removed
-+ - service_xinetd_disabled
-+ - audit_rules_etc_passwd_open
-+ - dhcp_client_restrict_options
-+ - sebool_openvpn_can_network_connect
-+ - kernel_module_freevxfs_disabled
-+ - account_emergency_expire_date
-+ - sebool_unconfined_mozilla_plugin_transition
-+ - audit_rules_unsuccessful_file_modification_lremovexattr
-+ - file_permissions_var_log_syslog
-+ - sebool_git_cgi_enable_homedirs
-+ - audit_rules_etc_passwd_open_by_handle_at
-+ - audit_rules_privileged_commands_at
-+ - sebool_virt_use_fusefs
-+ - kernel_module_iwlmvm_disabled
-+ - service_ntp_enabled
-+ - file_owner_var_log_syslog
-+ - service_ip6tables_enabled
-+ - sebool_logging_syslogd_run_nagios_plugins
-+ - sebool_mozilla_plugin_use_gps
-+ - service_slapd_disabled
-+ - audit_rules_unsuccessful_file_modification_open_o_trunc_write
-+ - sebool_ftpd_connect_all_unreserved
-+ - configure_user_data_backups
-+ - 
dir_ownership_binary_dirs
-+ - sebool_mcelog_exec_scripts
-+ - sysctl_net_ipv4_tcp_invalid_ratelimit
-+ - sebool_xserver_execmem
-+ - sysctl_net_ipv6_conf_default_disable_ipv6
-+ - sebool_cron_userdomain_transition
-+ - sebool_collectd_tcp_network_connect
-+ - sebool_httpd_enable_homedirs
-+ - sebool_httpd_unified
-+ - audit_rules_privileged_commands_newuidmap
-+ - sebool_zabbix_can_network
-+ - audit_rules_unsuccessful_file_modification_chmod
-+ - sebool_gpg_web_anon_write
-+ - fapolicyd_prevent_home_folder_access
-+ - no_legacy_plus_entries_etc_passwd
-+ - sebool_sanlock_use_nfs
-+ - sebool_racoon_read_shadow
-+ - audit_rules_successful_file_modification_fsetxattr
-+ - audit_rules_successful_file_modification_fremovexattr
-+ - package_krb5-server_removed
-+ - file_permissions_httpd_server_conf_d_files
-+ - audit_rules_successful_file_modification_rename
-+ - sebool_guest_exec_content
-+ - kernel_module_rds_disabled
-+ - sebool_selinuxuser_mysql_connect_enabled
-+ - sebool_antivirus_use_jit
-+ - sebool_ksmtuned_use_nfs
-+ - service_qpidd_disabled
-+ - audit_rules_successful_file_modification_setxattr
-+ - sebool_polipo_session_bind_all_unreserved_ports
-+ - sebool_secure_mode_policyload
-+ - sebool_webadm_read_user_files
-+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
-+ - audit_rules_unsuccessful_file_modification_fsetxattr
-+ - kernel_module_hfs_disabled
-+ - sebool_git_session_users
-+ - sebool_exim_manage_user_files
-+ - configure_gnutls_tls_crypto_policy
-+ - sshd_enable_gssapi_auth
-+ - sebool_minidlna_read_generic_user_content
-+ - audit_rules_etc_group_openat
-+ - sebool_httpd_can_network_connect_cobbler
-+ - auditd_data_disk_error_action
-+ - audit_rules_unsuccessful_file_modification_fchownat
-+ - sebool_openvpn_enable_homedirs
-+ - zipl_enable_selinux
-+ - audit_rules_unsuccessful_file_modification_open_o_creat
-+ - kernel_config_ipv6
-+ - audit_rules_successful_file_modification_chown
-+ - 
audit_rules_successful_file_modification_fchmodat
-+ - sebool_dhcpc_exec_iptables
-+ - file_permissions_efi_grub2_cfg
-+ - audit_rules_unsuccessful_file_modification_removexattr
-+ - sebool_telepathy_connect_all_ports
-+ - sebool_postgresql_can_rsync
-+ - audit_rules_unsuccessful_file_modification_openat_o_trunc_write
-+ - rpm_verify_permissions
-+ - package_telnetd_removed
-+ - sebool_httpd_setrlimit
-+ - harden_sshd_macs_opensshserver_conf_crypto_policy
-+ - service_dovecot_disabled
-+ - service_cockpit_disabled
-+ - no_legacy_plus_entries_etc_group
-+ - mount_option_boot_noauto
-+ - sebool_git_cgi_use_nfs
-+ - sebool_git_system_use_cifs
-+ - sebool_httpd_use_nfs
-+ - audit_rules_unsuccessful_file_modification_lchown
-+ - dconf_gnome_disable_wifi_create
-+ - audit_rules_successful_file_modification_fchown
-+ - sebool_git_system_enable_homedirs
-+ - sebool_httpd_can_check_spam
-+ - sebool_mpd_use_cifs
-+ - sebool_xen_use_nfs
-+ - sebool_samba_enable_home_dirs
-+ - service_named_disabled
-+ - service_syslogng_enabled
-+ - sebool_sanlock_use_fusefs
-+ - account_passwords_pam_faillock_audit
-+ - sebool_ssh_keysign
-+ - sebool_zebra_write_config
-+ - auditd_data_retention_num_logs
-+ - sebool_kerberos_enabled
-+ - sebool_irc_use_any_tcp_ports
-+ - package_xinetd_removed
-+ - audit_rules_etc_gshadow_open_by_handle_at
-+ - sebool_samba_export_all_rw
-+ - audit_rules_successful_file_modification_truncate
-+ - dhcp_server_minimize_served_info
-+ - file_permissions_httpd_server_modules_files
-+ - audit_rules_successful_file_modification_open_by_handle_at
-+ - sebool_tmpreaper_use_samba
-+ - sebool_xdm_sysadm_login
-+ - sebool_samba_create_home_dirs
-+ - sebool_login_console_enabled
-+ - sebool_secadm_exec_content
-+ - audit_rules_successful_file_modification_chmod
-+ - sebool_nis_enabled
-+ - sebool_cvs_read_shadow
-+ - audit_rules_unsuccessful_file_modification_lsetxattr
-+ - sebool_xend_run_qemu
-+ - sebool_virt_use_comm
-+ - installed_OS_is_FIPS_certified
-+ - 
sebool_httpd_can_network_connect
-+ - sebool_virt_sandbox_use_audit
-+ - sshd_disable_root_password_login
-+ - package_telnetd-ssl_removed
-+ - sebool_puppetmaster_use_db
-+ - audit_rules_successful_file_modification_ftruncate
-+ - fapolicy_default_deny
-+ - dconf_gnome_disable_power_settings
-+ - sebool_mozilla_plugin_bind_unreserved_ports
-+ - package_MFEhiplsm_installed
-+ - sebool_fenced_can_ssh
-+ - sebool_glance_use_execmem
-+ - audit_rules_etc_passwd_openat
-+ - sebool_rsync_full_access
-+ - snmpd_no_rwusers
-+ - mount_option_home_usrquota
-+ - sebool_logging_syslogd_can_sendmail
-+ - sebool_ftpd_use_passive_mode
-+ - sebool_cluster_can_network_connect
-+ - sebool_cdrecord_read_content
-+ - sebool_antivirus_can_scan_system
-+ - rsyslog_logging_configured
-+ - sebool_httpd_manage_ipa
-+ - sebool_samba_share_nfs
-+ - sebool_domain_kernel_load_modules
-+ - package_389-ds-base_removed
-+ - sebool_logging_syslogd_use_tty
-+ - audit_rules_etc_group_open
-+ - sebool_secure_mode
-+ - set_iptables_default_rule_forward
-+ - service_rdisc_disabled
-+ - zipl_vsyscall_argument
-+ - audit_rules_unsuccessful_file_modification_openat_o_creat
-+ - sebool_awstats_purge_apache_log_files
-+ - sebool_httpd_tmp_exec
-+ - package_postfix_installed
-+ - sebool_sanlock_use_samba
-+ - force_opensc_card_drivers
-+ - audit_rules_successful_file_modification_creat
-+ - sebool_domain_fd_use
-+ - package_avahi-autoipd_removed
-+ - sebool_httpd_can_connect_ftp
-+ - sebool_httpd_anon_write
-+ - sebool_dhcpd_use_ldap
-+ - coreos_enable_selinux_kernel_argument
-+ - sebool_postgresql_selinux_unconfined_dbadm
-+ - kernel_disable_entropy_contribution_for_solid_state_drives
-+ - sebool_use_fusefs_home_dirs
-+ - audit_rules_successful_file_modification_lremovexattr
-+ - sebool_virt_transition_userdomain
-+ - package_freeradius_removed
-+ - file_owner_efi_grub2_cfg
-+ - sebool_httpd_tty_comm
-+ - sebool_dbadm_read_user_files
-+ - audit_rules_unsuccessful_file_modification_unlink
-+ - 
auditd_audispd_disk_full_action
-+ - sebool_exim_read_user_files
-+ - ftp_limit_users
-+ - sebool_zarafa_setrlimit
-+ - kernel_module_mac80211_disabled
-+ - sebool_kdumpgui_run_bootloader
-+ - rsyslog_accept_remote_messages_tcp
-+ - sebool_httpd_verify_dns
-+ - accounts_password_pam_enforce_local
-+ - usbguard_allow_hub
-+ - sebool_polipo_use_nfs
-+ - sebool_exim_can_connect_db
-+ - sebool_unprivuser_use_svirt
-+ - sebool_httpd_run_stickshift
-+ - set_ipv6_loopback_traffic
-+ - ftp_configure_firewall
-+ - sebool_cron_can_relabel
-+ - audit_rules_unsuccessful_file_modification_fremovexattr
-+ - sebool_httpd_dbus_sssd
-+ - sebool_xguest_connect_network
-+ - package_geolite2-country_removed
-+ - audit_rules_etc_group_open_by_handle_at
-+ - sebool_daemons_use_tcp_wrapper
-+ - sebool_use_nfs_home_dirs
-+ - sshd_set_keepalive_0
-+ - sebool_conman_can_network
-+ - sebool_logrotate_use_nfs
-+ - audit_rules_unsuccessful_file_modification_fchown
-+ - sebool_httpd_can_network_connect_db
-+ - sebool_gluster_export_all_rw
-+ - sebool_named_write_master_zones
-+ - sebool_postfix_local_write_mail_spool
-+ - sebool_xguest_mount_media
-+ - sebool_selinuxuser_rw_noexattrfile
-+ - sebool_cron_system_cronjob_use_shares
-+ - sebool_virt_use_rawip
-+ - sebool_pcp_bind_all_unreserved_ports
-+ - audit_rules_etc_gshadow_open
-+ - sebool_saslauthd_read_shadow
-+ - sebool_mock_enable_homedirs
-+ - ntpd_specify_remote_server
-+ - selinux_user_login_roles
-+ - audit_rules_successful_file_modification_openat_o_creat
-+ - kernel_module_iwlwifi_disabled
-+ - sebool_zoneminder_anon_write
-+ - sshd_enable_x11_forwarding
-+ - dconf_gnome_screensaver_user_info
-+ - sshd_disable_rhosts_rsa
-+ - sebool_neutron_can_network
-+ - sebool_ftpd_connect_db
-+ - sebool_httpd_mod_auth_ntlm_winbind
-+ - sebool_samba_share_fusefs
-+ - harden_ssh_client_crypto_policy
-+ - sebool_cobbler_use_cifs
-+ - sebool_httpd_can_network_relay
-+ - package_geolite2-city_removed
-+ - set_iptables_default_rule
-+ - 
sebool_piranha_lvs_can_network_connect
-+ - usbguard_allow_hid
-+ - package_talk_removed
-+ - no_legacy_plus_entries_etc_shadow
-+ - sebool_git_session_bind_all_unreserved_ports
-+ - rsyslog_accept_remote_messages_udp
-+ - sebool_boinc_execmem
-+ - audit_rules_unsuccessful_file_modification_unlinkat
-+ - sebool_fips_mode
-+ - audit_rules_unsuccessful_file_modification_open_rule_order
-+ - audit_rules_unsuccessful_file_modification_fchmodat
-+ - sebool_polipo_session_users
-+ - sebool_cluster_manage_all_files
-+ - configure_firewalld_ports
-+ - journald_forward_to_syslog
-+ - rsyslog_filecreatemode
-+ - set_nftables_table
-+ - sshd_use_approved_ciphers
-+ - configure_bashrc_exec_tmux
-+ - agent_mfetpd_running
-+ - package_mcafeetp_installed
-+ - configure_bashrc_tmux
-+ - configure_tmux_lock_after_time
-+ - configure_tmux_lock_command
-+ - configure_tmux_lock_keybinding
-+ - mount_option_krb_sec_remote_filesystems
-+ - no_tmux_in_shells
-+ - package_tmux_installed
-+ - set_password_hashing_min_rounds_logindefs
-+ - sshd_use_priv_separation
-+ - tftpd_uses_secure_mode
-+ - file_permissions_etc_audit_rulesd
-+ - configure_openssl_tls_crypto_policy
-+ - configure_openssl_crypto_policy
-+ - audit_rules_login_events
-+ - audit_rules_usergroup_modification
-+ - audit_rules_unsuccessful_file_modification
-+ - audit_rules_session_events
-+ - kerberos_disable_no_keytab
-+ - package_ypserv_removed
-+ - package_quagga_removed
-+ - package_rsh-server_removed
-+ - sshd_use_strong_macs
-diff --git a/products/almalinux9/profiles/e8.profile b/products/almalinux9/profiles/e8.profile
-new file mode 100644
-index 000000000..6dc6d1975
---- /dev/null
-+++ b/products/almalinux9/profiles/e8.profile
-@@ -0,0 +1,32 @@
-+---
-+documentation_complete: true
-+
-+metadata:
-+ SMEs:
-+ - shaneboulden
-+ - tjbutt58
-+
-+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
-+
-+title: 'Australian Cyber Security Centre (ACSC) Essential 
Eight' -+ -+description: |- -+ This profile contains configuration checks for AlmaLinux OS 9 -+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight. -+ -+ A copy of the Essential Eight in Linux Environments guide can be found at the -+ ACSC website: -+ -+ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers -+ -+selections: -+ - e8:all -+ - '!package_ypbind_removed' -+ - '!package_rsh-server_removed' -+ - '!package_rsh_removed' -+ - package_rear_installed -+ - package_audit_installed -+ -+ # Following rules are not applicable to RHEL -+ - '!package_talk_removed' -+ - '!package_talk-server_removed' -diff --git a/products/almalinux9/profiles/hipaa.profile b/products/almalinux9/profiles/hipaa.profile -index 9bfea9819..5cc5968e1 100644 ---- a/products/almalinux9/profiles/hipaa.profile -+++ b/products/almalinux9/profiles/hipaa.profile -@@ -1,8 +1,9 @@ -+--- - documentation_complete: true - - metadata: - SMEs: -- - sej7278 -+ - jjaswanson4 - - reference: https://www.hhs.gov/hipaa/for-professionals/index.html - -@@ -18,144 +19,74 @@ description: |- - - This profile configures AlmaLinux OS 9 to the HIPAA Security - Rule identified for securing of electronic protected health information. -- Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). -+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). 
- - selections: -- - grub2_password -- - grub2_uefi_password -- - file_groupowner_grub2_cfg -- - file_owner_grub2_cfg -- - grub2_disable_interactive_boot -- - no_direct_root_logins -- - no_empty_passwords -- - require_singleuser_auth -- - restrict_serial_port_logins -- - securetty_root_login_console_only -- - service_debug-shell_disabled -- - disable_ctrlaltdel_reboot -- - disable_ctrlaltdel_burstaction -- - dconf_db_up_to_date -- - dconf_gnome_remote_access_credential_prompt -- - dconf_gnome_remote_access_encryption -- - sshd_use_directory_configuration -- - sshd_disable_empty_passwords -- - sshd_disable_root_login -- - libreswan_approved_tunnels -- - no_rsh_trust_files -- - package_talk_removed -- - package_talk-server_removed -- - package_telnet_removed -- - package_telnet-server_removed -- - package_cron_installed -- - service_crond_enabled -- - service_telnet_disabled -- - use_kerberos_security_all_exports -- - var_authselect_profile=sssd -- - enable_authselect -- - disable_host_auth -- - sshd_allow_only_protocol2 -- - sshd_disable_compression -- - sshd_disable_gssapi_auth -- - sshd_disable_kerb_auth -- - sshd_do_not_permit_user_env -- - sshd_enable_strictmodes -- - sshd_enable_warning_banner -- - var_sshd_set_keepalive=1 -- - encrypt_partitions -+ - hipaa:all - - var_system_crypto_policy=fips -- - configure_crypto_policy -- - configure_ssh_crypto_policy -- - var_selinux_policy_name=targeted -- - var_selinux_state=enforcing -- - grub2_enable_selinux -- - sebool_selinuxuser_execheap -- - sebool_selinuxuser_execmod -- - sebool_selinuxuser_execstack -- - selinux_confinement_of_daemons -- - selinux_policytype -- - selinux_state -- - service_kdump_disabled -- - sysctl_fs_suid_dumpable -- - sysctl_kernel_dmesg_restrict -- - sysctl_kernel_exec_shield -- - sysctl_kernel_randomize_va_space -- - rpm_verify_hashes -- - rpm_verify_permissions -- - ensure_almalinux_gpgkey_installed -- - ensure_gpgcheck_globally_activated -- - ensure_gpgcheck_never_disabled -- - 
ensure_gpgcheck_local_packages
-- - grub2_audit_argument
-- - service_auditd_enabled
-- - audit_rules_privileged_commands_sudo
-- - audit_rules_privileged_commands_su
-- - audit_rules_immutable
-- - kernel_module_usb-storage_disabled
-- - service_autofs_disabled
-- - auditd_audispd_syslog_plugin_activated
-- - rsyslog_remote_loghost
-- - auditd_data_retention_flush
-- - audit_rules_dac_modification_chmod
-- - audit_rules_dac_modification_chown
-- - audit_rules_dac_modification_fchmodat
-- - audit_rules_dac_modification_fchmod
-- - audit_rules_dac_modification_fchownat
-- - audit_rules_dac_modification_fchown
-- - audit_rules_dac_modification_fremovexattr
-- - audit_rules_dac_modification_fsetxattr
-- - audit_rules_dac_modification_lchown
-- - audit_rules_dac_modification_lremovexattr
-- - audit_rules_dac_modification_lsetxattr
-- - audit_rules_dac_modification_removexattr
-- - audit_rules_dac_modification_setxattr
-- - audit_rules_execution_chcon
-- - audit_rules_execution_restorecon
-- - audit_rules_execution_semanage
-- - audit_rules_execution_setsebool
-- - audit_rules_file_deletion_events_renameat
-- - audit_rules_file_deletion_events_rename
-- - audit_rules_file_deletion_events_rmdir
-- - audit_rules_file_deletion_events_unlinkat
-- - audit_rules_file_deletion_events_unlink
-- - audit_rules_kernel_module_loading_delete
-- - audit_rules_kernel_module_loading_init
-- - audit_rules_login_events_faillock
-- - audit_rules_login_events_lastlog
-- - audit_rules_login_events_tallylog
-- - audit_rules_mac_modification
-- - audit_rules_media_export
-- - audit_rules_networkconfig_modification
-- - audit_rules_privileged_commands_chage
-- - audit_rules_privileged_commands_chsh
-- - audit_rules_privileged_commands_crontab
-- - audit_rules_privileged_commands_gpasswd
-- - audit_rules_privileged_commands_newgrp
-- - audit_rules_privileged_commands_pam_timestamp_check
-- - audit_rules_privileged_commands_passwd
-- - audit_rules_privileged_commands_postdrop
-- - 
audit_rules_privileged_commands_postqueue
-- - audit_rules_privileged_commands_ssh_keysign
-- - audit_rules_privileged_commands_sudoedit
-- - audit_rules_privileged_commands_umount
-- - audit_rules_privileged_commands_unix_chkpwd
-- - audit_rules_privileged_commands_userhelper
-- - audit_rules_session_events
-- - audit_rules_sysadmin_actions
-- - audit_rules_system_shutdown
-- - var_audit_failure_mode=panic
-- - audit_rules_time_adjtimex
-- - audit_rules_time_clock_settime
-- - audit_rules_time_settimeofday
-- - audit_rules_time_stime
-- - audit_rules_time_watch_localtime
-- - audit_rules_unsuccessful_file_modification_creat
-- - audit_rules_unsuccessful_file_modification_ftruncate
-- - audit_rules_unsuccessful_file_modification_openat
-- - audit_rules_unsuccessful_file_modification_open_by_handle_at
-- - audit_rules_unsuccessful_file_modification_open
-- - audit_rules_unsuccessful_file_modification_truncate
-- - audit_rules_usergroup_modification_group
-- - audit_rules_usergroup_modification_gshadow
-- - audit_rules_usergroup_modification_opasswd
-- - audit_rules_usergroup_modification_passwd
-- - audit_rules_usergroup_modification_shadow
-+ - no_rsh_trust_files
-+ - "!audit_rules_dac_modification_fchmodat2"
-+ - "!audit_rules_file_deletion_events_renameat2"
-+ - "!audit_rules_kernel_module_loading_finit"
-+ - "!audit_rules_mac_modification_usr_share"
-+ - "!audit_rules_privileged_commands_unix2_chkpwd"
-+ - "!audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat"
-+ - "!audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write"
-+ - "!audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order"
-+ - "!audit_rules_unsuccessful_file_modification_open_o_creat"
-+ - "!audit_rules_unsuccessful_file_modification_open_o_trunc_write"
-+ - "!audit_rules_unsuccessful_file_modification_open_rule_order"
-+ - "!audit_rules_unsuccessful_file_modification_openat_o_creat"
-+ - 
"!audit_rules_unsuccessful_file_modification_openat_o_trunc_write" -+ - "!audit_rules_unsuccessful_file_modification_openat_rule_order" -+ - "!audit_rules_unsuccessful_file_modification_rename" -+ - "!audit_rules_unsuccessful_file_modification_renameat" -+ - "!audit_rules_unsuccessful_file_modification_unlink" -+ - "!audit_rules_unsuccessful_file_modification_unlinkat" -+ - "!auditd_data_retention_action_mail_acct" -+ - "!auditd_data_retention_admin_space_left_action" -+ - "!auditd_data_retention_max_log_file_action" -+ - "!auditd_data_retention_max_log_file_action_stig" -+ - "!auditd_data_retention_space_left_action" -+ - "!coreos_audit_option" -+ - "!coreos_disable_interactive_boot" -+ - "!coreos_enable_selinux_kernel_argument" -+ - "!coreos_nousb_kernel_argument" -+ - "!ensure_fedora_gpgkey_installed" -+ - "!ensure_gpgcheck_repo_metadata" -+ - "!ensure_suse_gpgkey_installed" -+ - "!file_groupowner_user_cfg" -+ - "!file_owner_user_cfg" -+ - "!file_permissions_grub2_cfg" -+ - "!file_permissions_user_cfg" -+ - "!grub2_admin_username" -+ - "!grub2_uefi_admin_username" -+ - "!grub2_uefi_password" -+ - "!package_audit-audispd-plugins_installed" -+ - "!package_audit_installed" -+ - "!package_rsh-server_removed" -+ - "!package_rsh_removed" -+ - "!package_rsyslog_installed" -+ - "!package_talk-server_removed" -+ - "!package_talk_removed" -+ - "!package_tcp_wrappers_removed" -+ - "!package_xinetd_removed" -+ - "!package_ypbind_removed" -+ - "!package_ypserv_removed" -+ - "!partition_for_var_log_audit" -+ - "!require_emergency_target_auth" -+ - "!service_cron_enabled" -+ - "!service_rexec_disabled" -+ - "!service_rlogin_disabled" -+ - "!service_rsh_disabled" -+ - "!service_rsyslog_enabled" -+ - "!service_xinetd_disabled" -+ - "!service_ypbind_disabled" -+ - "!service_zebra_disabled" -+ - "!sshd_disable_rhosts_rsa" -+ - "!sshd_disable_user_known_hosts" -+ - "!sshd_set_keepalive" -+ - "!sshd_set_keepalive_0" -+ - "!sshd_use_approved_ciphers" -+ - "!sshd_use_approved_macs" -+ 
- "!sshd_use_priv_separation" -diff --git a/products/almalinux9/profiles/ism_o.profile b/products/almalinux9/profiles/ism_o.profile -new file mode 100644 -index 000000000..098fb1c74 ---- /dev/null -+++ b/products/almalinux9/profiles/ism_o.profile -@@ -0,0 +1,81 @@ -+--- -+documentation_complete: true -+ -+metadata: -+ SMEs: -+ - shaneboulden -+ - wcushen -+ - eliseelk -+ - sashperso -+ - anjuskantha -+ -+reference: https://www.cyber.gov.au/ism -+ -+title: 'Australian Cyber Security Centre (ACSC) ISM Official' -+ -+description: |- -+ This profile contains configuration checks for AlmaLinux OS 9 -+ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) -+ with the applicability marking of OFFICIAL. -+ -+ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning -+ AlmaLinux OS security controls with the ISM, which can be used to select controls -+ specific to an organisation's security posture and risk profile. -+ -+ A copy of the ISM can be found at the ACSC website: -+ -+ https://www.cyber.gov.au/ism -+ -+extends: e8 -+ -+selections: -+ - ism_o:all -+ - '!accounts_password_pam_ocredit' -+ - '!audit_rules_unsuccessful_file_modification_truncate' -+ - '!set_password_hashing_algorithm_systemauth' -+ - '!network_ipv6_static_address' -+ - '!audit_rules_unsuccessful_file_modification_ftruncate' -+ - '!kerberos_disable_no_keytab' -+ - '!audit_access_success_aarch64' -+ - '!audit_rules_unsuccessful_file_modification_creat' -+ - '!sebool_kerberos_enabled' -+ - '!force_opensc_card_drivers' -+ - '!package_subscription-manager_installed' -+ - '!system_booted_in_fips_mode' -+ - '!accounts_password_pam_minclass' -+ - '!dnf-automatic_apply_updates' -+ - '!set_password_hashing_algorithm_passwordauth' -+ - '!chronyd_or_ntpd_specify_multiple_servers' -+ - '!sebool_authlogin_radius' -+ - '!configure_kerberos_crypto_policy' -+ - '!set_password_hashing_algorithm_libuserconf' -+ - 
'!audit_rules_unsuccessful_file_modification_openat'
-+ - '!sssd_enable_smartcards'
-+ - '!openssl_use_strong_entropy'
-+ - '!accounts_password_pam_ucredit'
-+ - '!service_chronyd_or_ntpd_enabled'
-+ - '!package_opensc_installed'
-+ - '!accounts_password_pam_lcredit'
-+ - '!enable_ldap_client'
-+ - '!package_libdnf-plugin-subscription-manager_installed'
-+ - '!sebool_authlogin_nsswitch_use_ldap'
-+ - '!chronyd_configure_pool_and_server'
-+ - '!set_password_hashing_algorithm_logindefs'
-+ - '!service_pcscd_enabled'
-+ - '!accounts_passwords_pam_tally2_unlock_time'
-+ - '!package_pcsc-lite-ccid_installed'
-+ - '!package_pcsc-lite_installed'
-+ - '!audit_rules_unsuccessful_file_modification_open'
-+ - '!configure_opensc_card_drivers'
-+ - '!audit_access_success_ppc64le'
-+ - '!accounts_password_pam_dcredit'
-+ - '!accounts_passwords_pam_tally2_deny_root'
-+ - '!audit_access_failed_ppc64le'
-+ - '!audit_access_failed_aarch64'
-+ - '!secure_boot_enabled'
-+ - '!audit_rules_unsuccessful_file_modification_open_by_handle_at'
-+ - '!accounts_password_minlen_login_defs'
-+ - '!package_ypbind_removed'
-+ - '!package_ypbind_removed'
-+ - '!package_xinetd_removed'
-+ - '!service_xinetd_disabled'
-diff --git a/products/almalinux9/profiles/ospp.profile b/products/almalinux9/profiles/ospp.profile
-new file mode 100644
-index 000000000..d09ce5be7
---- /dev/null
-+++ b/products/almalinux9/profiles/ospp.profile
-@@ -0,0 +1,27 @@
-+---
-+documentation_complete: true
-+
-+metadata:
-+ version: 4.3
-+ SMEs:
-+ - ggbecker
-+ - matusmarhefka
-+
-+reference: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=469&id=469
-+
-+title: 'Protection Profile for General Purpose Operating Systems'
-+
-+description: |-
-+ This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance
-+ documentation for Target of Evaluation based on Protection Profile for
-+ General Purpose Operating Systems (OSPP) version 4.3 and Functional
-+ Package for SSH version 1.0. 
-+ -+ Where appropriate, CNSSI 1253 or DoD-specific values are used for -+ configuration, based on Configuration Annex to the OSPP. -+ -+selections: -+ - ospp:all -+ - enable_authselect -+ - var_authselect_profile=minimal -+ - '!package_dnf-plugin-subscription-manager_installed' -diff --git a/products/almalinux9/profiles/pci-dss.profile b/products/almalinux9/profiles/pci-dss.profile -index 6f933a6a2..f4ca7a148 100644 ---- a/products/almalinux9/profiles/pci-dss.profile -+++ b/products/almalinux9/profiles/pci-dss.profile -@@ -1,13 +1,16 @@ -+--- - documentation_complete: true - - metadata: - version: '4.0.1' - SMEs: -- - sej7278 -+ - marcusburghardt -+ - mab879 -+ - vojtapolasek - - reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf - --title: 'PCI-DSS v4.0.1 Control Baseline for AlmaLinux OS 9' -+title: 'PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 9' - - description: |- - Payment Card Industry - Data Security Standard (PCI-DSS) is a set of -@@ -15,19 +18,18 @@ description: |- - data, with the goal of preventing data breaches and protecting sensitive - financial information. - -- This profile ensures AlmaLinux OS 9 is configured in alignment -+ This profile ensures Red Hat Enterprise Linux 9 is configured in alignment - with PCI-DSS v4.0.1 requirements. - - selections: - - pcidss_4:all -- # audit-audispd-plugins package does not exist in AlmaLinux OS 9 -+ # audit-audispd-plugins package does not exist in RHEL 9 - # use only package_audispd-plugins_installed - - '!package_audit-audispd-plugins_installed' - # More tests are needed to identify which rule is conflicting with rpm_verify_permissions. 
- # https://github.com/ComplianceAsCode/content/issues/11285 - - '!rpm_verify_permissions' -- # these rules do not apply to AlmaLinux but they have to keep the prodtype for historical reasons -- # most of these packages are no longer available in EL9 distributions -+ # these rules do not apply to RHEL but they have to keep the prodtype for historical reasons - - '!package_audit-audispd-plugins_installed' - - '!service_ntp_enabled' - - '!ntpd_specify_remote_server' -@@ -42,7 +44,7 @@ selections: - - '!package_xinetd_removed' - - '!package_rsh_removed' - - '!package_rsh-server_removed' -- # Following rules once had a prodtype incompatible with the almalinux9 product -+ # Following rules once had a prodtype incompatible with the rhel9 product - - '!service_chronyd_or_ntpd_enabled' - - '!install_PAE_kernel_on_x86-32' - - '!mask_nonessential_services' -@@ -60,7 +62,7 @@ selections: - - '!sshd_use_approved_ciphers' - - '!accounts_passwords_pam_tally2' - - '!ensure_suse_gpgkey_installed' -- - '!ensure_redhat_gpgkey_installed' -+ - ensure_almalinux_gpgkey_installed - - '!gnome_gdm_disable_unattended_automatic_login' - - '!accounts_passwords_pam_tally2_unlock_time' - - '!cracklib_accounts_password_pam_minlen' -@@ -69,4 +71,5 @@ selections: - - '!ensure_shadow_group_empty' - - '!service_timesyncd_enabled' - - '!audit_rules_file_deletion_events_renameat2' -+ - '!audit_rules_mac_modification_etc_selinux' - - '!audit_rules_dac_modification_fchmodat2' -diff --git a/products/almalinux9/profiles/standard.profile b/products/almalinux9/profiles/standard.profile -deleted file mode 100644 -index 65b8739c2..000000000 ---- a/products/almalinux9/profiles/standard.profile -+++ /dev/null -@@ -1,16 +0,0 @@ --documentation_complete: false -- --title: 'Standard System Security Profile for AlmaLinux OS 9' -- --description: |- -- This profile contains rules to ensure standard security baseline -- of an AlmaLinux OS 9 system. 
Regardless of your system's workload -- all of these checks should pass. -- --selections: -- - sshd_disable_root_login -- - ensure_almalinux_gpgkey_installed -- - ensure_gpgcheck_globally_activated -- - ensure_gpgcheck_never_disabled -- - rpm_verify_permissions -- - security_patches_up_to_date -diff --git a/products/almalinux9/profiles/stig.profile b/products/almalinux9/profiles/stig.profile -new file mode 100644 -index 000000000..e7a50ba81 ---- /dev/null -+++ b/products/almalinux9/profiles/stig.profile -@@ -0,0 +1,31 @@ -+--- -+documentation_complete: true -+ -+metadata: -+ version: V2R5 -+ SMEs: -+ - mab879 -+ - ggbecker -+ -+reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux -+ -+title: 'DISA STIG for Red Hat Enterprise Linux 9' -+ -+description: |- -+ This profile contains configuration checks that align to the -+ DISA STIG for Red Hat Enterprise Linux 9 V2R5. -+ -+ In addition to being applicable to Red Hat Enterprise Linux 9, this -+ configuration baseline is applicable to the operating system tier of -+ Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as: -+ -+ - Red Hat Enterprise Linux Server -+ - Red Hat Enterprise Linux Workstation and Desktop -+ - Red Hat Enterprise Linux for HPC -+ - Red Hat Storage -+ - Red Hat Containers with a Red Hat Enterprise Linux 9 image -+ -+selections: -+ - stig_rhel9:all -+ # Following rules once had a prodtype incompatible with the rhel9 product -+ - '!audit_rules_immutable_login_uids' -diff --git a/products/almalinux9/profiles/stig_gui.profile b/products/almalinux9/profiles/stig_gui.profile -new file mode 100644 -index 000000000..a72416eb6 ---- /dev/null -+++ b/products/almalinux9/profiles/stig_gui.profile -@@ -0,0 +1,47 @@ -+--- -+documentation_complete: true -+ -+metadata: -+ version: V2R5 -+ SMEs: -+ - mab879 -+ - ggbecker -+ -+reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux -+ -+title: 'DISA STIG with 
GUI for Red Hat Enterprise Linux 9' -+ -+description: |- -+ This profile contains configuration checks that align to the -+ DISA STIG for Red Hat Enterprise Linux 9 V2R5. -+ -+ In addition to being applicable to Red Hat Enterprise Linux 9, this -+ configuration baseline is applicable to the operating system tier of -+ Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as: -+ -+ - Red Hat Enterprise Linux Server -+ - Red Hat Enterprise Linux Workstation and Desktop -+ - Red Hat Enterprise Linux for HPC -+ - Red Hat Storage -+ - Red Hat Containers with a Red Hat Enterprise Linux 9 image -+ -+ Warning: The installation and use of a Graphical User Interface (GUI) -+ increases your attack vector and decreases your overall security posture. If -+ your Information Systems Security Officer (ISSO) lacks a documented operational -+ requirement for a graphical user interface, please consider using the -+ standard DISA STIG for Red Hat Enterprise Linux 9 profile. -+ -+extends: stig -+ -+selections: -+ # RHEL-09-215070 -+ - '!xwindows_remove_packages' -+ -+ # RHEL-09-211030 -+ - '!xwindows_runlevel_target' -+ -+ # RHEL-09-215025 -+ - '!package_nfs-utils_removed' -+ -+ # locking of idle sessions is handled by screensaver when GUI is present, the following rule is therefore redundant -+ - '!logind_session_timeout' -diff --git a/products/almalinux9/transforms/constants.xslt b/products/almalinux9/transforms/constants.xslt -index 5b1f302d3..ef2de9c12 100644 ---- a/products/almalinux9/transforms/constants.xslt -+++ b/products/almalinux9/transforms/constants.xslt -@@ -3,10 +3,11 @@ - - - AlmaLinux OS 9 --AlmaLinux 9 --ALMALINUX_9_STIG -+AL9 -+AL_9_STIG - almalinux9 - --https://workbench.cisecurity.org/files/5425/download/7650 -+https://www.cisecurity.org/benchmark/almalinuxos_linux/ -+ - - -diff --git a/products/almalinux9/transforms/xccdf-apply-overlay-stig.xslt b/products/almalinux9/transforms/xccdf-apply-overlay-stig.xslt -index f2f1d725f..4789419b8 100644 ---- 
a/products/almalinux9/transforms/xccdf-apply-overlay-stig.xslt -+++ b/products/almalinux9/transforms/xccdf-apply-overlay-stig.xslt -@@ -3,6 +3,6 @@ - - - -- -+ - - -diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -index b718ded26..7f42310de 100644 ---- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -@@ -16,6 +16,7 @@ - multi_platform_ol - multi_platform_rhcos - multi_platform_rhel -+multi_platform_almalinux - multi_platform_rhv - multi_platform_sle - multi_platform_slmicro -diff --git a/shared/references/disa-stig-almalinux8-v2r4-xccdf-manual.xml b/shared/references/disa-stig-almalinux8-v2r4-xccdf-manual.xml -new file mode 120000 -index 000000000..7b59256b3 ---- /dev/null -+++ b/shared/references/disa-stig-almalinux8-v2r4-xccdf-manual.xml -@@ -0,0 +1 @@ -+disa-stig-rhel8-v2r4-xccdf-manual.xml -\ No newline at end of file -diff --git a/shared/references/disa-stig-almalinux8-v2r4-xccdf-scap.xml b/shared/references/disa-stig-almalinux8-v2r4-xccdf-scap.xml -new file mode 120000 -index 000000000..20d17c72f ---- /dev/null -+++ b/shared/references/disa-stig-almalinux8-v2r4-xccdf-scap.xml -@@ -0,0 +1 @@ -+disa-stig-rhel8-v2r4-xccdf-scap.xml -\ No newline at end of file -diff --git a/shared/references/disa-stig-almalinux9-v2r5-xccdf-manual.xml b/shared/references/disa-stig-almalinux9-v2r5-xccdf-manual.xml -new file mode 120000 -index 000000000..1efa56321 ---- /dev/null -+++ b/shared/references/disa-stig-almalinux9-v2r5-xccdf-manual.xml -@@ -0,0 +1 @@ -+disa-stig-rhel9-v2r5-xccdf-manual.xml -\ No newline at end of file -diff --git a/shared/references/disa-stig-almalinux9-v2r5-xccdf-scap.xml b/shared/references/disa-stig-almalinux9-v2r5-xccdf-scap.xml -new file mode 120000 -index 000000000..f3602d379 ---- /dev/null -+++ b/shared/references/disa-stig-almalinux9-v2r5-xccdf-scap.xml -@@ -0,0 +1 @@ -+disa-stig-rhel9-v2r5-xccdf-scap.xml -\ No newline at 
end of file -diff --git a/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml b/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml -index e83699662..1efabcf62 100644 ---- a/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml -+++ b/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml -@@ -917,7 +917,7 @@ Check to see if an encrypted grub superusers password is set. On systems that us - $ sudo grep -iw grub2_password /boot/grub2/user.cfg - GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] - --If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL07-00-010491Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99143SV-108247CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. 
-+If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL07-00-010491Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99143SV-108247CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. - - Generate an encrypted grub2 password for the grub superusers account with the following command: - -@@ -929,7 +929,7 @@ For systems that are running a version of Oracle Linux prior to 7.2, this is Not - - Check to see if an encrypted grub superusers password is set. 
On systems that use UEFI, use the following command: - --$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg -+$ sudo grep -iw grub2_password /boot/efi/EFI/almalinux/user.cfg - GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] - - If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>OL07-00-010500The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. -@@ -1809,7 +1809,7 @@ On BIOS-based machines, use the following command: - - On UEFI-based machines, use the following command: - --# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg -+# grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg - - If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: - -@@ -1840,7 +1840,7 @@ dracut-fips-033-360.el7_2.x86_64.rpm - - If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command: - --Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. -+Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/almalinux/grub.cfg" file on UEFI machines. 
- - # grep fips /boot/grub2/grub.cfg - /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet -@@ -1912,23 +1912,23 @@ An example rule that includes the "sha512" rule follows: - - If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>OL07-00-021700The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108367V-99263CCI-001813Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. - --Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. 
-+Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/almalinux/grub.cfg" file on UEFI machines. - - Check for the existence of alternate boot loader configuration files with the following command: - - # find / -name grub.cfg -- /boot/efi/EFI/redhat/grub.cfg -+ /boot/efi/EFI/almalinux/grub.cfg - --If a "grub.cfg" is found in any subdirectories other than "/boot/grub2/" and "/boot/efi/EFI/redhat/", ask the system administrator (SA) if there is documentation signed by the information system security officer (ISSO) to approve the use of removable media as a boot loader. -+If a "grub.cfg" is found in any subdirectories other than "/boot/grub2/" and "/boot/efi/EFI/almalinux/", ask the system administrator (SA) if there is documentation signed by the information system security officer (ISSO) to approve the use of removable media as a boot loader. - - List the number of menu entries defined in the grub configuration file with the following command (the number will vary between systems): - -- # grep -cw menuentry /boot/efi/EFI/redhat/grub.cfg -+ # grep -cw menuentry /boot/efi/EFI/almalinux/grub.cfg - 4 - - Check that the grub configuration file has the "set root" command for each menu entry with the following command ("set root" defines the disk and partition or directory where the kernel and GRUB 2 modules are stored): - -- # grep 'set root' /boot/efi/EFI/redhat/grub.cfg -+ # grep 'set root' /boot/efi/EFI/almalinux/grub.cfg - set root='hd0,gpt2' - set root='hd0,gpt2' - set root='hd0,gpt2' -@@ -4453,12 +4453,12 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} - - Generate a new grub.cfg file with the following command: - --$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfgFor systems that use BIOS, this is Not Applicable. -+$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable. 
- - For systems that are running a version of Oracle Linux prior to 7.2, this is Not Applicable. - Verify that a unique name is set as the "superusers" account: - --$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg -+$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg - set superusers="[someuniquestringhere]" - export superusers - -diff --git a/shared/references/disa-stig-ol8-v2r5-xccdf-manual.xml b/shared/references/disa-stig-ol8-v2r5-xccdf-manual.xml -index 1c9e7252b..2e2ca9e8f 100644 ---- a/shared/references/disa-stig-ol8-v2r5-xccdf-manual.xml -+++ b/shared/references/disa-stig-ol8-v2r5-xccdf-manual.xml -@@ -425,7 +425,7 @@ SHA_CRYPT_MIN_ROUNDS 100000SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010140OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file. 
-+If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the value for either is below "100000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-010140OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/almalinux/user.cfg" file. - - Generate an encrypted grub2 password for the grub superusers account with the following command: - -@@ -435,7 +435,7 @@ Confirm password:For systems that use BIOS, this is Not Applicable. -+$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable. 
- - Verify that a unique name is set as the "superusers" account: - --$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg -+$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg - set superusers="[someuniqueUserNamehere]" - export superusers - -diff --git a/shared/references/disa-stig-ol8-v2r5-xccdf-scap.xml b/shared/references/disa-stig-ol8-v2r5-xccdf-scap.xml -index 3737b411a..c2f91b544 100644 ---- a/shared/references/disa-stig-ol8-v2r5-xccdf-scap.xml -+++ b/shared/references/disa-stig-ol8-v2r5-xccdf-scap.xml -@@ -3378,7 +3378,7 @@ SHA_CRYPT_MIN_ROUNDS 100000 - - - CCI-000213 -- Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file. -+ Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/almalinux/user.cfg" file. - - Generate an encrypted grub2 password for the grub superusers account with the following command: - -@@ -12588,8 +12588,8 @@ The "logind" service must be restarted for the changes to take effect. 
To restar - - - -- -- -+ -+ - - - -@@ -20282,11 +20282,11 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - -- -+ - - - -- -+ - - - -@@ -22168,12 +22168,12 @@ By limiting the number of attempts to meet the pwquality module complexity requi - 1 - - -- /boot/efi/EFI/redhat/grub.cfg -+ /boot/efi/EFI/almalinux/grub.cfg - ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$ - 1 - - -- /boot/efi/EFI/redhat/user.cfg -+ /boot/efi/EFI/almalinux/user.cfg - ^\s*GRUB2_PASSWORD=(\S+)\b - 1 - -diff --git a/shared/references/disa-stig-rhel8-v2r4-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v2r4-xccdf-manual.xml -index ea46d8343..ae0897b61 100644 ---- a/shared/references/disa-stig-rhel8-v2r4-xccdf-manual.xml -+++ b/shared/references/disa-stig-rhel8-v2r4-xccdf-manual.xml -@@ -370,7 +370,7 @@ SHA_CRYPT_MIN_ROUNDS 100000SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. -+If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "100000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. - - Generate an encrypted grub2 password for the grub superusers account with the following command: - -@@ -380,7 +380,7 @@ Confirm password:For systems that use BIOS, this is Not Applicable. -+$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable. - - Verify that a unique name is set as the "superusers" account: - --$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg -+$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg - set superusers="[someuniquestringhere]" - export superusers - -diff --git a/shared/references/disa-stig-rhel8-v2r4-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v2r4-xccdf-scap.xml -index d03d69ff0..006ef4f40 100644 ---- a/shared/references/disa-stig-rhel8-v2r4-xccdf-scap.xml -+++ b/shared/references/disa-stig-rhel8-v2r4-xccdf-scap.xml -@@ -3123,7 +3123,7 @@ SHA_CRYPT_MIN_ROUNDS 100000 - - - CCI-000213 -- Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. 
-+ Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. - - Generate an encrypted grub2 password for the grub superusers account with the following command: - -@@ -12049,8 +12049,8 @@ $ sudo systemctl restart systemd-logind - - - -- -- -+ -+ - - - -@@ -19662,11 +19662,11 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - - - -- -+ - - - -- -+ - - - -@@ -21551,12 +21551,12 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s - 1 - - -- /boot/efi/EFI/redhat/grub.cfg -+ /boot/efi/EFI/almalinux/grub.cfg - ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$ - 1 - - -- /boot/efi/EFI/redhat/user.cfg -+ /boot/efi/EFI/almalinux/user.cfg - ^\s*GRUB2_PASSWORD=(\S+)\b - 1 - -diff --git a/shared/references/disa-stig-rhel9-v2r5-xccdf-scap.xml b/shared/references/disa-stig-rhel9-v2r5-xccdf-scap.xml -index d53f4ab46..a0566942e 100644 ---- a/shared/references/disa-stig-rhel9-v2r5-xccdf-scap.xml -+++ b/shared/references/disa-stig-rhel9-v2r5-xccdf-scap.xml -@@ -20489,6 +20489,7 @@ include "/etc/crypto-policies/back-ends/bind.config"; - RHEL-09-211010 - RHEL 9 must be a vendor-supported release. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - -@@ -20503,6 +20504,7 @@ Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise - RHEL-09-211030 - The graphical display manager must not be the default target on RHEL 9 unless approved. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Unnecessary service packages must not be installed to decrease the attack surface of the system. 
Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. - -@@ -20515,6 +20517,7 @@ Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise - RHEL-09-211035 - RHEL 9 must enable the hardware random number generator entropy gatherer service. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. - -@@ -20529,6 +20532,7 @@ The rngd service feeds random data from hardware device to kernel random device. - RHEL-09-211040 - RHEL 9 systemd-journald service must be enabled. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - In the event of a system failure, RHEL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes. - -@@ -20541,6 +20545,7 @@ The rngd service feeds random data from hardware device to kernel random device. - RHEL-09-211045 - The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. 
- -@@ -20555,6 +20560,7 @@ Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 - RHEL-09-211050 - The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. - -@@ -20569,6 +20575,7 @@ Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 - RHEL-09-211055 - RHEL 9 debug-shell systemd service must be disabled. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. - -@@ -20583,6 +20590,7 @@ Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 - RHEL-09-212010 - RHEL 9 must require a boot loader superuser password. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. 
Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. - -@@ -20597,6 +20605,7 @@ Password protection on the boot loader configuration ensures users with physical - RHEL-09-212015 - RHEL 9 must disable the ability of systemd to spawn an interactive boot process. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security. - -@@ -20609,6 +20618,7 @@ Password protection on the boot loader configuration ensures users with physical - RHEL-09-212025 - RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "root" group is a highly privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. - -@@ -20621,6 +20631,7 @@ Password protection on the boot loader configuration ensures users with physical - RHEL-09-212030 - RHEL 9 /boot/grub2/grub.cfg file must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The " /boot/grub2/grub.cfg" file stores sensitive system configuration. Protection of this file is critical for system security. - -@@ -20633,6 +20644,7 @@ Password protection on the boot loader configuration ensures users with physical - RHEL-09-212035 - RHEL 9 must disable virtual system calls. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - System calls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. 
Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual system calls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. - -@@ -20649,6 +20661,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 - RHEL-09-212040 - RHEL 9 must clear the page allocator to prevent use-after-free attacks. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. - -@@ -20663,6 +20676,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 - RHEL-09-212045 - RHEL 9 must clear memory when it is freed to prevent use-after-free attacks. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -@@ -20685,6 +20699,7 @@ Satisfies: SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068 - RHEL-09-212050 - RHEL 9 must enable mitigations against processor-based vulnerabilities. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). - -@@ -20699,6 +20714,7 @@ Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049 - RHEL-09-212055 - RHEL 9 must enable auditing of processes that start prior to the audit daemon. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -20715,6 +20731,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-213010 - RHEL 9 must restrict access to the kernel message buffer. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - -@@ -20735,6 +20752,7 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 - RHEL-09-213015 - RHEL 9 must prevent kernel profiling by nonprivileged users. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - -@@ -20755,6 +20773,7 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 - RHEL-09-213020 - RHEL 9 must prevent the loading of a new kernel for later execution. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -@@ -20771,6 +20790,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153 - RHEL-09-213025 - RHEL 9 must restrict exposed kernel pointer addresses access. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with "0". - -@@ -20785,6 +20805,7 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPO - RHEL-09-213030 - RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). - -@@ -20799,6 +20820,7 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 - RHEL-09-213035 - RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). - -@@ -20813,6 +20835,7 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 - RHEL-09-213040 - RHEL 9 must disable the kernel.core_pattern. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. - -@@ -20825,6 +20848,7 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 - RHEL-09-213045 - RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Disabling Asynchronous Transfer Mode (ATM) protects the system against exploitation of any flaws in its implementation. 
- -@@ -20837,6 +20861,7 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 - RHEL-09-213050 - RHEL 9 must be configured to disable the Controller Area Network kernel module. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Disabling Controller Area Network (CAN) protects the system against exploitation of any flaws in its implementation. - -@@ -20849,6 +20874,7 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 - RHEL-09-213055 - RHEL 9 must be configured to disable the FireWire kernel module. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Disabling firewire protects the system against exploitation of any flaws in its implementation. - -@@ -20861,6 +20887,7 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 - RHEL-09-213060 - RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -@@ -20877,6 +20904,7 @@ The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, d - RHEL-09-213065 - RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
- -@@ -20893,6 +20921,7 @@ The Transparent Inter Process Communication (TIPC) is a protocol that is special - RHEL-09-213070 - RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques. - -@@ -20907,6 +20936,7 @@ Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227 - RHEL-09-213075 - RHEL 9 must disable access to network bpf system call from nonprivileged processes. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state. - -@@ -20921,6 +20951,7 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 - RHEL-09-213080 - RHEL 9 must restrict usage of ptrace to descendant processes. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing). - -@@ -20935,6 +20966,7 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 - RHEL-09-213085 - RHEL 9 must disable core dump backtraces. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. - -@@ -20949,6 +20981,7 @@ Enabling core dumps on production systems is not recommended; however, there may - RHEL-09-213090 - RHEL 9 must disable storing core dumps. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy. - -@@ -20961,6 +20994,7 @@ Enabling core dumps on production systems is not recommended; however, there may - RHEL-09-213095 - RHEL 9 must disable core dumps for all users. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. - -@@ -20973,6 +21007,7 @@ Enabling core dumps on production systems is not recommended; however, there may - RHEL-09-213100 - RHEL 9 must disable acquiring, saving, and processing core dumps. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. - -@@ -20985,6 +21020,7 @@ Enabling core dumps on production systems is not recommended; however, there may - RHEL-09-213105 - RHEL 9 must disable the use of user namespaces. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces. - -@@ -20997,6 +21033,7 @@ Enabling core dumps on production systems is not recommended; however, there may - RHEL-09-213115 - The kdump service on RHEL 9 must be disabled. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. - -@@ -21009,6 +21046,7 @@ Enabling core dumps on production systems is not recommended; however, there may - RHEL-09-214015 - RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -@@ -21025,6 +21063,7 @@ Verifying the authenticity of software prior to installation validates the integ - RHEL-09-214020 - RHEL 9 must check the GPG signature of locally installed software packages before installation. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
- -@@ -21041,6 +21080,7 @@ Verifying the authenticity of software prior to installation validates the integ - RHEL-09-214025 - RHEL 9 must have GPG signature verification enabled for all software repositories. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - -@@ -21057,6 +21097,7 @@ Verifying the authenticity of software prior to installation validates the integ - RHEL-09-214035 - RHEL 9 must remove all software components after updated versions have been installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. - -@@ -21069,6 +21110,7 @@ Verifying the authenticity of software prior to installation validates the integ - RHEL-09-215010 - RHEL 9 subscription-manager package must be installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The Red Hat Subscription Manager application manages software subscriptions and software repositories for installed software products on the local system. It communicates with backend servers, such as the Red Hat Customer Portal or an on-premise instance of Subscription Asset Manager, to register the local system and grant access to software resources determined by the subscription entitlement. - -@@ -21081,6 +21123,7 @@ Verifying the authenticity of software prior to installation validates the integ - RHEL-09-215015 - RHEL 9 must not have a File Transfer Protocol (FTP) server package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. 
If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. - -@@ -21097,6 +21140,7 @@ Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPO - RHEL-09-215020 - RHEL 9 must not have the sendmail package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must be used instead. - -@@ -21111,6 +21155,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049 - RHEL-09-215025 - RHEL 9 must not have the nfs-utils package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - "nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program. "showmount" queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, "showmount" can display the clients that are mounted on that host. - -@@ -21123,6 +21168,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049 - RHEL-09-215030 - RHEL 9 must not have the ypserv package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The NIS service provides an unencrypted authentication service, which does not provide for the confidentiality and integrity of user passwords or the remote session. - -@@ -21137,6 +21183,7 @@ Removing the "ypserv" package decreases the risk of the accidental (or intention - RHEL-09-215035 - RHEL 9 must not have the rsh-server package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "rsh-server" service provides unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. 
If a privileged user were to login using this service, the privileged user password could be compromised. The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of accidental (or intentional) activation of those services. - -@@ -21149,6 +21196,7 @@ Removing the "ypserv" package decreases the risk of the accidental (or intention - RHEL-09-215040 - RHEL 9 must not have the telnet-server package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore, may remain unsecure. They increase the risk to the platform by providing additional attack vectors. - -@@ -21165,6 +21213,7 @@ Removing the "telnet-server" package decreases the risk of accidental (or intent - RHEL-09-215045 - RHEL 9 must not have the gssproxy package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -@@ -21183,6 +21232,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 - RHEL-09-215050 - RHEL 9 must not have the iprutils package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
- -@@ -21201,6 +21251,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 - RHEL-09-215055 - RHEL 9 must not have the tuned package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -@@ -21219,6 +21270,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 - RHEL-09-215060 - RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. - -@@ -21233,6 +21285,7 @@ If TFTP is required for operational support (such as transmission of router conf - RHEL-09-215065 - RHEL 9 must not have the quagga package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) for Unix and Linux platforms. - -@@ -21247,6 +21300,7 @@ If there is no need to make the router software available, removing it provides - RHEL-09-215070 - A graphical display manager must not be installed on RHEL 9 unless approved. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. - -@@ -21259,6 +21313,7 @@ If there is no need to make the router software available, removing it provides - RHEL-09-215075 - RHEL 9 must have the openssl-pkcs11 package installed. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD CAC with DOD-approved PKI is an example of multifactor authentication. - -@@ -21273,6 +21328,7 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO - RHEL-09-215080 - RHEL 9 must have the gnutls-utils package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools. - -@@ -21285,6 +21341,7 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO - RHEL-09-215085 - RHEL 9 must have the nss-tools package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Install the "nss-tools" package to install command-line tools to manipulate the NSS certificate and key database. - -@@ -21297,6 +21354,7 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO - RHEL-09-215090 - RHEL 9 must have the rng-tools package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - "rng-tools" provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates. 
- -@@ -21309,6 +21367,7 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO - RHEL-09-215095 - RHEL 9 must have the s-nail package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel. - -@@ -21321,6 +21380,7 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO - RHEL-09-231010 - A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent). - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. - -@@ -21333,6 +21393,7 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO - RHEL-09-231015 - RHEL 9 must use a separate file system for /tmp. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it. - -@@ -21345,6 +21406,7 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO - RHEL-09-231020 - RHEL 9 must use a separate file system for /var. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories installed by other software packages. 
- -@@ -21357,6 +21419,7 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO - RHEL-09-231025 - RHEL 9 must use a separate file system for /var/log. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/". - -@@ -21369,6 +21432,7 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO - RHEL-09-231030 - RHEL 9 must use a separate file system for the system audit data path. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files, and helps ensure that auditing cannot be halted due to the partition running out of space. - -@@ -21383,6 +21447,7 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227 - RHEL-09-231035 - RHEL 9 must use a separate file system for /var/tmp. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/var/tmp" partition is used as temporary storage by many programs. Placing "/var/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it. - -@@ -21395,6 +21460,7 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227 - RHEL-09-231040 - RHEL 9 file system automount function must be disabled unless required. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. - -@@ -21409,6 +21475,7 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO - RHEL-09-231045 - RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21423,6 +21490,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231050 - RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21437,6 +21505,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 - RHEL-09-231055 - RHEL 9 must prevent code from being executed on file systems that contain user home directories. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21449,6 +21518,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 - RHEL-09-231065 - RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS). - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. 
Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21461,6 +21531,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 - RHEL-09-231070 - RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21473,6 +21544,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 - RHEL-09-231075 - RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21485,6 +21557,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 - RHEL-09-231095 - RHEL 9 must mount /boot with the nodev option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to this is chroot jails. - -@@ -21497,6 +21570,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 - RHEL-09-231100 - RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21511,6 +21585,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 - RHEL-09-231105 - RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21525,6 +21600,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 - RHEL-09-231110 - RHEL 9 must mount /dev/shm with the nodev option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21539,6 +21615,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231115 - RHEL 9 must mount /dev/shm with the noexec option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21551,6 +21628,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231120 - RHEL 9 must mount /dev/shm with the nosuid option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21563,6 +21641,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231125 - RHEL 9 must mount /tmp with the nodev option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21577,6 +21656,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231130 - RHEL 9 must mount /tmp with the noexec option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21589,6 +21669,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231135 - RHEL 9 must mount /tmp with the nosuid option. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21601,6 +21682,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231140 - RHEL 9 must mount /var with the nodev option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21615,6 +21697,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231145 - RHEL 9 must mount /var/log with the nodev option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21629,6 +21712,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231150 - RHEL 9 must mount /var/log with the noexec option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
- -@@ -21641,6 +21725,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231155 - RHEL 9 must mount /var/log with the nosuid option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21653,6 +21738,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231160 - RHEL 9 must mount /var/log/audit with the nodev option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21667,6 +21753,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231165 - RHEL 9 must mount /var/log/audit with the noexec option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21679,6 +21766,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231170 - RHEL 9 must mount /var/log/audit with the nosuid option. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21691,6 +21779,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231175 - RHEL 9 must mount /var/tmp with the nodev option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21705,6 +21794,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231180 - RHEL 9 must mount /var/tmp with the noexec option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21717,6 +21807,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231185 - RHEL 9 must mount /var/tmp with the nosuid option. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21729,6 +21820,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-231195 - RHEL 9 must disable mounting of cramfs. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -@@ -21745,6 +21837,7 @@ Compressed ROM/RAM file system (or cramfs) is a read-only file system designed f - RHEL-09-231200 - RHEL 9 must prevent special devices on non-root local partitions. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. - -@@ -21759,6 +21852,7 @@ The only legitimate location for device files is the "/dev" directory located on - RHEL-09-232010 - RHEL 9 system commands must have mode 755 or less permissive. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -@@ -21773,6 +21867,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a - RHEL-09-232015 - RHEL 9 library directories must have mode 755 or less permissive. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -@@ -21787,6 +21882,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a - RHEL-09-232020 - RHEL 9 library files must have mode 755 or less permissive. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -@@ -21801,6 +21897,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a - RHEL-09-232025 - RHEL 9 /var/log directory must have mode 0755 or less permissive. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -@@ -21815,6 +21912,7 @@ The structure and content of error messages must be carefully considered by the - RHEL-09-232030 - RHEL 9 /var/log/messages file must have mode 0640 or less permissive. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. 
- -@@ -21829,6 +21927,7 @@ The structure and content of error messages must be carefully considered by the - RHEL-09-232035 - RHEL 9 audit tools must have a mode of 0755 or less permissive. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - -@@ -21845,6 +21944,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232045 - All RHEL 9 local initialization files must have mode 0740 or less permissive. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. - -@@ -21857,6 +21957,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232050 - All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. - -@@ -21869,6 +21970,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232055 - RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. - -@@ -21881,6 +21983,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232060 - RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. - -@@ -21893,6 +21996,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232065 - RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. - -@@ -21905,6 +22009,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232070 - RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. - -@@ -21917,6 +22022,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232075 - RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. - -@@ -21929,6 +22035,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232080 - RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security. - -@@ -21941,6 +22048,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232085 - RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security. - -@@ -21953,6 +22061,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232090 - RHEL 9 /etc/group file must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. - -@@ -21965,6 +22074,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232095 - RHEL 9 /etc/group file must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. - -@@ -21977,6 +22087,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232100 - RHEL 9 /etc/group- file must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. 
- -@@ -21989,6 +22100,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232105 - RHEL 9 /etc/group- file must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security. - -@@ -22001,6 +22113,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232110 - RHEL 9 /etc/gshadow file must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. - -@@ -22013,6 +22126,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232115 - RHEL 9 /etc/gshadow file must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. - -@@ -22025,6 +22139,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232120 - RHEL 9 /etc/gshadow- file must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. - -@@ -22037,6 +22152,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232125 - RHEL 9 /etc/gshadow- file must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security. 
- -@@ -22049,6 +22165,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232130 - RHEL 9 /etc/passwd file must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security. - -@@ -22061,6 +22178,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232135 - RHEL 9 /etc/passwd file must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security. - -@@ -22073,6 +22191,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232140 - RHEL 9 /etc/passwd- file must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security. - -@@ -22085,6 +22204,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232145 - RHEL 9 /etc/passwd- file must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security. - -@@ -22097,6 +22217,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232150 - RHEL 9 /etc/shadow file must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/shadow" file contains the list of local system accounts and stores password hashes. 
Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture. - -@@ -22109,6 +22230,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232155 - RHEL 9 /etc/shadow file must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security. - -@@ -22121,6 +22243,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232160 - RHEL 9 /etc/shadow- file must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security. - -@@ -22133,6 +22256,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232165 - RHEL 9 /etc/shadow- file must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security. - -@@ -22145,6 +22269,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232170 - RHEL 9 /var/log directory must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. 
Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -@@ -22159,6 +22284,7 @@ The structure and content of error messages must be carefully considered by the - RHEL-09-232175 - RHEL 9 /var/log directory must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -@@ -22173,6 +22299,7 @@ The structure and content of error messages must be carefully considered by the - RHEL-09-232180 - RHEL 9 /var/log/messages file must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -@@ -22187,6 +22314,7 @@ The structure and content of error messages must be carefully considered by the - RHEL-09-232185 - RHEL 9 /var/log/messages file must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. 
Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -@@ -22201,6 +22329,7 @@ The structure and content of error messages must be carefully considered by the - RHEL-09-232190 - RHEL 9 system commands must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -@@ -22215,6 +22344,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a - RHEL-09-232195 - RHEL 9 system commands must be group-owned by root or a system account. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -@@ -22229,6 +22359,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a - RHEL-09-232200 - RHEL 9 library files must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -@@ -22243,6 +22374,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a - RHEL-09-232205 - RHEL 9 library files must be group-owned by root or a system account. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -@@ -22257,6 +22389,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a - RHEL-09-232210 - RHEL 9 library directories must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -@@ -22271,6 +22404,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a - RHEL-09-232215 - RHEL 9 library directories must be group-owned by root or a system account. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -@@ -22285,6 +22419,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a - RHEL-09-232220 - RHEL 9 audit tools must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - -@@ -22301,6 +22436,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232225 - RHEL 9 audit tools must be group-owned by root. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - -@@ -22317,6 +22453,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232230 - RHEL 9 cron configuration files directory must be owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. - -@@ -22329,6 +22466,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232235 - RHEL 9 cron configuration files directory must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. - -@@ -22341,6 +22479,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-232270 - RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture. 
- -@@ -22353,6 +22492,7 @@ Audit tools include, but are not limited to, vendor-provided and open source aud - RHEL-09-251010 - RHEL 9 must have the firewalld package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. - -@@ -22381,6 +22521,7 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPO - RHEL-09-251015 - The firewalld service on RHEL 9 must be active. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. - -@@ -22401,6 +22542,7 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPO - RHEL-09-251030 - RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. - -@@ -22415,6 +22557,7 @@ This requirement addresses the configuration of RHEL 9 to mitigate the impact of - RHEL-09-251040 - RHEL 9 network interfaces must not be in promiscuous mode. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. - -@@ -22429,6 +22572,7 @@ If the system is being used to perform a network troubleshooting function, the u - RHEL-09-251045 - RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - When hardened, the extended Berkeley Packet Filter (BPF) just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms". - -@@ -22441,6 +22585,7 @@ If the system is being used to perform a network troubleshooting function, the u - RHEL-09-252010 - RHEL 9 must have the chrony package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. - -@@ -22453,6 +22598,7 @@ If the system is being used to perform a network troubleshooting function, the u - RHEL-09-252015 - RHEL 9 chronyd service must be enabled. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. - -@@ -22467,6 +22613,7 @@ Synchronizing internal information system clocks provides uniformity of time sta - RHEL-09-252025 - RHEL 9 must disable the chrony daemon from acting as a server. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. - -@@ -22481,6 +22628,7 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 - RHEL-09-252030 - RHEL 9 must disable network management of the chrony daemon. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Not exposing the management interface of the chrony daemon on the network diminishes the attack space. - -@@ -22495,6 +22643,7 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 - RHEL-09-252035 - RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. - -@@ -22507,6 +22656,7 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 - RHEL-09-252040 - RHEL 9 must configure a DNS processing mode set be Network Manager. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - In order to ensure that DNS resolver settings are respected, a DNS mode in Network Manager must be configured. - -@@ -22519,6 +22669,7 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 - RHEL-09-252050 - RHEL 9 must be configured to prevent unrestricted mail relaying. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. - -@@ -22531,6 +22682,7 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 - RHEL-09-252060 - RHEL 9 must forward mail from postmaster to the root account using a postfix alias. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. 
- -@@ -22545,6 +22697,7 @@ Audit processing failures include software/hardware errors, failures in the audi - RHEL-09-252065 - RHEL 9 libreswan package must be installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. - -@@ -22559,6 +22712,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 - RHEL-09-252070 - There must be no shosts.equiv files on RHEL 9. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. - -@@ -22571,6 +22725,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 - RHEL-09-252075 - There must be no .shosts files on RHEL 9. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. - -@@ -22583,6 +22738,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 - RHEL-09-253010 - RHEL 9 must be configured to use TCP syncookies. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. 
- -@@ -22599,6 +22755,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPO - RHEL-09-253015 - RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - -@@ -22613,6 +22770,7 @@ This feature of the IPv4 protocol has few legitimate uses. It should be disabled - RHEL-09-253020 - RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. - -@@ -22627,6 +22785,7 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It - RHEL-09-253025 - RHEL 9 must log IPv4 packets with impossible addresses. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. - -@@ -22639,6 +22798,7 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It - RHEL-09-253030 - RHEL 9 must log IPv4 packets with impossible addresses by default. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. - -@@ -22651,6 +22811,7 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It - RHEL-09-253035 - RHEL 9 must use reverse path filtering on all IPv4 interfaces. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. - -@@ -22663,6 +22824,7 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It - RHEL-09-253040 - RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - -@@ -22677,6 +22839,7 @@ This feature of the IPv4 protocol has few legitimate uses. It must be disabled u - RHEL-09-253045 - RHEL 9 must not forward IPv4 source-routed packets by default. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. - -@@ -22691,6 +22854,7 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. 
It - RHEL-09-253050 - RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. - -@@ -22703,6 +22867,7 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It - RHEL-09-253055 - RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. - -@@ -22717,6 +22882,7 @@ Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses mak - RHEL-09-253060 - RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. - -@@ -22729,6 +22895,7 @@ Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses mak - RHEL-09-253065 - RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. 
- -@@ -22743,6 +22910,7 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou - RHEL-09-253070 - RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. - -@@ -22757,6 +22925,7 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou - RHEL-09-253075 - RHEL 9 must not enable IPv4 packet forwarding unless the system is a router. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. - -@@ -22769,6 +22938,7 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou - RHEL-09-254010 - RHEL 9 must not accept router advertisements on all IPv6 interfaces. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - An illicit router advertisement message could result in a man-in-the-middle attack. - -@@ -22781,6 +22951,7 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou - RHEL-09-254015 - RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - An illicit ICMP redirect message could result in a man-in-the-middle attack. - -@@ -22793,6 +22964,7 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou - RHEL-09-254020 - RHEL 9 must not forward IPv6 source-routed packets. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - -@@ -22805,6 +22977,7 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou - RHEL-09-254025 - RHEL 9 must not enable IPv6 packet forwarding unless the system is a router. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. - -@@ -22817,6 +22990,7 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou - RHEL-09-254030 - RHEL 9 must not accept router advertisements on all IPv6 interfaces by default. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - An illicit router advertisement message could result in a man-in-the-middle attack. - -@@ -22829,6 +23003,7 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou - RHEL-09-254035 - RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - -@@ -22841,6 +23016,7 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou - RHEL-09-254040 - RHEL 9 must not forward IPv6 source-routed packets by default. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - -@@ -22855,6 +23031,7 @@ Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It - RHEL-09-255010 - All RHEL 9 networked systems must have SSH installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -@@ -22873,6 +23050,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO - RHEL-09-255015 - All RHEL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -@@ -22891,6 +23069,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO - RHEL-09-255020 - RHEL 9 must have the openssh-clients package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - This package includes utilities to make encrypted connections and transfer files securely to SSH servers. - -@@ -22903,6 +23082,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO - RHEL-09-255025 - RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. - -@@ -22917,6 +23097,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 - RHEL-09-255030 - RHEL 9 must log SSH connection attempts and failures to the server. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. "INFO" or "VERBOSE" level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. - -@@ -22929,6 +23110,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 - RHEL-09-255035 - RHEL 9 SSHD must accept public key authentication. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD CAC with DOD-approved PKI is an example of multifactor authentication. - -@@ -22943,6 +23125,7 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPO - RHEL-09-255040 - RHEL 9 SSHD must not allow blank passwords. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. - -@@ -22957,6 +23140,7 @@ Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPO - RHEL-09-255045 - RHEL 9 must not permit direct logons to the root account using remote access via SSH. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. - -@@ -22973,6 +23157,7 @@ Satisfies: SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227 - RHEL-09-255050 - RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - When UsePAM is set to "yes", PAM runs through account and session types properly. This is important when restricted access to services based off of IP, time, or other factors of the account is needed. Additionally, this ensures users can inherit certain environment variables on login or disallow access to the server. - -@@ -22985,6 +23170,7 @@ Satisfies: SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227 - RHEL-09-255065 - RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -@@ -23003,6 +23189,7 @@ RHEL 9 incorporates system-wide crypto policies by default. 
The SSH configuratio - RHEL-09-255075 - RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -@@ -23021,6 +23208,7 @@ RHEL 9 incorporates system-wide crypto policies by default. The SSH configuratio - RHEL-09-255080 - RHEL 9 must not allow a noncertificate trusted host SSH logon to the system. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. - -@@ -23033,6 +23221,7 @@ RHEL 9 incorporates system-wide crypto policies by default. The SSH configuratio - RHEL-09-255085 - RHEL 9 must not allow users to override SSH environment variables. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - SSH environment options potentially allow users to bypass access restriction in some configurations. - -@@ -23045,6 +23234,7 @@ RHEL 9 incorporates system-wide crypto policies by default. The SSH configuratio - RHEL-09-255090 - RHEL 9 must force a frequent session key renegotiation for SSH connections to the server. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -@@ -23065,6 +23255,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000033-GPOS-00014, SRG-OS-000424-GPO - RHEL-09-255095 - RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -@@ -23083,6 +23274,7 @@ Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109 - RHEL-09-255100 - RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -@@ -23101,6 +23293,7 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO - RHEL-09-255105 - RHEL 9 SSH server configuration file must be group-owned by root. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. - -@@ -23113,6 +23306,7 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO - RHEL-09-255110 - RHEL 9 SSH server configuration file must be owned by root. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes. - -@@ -23125,6 +23319,7 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO - RHEL-09-255120 - RHEL 9 SSH private host key files must have mode 0640 or less permissive. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If an unauthorized user obtains the private SSH host key file, the host could be impersonated. - -@@ -23137,6 +23332,7 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO - RHEL-09-255125 - RHEL 9 SSH public host key files must have mode 0644 or less permissive. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If a public host key file is modified by an unauthorized user, the SSH service may be compromised. - -@@ -23149,6 +23345,7 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO - RHEL-09-255130 - RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. - -@@ -23161,6 +23358,7 @@ Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPO - RHEL-09-255135 - RHEL 9 SSH daemon must not allow GSSAPI authentication. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Generic Security Service Application Program Interface (GSSAPI) authentication is used to provide additional authentication mechanisms to applications. 
Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. - -@@ -23175,6 +23373,7 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 - RHEL-09-255140 - RHEL 9 SSH daemon must not allow Kerberos authentication. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. - -@@ -23189,6 +23388,7 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 - RHEL-09-255145 - RHEL 9 SSH daemon must not allow rhosts authentication. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. - -@@ -23201,6 +23401,7 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 - RHEL-09-255150 - RHEL 9 SSH daemon must not allow known hosts authentication. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Configuring the IgnoreUserKnownHosts setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. - -@@ -23213,6 +23414,7 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 - RHEL-09-255155 - RHEL 9 SSH daemon must disable remote X connections for interactive users. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. 
This prevents remote hosts from connecting to the proxy display. - -@@ -23225,6 +23427,7 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 - RHEL-09-255160 - RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. - -@@ -23237,6 +23440,7 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 - RHEL-09-255165 - RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. - -@@ -23249,6 +23453,7 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 - RHEL-09-255175 - RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the "DISPLAY" environment variable to localhost. This prevents remote hosts from connecting to the proxy display. - -@@ -23261,6 +23466,7 @@ Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 - RHEL-09-271010 - RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -@@ -23277,6 +23483,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 - RHEL-09-271015 - RHEL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -@@ -23293,6 +23500,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 - RHEL-09-271020 - RHEL 9 must disable the graphical user interface automount function unless required. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. - -@@ -23307,6 +23515,7 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO - RHEL-09-271025 - RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A nonprivileged account is any operating system account with authorizations of a nonprivileged user. - -@@ -23321,6 +23530,7 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO - RHEL-09-271035 - RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. - -@@ -23335,6 +23545,7 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO - RHEL-09-271040 - RHEL 9 must not allow unattended or automatic logon via the graphical user interface. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Failure to restrict system access to authenticated users negatively impacts operating system security. - -@@ -23347,6 +23558,7 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO - RHEL-09-271045 - RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -@@ -23363,6 +23575,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 - RHEL-09-271050 - RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -@@ -23379,6 +23592,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 - RHEL-09-271060 - RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -@@ -23397,6 +23611,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 - RHEL-09-271065 - RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate a session lock. - -@@ -23411,6 +23626,7 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 - RHEL-09-271070 - RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. 
As such, users should not be allowed to change session settings. - -@@ -23425,6 +23641,7 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 - RHEL-09-271080 - RHEL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. - -@@ -23437,6 +23654,7 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 - RHEL-09-271085 - RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Setting the screensaver mode to blank-only conceals the contents of the display from passersby. - -@@ -23449,6 +23667,7 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 - RHEL-09-271095 - RHEL 9 must disable the ability of a user to restart the system from the login screen. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. - -@@ -23461,6 +23680,7 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 - RHEL-09-271100 - RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. - -@@ -23473,6 +23693,7 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 - RHEL-09-271110 - RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. - -@@ -23485,6 +23706,7 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 - RHEL-09-271115 - RHEL 9 must disable the user list at logon for graphical user interfaces. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system. - -@@ -23497,6 +23719,7 @@ Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 - RHEL-09-291010 - RHEL 9 must be configured to disable USB mass storage. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. - -@@ -23511,6 +23734,7 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO - RHEL-09-291015 - RHEL 9 must have the USBGuard package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. 
The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. - -@@ -23525,6 +23749,7 @@ The system administrator (SA) must work with the site information system securit - RHEL-09-291020 - RHEL 9 must have the USBGuard package enabled. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. - -@@ -23539,6 +23764,7 @@ The system administrator (SA) must work with the site information system securit - RHEL-09-291025 - RHEL 9 must enable Linux audit logging for the USBGuard daemon. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -23567,6 +23793,7 @@ DOD has defined the list of events for which RHEL 9 will provide an audit record - RHEL-09-291035 - RHEL 9 Bluetooth must be disabled. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 9 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice and pointing devices, and near field communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). 
Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 9 operating system. - -@@ -23581,6 +23808,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118 - RHEL-09-411010 - RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. - -@@ -23595,6 +23823,7 @@ Setting the password maximum age ensures users are required to periodically chan - RHEL-09-411015 - RHEL 9 user account passwords must have a 60-day maximum password lifetime restriction. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If RHEL 9 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 9 passwords could be compromised. - -@@ -23607,6 +23836,7 @@ Setting the password maximum age ensures users are required to periodically chan - RHEL-09-411020 - All RHEL 9 local interactive user accounts must be assigned a home directory upon creation. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. 
- -@@ -23619,6 +23849,7 @@ Setting the password maximum age ensures users are required to periodically chan - RHEL-09-411030 - RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. - -@@ -23633,6 +23864,7 @@ Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPO - RHEL-09-411035 - RHEL 9 system accounts must not have an interactive login shell. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. - -@@ -23645,6 +23877,7 @@ Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPO - RHEL-09-411045 - All RHEL 9 interactive users must have a primary group that exists. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If a user is assigned the Group Identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group. - -@@ -23657,6 +23890,7 @@ Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPO - RHEL-09-411050 - RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. - -@@ -23673,6 +23907,7 @@ Owners of inactive accounts will not notice if unauthorized access to their user - RHEL-09-411060 - All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. - -@@ -23685,6 +23920,7 @@ Owners of inactive accounts will not notice if unauthorized access to their user - RHEL-09-411075 - RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - -@@ -23699,6 +23935,7 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 - RHEL-09-411080 - RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. - -@@ -23713,6 +23950,7 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 - RHEL-09-411085 - RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. - -@@ -23727,6 +23965,7 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 - RHEL-09-411090 - RHEL 9 must maintain an account lock until the locked account is released by an administrator. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. - -@@ -23741,6 +23980,7 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 - RHEL-09-411100 - The root account must be the only account having unrestricted access to RHEL 9 system. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. - -@@ -23753,6 +23993,7 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 - RHEL-09-411105 - RHEL 9 must ensure account lockouts persist. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Having lockouts persist across reboots ensures that account is only unlocked by an administrator. If the lockouts did not persist across reboots, an attacker could simply reboot the system to continue brute force attacks against the accounts on the system. - -@@ -23765,6 +24006,7 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 - RHEL-09-411110 - RHEL 9 groups must have unique Group ID (GID). - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - To ensure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. - -@@ -23777,6 +24019,7 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 - RHEL-09-412035 - RHEL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. - -@@ -23791,6 +24034,7 @@ Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010 - RHEL-09-412040 - RHEL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. - -@@ -23805,6 +24049,7 @@ This requirement addresses concurrent sessions for information system accounts a - RHEL-09-412045 - RHEL 9 must log username information when unsuccessful logon attempts occur. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack. - -@@ -23817,6 +24062,7 @@ This requirement addresses concurrent sessions for information system accounts a - RHEL-09-412050 - RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Increasing the time between a failed authentication attempt and reprompting to enter credentials helps to slow a single-threaded brute force attack. - -@@ -23829,6 +24075,7 @@ This requirement addresses concurrent sessions for information system accounts a - RHEL-09-412055 - RHEL 9 must define default permissions for the bash shell. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. 
Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. - -@@ -23843,6 +24090,7 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 - RHEL-09-412060 - RHEL 9 must define default permissions for the c shell. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. - -@@ -23857,6 +24105,7 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 - RHEL-09-412065 - RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access. - -@@ -23869,6 +24118,7 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 - RHEL-09-412070 - RHEL 9 must define default permissions for the system default profile. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. - -@@ -23883,6 +24133,7 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 - RHEL-09-412075 - RHEL 9 must display the date and time of the last successful account logon upon logon. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. - -@@ -23895,6 +24146,7 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 - RHEL-09-412080 - RHEL 9 must terminate idle user sessions. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. - -@@ -23907,6 +24159,7 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 - RHEL-09-431010 - RHEL 9 must use a Linux Security Module configured to enforce limits on system services. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
- -@@ -23923,6 +24176,7 @@ Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068 - RHEL-09-431015 - RHEL 9 must enable the SELinux targeted policy. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. - -@@ -23937,6 +24191,7 @@ Note: During the development or debugging of SELinux modules, it is common to te - RHEL-09-431025 - RHEL 9 must have policycoreutils package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -@@ -23953,6 +24208,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 - RHEL-09-431030 - RHEL 9 policycoreutils-python-utils package must be installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The policycoreutils-python-utils package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat, and sandbox. - -@@ -23965,6 +24221,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 - RHEL-09-432010 - RHEL 9 must have the sudo package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - "sudo" is a program designed to allow a system administrator to give limited root privileges to users and log root activity. 
The basic philosophy is to give as few privileges as possible but still allow system users to get their work done. - -@@ -23977,6 +24234,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 - RHEL-09-432015 - RHEL 9 must require reauthentication when using the "sudo" command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - -@@ -23993,6 +24251,7 @@ If the value is set to an integer less than "0", the user's time stamp will not - RHEL-09-432020 - RHEL 9 must use the invoking user's password for privilege escalation when using "sudo". - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. - -@@ -24005,6 +24264,7 @@ If the value is set to an integer less than "0", the user's time stamp will not - RHEL-09-432025 - RHEL 9 must require users to reauthenticate for privilege escalation. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - -@@ -24021,6 +24281,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - RHEL-09-432030 - RHEL 9 must restrict privilege elevation to authorized personnel. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. - -@@ -24033,6 +24294,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - RHEL-09-432035 - RHEL 9 must restrict the use of the "su" command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "su" program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. 
Limiting access to such commands is considered a good security practice. - -@@ -24047,6 +24309,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123 - RHEL-09-433010 - RHEL 9 fapolicy module must be installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. - -@@ -24069,6 +24332,7 @@ Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154 - RHEL-09-433015 - RHEL 9 fapolicy module must be enabled. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. - -@@ -24091,6 +24355,7 @@ Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154 - RHEL-09-611010 - RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. - -@@ -24109,6 +24374,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi - RHEL-09-611025 - RHEL 9 must not allow blank or null passwords. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments. - -@@ -24122,6 +24388,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi - RHEL-09-611040 - RHEL 9 must ensure the password complexity module is enabled in the password-auth file. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. - -@@ -24136,6 +24403,7 @@ Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPO - RHEL-09-611045 - RHEL 9 must ensure the password complexity module is enabled in the system-auth file. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks. - -@@ -24148,6 +24416,7 @@ Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPO - RHEL-09-611050 - RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - -@@ -24164,6 +24433,7 @@ Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 - RHEL-09-611055 - RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - -@@ -24180,6 +24450,7 @@ Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 - RHEL-09-611060 - RHEL 9 must enforce password complexity rules for the root account. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -@@ -24196,6 +24467,7 @@ Satisfies: SRG-OS-000072-GPOS-00040, SRG-OS-000071-GPOS-00039, SRG-OS-000070-GPO - RHEL-09-611065 - RHEL 9 must enforce password complexity by requiring that at least one lowercase character be used. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -@@ -24210,6 +24482,7 @@ Password complexity is one factor of several that determines how long it takes t - RHEL-09-611070 - RHEL 9 must enforce password complexity by requiring that at least one numeric character be used. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -@@ -24224,6 +24497,7 @@ Password complexity is one factor of several that determines how long it takes t - RHEL-09-611075 - RHEL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. - -@@ -24238,6 +24512,7 @@ Setting the minimum password age protects against users cycling back to a favori - RHEL-09-611080 - RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. - -@@ -24250,6 +24525,7 @@ Setting the minimum password age protects against users cycling back to a favori - RHEL-09-611085 - RHEL 9 must require users to provide a password for privilege escalation. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - -@@ -24266,6 +24542,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - RHEL-09-611090 - RHEL 9 passwords must be created with a minimum of 15 characters. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - -@@ -24286,6 +24563,7 @@ The DOD minimum password requirement is 15 characters. - RHEL-09-611100 - RHEL 9 must enforce password complexity by requiring that at least one special character be used. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. RHEL 9 utilizes "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". - -@@ -24298,6 +24576,7 @@ The DOD minimum password requirement is 15 characters. - RHEL-09-611105 - RHEL 9 must prevent the use of dictionary words for passwords. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If RHEL 9 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. - -@@ -24310,6 +24589,7 @@ The DOD minimum password requirement is 15 characters. - RHEL-09-611110 - RHEL 9 must enforce password complexity by requiring that at least one uppercase character be used. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. - -@@ -24322,6 +24602,7 @@ The DOD minimum password requirement is 15 characters. - RHEL-09-611115 - RHEL 9 must require the change of at least eight characters when passwords are changed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks. - -@@ -24336,6 +24617,7 @@ Password complexity is one factor of several that determines how long it takes t - RHEL-09-611120 - RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -@@ -24350,6 +24632,7 @@ Password complexity is one factor of several that determines how long it takes t - RHEL-09-611125 - RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
- -@@ -24364,6 +24647,7 @@ Password complexity is one factor of several that determines how long it takes t - RHEL-09-611130 - RHEL 9 must require the change of at least four character classes when passwords are changed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -@@ -24378,6 +24662,7 @@ Password complexity is one factor of several that determines how long it takes t - RHEL-09-611135 - RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - -@@ -24392,6 +24677,7 @@ This setting ensures user and group account administration utilities are configu - RHEL-09-611140 - RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. - -@@ -24406,6 +24692,7 @@ This setting ensures user and group account administration utilities are configu - RHEL-09-611145 - RHEL 9 must not be configured to bypass password requirements for privilege escalation. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - -@@ -24420,6 +24707,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - RHEL-09-611155 - RHEL 9 must not have accounts configured with blank or null passwords. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. - -@@ -24432,6 +24720,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - RHEL-09-611160 - RHEL 9 must use the CAC smart card driver. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards. - -@@ -24446,6 +24735,7 @@ Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPO - RHEL-09-611165 - RHEL 9 must enable certificate based smart card authentication. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. 
- -@@ -24460,6 +24750,7 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052 - RHEL-09-611170 - RHEL 9 must implement certificate status checking for multifactor authentication. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. - -@@ -24478,6 +24769,7 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162 - RHEL-09-611175 - RHEL 9 must have the pcsc-lite package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The pcsc-lite package must be installed if it is to be available for multifactor authentication using smart cards. - -@@ -24490,6 +24782,7 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162 - RHEL-09-611180 - The pcscd service on RHEL 9 must be active. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The information system ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. - -@@ -24504,6 +24797,7 @@ The daemon program for pcsc-lite and the MuscleCard framework is pcscd. It is a - RHEL-09-611185 - RHEL 9 must have the opensc package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. - -@@ -24520,6 +24814,7 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161 - RHEL-09-611195 - RHEL 9 must require authentication to access emergency mode. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. - -@@ -24534,6 +24829,7 @@ This requirement prevents attackers with physical access from trivially bypassin - RHEL-09-611200 - RHEL 9 must require authentication to access single-user mode. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. 
- -@@ -24548,6 +24844,7 @@ This requirement prevents attackers with physical access from trivially bypassin - RHEL-09-631020 - RHEL 9 must prohibit the use of cached authenticators after one day. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If cached authentication information is out-of-date, the validity of the authentication information may be questionable. - -@@ -24560,6 +24857,7 @@ This requirement prevents attackers with physical access from trivially bypassin - RHEL-09-651025 - RHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. - -@@ -24580,6 +24878,7 @@ Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPO - RHEL-09-652010 - RHEL 9 must have the rsyslog package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - rsyslogd is a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS, and DTLS protocols), to create a method to securely encrypt and offload auditing. - -@@ -24594,6 +24893,7 @@ Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPO - RHEL-09-652015 - RHEL 9 must have the packages required for encrypting offloaded audit logs installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging. 
- -@@ -24608,6 +24908,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 - RHEL-09-652020 - The rsyslog service on RHEL 9 must be active. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The "rsyslog" service must be running to provide logging services, which are essential to system administration. - -@@ -24620,6 +24921,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 - RHEL-09-652025 - RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage leading to a denial of service. - -@@ -24634,6 +24936,7 @@ If the system is intended to be a log aggregation server, its use must be docume - RHEL-09-652030 - All RHEL 9 remote access methods must be monitored. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods. - -@@ -24646,6 +24949,7 @@ If the system is intended to be a log aggregation server, its use must be docume - RHEL-09-652040 - RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
- -@@ -24670,6 +24974,7 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 - RHEL-09-652045 - RHEL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -@@ -24694,6 +24999,7 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 - RHEL-09-652050 - RHEL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -@@ -24712,6 +25018,7 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 - RHEL-09-652055 - RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -@@ -24738,6 +25045,7 @@ Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPO - RHEL-09-653010 - RHEL 9 audit package must be installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -@@ -24756,6 +25064,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO - RHEL-09-653015 - RHEL 9 audit service must be enabled. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the "auditd" service is active ensures audit records generated by the kernel are appropriately recorded. - -@@ -24772,6 +25081,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO - RHEL-09-653020 - RHEL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. - -@@ -24784,6 +25094,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO - RHEL-09-653025 - RHEL 9 audit system must take appropriate action when the audit storage volume is full. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. - -@@ -24796,6 +25107,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO - RHEL-09-653030 - RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - To ensure RHEL 9 systems have a sufficient storage capacity in which to write the audit logs, RHEL 9 needs to be able to allocate audit record storage capacity. - -@@ -24812,6 +25124,7 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 - RHEL-09-653035 - RHEL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. - -@@ -24824,6 +25137,7 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 - RHEL-09-653040 - RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. - -@@ -24836,6 +25150,7 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 - RHEL-09-653045 - RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity. - -@@ -24848,6 +25163,7 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 - RHEL-09-653050 - RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity. - -@@ -24860,6 +25176,7 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 - RHEL-09-653055 - RHEL 9 audit system must take appropriate action when the audit files have reached maximum size. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. - -@@ -24872,6 +25189,7 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 - RHEL-09-653060 - RHEL 9 must label all offloaded audit logs before sending them to the central log server. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. - -@@ -24888,6 +25206,7 @@ Satisfies: SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPO - RHEL-09-653065 - RHEL 9 must take appropriate action when the internal event queue is full. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -@@ -24904,6 +25223,7 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 - RHEL-09-653070 - RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -@@ -24922,6 +25242,7 @@ Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134 - RHEL-09-653075 - RHEL 9 audit system must audit local events. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -@@ -24938,6 +25259,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227 - RHEL-09-653080 - RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -@@ -24952,6 +25274,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - RHEL-09-653085 - RHEL 9 audit log directory must be owned by root to prevent unauthorized read access. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -@@ -24966,6 +25289,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - RHEL-09-653090 - RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Only authorized personnel should be aware of errors and the details of the errors. 
Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -@@ -24982,6 +25306,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - RHEL-09-653095 - RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost. - -@@ -24994,6 +25319,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - RHEL-09-653100 - RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -@@ -25012,6 +25338,7 @@ Satisfies: SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227 - RHEL-09-653105 - RHEL 9 must write audit records to disk. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Audit data should be synchronously written to disk to ensure log integrity. This setting assures that all audit event data is written disk. - -@@ -25024,6 +25351,7 @@ Satisfies: SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227 - RHEL-09-653110 - RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25036,6 +25364,7 @@ Satisfies: SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227 - RHEL-09-653120 - RHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25056,6 +25385,7 @@ Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132 - RHEL-09-653130 - RHEL 9 audispd-plugins package must be installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - "audispd-plugins" provides plugins for the real-time interface to the audit subsystem, "audispd". These plugins can do things like relay events to remote machines or analyze events for suspicious behavior. - -@@ -25068,6 +25398,7 @@ Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132 - RHEL-09-654010 - RHEL 9 must audit uses of the "execve" system call. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. - -@@ -25082,6 +25413,7 @@ Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127 - RHEL-09-654015 - RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25102,6 +25434,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654020 - RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25122,6 +25455,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654025 - RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25142,6 +25476,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654030 - RHEL 9 must audit all uses of umount system calls. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25162,6 +25497,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPO - RHEL-09-654035 - RHEL 9 must audit all uses of the chacl command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25182,6 +25518,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654040 - RHEL 9 must audit all uses of the setfacl command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25202,6 +25539,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654045 - RHEL 9 must audit all uses of the chcon command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25222,6 +25560,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654050 - RHEL 9 must audit all uses of the semanage command. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25242,6 +25581,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654055 - RHEL 9 must audit all uses of the setfiles command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25262,6 +25602,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654060 - RHEL 9 must audit all uses of the setsebool command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25282,6 +25623,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654065 - RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25302,6 +25644,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654070 - RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25322,6 +25665,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654075 - RHEL 9 must audit all uses of the delete_module system call. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25342,6 +25686,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654080 - RHEL 9 must audit all uses of the init_module and finit_module system calls. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25362,6 +25707,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654085 - RHEL 9 must audit all uses of the chage command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25382,6 +25728,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654090 - RHEL 9 must audit all uses of the chsh command. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25402,6 +25749,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654095 - RHEL 9 must audit all uses of the crontab command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25422,6 +25770,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654100 - RHEL 9 must audit all uses of the gpasswd command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25442,6 +25791,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654105 - RHEL 9 must audit all uses of the kmod command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25462,6 +25812,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654110 - RHEL 9 must audit all uses of the newgrp command. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25482,6 +25833,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654115 - RHEL 9 must audit all uses of the pam_timestamp_check command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25502,6 +25854,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654120 - RHEL 9 must audit all uses of the passwd command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25522,6 +25875,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654125 - RHEL 9 must audit all uses of the postdrop command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25542,6 +25896,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654130 - RHEL 9 must audit all uses of the postqueue command. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25562,6 +25917,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654135 - RHEL 9 must audit all uses of the ssh-agent command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25582,6 +25938,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654140 - RHEL 9 must audit all uses of the ssh-keysign command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25602,6 +25959,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654145 - RHEL 9 must audit all uses of the su command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25622,6 +25980,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654150 - RHEL 9 must audit all uses of the sudo command. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25642,6 +26001,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654155 - RHEL 9 must audit all uses of the sudoedit command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25662,6 +26022,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654160 - RHEL 9 must audit all uses of the unix_chkpwd command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25682,6 +26043,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654165 - RHEL 9 must audit all uses of the unix_update command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25702,6 +26064,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654170 - RHEL 9 must audit all uses of the userhelper command. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25722,6 +26085,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654175 - RHEL 9 must audit all uses of the usermod command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25742,6 +26106,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654180 - RHEL 9 must audit all uses of the mount command. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25762,6 +26127,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654185 - Successful/unsuccessful uses of the init command in RHEL 9 must generate an audit record. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Misuse of the init command may cause availability issues for the system. - -@@ -25774,6 +26140,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654190 - Successful/unsuccessful uses of the poweroff command in RHEL 9 must generate an audit record. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Misuse of the poweroff command may cause availability issues for the system. 
- -@@ -25786,6 +26153,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654195 - Successful/unsuccessful uses of the reboot command in RHEL 9 must generate an audit record. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Misuse of the reboot command may cause availability issues for the system. - -@@ -25798,6 +26166,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654200 - Successful/unsuccessful uses of the shutdown command in RHEL 9 must generate an audit record. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Misuse of the shutdown command may cause availability issues for the system. - -@@ -25810,6 +26179,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654205 - Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. - -@@ -25824,6 +26194,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPO - RHEL-09-654210 - Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
- -@@ -25838,6 +26209,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPO - RHEL-09-654215 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. - -@@ -25852,6 +26224,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - RHEL-09-654220 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. - -@@ -25866,6 +26239,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - RHEL-09-654225 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. 
- -@@ -25880,6 +26254,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - RHEL-09-654230 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. - -@@ -25894,6 +26269,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - RHEL-09-654235 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. - -@@ -25908,6 +26284,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - RHEL-09-654240 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. - -@@ -25922,6 +26299,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - RHEL-09-654245 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. 
- - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. - -@@ -25936,6 +26314,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - RHEL-09-654250 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25950,6 +26329,7 @@ Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPO - RHEL-09-654255 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -25964,6 +26344,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - RHEL-09-654260 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- -@@ -25978,6 +26359,7 @@ Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPO - RHEL-09-654265 - RHEL 9 must take appropriate action when a critical audit processing failure occurs. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. - -@@ -25994,6 +26376,7 @@ Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023 - RHEL-09-654270 - RHEL 9 audit system must protect logon UIDs from unauthorized change. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible. - -@@ -26008,6 +26391,7 @@ Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPO - RHEL-09-654275 - RHEL 9 audit system must protect auditing rules from unauthorized change. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -@@ -26026,6 +26410,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - RHEL-09-672582300 - RHEL 9 must enable FIPS mode. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. 
This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - -@@ -26040,6 +26425,7 @@ Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPO - RHEL-09-671015 - RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - The system must use a strong hashing algorithm to store the password. - -@@ -26056,6 +26442,7 @@ Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 - RHEL-09-671020 - RHEL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented. - -@@ -26068,6 +26455,7 @@ Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 - RHEL-09-671025 - RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and; therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. - -@@ -26084,6 +26472,7 @@ FIPS 140-3 is the current standard for validating that mechanisms used to access - RHEL-09-672010 - RHEL 9 must have the crypto-policies package installed. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. 
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. - -@@ -26098,6 +26487,7 @@ Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPO - RHEL-09-672020 - RHEL 9 crypto policy must not be overridden. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. - -@@ -26112,6 +26502,7 @@ Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPO - RHEL-09-672050 - RHEL 9 must implement DOD-approved encryption in the bind package. - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -@@ -33331,6 +33722,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190 - RHEL 9 is installed - - Red Hat Enterprise Linux 9 -+AlmaLinux OS 9 - - - RHEL 9 is installed -diff --git a/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh b/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh -index 17a1bd387..18b84aa2d 100644 ---- a/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh -+++ b/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # This test only applies to platforms that check the pwquality.conf.d directory --# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel -+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux - # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}} - - truncate -s 0 /etc/security/pwquality.conf -diff --git a/shared/templates/accounts_password/tests/correct_value_directory.pass.sh 
b/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
-index d10e78e8d..06a10a950 100644
---- a/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
-+++ b/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # This test only applies to platforms that check the pwquality.conf.d directory
--# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
-+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
- # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
- 
- # This test will ensure that OVAL also checks the configuration in
-diff --git a/shared/templates/audit_rules_kernel_module_loading/tests/missing_auid_filter.fail.sh b/shared/templates/audit_rules_kernel_module_loading/tests/missing_auid_filter.fail.sh
-index a4415d213..7ba758438 100644
---- a/shared/templates/audit_rules_kernel_module_loading/tests/missing_auid_filter.fail.sh
-+++ b/shared/templates/audit_rules_kernel_module_loading/tests/missing_auid_filter.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 7,Oracle Linux 8,multi_platform_rhel,multi_platform_ubuntu
-+# platform = Oracle Linux 7,Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu
- # packages = audit
- 
- rm -f /etc/audit/rules.d/*
-diff --git a/shared/templates/grub2_bootloader_argument/kickstart.template b/shared/templates/grub2_bootloader_argument/kickstart.template
-index c5051bcf7..846c0e661 100644
---- a/shared/templates/grub2_bootloader_argument/kickstart.template
-+++ b/shared/templates/grub2_bootloader_argument/kickstart.template
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora
-+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
- # reboot = true
- # strategy = restrict
- # complexity = medium
-diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh 
b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh -index f36c7d8bc..c465a15a3 100644 ---- a/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh -+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - --# platform = multi_platform_fedora,multi_platform_rhel -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux - # packages = grub2,grubby - - {{%- if ARG_VARIABLE %}} -diff --git a/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh -index c6d5b6b1b..20bcd171a 100644 ---- a/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh -+++ b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - --# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_fedora -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9,Red Hat Enterprise Linux 10,multi_platform_fedora - # packages = grub2,grubby - {{%- if ARG_VARIABLE %}} - # variables = {{{ ARG_VARIABLE }}}=correct_value -diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh -index 788f128b3..44fa8621e 100644 ---- a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh -+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - --# platform = multi_platform_fedora,multi_platform_rhel -+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux - # packages = grub2,grubby - {{%- if ARG_VARIABLE %}} - # variables = {{{ ARG_VARIABLE }}}=correct_value -diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh 
b/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh -index fc3db8ccd..a12bef4b2 100644 ---- a/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh -+++ b/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # packages = grub2-tools,grubby - - # Adds argument from kernel command line in /etc/default/grub -diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh -index e51f669fd..00a74f76f 100644 ---- a/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh -+++ b/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # packages = grub2-tools,grubby - - # Adds argument with a value from kernel command line in /etc/default/grub -diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh -index d5d39d91c..2a93954aa 100644 ---- a/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh -+++ b/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10 -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9,Red Hat Enterprise Linux 10 - # packages = grub2,grubby - - # Ensure the kernel command line for each installed kernel in the bootloader -diff --git 
a/shared/templates/kernel_module_disabled/kubernetes.template b/shared/templates/kernel_module_disabled/kubernetes.template -index c77cebfbb..2820e9745 100644 ---- a/shared/templates/kernel_module_disabled/kubernetes.template -+++ b/shared/templates/kernel_module_disabled/kubernetes.template -@@ -1,5 +1,5 @@ - --- --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos - # reboot = true - # strategy = disable - # complexity = low -diff --git a/shared/templates/mount/blueprint.template b/shared/templates/mount/blueprint.template -index 56617467d..3cdacd4db 100644 ---- a/shared/templates/mount/blueprint.template -+++ b/shared/templates/mount/blueprint.template -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - - [[customizations.filesystem]] - mountpoint = "{{{ MOUNTPOINT }}}" -diff --git a/shared/templates/mount/kickstart.template b/shared/templates/mount/kickstart.template -index fc2bdebd7..3c7833aa7 100644 ---- a/shared/templates/mount/kickstart.template -+++ b/shared/templates/mount/kickstart.template -@@ -1,3 +1,3 @@ --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - - logvol {{{ MOUNTPOINT }}} {{{ MIN_SIZE_MB }}} -diff --git a/shared/templates/package_installed/bootc.template b/shared/templates/package_installed/bootc.template -index ddac8ef40..86cb91791 100644 ---- a/shared/templates/package_installed/bootc.template -+++ b/shared/templates/package_installed/bootc.template -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # reboot = false - # strategy = enable - # complexity = low -diff --git 
a/shared/templates/package_installed/kickstart.template b/shared/templates/package_installed/kickstart.template -index be0fc1de8..8284a5711 100644 ---- a/shared/templates/package_installed/kickstart.template -+++ b/shared/templates/package_installed/kickstart.template -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # reboot = false - # strategy = enable - # complexity = low -diff --git a/shared/templates/package_removed/bootc.template b/shared/templates/package_removed/bootc.template -index eef498941..255ac57a1 100644 ---- a/shared/templates/package_removed/bootc.template -+++ b/shared/templates/package_removed/bootc.template -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # reboot = false - # strategy = disable - # complexity = low -diff --git a/shared/templates/package_removed/kickstart.template b/shared/templates/package_removed/kickstart.template -index 99f5e33b9..a0b930444 100644 ---- a/shared/templates/package_removed/kickstart.template -+++ b/shared/templates/package_removed/kickstart.template -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # reboot = false - # strategy = disable - # complexity = low -diff --git a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh -index 805d70a75..75b375d26 100644 ---- a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh -+++ b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = authselect,pam --# platform = Oracle Linux 8,Oracle Linux 
9,multi_platform_rhel -+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux - - {{{ tests_init_faillock_vars("correct", prm_name=PRM_NAME, ext_variable=EXT_VARIABLE, variable_lower_bound=VARIABLE_LOWER_BOUND, variable_upper_bound=VARIABLE_UPPER_BOUND) }}} - -diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh -index 3080e4f0c..587c1667e 100644 ---- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh -+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = authselect --# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Oracle Linux 8 - # remediation = none - - {{{ tests_init_faillock_vars("correct", prm_name=PRM_NAME, ext_variable=EXT_VARIABLE, variable_lower_bound=VARIABLE_LOWER_BOUND, variable_upper_bound=VARIABLE_UPPER_BOUND) }}} -diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh -index e3c52ec35..b535bdee6 100644 ---- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh -+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = authselect --# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 
9,AlmaLinux OS 9,Oracle Linux 8 - - {{{ tests_init_faillock_vars("correct", prm_name=PRM_NAME, ext_variable=EXT_VARIABLE, variable_lower_bound=VARIABLE_LOWER_BOUND, variable_upper_bound=VARIABLE_UPPER_BOUND) }}} - -diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_faillock_conf.fail.sh -index dedc929d5..9d693322e 100644 ---- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_faillock_conf.fail.sh -+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_faillock_conf.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - {{{ tests_init_faillock_vars("lenient_high", prm_name=PRM_NAME, ext_variable=EXT_VARIABLE, variable_lower_bound=VARIABLE_LOWER_BOUND, variable_upper_bound=VARIABLE_UPPER_BOUND) }}} - # packages = authselect --# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Oracle Linux 8 - - - authselect select sssd --force -diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_faillock_conf.fail.sh -index 74bd19c40..c32bf0331 100644 ---- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_faillock_conf.fail.sh -+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_faillock_conf.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - {{{ tests_init_faillock_vars("lenient_low", prm_name=PRM_NAME, ext_variable=EXT_VARIABLE, variable_lower_bound=VARIABLE_LOWER_BOUND, variable_upper_bound=VARIABLE_UPPER_BOUND) }}} - # packages = authselect --# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 
8,Red Hat Enterprise Linux 9,Oracle Linux 8 -+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Oracle Linux 8 - - - authselect select sssd --force -diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh -index a5d171fc3..d4aefe5fc 100644 ---- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh -+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = authselect --# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Oracle Linux 8 - # remediation = none - - {{{ tests_init_faillock_vars("correct", prm_name=PRM_NAME, ext_variable=EXT_VARIABLE, variable_lower_bound=VARIABLE_LOWER_BOUND, variable_upper_bound=VARIABLE_UPPER_BOUND) }}} -diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh -index 83ebf5402..e28271430 100644 ---- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh -+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # packages = authselect --# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Oracle Linux 8 - - {{{ 
tests_init_faillock_vars("stricter", prm_name=PRM_NAME, ext_variable=EXT_VARIABLE, variable_lower_bound=VARIABLE_LOWER_BOUND, variable_upper_bound=VARIABLE_UPPER_BOUND) }}} - -diff --git a/shared/templates/service_disabled/kickstart.template b/shared/templates/service_disabled/kickstart.template -index d1e39ae29..7ecd5523e 100644 ---- a/shared/templates/service_disabled/kickstart.template -+++ b/shared/templates/service_disabled/kickstart.template -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # reboot = false - # strategy = disable - # complexity = low -diff --git a/shared/templates/service_disabled/kubernetes.template b/shared/templates/service_disabled/kubernetes.template -index 1ab456524..724e7b779 100644 ---- a/shared/templates/service_disabled/kubernetes.template -+++ b/shared/templates/service_disabled/kubernetes.template -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos,multi_platform_ubuntu - # reboot = true - # strategy = disable - # complexity = low -diff --git a/shared/templates/service_disabled_guard_var/bash.template b/shared/templates/service_disabled_guard_var/bash.template -index 0afd3332d..62c4762e7 100644 ---- a/shared/templates/service_disabled_guard_var/bash.template -+++ b/shared/templates/service_disabled_guard_var/bash.template -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu - # reboot = false - # strategy = disable - # complexity = low -diff --git 
a/shared/templates/service_enabled/kickstart.template b/shared/templates/service_enabled/kickstart.template -index 451af774a..27ac615a2 100644 ---- a/shared/templates/service_enabled/kickstart.template -+++ b/shared/templates/service_enabled/kickstart.template -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora - # reboot = false - # strategy = disable - # complexity = low -diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh -index 3114b75fe..f9e94ea59 100644 ---- a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh -+++ b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu - {{%- if XCCDF_VARIABLE %}} - # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} - {{%- endif %}} -diff --git a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh -index b05adb222..dde5dc9ca 100644 ---- a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh -+++ b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu - - mkdir -p 
/etc/ssh/sshd_config.d - touch /etc/ssh/sshd_config.d/nothing -diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh -index d91244f7a..1a36b19e5 100644 ---- a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh -+++ b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu - - - {{% if XCCDF_VARIABLE %}} -diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh -index 15eb1d870..1da21075e 100644 ---- a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh -+++ b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - --# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu - - {{% if XCCDF_VARIABLE %}} - # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} -diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh -index c5f2c41e8..84fbd8696 100644 ---- a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh -+++ b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - --# platform = 
multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu -+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,AlmaLinux OS 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu - - {{% if XCCDF_VARIABLE %}} - # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} -diff --git a/shared/templates/zipl_bls_entries_option/ansible.template b/shared/templates/zipl_bls_entries_option/ansible.template -index feb74e3c4..b82bc305a 100644 ---- a/shared/templates/zipl_bls_entries_option/ansible.template -+++ b/shared/templates/zipl_bls_entries_option/ansible.template -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - # reboot = true - # strategy = configure - # complexity = medium -diff --git a/shared/templates/zipl_bls_entries_option/bash.template b/shared/templates/zipl_bls_entries_option/bash.template -index e14d59dfc..1b236a130 100644 ---- a/shared/templates/zipl_bls_entries_option/bash.template -+++ b/shared/templates/zipl_bls_entries_option/bash.template -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel -+# platform = multi_platform_rhel,multi_platform_almalinux - - # Correct BLS option using grubby, which is a thin wrapper around BLS operations - grubby --update-kernel=ALL --args="{{{ ARG_NAME }}}={{{ ARG_VALUE }}}" -diff --git a/tests/README.md b/tests/README.md -index 8b439b7e0..a7017ad50 100644 ---- a/tests/README.md -+++ b/tests/README.md -@@ -205,7 +205,7 @@ Using `platform` and `variables` metadata: - - ```bash - #!/bin/bash --# platform = Red Hat Enterprise Linux 9,multi_platform_fedora -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora - # variables = auth_enabled=yes,var_example_1=value_example - - echo "KerberosAuthentication $auth_enabled" >> /etc/ssh/sshd_config -diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml 
-index edb6411e3..4d21c0495 100644 ---- a/tests/data/product_stability/ol7.yml -+++ b/tests/data/product_stability/ol7.yml -@@ -37,7 +37,7 @@ groups: - dedicated_ssh_keyowner: - name: ssh_keys - grub2_boot_path: /boot/grub2 --grub2_uefi_boot_path: /boot/efi/EFI/redhat -+grub2_uefi_boot_path: /boot/efi/EFI/almalinux - grub_helper_executable: grubby - init_system: systemd - login_defs_path: /etc/login.defs -diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml -index 609a20b12..db4046ad1 100644 ---- a/tests/data/product_stability/ol8.yml -+++ b/tests/data/product_stability/ol8.yml -@@ -37,7 +37,7 @@ groups: - dedicated_ssh_keyowner: - name: ssh_keys - grub2_boot_path: /boot/grub2 --grub2_uefi_boot_path: /boot/efi/EFI/redhat -+grub2_uefi_boot_path: /boot/efi/EFI/almalinux - grub_helper_executable: grubby - init_system: systemd - login_defs_path: /etc/login.defs -diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml -index 99dfa18bc..fe9fd40ef 100644 ---- a/tests/data/product_stability/rhel8.yml -+++ b/tests/data/product_stability/rhel8.yml -@@ -89,7 +89,7 @@ groups: - dedicated_ssh_keyowner: - name: ssh_keys - grub2_boot_path: /boot/grub2 --grub2_uefi_boot_path: /boot/efi/EFI/redhat -+grub2_uefi_boot_path: /boot/efi/EFI/almalinux - grub_helper_executable: grubby - init_system: systemd - journald_conf_dir_path: /etc/systemd/journald.conf.d -diff --git a/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml b/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml -index 849ab06f6..1a4927eec 100644 ---- a/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml -+++ b/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml -@@ -368,7 +368,7 @@ $ sudo egrep "^SHA_CRYPT_" /etc/login.defs - - If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding. 
- --If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. 
-+If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. - - Generate an encrypted grub2 password for the grub superusers account with the following command: - -@@ -378,7 +378,7 @@ Confirm password:For systems that use BIOS, this is Not Applicable. -+$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable. 
- - Verify that a unique name is set as the "superusers" account: - --$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg -+$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg - set superusers="[someuniquestringhere]" - export superusers - -diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh -index 10df2e2ad..4379d49a3 100644 ---- a/tests/shared/grub2.sh -+++ b/tests/shared/grub2.sh -@@ -11,10 +11,10 @@ function set_grub_uefi_root { - if grep VERSION /etc/os-release | grep -q '9\.'; then - GRUB_CFG_ROOT=/boot/grub2 - else -- GRUB_CFG_ROOT=/boot/efi/EFI/redhat -+ GRUB_CFG_ROOT=/boot/efi/EFI/almalinux - fi - elif grep NAME /etc/os-release | grep -iq "Oracle"; then -- GRUB_CFG_ROOT=/boot/efi/EFI/redhat -+ GRUB_CFG_ROOT=/boot/efi/EFI/almalinux - elif grep NAME /etc/os-release | grep -iq "Ubuntu"; then - GRUB_CFG_ROOT=/boot/grub - fi -diff --git a/tests/unit/ssg-module/data/group_dir/rule_dir/bash/rhel.sh b/tests/unit/ssg-module/data/group_dir/rule_dir/bash/rhel.sh -index 7ea036bf0..493a1c5e7 100644 ---- a/tests/unit/ssg-module/data/group_dir/rule_dir/bash/rhel.sh -+++ b/tests/unit/ssg-module/data/group_dir/rule_dir/bash/rhel.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 9,multi_platform_fedora -+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9,multi_platform_fedora - # reboot = false - # complexity = low - # strategy = configure -diff --git a/tests/unit/ssg-module/data/product.yml b/tests/unit/ssg-module/data/product.yml -index 540ab0181..191dde4ec 100644 ---- a/tests/unit/ssg-module/data/product.yml -+++ b/tests/unit/ssg-module/data/product.yml -@@ -25,7 +25,7 @@ aux_pkg_version: "5a6340b3" - release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51" - auxiliary_key_fingerprint: "7E4624258C406535D56D6F135054E4A45A6340B3" - --grub2_uefi_boot_path: "/boot/efi/EFI/redhat" -+grub2_uefi_boot_path: "/boot/efi/EFI/almalinux" - - cpes_root: "./applicability" - cpes: -diff --git 
a/tests/unit/ssg-module/test_build_sce_data/selinux_state/sce/shared.sh b/tests/unit/ssg-module/test_build_sce_data/selinux_state/sce/shared.sh
-index 030041eef..a20748b59 100644
---- a/tests/unit/ssg-module/test_build_sce_data/selinux_state/sce/shared.sh
-+++ b/tests/unit/ssg-module/test_build_sce_data/selinux_state/sce/shared.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # check-import = stdout
--# platform = Red Hat Enterprise Linux 9
-+# platform = Red Hat Enterprise Linux 9,AlmaLinux OS 9
- if [[ $(getenforce) == "Enforcing" ]] ; then
- exit "$XCCDF_RESULT_PASS"
- fi
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_and_current_same_time.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_and_current_same_time.pass.sh
-index b607202c5..d2b01c32c 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_and_current_same_time.pass.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_and_current_same_time.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # packages = crypto-policies-scripts
- 
- # IMPORTANT: This is a false negative scenario.
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_newer_than_current.fail.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_newer_than_current.fail.sh
-index e5b598342..101078b7a 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_newer_than_current.fail.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/config_newer_than_current.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # packages = crypto-policies-scripts
- 
- update-crypto-policies --set "DEFAULT"
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_nss_config.fail.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_nss_config.fail.sh
-index 7be3c82f3..cf05f1ba7 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_nss_config.fail.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_nss_config.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # profiles = xccdf_org.ssgproject.content_profile_ospp
- # packages = crypto-policies-scripts
- 
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy.fail.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy.fail.sh
-index 261dc3f96..d63342f09 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy.fail.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
- # packages = crypto-policies-scripts
- 
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy_file.fail.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy_file.fail.sh
-index 356aa3ffe..bdf8b8a09 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy_file.fail.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/missing_policy_file.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
- # packages = crypto-policies-scripts
- 
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_file.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_file.pass.sh
-index 06bd713dd..1bdd6314e 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_file.pass.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_file.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # profiles = xccdf_org.ssgproject.content_profile_ospp
- # packages = crypto-policies-scripts
- 
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh
-index 56a081eca..46acd7a12 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/nss_config_as_symlink.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # profiles = xccdf_org.ssgproject.content_profile_ospp
- # packages = crypto-policies-scripts
- 
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh
-index 10cb25593..fc624fa74 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_cis_l1.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # profiles = xccdf_org.ssgproject.content_profile_cis_server_l1,xccdf_org.ssgproject.content_profile_cis_workstation_l1
- # packages = crypto-policies-scripts
- 
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh
-index a2107d146..6e036355c 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_nosha1_set.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # profiles = xccdf_org.ssgproject.content_profile_e8
- # packages = crypto-policies-scripts
- 
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_set.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_set.pass.sh
-index b06e035fa..b984faa43 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_set.pass.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_default_set.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # profiles = xccdf_org.ssgproject.content_profile_standard
- # packages = crypto-policies-scripts
- 
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh
-index 6679f94bd..d53ffd971 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_fips_ospp_set.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # profiles = xccdf_org.ssgproject.content_profile_ospp
- # packages = crypto-policies-scripts
- 
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_future_cis_l2.pass.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_future_cis_l2.pass.sh
-index 116f6b676..5db20bcb9 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_future_cis_l2.pass.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/policy_future_cis_l2.pass.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_cis_workstation_l2
- # packages = crypto-policies-scripts
- 
-diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/wrong_policy.fail.sh b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/wrong_policy.fail.sh
-index 9461c3ddd..738b04498 100644
---- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/wrong_policy.fail.sh
-+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/tests/wrong_policy.fail.sh
-@@ -1,5 +1,5 @@
- #!/bin/bash
--# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux OS 9
- # profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
- # packages = crypto-policies-scripts
- 
-diff --git a/tests/unit/ssg_test_suite/data/correct.pass.sh b/tests/unit/ssg_test_suite/data/correct.pass.sh
-index 5a2bc1005..c3dfe6dce 100644
---- a/tests/unit/ssg_test_suite/data/correct.pass.sh
-+++ b/tests/unit/ssg_test_suite/data/correct.pass.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # packages = sudo,authselect
--# platform = multi_platform_rhel,Fedora
-+# platform = multi_platform_rhel,multi_platform_almalinux,Fedora
- # profiles = xccdf_org.ssgproject.content_profile_cis
- # check = oval
- # remediation = none
-diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py
-index 537959b6a..c8a1835c8 100755
---- a/utils/ansible_playbook_to_role.py
-+++ b/utils/ansible_playbook_to_role.py
-@@ -66,6 +66,9 @@ PRODUCT_ALLOWLIST = set([
- "rhel8",
- "rhel9",
- "rhel10",
-+ "almalinux8",
-+ "almalinux9",
-+ "almalinux10",
- ])
- 
- PROFILE_ALLOWLIST = set([
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 230405d..ac2ab26 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec @@ -5,15 +5,18 @@ # global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly Name: scap-security-guide -Version: 0.1.79 +Version: 0.1.80 Release: 1%{?dist}.alma.1 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 +# AlmaLinux Source +Source9001: add-almalinux9-support.sh + # AlmaLinux Patch -Patch1000: scap-security-guide-add-almalinux9-product.patch +Patch1001: 1001-add-almalinux-to-ansible-product-whitelist.patch BuildArch: noarch @@ -59,6 +62,7 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul %prep %autosetup -p1 +bash %{SOURCE9001} %define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF -DSSG_BUILD_DISA_DELTA_FILES:BOOL=OFF %define cmake_defines_specific %{nil} 
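Review bot: The new `bash %{SOURCE9001}` line in %prep has no post-condition, so if the script's rewrites of the unpacked tree silently match nothing (a pattern that drifted after the 0.1.80 rebase, for instance) the build still succeeds and ships content without the AlmaLinux 9 platform entries, whereas the `Patch1000` it replaces would have failed loudly in %autosetup when it stopped applying. I would add a cheap check right after the call, e.g. `grep -q multi_platform_almalinux tests/unit/ssg_test_suite/data/correct.pass.sh || { echo 'AlmaLinux rewrite did not apply' >&2; exit 1; }`, since that file is one the removed patch edited to carry exactly that marker; one or two similar greps for the other markers the old patch introduced would cover the rest. This assumes the script is an in-place rewrite of the tree rather than something that fails on its own when a pattern is missing, which the hunk itself does not show. It is also worth a short comment next to the call stating that it must run after `%autosetup` so `Patch1001` is already applied when the tree is rewritten.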
@@ -103,9 +107,18 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %endif %changelog -* Mon Dec 22 2025 Andrew Lukoshko - 0.1.79-1.alma.1 +* Tue Mar 31 2026 Andrew Lukoshko - 0.1.80-1.alma.1 - Add AlmaLinux 9 support +* Wed Mar 11 2026 Vojtech Polasek - 0.1.80-1 +- Fix inconsistent and missing audit keys in some audit rules (RHEL-141394) +- Modify shipped kickstart files so that the size of boot partition aligns with official recommended size (RHEL-145201) +- Disable SHA-1 for the RPM component in RHEL 9 CIS profiles (RHEL-138448) +- Use correct permissions and consider the log_group option in rules file_permissions_var_log_audit and directory_permissions_var_log_audit (RHEL-138549) +- Rule configure_ssh_crypto_policy has been removed from RHEL 9 and RHEL 10 profiles. (RHEL-65737) +- Rules of type sshd_use_strong_kex have been removed from RHEL CIS profiles in favor of system wide crypto policies usage. (RHEL-62941) +- Rebase scap-security-guide to the latest upstream version 0.1.80 (RHEL-136121) + * Mon Dec 15 2025 Jan Černý - 0.1.79-1 - Update to the latest upstream release (RHEL-135773)