diff --git a/scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch b/scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch new file mode 100644 index 0000000..97a5f1e --- /dev/null +++ b/scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch 
@@ -0,0 +1,11207 @@ +From 215db1bbe08fdaf1139f563abf9515e8a15a6457 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 10 Jun 2021 19:36:47 +0200 +Subject: [PATCH 1/4] Added RHEL9 profiles that are based on RHEL8 profiles. + +Unsupported rules are commented out. +--- + .../profiles/anssi_bp28_enhanced.profile | 16 + + .../rhel9/profiles/anssi_bp28_high.profile | 15 + + .../profiles/anssi_bp28_intermediary.profile | 15 + + .../rhel9/profiles/anssi_bp28_minimal.profile | 16 + + rhel9/profiles/cis.profile | 1088 +++++++++++++++++ + rhel9/profiles/cjis.profile | 139 +++ + rhel9/profiles/cui.profile | 32 + + rhel9/profiles/e8.profile | 149 +++ + rhel9/profiles/hipaa.profile | 164 +++ + rhel9/profiles/ism_o.profile | 134 ++ + rhel9/profiles/ospp-mls.profile | 25 + + rhel9/profiles/ospp.profile | 444 +++++++ + rhel9/profiles/pci-dss.profile | 134 +- + rhel9/profiles/rht-ccp.profile | 100 ++ + rhel9/profiles/standard.profile | 67 + + rhel9/profiles/stig.profile | 1069 ++++++++++++++++ + rhel9/profiles/stig_gui.profile | 36 + + 17 files changed, 3640 insertions(+), 3 deletions(-) + create mode 100644 rhel9/profiles/anssi_bp28_enhanced.profile + create mode 100644 rhel9/profiles/anssi_bp28_high.profile + create mode 100644 rhel9/profiles/anssi_bp28_intermediary.profile + create mode 100644 rhel9/profiles/anssi_bp28_minimal.profile + create mode 100644 rhel9/profiles/cis.profile + create mode 100644 rhel9/profiles/cjis.profile + create mode 100644 rhel9/profiles/cui.profile + create mode 100644 rhel9/profiles/e8.profile + create mode 100644 rhel9/profiles/hipaa.profile + create mode 100644 rhel9/profiles/ism_o.profile + create mode 100644 rhel9/profiles/ospp-mls.profile + create mode 100644 rhel9/profiles/ospp.profile + create mode 100644 rhel9/profiles/rht-ccp.profile + create mode 100644 rhel9/profiles/standard.profile + create mode 100644 rhel9/profiles/stig.profile + create mode 100644 rhel9/profiles/stig_gui.profile + +diff --git 
a/rhel9/profiles/anssi_bp28_enhanced.profile b/rhel9/profiles/anssi_bp28_enhanced.profile +new file mode 100644 +index 00000000000..bbc11353f3b +--- /dev/null ++++ b/rhel9/profiles/anssi_bp28_enhanced.profile +@@ -0,0 +1,16 @@ ++documentation_complete: true ++ ++title: 'ANSSI-BP-028 (enhanced)' ++ ++description: |- ++ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level. ++ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. ++ ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ ++ ++selections: ++ - anssi:all:enhanced ++ - '!selinux_state' +diff --git a/rhel9/profiles/anssi_bp28_high.profile b/rhel9/profiles/anssi_bp28_high.profile +new file mode 100644 +index 00000000000..560460b55f7 +--- /dev/null ++++ b/rhel9/profiles/anssi_bp28_high.profile +@@ -0,0 +1,15 @@ ++documentation_complete: true ++ ++title: 'ANSSI-BP-028 (high)' ++ ++description: |- ++ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. ++ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
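Review bot: The `'!selinux_state'` entry that closes the selections in rhel9/profiles/anssi_bp28_enhanced.profile removes the SELinux-state rule from the enhanced hardening level, and nothing says why. The commit message only says unsupported rules are commented out, and this one is negated rather than commented out, so a reader cannot tell whether the exclusion is deliberate. The high profile added in the same patch selects `anssi:all:high` with no such exclusion, so the difference looks accidental unless it is explained. I would put a comment directly above the entry, for example `# selinux_state is deliberately excluded at the enhanced level: <reason>`. If the exclusion was only carried over from the RHEL8 file, it should be dropped, so that scans against this profile still check that SELinux is enforcing.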
++ ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ ++ ++selections: ++ - anssi:all:high +diff --git a/rhel9/profiles/anssi_bp28_intermediary.profile b/rhel9/profiles/anssi_bp28_intermediary.profile +new file mode 100644 +index 00000000000..a5920316735 +--- /dev/null ++++ b/rhel9/profiles/anssi_bp28_intermediary.profile +@@ -0,0 +1,15 @@ ++documentation_complete: true ++ ++title: 'ANSSI-BP-028 (intermediary)' ++ ++description: |- ++ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level. ++ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. ++ ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ ++ ++selections: ++ - anssi:all:intermediary +diff --git a/rhel9/profiles/anssi_bp28_minimal.profile b/rhel9/profiles/anssi_bp28_minimal.profile +new file mode 100644 +index 00000000000..cef8394114d +--- /dev/null ++++ b/rhel9/profiles/anssi_bp28_minimal.profile +@@ -0,0 +1,16 @@ ++documentation_complete: true ++ ++title: 'ANSSI-BP-028 (minimal)' ++ ++description: |- ++ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level. ++ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
++ ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ ++ ++selections: ++ - anssi:all:minimal ++ +diff --git a/rhel9/profiles/cis.profile b/rhel9/profiles/cis.profile +new file mode 100644 +index 00000000000..8939011ad1f +--- /dev/null ++++ b/rhel9/profiles/cis.profile +@@ -0,0 +1,1088 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0.0 ++ SMEs: ++ - vojtapolasek ++ - yuumasato ++ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ ++ ++title: 'CIS Red Hat Enterprise Linux 8 Benchmark' ++ ++description: |- ++ This profile defines a baseline that aligns to the Center for Internet Security® ++ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. ++ ++selections: ++ # Necessary for dconf rules ++# - dconf_db_up_to_date # not supported in RHEL9 ATM ++ ++ ### Partitioning ++ - mount_option_home_nodev ++ ++ ## 1.1 Filesystem Configuration ++ ++ ### 1.1.1 Disable unused filesystems ++ ++ #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored) ++ - kernel_module_cramfs_disabled ++ ++ #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored) ++ ++ ++ #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored) ++ - kernel_module_squashfs_disabled ++ ++ #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored) ++ - kernel_module_udf_disabled ++ ++ ### 1.1.2 Ensure /tmp is configured (Scored) ++ - partition_for_tmp ++ ++ ### 1.1.3 Ensure nodev option set on /tmp partition (Scored) ++ - mount_option_tmp_nodev ++ ++ ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored) ++ - mount_option_tmp_nosuid ++ ++ ### 1.1.5 Ensure noexec option set on /tmp partition (Scored) ++ - mount_option_tmp_noexec ++ ++ ### 1.1.6 Ensure separate partition exists for 
/var (Scored) ++ - partition_for_var ++ ++ ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored) ++ - partition_for_var_tmp ++ ++ ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) ++ - mount_option_var_tmp_nodev ++ ++ ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) ++ - mount_option_var_tmp_nosuid ++ ++ ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) ++ - mount_option_var_tmp_noexec ++ ++ ### 1.1.11 Ensure separate partition exists for /var/log (Scored) ++ - partition_for_var_log ++ ++ ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) ++ - partition_for_var_log_audit ++ ++ ### 1.1.13 Ensure separate partition exists for /home (Scored) ++ - partition_for_home ++ ++ ### 1.1.14 Ensure nodev option set on /home partition (Scored) ++ - mount_option_home_nodev ++ ++ ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) ++ - mount_option_dev_shm_nodev ++ ++ ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored) ++ - mount_option_dev_shm_nosuid ++ ++ ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored) ++ - mount_option_dev_shm_noexec ++ ++ ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored) ++ - mount_option_nodev_removable_partitions ++ ++ ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored) ++ - mount_option_nosuid_removable_partitions ++ ++ ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored) ++ - mount_option_noexec_removable_partitions ++ ++ ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored) ++ - dir_perms_world_writable_sticky_bits ++ ++ ### 1.1.22 Disable Automounting (Scored) ++ - service_autofs_disabled ++ ++ ### 1.1.23 Disable USB Storage (Scored) ++ - kernel_module_usb-storage_disabled ++ ++ ## 1.2 Configure Software Updates ++ ++ ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored) ++ # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5218 ++ ++ ### 1.2.2 Disable the rhnsd Daemon (Not Scored) ++ - service_rhnsd_disabled ++ ++ ### 1.2.3 Ensure GPG keys are configured (Not Scored) ++ - ensure_redhat_gpgkey_installed ++ ++ ### 1.2.4 Ensure gpgcheck is globally activated (Scored) ++ - ensure_gpgcheck_globally_activated ++ ++ ### 1.2.5 Ensure package manager repositories are configured (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219 ++ ++ ## 1.3 Configure sudo ++ ++ ### 1.3.1 Ensure sudo is installed (Scored) ++ - package_sudo_installed ++ ++ ### 1.3.2 Ensure sudo commands use pty (Scored) ++ - sudo_add_use_pty ++ ++ ### 1.3.3 Ensure sudo log file exists (Scored) ++ - sudo_custom_logfile ++ ++ ## 1.4 Filesystem Integrity Checking ++ ++ ### 1.4.1 Ensure AIDE is installed (Scored) ++ - package_aide_installed ++ ++ ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored) ++ - aide_periodic_cron_checking ++ ++ ## Secure Boot Settings ++ ++ ### 1.5.1 Ensure permissions on bootloader config are configured (Scored) ++ #### chown root:root /boot/grub2/grub.cfg ++ - file_owner_grub2_cfg ++ - file_groupowner_grub2_cfg ++ ++ #### chmod og-rwx /boot/grub2/grub.cfg ++ - file_permissions_grub2_cfg ++ ++ #### chown root:root /boot/grub2/grubenv ++ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 ++ ++ #### chmod og-rwx /boot/grub2/grubenv ++ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 ++ ++ ### 1.5.2 Ensure bootloader password is set (Scored) ++ - grub2_password ++ ++ ### 1.5.3 Ensure authentication required for single user mode (Scored) ++ #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue ++ - require_singleuser_auth ++ ++ #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency ++ - require_emergency_target_auth ++ ++ ## 1.6 Additional Process Hardening ++ ++ ### 1.6.1 Ensure core dumps are restricted (Scored) ++ #### * hard core 0 ++ - 
disable_users_coredumps ++ ++ #### fs.suid_dumpable = 0 ++ - sysctl_fs_suid_dumpable ++ ++ #### ProcessSizeMax=0 ++# - coredump_disable_backtraces ++ ++ #### Storage=none ++# - coredump_disable_storage ++ ++ ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled ++ - sysctl_kernel_randomize_va_space ++ ++ ## 1.7 Mandatory Access Control ++ ++ ### 1.7.1 Configure SELinux ++ ++ #### 1.7.1.1 Ensure SELinux is installed (Scored) ++ - package_libselinux_installed ++ ++ #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored) ++ - grub2_enable_selinux ++ ++ #### 1.7.1.3 Ensure SELinux policy is configured (Scored) ++ - var_selinux_policy_name=targeted ++ - selinux_policytype ++ ++ #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored) ++ - var_selinux_state=enforcing ++ - selinux_state ++ ++ #### 1.7.1.5 Ensure no unconfied services exist (Scored) ++ - selinux_confinement_of_daemons ++ ++ #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored) ++ - package_setroubleshoot_removed ++ ++ #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored) ++ - package_mcstrans_removed ++ ++ ## Warning Banners ++ ++ ### 1.8.1 Command Line Warning Baners ++ ++ #### 1.8.1.1 Ensure message of the day is configured properly (Scored) ++ - banner_etc_motd ++ ++ #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored) ++ - banner_etc_issue ++ ++ #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225 ++ ++ #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored) ++ # chmod u-x,go-wx /etc/motd ++ - file_permissions_etc_motd ++ ++ #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored) ++ # chmod u-x,go-wx /etc/issue ++ - file_permissions_etc_issue ++ ++ #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored) ++ # Previously addressed via 
'rpm_verify_permissions' rule ++ ++ ### 1.8.2 Ensure GDM login banner is configured (Scored) ++ #### banner-message-enable=true ++# - dconf_gnome_banner_enabled # not supported in RHEL9 ATM ++ ++ #### banner-message-text='' ++# - dconf_gnome_login_banner_text # not supported in RHEL9 ATM ++ ++ ## 1.9 Ensure updates, patches, and additional security software are installed (Scored) ++ - security_patches_up_to_date ++ ++ ## 1.10 Ensure system-wide crypto policy is not legacy (Scored) ++ - var_system_crypto_policy=future ++ - configure_crypto_policy ++ ++ ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored) ++ # Previously addressed via 'configure_crypto_policy' rule ++ ++ # Services ++ ++ ## 2.1 inetd Services ++ ++ ### 2.1.1 Ensure xinetd is not installed (Scored) ++ - package_xinetd_removed ++ ++ ## 2.2 Special Purpose Services ++ ++ ### 2.2.1 Time Synchronization ++ ++ #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) ++ - package_chrony_installed ++ ++ #### 2.2.1.2 Ensure chrony is configured (Scored) ++ - service_chronyd_enabled ++ - chronyd_specify_remote_server ++ - chronyd_run_as_chrony_user ++ ++ ### 2.2.2 Ensure X Window System is not installed (Scored) ++ - package_xorg-x11-server-common_removed ++ - xwindows_runlevel_target ++ ++ ### 2.2.3 Ensure rsync service is not enabled (Scored) ++ - service_rsyncd_disabled ++ ++ ### 2.2.4 Ensure Avahi Server is not enabled (Scored) ++ - service_avahi-daemon_disabled ++ ++ ### 2.2.5 Ensure SNMP Server is not enabled (Scored) ++ - service_snmpd_disabled ++ ++ ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored) ++ - package_squid_removed ++ ++ ### 2.2.7 Ensure Samba is not enabled (Scored) ++ - service_smb_disabled ++ ++ ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored) ++ - service_dovecot_disabled ++ ++ ### 2.2.9 Ensure HTTP server is not enabled (Scored) ++ - service_httpd_disabled ++ ++ ### 2.2.10 Ensure FTP Server is not enabled (Scored) ++ - service_vsftpd_disabled 
++ ++ ### 2.2.11 Ensure DNS Server is not enabled (Scored) ++ - service_named_disabled ++ ++ ### 2.2.12 Ensure NFS is not enabled (Scored) ++ - service_nfs_disabled ++ ++ ### 2.2.13 Ensure RPC is not enabled (Scored) ++ - service_rpcbind_disabled ++ ++ ### 2.2.14 Ensure LDAP service is not enabled (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231 ++ ++ ### 2.2.15 Ensure DHCP Server is not enabled (Scored) ++ - service_dhcpd_disabled ++ ++ ### 2.2.16 Ensure CUPS is not enabled (Scored) ++ - service_cups_disabled ++ ++ ### 2.2.17 Ensure NIS Server is not enabled (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232 ++ ++ ### 2.2.18 Ensure mail transfer agent is configured for ++ ### local-only mode (Scored) ++ - postfix_network_listening_disabled ++ ++ ## 2.3 Service Clients ++ ++ ### 2.3.1 Ensure NIS Client is not installed (Scored) ++ - package_ypbind_removed ++ ++ ### 2.3.2 Ensure telnet client is not installed (Scored) ++ - package_telnet_removed ++ ++ ### Ensure LDAP client is not installed ++ - package_openldap-clients_removed ++ ++ # 3 Network Configuration ++ ++ ## 3.1 Network Parameters (Host Only) ++ ++ ### 3.1.1 Ensure IP forwarding is disabled (Scored) ++ #### net.ipv4.ip_forward = 0 ++ - sysctl_net_ipv4_ip_forward ++ ++ #### net.ipv6.conf.all.forwarding = 0 ++ - sysctl_net_ipv6_conf_all_forwarding ++ ++ ### 3.1.2 Ensure packet redirect sending is disabled (Scored) ++ #### net.ipv4.conf.all.send_redirects = 0 ++ - sysctl_net_ipv4_conf_all_send_redirects ++ ++ #### net.ipv4.conf.default.send_redirects = 0 ++ - sysctl_net_ipv4_conf_default_send_redirects ++ ++ ## 3.2 Network Parameters (Host and Router) ++ ++ ### 3.2.1 Ensure source routed packets are not accepted (Scored) ++ #### net.ipv4.conf.all.accept_source_route = 0 ++ - sysctl_net_ipv4_conf_all_accept_source_route ++ ++ #### net.ipv4.conf.default.accept_source_route = 0 ++ - sysctl_net_ipv4_conf_default_accept_source_route ++ ++ #### 
net.ipv6.conf.all.accept_source_route = 0 ++ - sysctl_net_ipv6_conf_all_accept_source_route ++ ++ #### net.ipv6.conf.default.accept_source_route = 0 ++ - sysctl_net_ipv6_conf_default_accept_source_route ++ ++ ### 3.2.2 Ensure ICMP redirects are not accepted (Scored) ++ #### net.ipv4.conf.all.accept_redirects = 0 ++ - sysctl_net_ipv4_conf_all_accept_redirects ++ ++ #### net.ipv4.conf.default.accept_redirects ++ - sysctl_net_ipv4_conf_default_accept_redirects ++ ++ #### net.ipv6.conf.all.accept_redirects = 0 ++ - sysctl_net_ipv6_conf_all_accept_redirects ++ ++ #### net.ipv6.conf.defaults.accept_redirects = 0 ++ - sysctl_net_ipv6_conf_default_accept_redirects ++ ++ ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) ++ #### net.ipv4.conf.all.secure_redirects = 0 ++ - sysctl_net_ipv4_conf_all_secure_redirects ++ ++ #### net.ipv4.cof.default.secure_redirects = 0 ++ - sysctl_net_ipv4_conf_default_secure_redirects ++ ++ ### 3.2.4 Ensure suspicious packets are logged (Scored) ++ #### net.ipv4.conf.all.log_martians = 1 ++ - sysctl_net_ipv4_conf_all_log_martians ++ ++ #### net.ipv4.conf.default.log_martians = 1 ++ - sysctl_net_ipv4_conf_default_log_martians ++ ++ ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored) ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ ++ ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored) ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses ++ ++ ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) ++ #### net.ipv4.conf.all.rp_filter = 1 ++ - sysctl_net_ipv4_conf_all_rp_filter ++ ++ #### net.ipv4.conf.default.rp_filter = 1 ++ - sysctl_net_ipv4_conf_default_rp_filter ++ ++ ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) ++ - sysctl_net_ipv4_tcp_syncookies ++ ++ ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored) ++ #### net.ipv6.conf.all.accept_ra = 0 ++ - sysctl_net_ipv6_conf_all_accept_ra ++ ++ #### net.ipv6.conf.default.accept_ra = 0 ++ - sysctl_net_ipv6_conf_default_accept_ra ++ 
++ ## 3.3 Uncommon Network Protocols ++ ++ ### 3.3.1 Ensure DCCP is disabled (Scored) ++ - kernel_module_dccp_disabled ++ ++ ### Ensure SCTP is disabled (Scored) ++ - kernel_module_sctp_disabled ++ ++ ### 3.3.3 Ensure RDS is disabled (Scored) ++ - kernel_module_rds_disabled ++ ++ ### 3.3.4 Ensure TIPC is disabled (Scored) ++ - kernel_module_tipc_disabled ++ ++ ## 3.4 Firewall Configuration ++ ++ ### 3.4.1 Ensure Firewall software is installed ++ ++ #### 3.4.1.1 Ensure a Firewall package is installed (Scored) ++ ##### firewalld ++ - package_firewalld_installed ++ ++ ##### nftables ++ #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237 ++ ++ ##### iptables ++ #- package_iptables_installed ++ ++ ### 3.4.2 Configure firewalld ++ ++ #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored) ++ - service_firewalld_enabled ++ ++ #### 3.4.2.2 Ensure iptables is not enabled (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238 ++ ++ #### 3.4.2.3 Ensure nftables is not enabled (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239 ++ ++ #### 3.4.2.4 Ensure default zone is set (Scored) ++ - set_firewalld_default_zone ++ ++ #### 3.4.2.5 Ensure network interfaces are assigned to ++ #### appropriate zone (Not Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240 ++ ++ #### 3.4.2.6 Ensure unnecessary services and ports are not ++ #### accepted (Not Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241 ++ ++ ### 3.4.3 Configure nftables ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242 ++ ++ #### 3.4.3.1 Ensure iptables are flushed (Not Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243 ++ ++ #### 3.4.3.2 Ensure a table exists (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244 ++ ++ #### 3.4.3.3 Ensure base chains exist (Scored) ++ # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5245 ++ ++ #### 3.4.3.4 Ensure loopback traffic is configured (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246 ++ ++ #### 3.4.3.5 Ensure outbound and established connections are ++ #### configured (Not Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247 ++ ++ #### 3.4.3.6 Ensure default deny firewall policy (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248 ++ ++ #### 3.4.3.7 Ensure nftables service is enabled (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249 ++ ++ #### 3.4.3.8 Ensure nftables rules are permanent (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250 ++ ++ ### 3.4.4 Configure iptables ++ ++ #### 3.4.4.1 Configure IPv4 iptables ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251 ++ ++ ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252 ++ ++ ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253 ++ ++ ##### 3.4.4.1.3 Ensure outbound and established connections are ++ ##### configured (Not Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254 ++ ++ ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255 ++ ++ #### 3.4.4.2 Configure IPv6 ip6tables ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256 ++ ++ ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257 ++ ++ ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258 ++ ++ ##### 3.4.4.2.3 Ensure IPv6 
outbound and established connections are ++ ##### configured (Not Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260 ++ ++ ## 3.5 Ensure wireless interfaces are disabled (Scored) ++ - wireless_disable_interfaces ++ ++ ## 3.6 Disable IPv6 (Not Scored) ++ - kernel_module_ipv6_option_disabled ++ ++ # Logging and Auditing ++ ++ ## 4.1 Configure System Accounting (auditd) ++ ++ ### 4.1.1 Ensure auditing is enabled ++ ++ #### 4.1.1.1 Ensure auditd is installed (Scored) ++ - package_audit_installed ++ ++ #### 4.1.1.2 Ensure auditd service is enabled (Scored) ++ - service_auditd_enabled ++ ++ #### 4.1.1.3 Ensure auditing for processes that start prior to audit ++ #### is enabled (Scored) ++ - grub2_audit_argument ++ ++ #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored) ++ - grub2_audit_backlog_limit_argument ++ ++ ### 4.1.2 Configure Data Retention ++ ++ #### 4.1.2.1 Ensure audit log storage size is configured (Scored) ++ - auditd_data_retention_max_log_file ++ ++ #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored) ++ - auditd_data_retention_max_log_file_action ++ ++ #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored) ++ - var_auditd_space_left_action=email ++ - auditd_data_retention_space_left_action ++ ++ ##### action_mail_acct = root ++ - var_auditd_action_mail_acct=root ++ - auditd_data_retention_action_mail_acct ++ ++ ##### admin_space_left_action = halt ++ - var_auditd_admin_space_left_action=halt ++ - auditd_data_retention_admin_space_left_action ++ ++ ### 4.1.3 Ensure changes to system administration scope ++ ### (sudoers) is collected (Scored) ++ - audit_rules_sysadmin_actions ++ ++ ### 4.1.4 Ensure login and logout events are collected (Scored) ++ - audit_rules_login_events_faillock ++ - audit_rules_login_events_lastlog ++ ++ ### 4.1.5 Ensure session initiation information is collected (Scored) ++ - audit_rules_session_events ++ ++ ### 4.1.6 Ensure events that modify date and time 
information ++ ### are collected (Scored) ++ #### adjtimex ++ - audit_rules_time_adjtimex ++ ++ #### settimeofday ++ - audit_rules_time_settimeofday ++ ++ #### stime ++ - audit_rules_time_stime ++ ++ #### clock_settime ++ - audit_rules_time_clock_settime ++ ++ #### -w /etc/localtime -p wa ++ - audit_rules_time_watch_localtime ++ ++ ### 4.1.7 Ensure events that modify the system's Mandatory ++ ### Access Control are collected (Scored) ++ #### -w /etc/selinux/ -p wa ++ - audit_rules_mac_modification ++ ++ #### -w /usr/share/selinux/ -p wa ++ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264 ++ ++ ### 4.1.8 Ensure events that modify the system's network ++ ### enironment are collected (Scored) ++ - audit_rules_networkconfig_modification ++ ++ ### 4.1.9 Ensure discretionary access control permission modification ++ ### events are collected (Scored) ++ - audit_rules_dac_modification_chmod ++ - audit_rules_dac_modification_fchmod ++ - audit_rules_dac_modification_fchmodat ++ - audit_rules_dac_modification_chown ++ - audit_rules_dac_modification_fchown ++ - audit_rules_dac_modification_fchownat ++ - audit_rules_dac_modification_lchown ++ - audit_rules_dac_modification_setxattr ++ - audit_rules_dac_modification_lsetxattr ++ - audit_rules_dac_modification_fsetxattr ++ - audit_rules_dac_modification_removexattr ++ - audit_rules_dac_modification_lremovexattr ++ - audit_rules_dac_modification_fremovexattr ++ ++ ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are ++ ### collected (Scored) ++ - audit_rules_unsuccessful_file_modification_creat ++ - audit_rules_unsuccessful_file_modification_open ++ - audit_rules_unsuccessful_file_modification_openat ++ - audit_rules_unsuccessful_file_modification_truncate ++ - audit_rules_unsuccessful_file_modification_ftruncate ++ # Opinionated selection ++ - audit_rules_unsuccessful_file_modification_open_by_handle_at ++ ++ ### 4.1.11 Ensure events that modify user/group information are ++ ### collected 
(Scored) ++ - audit_rules_usergroup_modification_passwd ++ - audit_rules_usergroup_modification_group ++ - audit_rules_usergroup_modification_gshadow ++ - audit_rules_usergroup_modification_shadow ++ - audit_rules_usergroup_modification_opasswd ++ ++ ### 4.1.12 Ensure successful file system mounts are collected (Scored) ++ - audit_rules_media_export ++ ++ ### 4.1.13 Ensure use of privileged commands is collected (Scored) ++ - audit_rules_privileged_commands ++ ++ ### 4.1.14 Ensure file deletion events by users are collected ++ ### (Scored) ++ - audit_rules_file_deletion_events_unlink ++ - audit_rules_file_deletion_events_unlinkat ++ - audit_rules_file_deletion_events_rename ++ - audit_rules_file_deletion_events_renameat ++ # Opinionated selection ++ - audit_rules_file_deletion_events_rmdir ++ ++ ### 4.1.15 Ensure kernel module loading and unloading is collected ++ ### (Scored) ++ - audit_rules_kernel_module_loading ++ ++ ### 4.1.16 Ensure system administrator actions (sudolog) are ++ ### collected (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516 ++ ++ ### 4.1.17 Ensure the audit configuration is immutable (Scored) ++ - audit_rules_immutable ++ ++ ## 4.2 Configure Logging ++ ++ ### 4.2.1 Configure rsyslog ++ ++ #### 4.2.1.1 Ensure rsyslog is installed (Scored) ++ - package_rsyslog_installed ++ ++ #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored) ++ - service_rsyslog_enabled ++ ++ #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored) ++ - rsyslog_files_permissions ++ ++ #### 4.2.1.4 Ensure logging is configured (Not Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519 ++ ++ #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote ++ #### log host (Scored) ++ - rsyslog_remote_loghost ++ ++ #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on ++ #### designated log hosts (Not Scored) ++ - rsyslog_nolisten ++ ++ ### 4.2.2 Configure journald ++ ++ #### 4.2.2.1 
Ensure journald is configured to send logs to ++ #### rsyslog (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520 ++ ++ #### 4.2.2.2 Ensure journald is configured to compress large ++ #### log files (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521 ++ ++ ++ #### 4.2.2.3 Ensure journald is configured to write logfiles to ++ #### persistent disk (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522 ++ ++ ### 4.2.3 Ensure permissions on all logfiles are configured (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523 ++ ++ ## 4.3 Ensure logrotate is configured (Not Scored) ++ ++ # 5 Access, Authentication and Authorization ++ ++ ## 5.1 Configure cron ++ ++ ### 5.1.1 Ensure cron daemon is enabled (Scored) ++ - service_crond_enabled ++ ++ ++ ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored) ++ # chown root:root /etc/crontab ++ - file_owner_crontab ++ - file_groupowner_crontab ++ # chmod og-rwx /etc/crontab ++ - file_permissions_crontab ++ ++ ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored) ++ # chown root:root /etc/cron.hourly ++ - file_owner_cron_hourly ++ - file_groupowner_cron_hourly ++ # chmod og-rwx /etc/cron.hourly ++ - file_permissions_cron_hourly ++ ++ ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored) ++ # chown root:root /etc/cron.daily ++ - file_owner_cron_daily ++ - file_groupowner_cron_daily ++ # chmod og-rwx /etc/cron.daily ++ - file_permissions_cron_daily ++ ++ ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored) ++ # chown root:root /etc/cron.weekly ++ - file_owner_cron_weekly ++ - file_groupowner_cron_weekly ++ # chmod og-rwx /etc/cron.weekly ++ - file_permissions_cron_weekly ++ ++ ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored) ++ # chown root:root /etc/cron.monthly ++ - file_owner_cron_monthly ++ - 
file_groupowner_cron_monthly ++ # chmod og-rwx /etc/cron.monthly ++ - file_permissions_cron_monthly ++ ++ ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored) ++ # chown root:root /etc/cron.d ++ - file_owner_cron_d ++ - file_groupowner_cron_d ++ # chmod og-rwx /etc/cron.d ++ - file_permissions_cron_d ++ ++ ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored) ++ ++ ++ ## 5.2 SSH Server Configuration ++ ++ ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored) ++ # chown root:root /etc/ssh/sshd_config ++ - file_owner_sshd_config ++ - file_groupowner_sshd_config ++ ++ # chmod og-rwx /etc/ssh/sshd_config ++ - file_permissions_sshd_config ++ ++ ### 5.2.2 Ensure SSH access is limited (Scored) ++ ++ ++ ### 5.2.3 Ensure permissions on SSH private host key files are ++ ### configured (Scored) ++ # TO DO: The rule sets to 640, but benchmark wants 600 ++ - file_permissions_sshd_private_key ++ # TO DO: check owner of private keys in /etc/ssh is root:root ++ ++ ### 5.2.4 Ensure permissions on SSH public host key files are configured ++ ### (Scored) ++ - file_permissions_sshd_pub_key ++ # TO DO: check owner of pub keys in /etc/ssh is root:root ++ ++ ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored) ++ - sshd_set_loglevel_info ++ ++ ### 5.2.6 Ensure SSH X11 forward is disabled (Scored) ++ - sshd_disable_x11_forwarding ++ ++ ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored) ++ - sshd_max_auth_tries_value=4 ++ - sshd_set_max_auth_tries ++ ++ ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored) ++ - sshd_disable_rhosts ++ ++ ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored) ++ - disable_host_auth ++ ++ ### 5.2.10 Ensure SSH root login is disabled (Scored) ++ - sshd_disable_root_login ++ ++ ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored) ++ - sshd_disable_empty_passwords ++ ++ ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored) ++ - sshd_do_not_permit_user_env ++ ++ ### 
5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
++ # ClientAliveInterval 300
++ - sshd_idle_timeout_value=5_minutes
++ - sshd_set_idle_timeout
++
++ # ClientAliveCountMax 0
++ - var_sshd_set_keepalive=0
++
++ ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
++ ### or less (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
++
++ ### 5.2.15 Ensure SSH warning banner is configured (Scored)
++ - sshd_enable_warning_banner
++
++ ### 5.2.16 Ensure SSH PAM is enabled (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
++
++ ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
++ - sshd_disable_tcp_forwarding
++
++ ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
++
++ ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
++ - sshd_set_max_sessions
++ - var_sshd_max_sessions=4
++
++ ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
++ - configure_ssh_crypto_policy
++
++ ## 5.3 Configure authselect
++
++
++ ### 5.3.1 Create custom authselectet profile (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
++
++ ### 5.3.2 Select authselect profile (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
++
++ ### 5.3.3 Ensure authselect includes with-faillock (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
++
++ ## 5.4 Configure PAM
++
++ ### 5.4.1 Ensure password creation requirements are configured (Scored)
++ # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
++ - accounts_password_pam_retry
++ - var_password_pam_minlen=14
++ - accounts_password_pam_minlen
++ - var_password_pam_minclass=4
++ - accounts_password_pam_minclass
++
++ ### 5.4.2 Ensure lockout for failed password attempts is
++ ### configured (Scored)
++ -
var_accounts_passwords_pam_faillock_unlock_time=900
++ - var_accounts_passwords_pam_faillock_deny=5
++ - accounts_passwords_pam_faillock_unlock_time
++ - accounts_passwords_pam_faillock_deny
++
++ ### 5.4.3 Ensure password reuse is limited (Scored)
++ - var_password_pam_unix_remember=5
++ - accounts_password_pam_unix_remember
++
++ ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
++ - set_password_hashing_algorithm_systemauth
++
++ ## 5.5 User Accounts and Environment
++
++ ### 5.5.1 Set Shadow Password Suite Parameters
++
++ #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
++ - var_accounts_maximum_age_login_defs=365
++ - accounts_maximum_age_login_defs
++
++ #### 5.5.1.2 Ensure minimum days between password changes is 7
++ #### or more (Scored)
++ - var_accounts_minimum_age_login_defs=7
++ - accounts_minimum_age_login_defs
++
++ #### 5.5.1.3 Ensure password expiration warning days is
++ #### 7 or more (Scored)
++ - var_accounts_password_warn_age_login_defs=7
++ - accounts_password_warn_age_login_defs
++
++ #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
++ # TODO: Rule doesn't check list of users
++ # https://github.com/ComplianceAsCode/content/issues/5536
++ - var_account_disable_post_pw_expiration=30
++ - account_disable_post_pw_expiration
++
++ #### 5.5.1.5 Ensure all users last password change date is
++ #### in the past (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
++
++ ### 5.5.2 Ensure system accounts are secured (Scored)
++ - no_shelllogin_for_systemaccounts
++
++ ### 5.5.3 Ensure default user shell timeout is 900 seconds
++ ### or less (Scored)
++ - var_accounts_tmout=15_min
++ - accounts_tmout
++
++ ### 5.5.4 Ensure default group for the root account is
++ ### GID 0 (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
++
++ ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
++ - var_accounts_user_umask=027
++ -
accounts_umask_etc_bashrc
++ - accounts_umask_etc_profile
++
++ ## 5.6 Ensure root login is restricted to system console (Not Scored)
++ - securetty_root_login_console_only
++ - no_direct_root_logins
++
++ ## 5.7 Ensure access to the su command is restricted (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
++
++ # System Maintenance
++
++ ## 6.1 System File Permissions
++
++ ### 6.1.1 Audit system file permissions (Not Scored)
++ - rpm_verify_permissions
++ - rpm_verify_ownership
++
++ ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
++ # chown root:root /etc/passwd
++ - file_owner_etc_passwd
++ - file_groupowner_etc_passwd
++
++ # chmod 644 /etc/passwd
++ - file_permissions_etc_passwd
++
++ ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
++ # chown root:root /etc/shadow
++ - file_owner_etc_shadow
++ - file_groupowner_etc_shadow
++
++ # chmod o-rwx,g-wx /etc/shadow
++ - file_permissions_etc_shadow
++
++ ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
++ # chown root:root /etc/group
++ - file_owner_etc_group
++ - file_groupowner_etc_group
++
++ # chmod 644 /etc/group
++ - file_permissions_etc_group
++
++ ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
++ # chown root:root /etc/gshadow
++ - file_owner_etc_gshadow
++ - file_groupowner_etc_gshadow
++
++ # chmod o-rwx,g-rw /etc/gshadow
++ - file_permissions_etc_gshadow
++
++ ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
++ # chown root:root /etc/passwd-
++ - file_owner_backup_etc_passwd
++ - file_groupowner_backup_etc_passwd
++
++ # chmod 644 /etc/passwd-
++ - file_permissions_backup_etc_passwd
++
++ ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
++ # chown root:root /etc/shadow-
++ - file_owner_backup_etc_shadow
++ - file_groupowner_backup_etc_shadow
++
++ # chmod 0000 /etc/shadow-
++ - file_permissions_backup_etc_shadow
++
++ ### 6.1.8 Ensure permissions on
/etc/group- are configured (Scored)
++ # chown root:root /etc/group-
++ - file_owner_backup_etc_group
++ - file_groupowner_backup_etc_group
++
++ # chmod 644 /etc/group-
++ - file_permissions_backup_etc_group
++
++ ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
++ # chown root:root /etc/gshadow-
++ - file_owner_backup_etc_gshadow
++ - file_groupowner_backup_etc_gshadow
++
++ # chmod 0000 /etc/gshadow-
++ - file_permissions_backup_etc_gshadow
++
++ ### 6.1.10 Ensure no world writable files exist (Scored)
++ - file_permissions_unauthorized_world_writable
++
++ ### 6.1.11 Ensure no unowned files or directories exist (Scored)
++ - no_files_unowned_by_user
++
++ ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
++ - file_permissions_ungroupowned
++
++ ### 6.1.13 Audit SUID executables (Not Scored)
++ - file_permissions_unauthorized_suid
++
++ ### 6.1.14 Audit SGID executables (Not Scored)
++ - file_permissions_unauthorized_sgid
++
++ ## 6.2 User and Group Settings
++
++ ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
++ - no_legacy_plus_entries_etc_passwd
++
++ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
++ - no_legacy_plus_entries_etc_shadow
++
++ ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
++ - no_legacy_plus_entries_etc_group
++
++ ### 6.2.6 Ensure root is the only UID 0 account (Scored)
++ - accounts_no_uid_except_zero
++
++ ### 6.2.7 Ensure users' home directories permissions are 750
++ ### or more restrictive (Scored)
++ - file_permissions_home_dirs
++
++ ### 6.2.8 Ensure users own their home directories (Scored)
++ # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
++ - file_groupownership_home_directories
++
++ ### 6.2.9 Ensure users' dot files are not group or world
++ ### writable (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
++
++ ### 6.2.10 Ensure no users have .forward files
(Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
++
++ ### 6.2.11 Ensure no users have .netrc files (Scored)
++ - no_netrc_files
++
++ ### 6.2.12 Ensure users' .netrc Files are not group or
++ ### world accessible (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
++
++ ### 6.2.13 Ensure no users have .rhosts files (Scored)
++ - no_rsh_trust_files
++
++ ### 6.2.14 Ensure all groups in /etc/passwd exist in
++ ### /etc/group (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
++
++ ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
++
++ ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
++
++ ### 6.2.17 Ensure no duplicate user names exist (Scored)
++ - account_unique_name
++
++ ### 6.2.18 Ensure no duplicate group names exist (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
++
++ ### 6.2.19 Ensure shadow group is empty (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
++
++ ### 6.2.20 Ensure all users' home directories exist (Scored)
++ - accounts_user_interactive_home_directory_exists
+diff --git a/rhel9/profiles/cjis.profile b/rhel9/profiles/cjis.profile
+new file mode 100644
+index 00000000000..1fc531952b6
+--- /dev/null
++++ b/rhel9/profiles/cjis.profile
+@@ -0,0 +1,139 @@
++documentation_complete: true
++
++metadata:
++ version: 5.4
++ SMEs:
++ - carlosmmatos
++
++reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
++
++title: 'Criminal Justice Information Services (CJIS) Security Policy'
++
++description: |-
++ This profile is derived from FBI's CJIS v5.4
++ Security Policy.
A copy of this policy can be found at the CJIS Security
++ Policy Resource Center:
++
++ https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
++
++selections:
++ - service_auditd_enabled
++ - grub2_audit_argument
++ - auditd_data_retention_num_logs
++ - auditd_data_retention_max_log_file
++ - auditd_data_retention_max_log_file_action
++ - auditd_data_retention_space_left_action
++ - auditd_data_retention_admin_space_left_action
++ - auditd_data_retention_action_mail_acct
++ - auditd_audispd_syslog_plugin_activated
++ - audit_rules_time_adjtimex
++ - audit_rules_time_settimeofday
++ - audit_rules_time_stime
++ - audit_rules_time_clock_settime
++ - audit_rules_time_watch_localtime
++ - audit_rules_usergroup_modification
++ - audit_rules_networkconfig_modification
++ - file_permissions_var_log_audit
++ - file_ownership_var_log_audit
++ - audit_rules_mac_modification
++ - audit_rules_dac_modification_chmod
++ - audit_rules_dac_modification_chown
++ - audit_rules_dac_modification_fchmod
++ - audit_rules_dac_modification_fchmodat
++ - audit_rules_dac_modification_fchown
++ - audit_rules_dac_modification_fchownat
++ - audit_rules_dac_modification_fremovexattr
++ - audit_rules_dac_modification_fsetxattr
++ - audit_rules_dac_modification_lchown
++ - audit_rules_dac_modification_lremovexattr
++ - audit_rules_dac_modification_lsetxattr
++ - audit_rules_dac_modification_removexattr
++ - audit_rules_dac_modification_setxattr
++ - audit_rules_login_events
++ - audit_rules_session_events
++ - audit_rules_unsuccessful_file_modification
++ - audit_rules_privileged_commands
++ - audit_rules_media_export
++ - audit_rules_file_deletion_events
++ - audit_rules_sysadmin_actions
++ - audit_rules_kernel_module_loading
++ - audit_rules_immutable
++ - account_unique_name
++ - gid_passwd_group_same
++ - accounts_password_all_shadowed
++ - no_empty_passwords
++ - display_login_attempts
++ - var_accounts_password_minlen_login_defs=12
++ -
var_accounts_maximum_age_login_defs=90
++ - var_password_pam_unix_remember=10
++ - var_account_disable_post_pw_expiration=0
++ - var_password_pam_minlen=12
++ - var_accounts_minimum_age_login_defs=1
++ - var_password_pam_difok=6
++ - var_accounts_max_concurrent_login_sessions=3
++ - account_disable_post_pw_expiration
++ - accounts_password_pam_minlen
++ - accounts_minimum_age_login_defs
++ - accounts_password_pam_difok
++ - accounts_max_concurrent_login_sessions
++ - set_password_hashing_algorithm_systemauth
++# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
++# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
++ - file_owner_etc_shadow
++ - file_groupowner_etc_shadow
++ - file_permissions_etc_shadow
++ - file_owner_etc_group
++ - file_groupowner_etc_group
++ - file_permissions_etc_group
++ - file_owner_etc_passwd
++ - file_groupowner_etc_passwd
++ - file_permissions_etc_passwd
++ - file_owner_grub2_cfg
++ - file_groupowner_grub2_cfg
++ - var_password_pam_retry=5
++ - var_accounts_passwords_pam_faillock_deny=5
++ - var_accounts_passwords_pam_faillock_unlock_time=600
++# - dconf_db_up_to_date # not supported in RHEL9 ATM
++# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM
++# - dconf_gnome_screensaver_idle_activation_enabled # not supported in RHEL9 ATM
++# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM
++# - dconf_gnome_screensaver_mode_blank # not supported in RHEL9 ATM
++ - sshd_allow_only_protocol2
++ - sshd_set_idle_timeout
++ - var_sshd_set_keepalive=0
++ - disable_host_auth
++ - sshd_disable_root_login
++ - sshd_disable_empty_passwords
++ - sshd_enable_warning_banner
++ - sshd_do_not_permit_user_env
++ - var_system_crypto_policy=fips
++ - configure_crypto_policy
++ - configure_ssh_crypto_policy
++ - kernel_module_dccp_disabled
++ - kernel_module_sctp_disabled
++ - service_firewalld_enabled
++ - set_firewalld_default_zone
++# - firewalld_sshd_port_enabled # not supported
in RHEL9 ATM
++ - sshd_idle_timeout_value=30_minutes
++ - inactivity_timeout_value=30_minutes
++ - sysctl_net_ipv4_conf_default_accept_source_route
++ - sysctl_net_ipv4_tcp_syncookies
++ - sysctl_net_ipv4_conf_all_send_redirects
++ - sysctl_net_ipv4_conf_default_send_redirects
++ - sysctl_net_ipv4_conf_all_accept_redirects
++ - sysctl_net_ipv4_conf_default_accept_redirects
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
++ - var_password_pam_ocredit=1
++ - var_password_pam_dcredit=1
++ - var_password_pam_ucredit=1
++ - var_password_pam_lcredit=1
++ - package_aide_installed
++ - aide_build_database
++ - aide_periodic_cron_checking
++ - rpm_verify_permissions
++ - rpm_verify_hashes
++ - ensure_redhat_gpgkey_installed
++ - ensure_gpgcheck_globally_activated
++ - ensure_gpgcheck_never_disabled
++ - security_patches_up_to_date
++ - kernel_module_bluetooth_disabled
+diff --git a/rhel9/profiles/cui.profile b/rhel9/profiles/cui.profile
+new file mode 100644
+index 00000000000..bf6d9511c17
+--- /dev/null
++++ b/rhel9/profiles/cui.profile
+@@ -0,0 +1,32 @@
++documentation_complete: true
++
++metadata:
++ version: TBD
++ SMEs:
++ - carlosmmatos
++
++title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
++
++description: |-
++ From NIST 800-171, Section 2.2:
++ Security requirements for protecting the confidentiality of CUI in nonfederal
++ information systems and organizations have a well-defined structure that
++ consists of:
++
++ (i) a basic security requirements section;
++ (ii) a derived security requirements section.
++
++ The basic security requirements are obtained from FIPS Publication 200, which
++ provides the high-level and fundamental security requirements for federal
++ information and information systems. The derived security requirements, which
++ supplement the basic security requirements, are taken from the security controls
++ in NIST Special Publication 800-53.
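Review bot: Several `var_…` refinements in the cjis `selections` list have no rule in this profile that consumes them, so the values are set but nothing is evaluated against them. `var_accounts_passwords_pam_faillock_deny=5` and `var_accounts_passwords_pam_faillock_unlock_time=600` appear without `- accounts_passwords_pam_faillock_deny` and `- accounts_passwords_pam_faillock_unlock_time`, and the same holds for `var_password_pam_retry=5`, `var_password_pam_unix_remember=10`, `var_accounts_maximum_age_login_defs=90` and the four `var_password_pam_*credit=1` values. The profile has no `extends:`, so unless the build pulls rules in some other way, account lockout, password history and maximum password age are not checked by a scan that reports this profile as passed. I would add the matching rules next to each variable, or drop the variables that are not meant to be enforced. `inactivity_timeout_value=30_minutes` appears to be in the same position now that the `dconf_gnome_screensaver_*` rules are commented out.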
++
++ This profile configures Red Hat Enterprise Linux 8 to the NIST Special
++ Publication 800-53 controls identified for securing Controlled Unclassified
++ Information (CUI)."
++
++extends: ospp
++
++selections:
++ - inactivity_timeout_value=10_minutes
+diff --git a/rhel9/profiles/e8.profile b/rhel9/profiles/e8.profile
+new file mode 100644
+index 00000000000..30eb9c594ac
+--- /dev/null
++++ b/rhel9/profiles/e8.profile
+@@ -0,0 +1,149 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - shaneboulden
++
++reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
++
++title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
++
++description: |-
++ This profile contains configuration checks for Red Hat Enterprise Linux 8
++ that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
++
++ A copy of the Essential Eight in Linux Environments guide can be found at the
++ ACSC website:
++
++ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
++
++selections:
++
++ ### Remove obsolete packages
++ - package_talk_removed
++ - package_talk-server_removed
++ - package_xinetd_removed
++ - service_xinetd_disabled
++ - package_ypbind_removed
++ - package_telnet_removed
++ - service_telnet_disabled
++ - package_telnet-server_removed
++ - package_rsh_removed
++ - package_rsh-server_removed
++ - service_zebra_disabled
++ - package_quagga_removed
++ - service_avahi-daemon_disabled
++ - package_squid_removed
++ - service_squid_disabled
++
++ ### Software update
++ - ensure_redhat_gpgkey_installed
++ - ensure_gpgcheck_never_disabled
++ - ensure_gpgcheck_local_packages
++ - ensure_gpgcheck_globally_activated
++ - security_patches_up_to_date
++ - dnf-automatic_security_updates_only
++
++ ### System security settings
++ - sysctl_kernel_randomize_va_space
++ - sysctl_kernel_exec_shield
++ - sysctl_kernel_kptr_restrict
++ - sysctl_kernel_dmesg_restrict
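Review bot: The cui `description` still says the profile "configures Red Hat Enterprise Linux 8" and ends with a stray `"` after `(CUI).`; profile descriptions are carried into the generated guides and scan reports, so a RHEL 9 report would name the wrong product. The same RHEL 8 wording is in the descriptions of the e8, hipaa and ism_o hunks of this patch. I would change the line to `This profile configures Red Hat Enterprise Linux 9 to the NIST Special` and end the paragraph with `Information (CUI).`. `version: TBD` should also be filled in or removed while the profile is marked `documentation_complete: true`.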
++ - sysctl_kernel_kexec_load_disabled
++ - sysctl_kernel_yama_ptrace_scope
++ - sysctl_kernel_unprivileged_bpf_disabled
++ - sysctl_net_core_bpf_jit_harden
++
++ ### SELinux
++ - var_selinux_state=enforcing
++ - selinux_state
++ - var_selinux_policy_name=targeted
++ - selinux_policytype
++
++ ### Filesystem integrity
++ - rpm_verify_hashes
++ - rpm_verify_permissions
++ - rpm_verify_ownership
++ - file_permissions_unauthorized_sgid
++ - file_permissions_unauthorized_suid
++ - file_permissions_unauthorized_world_writable
++ - dir_perms_world_writable_sticky_bits
++ - file_permissions_library_dirs
++ - file_ownership_binary_dirs
++ - file_permissions_binary_dirs
++ - file_ownership_library_dirs
++
++ ### Passwords
++ - no_empty_passwords
++
++ ### Partitioning
++ - mount_option_dev_shm_nodev
++ - mount_option_dev_shm_nosuid
++ - mount_option_dev_shm_noexec
++
++ ### Network
++ - package_firewalld_installed
++ - service_firewalld_enabled
++ - network_sniffer_disabled
++
++ ### Admin privileges
++ - accounts_no_uid_except_zero
++ - sudo_remove_nopasswd
++ - sudo_remove_no_authenticate
++ - sudo_require_authentication
++
++ ### Audit
++ - package_rsyslog_installed
++ - service_rsyslog_enabled
++ - service_auditd_enabled
++ - var_auditd_flush=incremental_async
++ - auditd_data_retention_flush
++ - auditd_local_events
++ - auditd_write_logs
++ - auditd_log_format
++ - auditd_freq
++ - auditd_name_format
++ - audit_rules_login_events_tallylog
++ - audit_rules_login_events_faillock
++ - audit_rules_login_events_lastlog
++ - audit_rules_login_events
++ - audit_rules_time_adjtimex
++ - audit_rules_time_clock_settime
++ - audit_rules_time_watch_localtime
++ - audit_rules_time_settimeofday
++ - audit_rules_time_stime
++ - audit_rules_execution_restorecon
++ - audit_rules_execution_chcon
++ - audit_rules_execution_semanage
++ - audit_rules_execution_setsebool
++ - audit_rules_execution_setfiles
++ - audit_rules_execution_seunshare
++ - audit_rules_sysadmin_actions
++ -
audit_rules_networkconfig_modification
++ - audit_rules_usergroup_modification
++ - audit_rules_dac_modification_chmod
++ - audit_rules_dac_modification_chown
++ - audit_rules_kernel_module_loading
++
++ ### Secure access
++ - sshd_disable_root_login
++ - sshd_disable_gssapi_auth
++ - sshd_print_last_log
++ - sshd_do_not_permit_user_env
++ - sshd_disable_rhosts
++ - sshd_set_loglevel_info
++ - sshd_disable_empty_passwords
++ - sshd_disable_user_known_hosts
++ - sshd_enable_strictmodes
++
++ # See also: https://www.cyber.gov.au/acsc/view-all-content/guidance/asd-approved-cryptographic-algorithms
++ - var_system_crypto_policy=default_nosha1
++ - configure_crypto_policy
++ - configure_ssh_crypto_policy
++
++ ### Application whitelisting
++ - package_fapolicyd_installed
++ - service_fapolicyd_enabled
++
++ ### Backup
++ - package_rear_installed
+diff --git a/rhel9/profiles/hipaa.profile b/rhel9/profiles/hipaa.profile
+new file mode 100644
+index 00000000000..7919649d4d5
+--- /dev/null
++++ b/rhel9/profiles/hipaa.profile
+@@ -0,0 +1,164 @@
++documentation_complete: True
++
++metadata:
++ SMEs:
++ - jjaswanson4
++ - carlosmmatos
++
++reference: https://www.hhs.gov/hipaa/for-professionals/index.html
++
++title: 'Health Insurance Portability and Accountability Act (HIPAA)'
++
++description: |-
++ The HIPAA Security Rule establishes U.S. national standards to protect individuals’
++ electronic personal health information that is created, received, used, or
++ maintained by a covered entity. The Security Rule requires appropriate
++ administrative, physical and technical safeguards to ensure the
++ confidentiality, integrity, and security of electronic protected health
++ information.
++
++ This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
++ Rule identified for securing of electronic protected health information.
++ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
++
++selections:
++ - grub2_password
++# - grub2_uefi_password # not supported in RHEL9 ATM
++ - file_groupowner_grub2_cfg
++ - file_permissions_grub2_cfg
++ - file_owner_grub2_cfg
++# - grub2_disable_interactive_boot # not supported in RHEL9 ATM
++ - no_direct_root_logins
++ - no_empty_passwords
++ - require_singleuser_auth
++ - restrict_serial_port_logins
++ - securetty_root_login_console_only
++# - service_debug-shell_disabled # not supported in RHEL9 ATM
++# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
++# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
++# - dconf_db_up_to_date # not supported in RHEL9 ATM
++# - dconf_gnome_remote_access_credential_prompt # not supported in RHEL9 ATM
++# - dconf_gnome_remote_access_encryption # not supported in RHEL9 ATM
++ - sshd_disable_empty_passwords
++ - sshd_disable_root_login
++# - libreswan_approved_tunnels # not supported in RHEL9 ATM
++ - no_rsh_trust_files
++ - package_rsh-server_removed
++ - package_talk_removed
++ - package_talk-server_removed
++ - package_telnet_removed
++ - package_telnet-server_removed
++ - package_xinetd_removed
++ - service_crond_enabled
++# - service_rexec_disabled # not supported in RHEL9 ATM
++# - service_rlogin_disabled # not supported in RHEL9 ATM
++ - service_telnet_disabled
++ - service_xinetd_disabled
++ - service_zebra_disabled
++# - use_kerberos_security_all_exports # not supported in RHEL9 ATM
++ - disable_host_auth
++ - sshd_allow_only_protocol2
++ - sshd_disable_compression
++ - sshd_disable_gssapi_auth
++ - sshd_disable_kerb_auth
++ - sshd_do_not_permit_user_env
++ - sshd_enable_strictmodes
++ - sshd_enable_warning_banner
++ - var_sshd_set_keepalive=0
++ - encrypt_partitions
++ - var_system_crypto_policy=fips
++ - configure_crypto_policy
++ - configure_ssh_crypto_policy
++ - var_selinux_policy_name=targeted
++ - var_selinux_state=enforcing
++ - grub2_enable_selinux
++ - sebool_selinuxuser_execheap
++ - sebool_selinuxuser_execmod
++ -
sebool_selinuxuser_execstack
++ - selinux_confinement_of_daemons
++ - selinux_policytype
++ - selinux_state
++ - service_kdump_disabled
++ - sysctl_fs_suid_dumpable
++ - sysctl_kernel_dmesg_restrict
++ - sysctl_kernel_exec_shield
++ - sysctl_kernel_randomize_va_space
++ - rpm_verify_hashes
++ - rpm_verify_permissions
++ - ensure_redhat_gpgkey_installed
++ - ensure_gpgcheck_globally_activated
++ - ensure_gpgcheck_never_disabled
++ - ensure_gpgcheck_local_packages
++ - grub2_audit_argument
++ - service_auditd_enabled
++ - audit_rules_privileged_commands_sudo
++ - audit_rules_privileged_commands_su
++ - audit_rules_immutable
++ - kernel_module_usb-storage_disabled
++ - service_autofs_disabled
++ - auditd_audispd_syslog_plugin_activated
++ - rsyslog_remote_loghost
++ - auditd_data_retention_flush
++ - audit_rules_dac_modification_chmod
++ - audit_rules_dac_modification_chown
++ - audit_rules_dac_modification_fchmodat
++ - audit_rules_dac_modification_fchmod
++ - audit_rules_dac_modification_fchownat
++ - audit_rules_dac_modification_fchown
++ - audit_rules_dac_modification_fremovexattr
++ - audit_rules_dac_modification_fsetxattr
++ - audit_rules_dac_modification_lchown
++ - audit_rules_dac_modification_lremovexattr
++ - audit_rules_dac_modification_lsetxattr
++ - audit_rules_dac_modification_removexattr
++ - audit_rules_dac_modification_setxattr
++ - audit_rules_execution_chcon
++ - audit_rules_execution_restorecon
++ - audit_rules_execution_semanage
++ - audit_rules_execution_setsebool
++ - audit_rules_file_deletion_events_renameat
++ - audit_rules_file_deletion_events_rename
++ - audit_rules_file_deletion_events_rmdir
++ - audit_rules_file_deletion_events_unlinkat
++ - audit_rules_file_deletion_events_unlink
++ - audit_rules_kernel_module_loading_delete
++ - audit_rules_kernel_module_loading_init
++ - audit_rules_login_events_faillock
++ - audit_rules_login_events_lastlog
++ - audit_rules_login_events_tallylog
++ - audit_rules_mac_modification
++ -
audit_rules_media_export
++ - audit_rules_networkconfig_modification
++ - audit_rules_privileged_commands_chage
++ - audit_rules_privileged_commands_chsh
++ - audit_rules_privileged_commands_crontab
++ - audit_rules_privileged_commands_gpasswd
++ - audit_rules_privileged_commands_newgrp
++ - audit_rules_privileged_commands_pam_timestamp_check
++ - audit_rules_privileged_commands_passwd
++ - audit_rules_privileged_commands_postdrop
++ - audit_rules_privileged_commands_postqueue
++ - audit_rules_privileged_commands_ssh_keysign
++ - audit_rules_privileged_commands_sudoedit
++ - audit_rules_privileged_commands_umount
++ - audit_rules_privileged_commands_unix_chkpwd
++ - audit_rules_privileged_commands_userhelper
++ - audit_rules_session_events
++ - audit_rules_sysadmin_actions
++ - audit_rules_system_shutdown
++ - audit_rules_time_adjtimex
++ - audit_rules_time_clock_settime
++ - audit_rules_time_settimeofday
++ - audit_rules_time_stime
++ - audit_rules_time_watch_localtime
++ - audit_rules_unsuccessful_file_modification_creat
++ - audit_rules_unsuccessful_file_modification_ftruncate
++ - audit_rules_unsuccessful_file_modification_openat
++ - audit_rules_unsuccessful_file_modification_open_by_handle_at
++ - audit_rules_unsuccessful_file_modification_open
++ - audit_rules_unsuccessful_file_modification_truncate
++ - audit_rules_usergroup_modification_group
++ - audit_rules_usergroup_modification_gshadow
++ - audit_rules_usergroup_modification_opasswd
++ - audit_rules_usergroup_modification_passwd
++ - audit_rules_usergroup_modification_shadow
+diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile
+new file mode 100644
+index 00000000000..592be03783f
+--- /dev/null
++++ b/rhel9/profiles/ism_o.profile
+@@ -0,0 +1,134 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - shaneboulden
++ - wcushen
++ - ahamilto156
++
++reference: https://www.cyber.gov.au/ism
++
++title: 'Australian Cyber Security Centre (ACSC) ISM Official'
++
++description: |-
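Review bot: `documentation_complete: True` marks the hipaa profile as finished while the boot and console protections `grub2_uefi_password`, `grub2_disable_interactive_boot`, `service_debug-shell_disabled` and `disable_ctrlaltdel_reboot` are commented out, so a passing scan no longer says anything about them. For the boot loader password only `grub2_password` remains selected, which presumably does not cover the UEFI configuration. I would set `documentation_complete: false` until those rules are available for RHEL 9, or list the uncovered controls in `description` so that nobody reads a clean result as full coverage. `var_sshd_set_keepalive=0` is also set here without `sshd_set_idle_timeout` or a keepalive rule in the list, so it has no visible effect. The cjis and ism_o hunks comment out rules in the same way.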
++ This profile contains configuration checks for Red Hat Enterprise Linux 8
++ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
++ with the applicability marking of OFFICIAL.
++
++ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
++ Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls
++ specific to an organisation's security posture and risk profile.
++
++ A copy of the ISM can be found at the ACSC website:
++
++ https://www.cyber.gov.au/ism
++
++extends: e8
++
++selections:
++
++ ## Operating system configuration
++ ## Identifiers 1491
++ - no_shelllogin_for_systemaccounts
++
++ ## Local administrator accounts
++ ## Identifiers 1382 / 1410
++ - accounts_password_all_shadowed
++ - package_sudo_installed
++
++ ## Content filtering & Anti virus
++ ## Identifiers 0576 / 1341 / 1034 / 1417 / 1288
++ - package_aide_installed
++
++ ## Software firewall
++ ## Identifiers 1416
++# - configure_firewalld_ports # not supported in RHEL9 ATM
++ ## Removing due to build error
++ ## - configure_firewalld_rate_limiting
++# - firewalld_sshd_port_enabled # not supported in RHEL9 ATM
++ - set_firewalld_default_zone
++
++ ## Endpoint device control software
++ ## Identifiers 1418
++ - package_usbguard_installed
++ - service_usbguard_enabled
++
++ ## Authentication hardening
++ ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
++ ## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
++ - sshd_max_auth_tries_value=5
++ - disable_host_auth
++ - require_emergency_target_auth
++ - require_singleuser_auth
++ - sshd_disable_kerb_auth
++ - sshd_set_max_auth_tries
++
++ ## Password authentication & Protecting credentials
++ ## Identifiers 0421 / 0431 / 0418 / 1402
++ - var_password_pam_minlen=14
++ - var_accounts_password_warn_age_login_defs=7
++ - var_accounts_minimum_age_login_defs=1
++ - var_accounts_maximum_age_login_defs=60
++ -
accounts_password_warn_age_login_defs
++ - accounts_maximum_age_login_defs
++ - accounts_minimum_age_login_defs
++ - accounts_passwords_pam_faillock_interval
++ - accounts_passwords_pam_faillock_unlock_time
++ - accounts_passwords_pam_faillock_deny
++ - accounts_passwords_pam_faillock_deny_root
++ - accounts_password_pam_minlen
++
++ ## Centralised logging facility
++ ## Identifiers 1405 / 0988
++ - rsyslog_cron_logging
++ - rsyslog_files_groupownership
++ - rsyslog_files_ownership
++ - rsyslog_files_permissions
++ - rsyslog_nolisten
++ - rsyslog_remote_loghost
++ - rsyslog_remote_tls
++ - rsyslog_remote_tls_cacert
++ - package_chrony_installed
++ - service_chronyd_enabled
++# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
++ - chronyd_specify_remote_server
++# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
++
++ ## Events to be logged
++ ## Identifiers 0580 / 0584 / 0582 / 0585 / 0586 / 0846 / 0957
++ - display_login_attempts
++ - sebool_auditadm_exec_content
++ - audit_rules_privileged_commands
++ - audit_rules_session_events
++ - audit_rules_unsuccessful_file_modification
++ - audit_access_failed
++ - audit_access_success
++
++ ## Web application & Database servers
++ ## Identifiers 1552 / 1277
++# - openssl_use_strong_entropy # not supported in RHEL9 ATM
++
++ ## Network design and configuration
++ ## Identifiers 1055 / 1311
++# - network_nmcli_permissions # not supported in RHEL9 ATM
++ - service_snmpd_disabled
++# - snmpd_use_newer_protocol # not supported in RHEL9 ATM
++
++ ## Wireless networks
++ ## Identifiers 1315
++ - wireless_disable_interfaces
++
++ ## ASD Approved Cryptographic Algorithms
++ ## Identifiers 0471 / 0472 / 0473 / 0474 / 0475 / 0476 / 0477 /
++ ## 0479 / 0480 / 0481 / 0489 / 0497 / 0994 / 0998 / 1001 / 1139 /
++ ## 1372 / 1373 / 1374 / 1375
++# - enable_fips_mode # not supported in RHEL9 ATM
++ - var_system_crypto_policy=fips
++ - configure_crypto_policy
++
++ ## Secure Shell access
++ ##
Identifiers 0484 / 1506 / 1449 / 0487
++ - sshd_allow_only_protocol2
++ - sshd_enable_warning_banner
++ - sshd_disable_x11_forwarding
++ - file_permissions_sshd_private_key
+diff --git a/rhel9/profiles/ospp-mls.profile b/rhel9/profiles/ospp-mls.profile
+new file mode 100644
+index 00000000000..d1d1b8aff73
+--- /dev/null
++++ b/rhel9/profiles/ospp-mls.profile
+@@ -0,0 +1,25 @@
++documentation_complete: false
++
++title: 'Protection Profile for General Purpose Operating Systems - MLS Mode'
++
++description: |-
++ Placeholder to put MLS specific rules
++
++extends: ospp
++
++selections:
++
++ ################################################
++ ## MUST INSTALL PACKAGES IN MLS MODE
++ #cups
++ #foomatic
++ #ghostscript
++ #ghostscript-fonts
++ #checkpolicy
++ #mcstrans
++ #policycoreutils-newrole
++ #selinux-policy-devel
++ ##xinetd
++ #iproute
++ #iputils
++ #netlabel_tools
+diff --git a/rhel9/profiles/ospp.profile b/rhel9/profiles/ospp.profile
+new file mode 100644
+index 00000000000..c4a43dc5eb6
+--- /dev/null
++++ b/rhel9/profiles/ospp.profile
+@@ -0,0 +1,444 @@
++documentation_complete: true
++
++metadata:
++ version: 4.2.1
++ SMEs:
++ - comps
++ - carlosmmatos
++ - stevegrubb
++
++reference: https://www.niap-ccevs.org/Profile/PP.cfm
++
++title: 'Protection Profile for General Purpose Operating Systems'
++
++description: |-
++ This profile reflects mandatory configuration controls identified in the
++ NIAP Configuration Annex to the Protection Profile for General Purpose
++ Operating Systems (Protection Profile Version 4.2.1).
++
++ This configuration profile is consistent with CNSSI-1253, which requires
++ U.S. National Security Systems to adhere to certain configuration
++ parameters. Accordingly, this configuration profile is suitable for
++ use in U.S. National Security Systems.
++
++selections:
++
++ #######################################################
++ ### GENERAL REQUIREMENTS
++ ### Things needed to meet OSPP functional requirements.
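Review bot: Under "Content filtering & Anti virus" the ism_o profile selects only `package_aide_installed`, which checks that the package is present but not that a baseline database exists or that integrity checks ever run. The cjis hunk in this patch selects `- aide_build_database` and `- aide_periodic_cron_checking` next to it; adding those two lines here would make the control meaningful. Separately, `accounts_passwords_pam_faillock_deny`, `accounts_passwords_pam_faillock_unlock_time` and `accounts_passwords_pam_faillock_interval` are selected without their `var_accounts_passwords_pam_faillock_*` values, so the lockout thresholds fall back to the rules' defaults; the `e8` profile this one extends does not set them in the lines shown either. Pinning those values explicitly, as is done for `var_password_pam_minlen=14`, would make the enforced lockout policy visible in the profile.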
++ #######################################################
++
++ ### Partitioning
++ - mount_option_home_nodev
++ - mount_option_home_nosuid
++ - mount_option_tmp_nodev
++ - mount_option_tmp_noexec
++ - mount_option_tmp_nosuid
++ - partition_for_var_tmp
++ - mount_option_var_tmp_nodev
++ - mount_option_var_tmp_noexec
++ - mount_option_var_tmp_nosuid
++ - mount_option_dev_shm_nodev
++ - mount_option_dev_shm_noexec
++ - mount_option_dev_shm_nosuid
++ - mount_option_nodev_nonroot_local_partitions
++ - mount_option_boot_nodev
++ - mount_option_boot_nosuid
++ - partition_for_home
++ - partition_for_var
++ - mount_option_var_nodev
++ - partition_for_var_log
++ - mount_option_var_log_nodev
++ - mount_option_var_log_nosuid
++ - mount_option_var_log_noexec
++ - partition_for_var_log_audit
++ - mount_option_var_log_audit_nodev
++ - mount_option_var_log_audit_nosuid
++ - mount_option_var_log_audit_noexec
++
++ ### Services
++ # sshd
++ - sshd_disable_root_login
++ - sshd_enable_strictmodes
++ - disable_host_auth
++ - sshd_disable_empty_passwords
++ - sshd_disable_kerb_auth
++ - sshd_disable_gssapi_auth
++ - var_sshd_set_keepalive=0
++ - sshd_enable_warning_banner
++ - sshd_rekey_limit
++ - var_rekey_limit_size=1G
++ - var_rekey_limit_time=1hour
++# - sshd_use_strong_rng # not supported in RHEL9 ATM
++# - openssl_use_strong_entropy # not supported in RHEL9 ATM
++
++ # Time Server
++# - chronyd_client_only # not supported in RHEL9 ATM
++# - chronyd_no_chronyc_network # not supported in RHEL9 ATM
++
++ ### Network Settings
++ - sysctl_net_ipv6_conf_all_accept_ra
++ - sysctl_net_ipv6_conf_default_accept_ra
++ - sysctl_net_ipv4_conf_all_accept_redirects
++ - sysctl_net_ipv4_conf_default_accept_redirects
++ - sysctl_net_ipv6_conf_all_accept_redirects
++ - sysctl_net_ipv6_conf_default_accept_redirects
++ - sysctl_net_ipv4_conf_all_accept_source_route
++ - sysctl_net_ipv4_conf_default_accept_source_route
++ - sysctl_net_ipv6_conf_all_accept_source_route
++ - sysctl_net_ipv6_conf_default_accept_source_route
++ - sysctl_net_ipv4_conf_all_secure_redirects
++ - sysctl_net_ipv4_conf_default_secure_redirects
++ - sysctl_net_ipv4_conf_all_send_redirects
++ - sysctl_net_ipv4_conf_default_send_redirects
++ - sysctl_net_ipv4_conf_all_log_martians
++ - sysctl_net_ipv4_conf_default_log_martians
++ - sysctl_net_ipv4_conf_all_rp_filter
++ - sysctl_net_ipv4_conf_default_rp_filter
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
++ - sysctl_net_ipv4_ip_forward
++ - sysctl_net_ipv4_tcp_syncookies
++
++ ### systemd
++# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
++# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
++# - service_debug-shell_disabled # not supported in RHEL9 ATM
++
++ ### umask
++ - var_accounts_user_umask=027
++ - accounts_umask_etc_profile
++ - accounts_umask_etc_bashrc
++# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM
++
++ ### Software update
++ - ensure_redhat_gpgkey_installed
++ - ensure_gpgcheck_globally_activated
++ - ensure_gpgcheck_local_packages
++ - ensure_gpgcheck_never_disabled
++
++ ### Passwords
++ - var_password_pam_difok=4
++ - accounts_password_pam_difok
++ - var_password_pam_maxrepeat=3
++ - accounts_password_pam_maxrepeat
++ - var_password_pam_maxclassrepeat=4
++ - accounts_password_pam_maxclassrepeat
++
++ ### Kernel Config
++ ## Boot prompt
++ - grub2_audit_argument
++ - grub2_audit_backlog_limit_argument
++ - grub2_slub_debug_argument
++ - grub2_page_poison_argument
++ - grub2_vsyscall_argument
++ - grub2_vsyscall_argument.role=unscored
++ - grub2_vsyscall_argument.severity=info
++ - grub2_pti_argument
++ - grub2_kernel_trust_cpu_rng
++
++ ## Security Settings
++ - sysctl_kernel_kptr_restrict
++ - sysctl_kernel_dmesg_restrict
++ - sysctl_kernel_kexec_load_disabled
++ - sysctl_kernel_yama_ptrace_scope
++ - sysctl_kernel_perf_event_paranoid
++ - sysctl_user_max_user_namespaces
++ - sysctl_user_max_user_namespaces.role=unscored
++ - sysctl_user_max_user_namespaces.severity=info
++ - sysctl_kernel_unprivileged_bpf_disabled
++ - sysctl_net_core_bpf_jit_harden
++ - service_kdump_disabled
++
++ ## File System Settings
++ - sysctl_fs_protected_hardlinks
++ - sysctl_fs_protected_symlinks
++
++ ### Audit
++ - service_auditd_enabled
++ - var_auditd_flush=incremental_async
++ - auditd_data_retention_flush
++ - auditd_local_events
++ - auditd_write_logs
++ - auditd_log_format
++ - auditd_freq
++ - auditd_name_format
++
++ ### Module Blacklist
++ - kernel_module_cramfs_disabled
++ - kernel_module_bluetooth_disabled
++ - kernel_module_sctp_disabled
++ - kernel_module_firewire-core_disabled
++ - kernel_module_atm_disabled
++ - kernel_module_can_disabled
++ - kernel_module_tipc_disabled
++
++ ### rpcbind
++
++ ### Install Required Packages
++ - package_aide_installed
++ - package_dnf-automatic_installed
++ - package_subscription-manager_installed
++# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM
++ - package_firewalld_installed
++ - package_openscap-scanner_installed
++ - package_policycoreutils_installed
++ - package_sudo_installed
++ - package_usbguard_installed
++ - package_scap-security-guide_installed
++ - package_audit_installed
++ - package_crypto-policies_installed
++ - package_openssh-server_installed
++ - package_openssh-clients_installed
++ - package_policycoreutils-python-utils_installed
++ - package_rsyslog_installed
++ - package_rsyslog-gnutls_installed
++ - package_audispd-plugins_installed
++ - package_chrony_installed
++ - package_gnutls-utils_installed
++
++ ### Remove Prohibited Packages
++ - package_sendmail_removed
++ - package_iprutils_removed
++ - package_gssproxy_removed
++ - package_nfs-utils_removed
++ - package_krb5-workstation_removed
++ - package_abrt-addon-kerneloops_removed
++ - package_abrt-addon-python_removed
++ - package_abrt-addon-ccpp_removed
++ - package_abrt-plugin-rhtsupport_removed
++ - package_abrt-plugin-logger_removed
++ - package_abrt-plugin-sosreport_removed
++ - package_abrt-cli_removed
++ - package_abrt_removed
++
++ ### Login
++ - disable_users_coredumps
++ - sysctl_kernel_core_pattern
++# - coredump_disable_storage
++# - coredump_disable_backtraces
++ - service_systemd-coredump_disabled
++ - var_accounts_max_concurrent_login_sessions=10
++ - accounts_max_concurrent_login_sessions
++ - securetty_root_login_console_only
++ - var_password_pam_unix_remember=5
++ - accounts_password_pam_unix_remember
++# - use_pam_wheel_for_su # not supported in RHEL9 ATM
++
++ ### SELinux Configuration
++ - var_selinux_state=enforcing
++ - selinux_state
++ - var_selinux_policy_name=targeted
++ - selinux_policytype
++
++ ### Application Whitelisting (RHEL 9)
++ - package_fapolicyd_installed
++ - service_fapolicyd_enabled
++
++ ### Configure USBGuard
++ - service_usbguard_enabled
++ - configure_usbguard_auditbackend
++ - usbguard_allow_hid_and_hub
++
++
++ ### Enable / Configure FIPS
++# - enable_fips_mode # not supported in RHEL9 ATM
++ - var_system_crypto_policy=fips_ospp
++ - configure_crypto_policy
++ - configure_ssh_crypto_policy
++ - configure_bind_crypto_policy
++ - configure_openssl_crypto_policy
++ - configure_libreswan_crypto_policy
++ - configure_kerberos_crypto_policy
++# - enable_dracut_fips_module # not supported in RHEL9 ATM
++
++ #######################################################
++ ### CONFIGURATION ANNEX TO THE PROTECTION PROFILE
++ ### FOR GENERAL PURPOSE OPERATING SYSTEMS
++ ### ANNEX RELEASE 1
++ ### FOR PROTECTION PROFILE VERSIONS 4.2
++ ###
++ ### https://www.niap-ccevs.org/MMO/PP/-442ConfigAnnex-/
++ #######################################################
++
++ ## Configure Minimum Password Length to 12 Characters
++ ## IA-5 (1)(a) / FMT_MOF_EXT.1
++ - var_accounts_password_minlen_login_defs=12
++ - accounts_password_minlen_login_defs
++ - var_password_pam_minlen=12
++ - accounts_password_pam_minlen
++
++ ## Require at Least 1 Special Character in Password
++ ## IA-5(1)(a) / FMT_MOF_EXT.1
++ - var_password_pam_ocredit=1
++ - accounts_password_pam_ocredit
++
++ ## Require at Least 1 Numeric Character in Password
++ ## IA-5(1)(a) / FMT_MOF_EXT.1
++ - var_password_pam_dcredit=1
++ - accounts_password_pam_dcredit
++
++ ## Require at Least 1 Uppercase Character in Password
++ ## IA-5(1)(a) / FMT_MOF_EXT.1
++ - var_password_pam_ucredit=1
++ - accounts_password_pam_ucredit
++
++ ## Require at Least 1 Lowercase Character in Password
++ ## IA-5(1)(a) / FMT_MOF_EXT.1
++ - var_password_pam_lcredit=1
++ - accounts_password_pam_lcredit
++
++ ## Enable Screen Lock
++ ## FMT_MOF_EXT.1
++ - package_tmux_installed
++# - configure_bashrc_exec_tmux # not supported in RHEL9 ATM
++# - no_tmux_in_shells # not supported in RHEL9 ATM
++# - configure_tmux_lock_command # not supported in RHEL9 ATM
++# - configure_tmux_lock_after_time # not supported in RHEL9 ATM
++
++ ## Set Screen Lock Timeout Period to 30 Minutes or Less
++ ## AC-11(a) / FMT_MOF_EXT.1
++ ## We deliberately set sshd timeout to 1 minute before tmux lock timeout
++ - sshd_idle_timeout_value=14_minutes
++ - sshd_set_idle_timeout
++
++ ## Disable Unauthenticated Login (such as Guest Accounts)
++ ## FIA_UAU.1
++ - require_singleuser_auth
++# - grub2_disable_interactive_boot # not supported in RHEL9 ATM
++# - grub2_uefi_password # not supported in RHEL9 ATM
++ - no_empty_passwords
++
++ ## Set Maximum Number of Authentication Failures to 3 Within 15 Minutes
++ ## AC-7 / FIA_AFL.1
++ - var_accounts_passwords_pam_faillock_deny=3
++ - accounts_passwords_pam_faillock_deny
++ - var_accounts_passwords_pam_faillock_fail_interval=900
++ - accounts_passwords_pam_faillock_interval
++ - var_accounts_passwords_pam_faillock_unlock_time=never
++ - accounts_passwords_pam_faillock_unlock_time
++
++ ## Enable Host-Based Firewall
++ ## SC-7(12) / FMT_MOF_EXT.1
++ - service_firewalld_enabled
++
++ ## Configure Name/Addres of Remote Management Server
++ ## From Which to Receive Config Settings
++ ## CM-3(3) / FMT_MOF_EXT.1
++
++ ## Configure the System to Offload Audit Records to a Log
++ ## Server
++ ## AU-4(1) / FAU_GEN.1.1.c
++ # temporarily dropped
++
++ ## Set Logon Warning Banner
++ ## AC-8(a) / FMT_MOF_EXT.1
++
++ ## Audit All Logons (Success/Failure) and Logoffs (Success)
++ ## CNSSI 1253 Value or DoD-Specific Values:
++ ## (1) Logons (Success/Failure)
++ ## (2) Logoffs (Success)
++ ## AU-2(a) / FAU_GEN.1.1.c
++
++ ## Audit File and Object Events (Unsuccessful)
++ ## CNSSI 1253 Value or DoD-specific Values:
++ ## (1) Create (Success/Failure)
++ ## (2) Access (Success/Failure)
++ ## (3) Delete (Sucess/Failure)
++ ## (4) Modify (Success/Failure)
++ ## (5) Permission Modification (Sucess/Failure)
++ ## (6) Ownership Modification (Success/Failure)
++ ## AU-2(a) / FAU_GEN.1.1.c
++ ##
++ ##
++ ## (1) Create (Success/Failure)
++ ## (open with O_CREAT)
++ ## (2) Access (Success/Failure)
++ ## (3) Delete (Success/Failure)
++ ## (4) Modify (Success/Failure)
++ ## (5) Permission Modification (Success/Failure)
++ ## (6) Ownership Modification (Success/Failure)
++
++ ## Audit User and Group Management Events (Success/Failure)
++ ## CNSSI 1253 Value or DoD-specific Values:
++ ## (1) User add, delete, modify, disable, enable (Success/Failure)
++ ## (2) Group/Role add, delete, modify (Success/Failure)
++ ## AU-2(a) / FAU_GEN.1.1.c
++ ##
++ ## Generic User and Group Management Events (Success/Failure)
++ ## Selection of setuid programs that relate to
++ ## user accounts.
++ ##
++ ## CNSSI 1253: (1) User add, delete, modify, disable, enable (Success/Failure)
++ ##
++ ## CNSSI 1252: (2) Group/Role add, delete, modify (Success/Failure)
++ ##
++ ## Audit Privilege or Role Escalation Events (Success/Failure)
++ ## CNSSI 1253 Value or DoD-specific Values:
++ ## - Privilege/Role escalation (Success/Failure)
++ ## AU-2(a) / FAU_GEN.1.1.c
++ ## Audit All Audit and Log Data Accesses (Success/Failure)
++ ## CNSSI 1253 Value or DoD-specific Values:
++ ## - Audit and log data access (Success/Failure)
++ ## AU-2(a) / FAU_GEN.1.1.c
++ ## Audit Cryptographic Verification of Software (Success/Failure)
++ ## CNSSI 1253 Value or DoD-specific Values:
++ ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite,
++ ## etc) initialization (Success/Failure)
++ ## AU-2(a) / FAU_GEN.1.1.c
++ ## Audit Kernel Module Loading and Unloading Events (Success/Failure)
++ ## AU-2(a) / FAU_GEN.1.1.c
++ - audit_basic_configuration
++ - audit_immutable_login_uids
++ - audit_create_failed
++ - audit_create_success
++ - audit_modify_failed
++ - audit_modify_success
++ - audit_access_failed
++ - audit_access_success
++ - audit_delete_failed
++ - audit_delete_success
++ - audit_perm_change_failed
++ - audit_perm_change_success
++ - audit_owner_change_failed
++ - audit_owner_change_success
++ - audit_ospp_general
++ - audit_module_load
++
++ ## Enable Automatic Software Updates
++ ## SI-2 / FMT_MOF_EXT.1
++ # Configure dnf-automatic to Install Only Security Updates
++ - dnf-automatic_security_updates_only
++
++ # Configure dnf-automatic to Install Available Updates Automatically
++ - dnf-automatic_apply_updates
++
++ # Enable dnf-automatic Timer
++ - timer_dnf-automatic_enabled
++
++ # Configure TLS for remote logging
++ - rsyslog_remote_tls
++ - rsyslog_remote_tls_cacert
++
++ # Prevent Kerberos use by system daemons
++ - kerberos_disable_no_keytab
++
++ # set ssh client rekey limit
++# - ssh_client_rekey_limit # not supported in RHEL9 ATM
++ - var_ssh_client_rekey_limit_size=1G
++ - var_ssh_client_rekey_limit_time=1hour
++
++# configure ssh client to use strong entropy
++# - ssh_client_use_strong_rng_sh # not supported in RHEL9 ATM
++# - ssh_client_use_strong_rng_csh # not supported in RHEL9 ATM
++
++ # zIPl specific rules
++ - zipl_bls_entries_only
++ - zipl_bootmap_is_up_to_date
++ - zipl_audit_argument
++ - zipl_audit_backlog_limit_argument
++ - zipl_slub_debug_argument
++ - zipl_page_poison_argument
++ - zipl_vsyscall_argument
++ - zipl_vsyscall_argument.role=unscored
++ - zipl_vsyscall_argument.severity=info
+diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile
+index 3ad218b5a0d..966b2d5e1d8 100644
+--- a/rhel9/profiles/pci-dss.profile
++++ b/rhel9/profiles/pci-dss.profile
+@@ -6,14 +6,142 @@ metadata:
+
+ reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+
+-title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9'
++title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'
+
+ description: |-
+ Ensures PCI-DSS v3.2.1 security configuration settings are applied.
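Review bot: In the new rhel9/profiles/ospp.profile, the `## Enable Screen Lock` block keeps only `package_tmux_installed` and comments out all four tmux rules, so the profile no longer checks any session lock, and the comment `We deliberately set sshd timeout to 1 minute before tmux lock timeout` now describes a lock that is not configured. The same pattern leaves `var_ssh_client_rekey_limit_size`/`_time` selected while `ssh_client_rekey_limit` is disabled, and `var_system_crypto_policy=fips_ospp` selected while `enable_fips_mode` and `enable_dracut_fips_module` are disabled. With `documentation_complete: true` and a description that still says the profile reflects the mandatory NIAP controls, a passing scan could be read as conformance. I would set `documentation_complete: false`, as the ospp-mls.profile stub in this patch does, until the disabled rules return, or list the gaps in `description`.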
+
+ selections:
+- # selections are empty because almost no rules are applicable for RHEL9
+- - package_rsyslog_installed
++ - var_password_pam_unix_remember=4
++ - var_account_disable_post_pw_expiration=90
++ - var_accounts_passwords_pam_faillock_deny=6
++ - var_accounts_passwords_pam_faillock_unlock_time=1800
++ - sshd_idle_timeout_value=15_minutes
++ - var_password_pam_minlen=7
++ - var_password_pam_minclass=2
++ - var_accounts_maximum_age_login_defs=90
++ - var_auditd_num_logs=5
++ - service_auditd_enabled
++ - grub2_audit_argument
++ - auditd_data_retention_num_logs
++ - auditd_data_retention_max_log_file
++ - auditd_data_retention_max_log_file_action
++ - auditd_data_retention_space_left_action
++ - auditd_data_retention_admin_space_left_action
++ - auditd_data_retention_action_mail_acct
++ - package_audispd-plugins_installed
++ - auditd_audispd_syslog_plugin_activated
++ - audit_rules_time_adjtimex
++ - audit_rules_time_settimeofday
++ - audit_rules_time_stime
++ - audit_rules_time_clock_settime
++ - audit_rules_time_watch_localtime
++ - audit_rules_usergroup_modification_group
++ - audit_rules_usergroup_modification_gshadow
++ - audit_rules_usergroup_modification_opasswd
++ - audit_rules_usergroup_modification_passwd
++ - audit_rules_usergroup_modification_shadow
++ - audit_rules_networkconfig_modification
++ - file_permissions_var_log_audit
++ - file_ownership_var_log_audit
++ - audit_rules_mac_modification
++ - audit_rules_dac_modification_chmod
++ - audit_rules_dac_modification_chown
++ - audit_rules_dac_modification_fchmod
++ - audit_rules_dac_modification_fchmodat
++ - audit_rules_dac_modification_fchown
++ - audit_rules_dac_modification_fchownat
++ - audit_rules_dac_modification_fremovexattr
++ - audit_rules_dac_modification_fsetxattr
++ - audit_rules_dac_modification_lchown
++ - audit_rules_dac_modification_lremovexattr
++ - audit_rules_dac_modification_lsetxattr
++ - audit_rules_dac_modification_removexattr
++ - audit_rules_dac_modification_setxattr
++ - audit_rules_login_events
++ - audit_rules_session_events
++ - audit_rules_unsuccessful_file_modification_creat
++ - audit_rules_unsuccessful_file_modification_ftruncate
++ - audit_rules_unsuccessful_file_modification_open
++ - audit_rules_unsuccessful_file_modification_open_by_handle_at
++ - audit_rules_unsuccessful_file_modification_openat
++ - audit_rules_unsuccessful_file_modification_truncate
++ - audit_rules_privileged_commands
++ - audit_rules_media_export
++ - audit_rules_file_deletion_events_rename
++ - audit_rules_file_deletion_events_renameat
++ - audit_rules_file_deletion_events_rmdir
++ - audit_rules_file_deletion_events_unlink
++ - audit_rules_file_deletion_events_unlinkat
++ - audit_rules_sysadmin_actions
++ - audit_rules_kernel_module_loading_delete
++ - audit_rules_kernel_module_loading_finit
++ - audit_rules_kernel_module_loading_init
++ - audit_rules_immutable
++ - var_multiple_time_servers=rhel
++# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
++# - chronyd_or_ntpd_specify_remote_server # not supported in RHEL9 ATM
++# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
++ - rpm_verify_permissions
++ - rpm_verify_hashes
++# - install_hids # not supported in RHEL9 ATM
+ - rsyslog_files_permissions
+ - rsyslog_files_ownership
+ - rsyslog_files_groupownership
++ - ensure_logrotate_activated
++ - package_aide_installed
++ - aide_build_database
++ - aide_periodic_cron_checking
++ - account_unique_name
++ - gid_passwd_group_same
++ - accounts_password_all_shadowed
++ - no_empty_passwords
++ - display_login_attempts
++ - account_disable_post_pw_expiration
++ - accounts_passwords_pam_faillock_deny
++ - accounts_passwords_pam_faillock_unlock_time
++# - dconf_db_up_to_date # not supported in RHEL9 ATM
++# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM
++# - dconf_gnome_screensaver_idle_activation_enabled # not supported in RHEL9 ATM
++# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM
++# - dconf_gnome_screensaver_mode_blank # not supported in RHEL9 ATM
++ - sshd_set_idle_timeout
++ - var_sshd_set_keepalive=0
++ - accounts_password_pam_minlen
++ - accounts_password_pam_dcredit
++ - accounts_password_pam_ucredit
++ - accounts_password_pam_lcredit
++ - accounts_password_pam_unix_remember
++ - accounts_maximum_age_login_defs
++ - ensure_redhat_gpgkey_installed
++ - ensure_gpgcheck_globally_activated
++ - ensure_gpgcheck_never_disabled
++ - security_patches_up_to_date
++ - package_opensc_installed
++ - var_smartcard_drivers=cac
++# - configure_opensc_card_drivers # not supported in RHEL9 ATM
++# - force_opensc_card_drivers # not supported in RHEL9 ATM
++# - package_pcsc-lite_installed # not supported in RHEL9 ATM
++# - service_pcscd_enabled # not supported in RHEL9 ATM
++# - sssd_enable_smartcards # not supported in RHEL9 ATM
++ - set_password_hashing_algorithm_systemauth
++# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
++# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
++ - file_owner_etc_shadow
++ - file_groupowner_etc_shadow
++ - file_permissions_etc_shadow
++ - file_owner_etc_group
++ - file_groupowner_etc_group
++ - file_permissions_etc_group
++ - file_owner_etc_passwd
++ - file_groupowner_etc_passwd
++ - file_permissions_etc_passwd
++ - file_owner_grub2_cfg
++ - file_groupowner_grub2_cfg
++ - package_libreswan_installed
++ - configure_crypto_policy
++ - configure_bind_crypto_policy
++ - configure_openssl_crypto_policy
++ - configure_libreswan_crypto_policy
++ - configure_ssh_crypto_policy
++ - configure_kerberos_crypto_policy
+diff --git a/rhel9/profiles/rht-ccp.profile b/rhel9/profiles/rht-ccp.profile
+new file mode 100644
+index 00000000000..3b734c2b2c5
+--- /dev/null
++++ b/rhel9/profiles/rht-ccp.profile
+@@ -0,0 +1,100 @@
++documentation_complete: true
++
++title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
++
++description: |-
++ This profile contains
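Review bot: The `title` line in the rhel9/profiles/pci-dss.profile hunk changes from `... Red Hat Enterprise Linux 9` to `... Red Hat Enterprise Linux 8`, although the file is the RHEL 9 profile. Scan reports and tailoring tools display this title, so results from a RHEL 9 host would be labelled as a RHEL 8 baseline in audit evidence. Keep `title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9'`. The same leftover product name appears in the new rht-ccp.profile description, the standard.profile title and description, and the stig.profile title and description in this patch.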
the minimum security relevant
++ configuration settings recommended by Red Hat, Inc for
++ Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified
++ Cloud Providers.
++
++selections:
++ - var_selinux_state=enforcing
++ - var_selinux_policy_name=targeted
++ - file_owner_logfiles_value=root
++ - file_groupowner_logfiles_value=root
++ - sshd_idle_timeout_value=5_minutes
++ - var_accounts_password_minlen_login_defs=6
++ - var_accounts_minimum_age_login_defs=7
++ - var_accounts_passwords_pam_faillock_deny=5
++ - var_accounts_password_warn_age_login_defs=7
++ - var_password_pam_retry=3
++ - var_password_pam_dcredit=1
++ - var_password_pam_ucredit=2
++ - var_password_pam_ocredit=2
++ - var_password_pam_lcredit=2
++ - var_password_pam_difok=3
++ - var_password_pam_unix_remember=5
++ - var_accounts_user_umask=077
++ - login_banner_text=usgcb_default
++ - partition_for_tmp
++ - partition_for_var
++ - partition_for_var_log
++ - partition_for_var_log_audit
++ - selinux_state
++ - selinux_policytype
++ - ensure_redhat_gpgkey_installed
++ - security_patches_up_to_date
++ - ensure_gpgcheck_globally_activated
++ - ensure_gpgcheck_never_disabled
++ - package_aide_installed
++ - accounts_password_pam_unix_remember
++ - no_shelllogin_for_systemaccounts
++ - no_empty_passwords
++ - accounts_password_all_shadowed
++ - accounts_no_uid_except_zero
++ - accounts_password_minlen_login_defs
++ - accounts_minimum_age_login_defs
++ - accounts_password_warn_age_login_defs
++ - accounts_password_pam_retry
++ - accounts_password_pam_dcredit
++ - accounts_password_pam_ucredit
++ - accounts_password_pam_ocredit
++ - accounts_password_pam_lcredit
++ - accounts_password_pam_difok
++ - accounts_passwords_pam_faillock_deny
++ - set_password_hashing_algorithm_systemauth
++# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
++# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
++ - require_singleuser_auth
++ - file_owner_etc_shadow
++ - file_groupowner_etc_shadow
++ - file_permissions_etc_shadow
++ - file_owner_etc_gshadow
++ - file_groupowner_etc_gshadow
++ - file_permissions_etc_gshadow
++ - file_owner_etc_passwd
++ - file_groupowner_etc_passwd
++ - file_permissions_etc_passwd
++ - file_owner_etc_group
++ - file_groupowner_etc_group
++ - file_permissions_etc_group
++ - file_permissions_library_dirs
++ - file_ownership_library_dirs
++ - file_permissions_binary_dirs
++ - file_ownership_binary_dirs
++ - file_permissions_var_log_audit
++ - file_owner_grub2_cfg
++ - file_groupowner_grub2_cfg
++ - file_permissions_grub2_cfg
++ - grub2_password
++ - kernel_module_dccp_disabled
++ - kernel_module_sctp_disabled
++ - service_firewalld_enabled
++ - set_firewalld_default_zone
++# - firewalld_sshd_port_enabled # not supported in RHEL9 ATM
++ - service_abrtd_disabled
++ - service_telnet_disabled
++ - package_telnet-server_removed
++ - package_telnet_removed
++ - sshd_allow_only_protocol2
++ - sshd_set_idle_timeout
++ - var_sshd_set_keepalive=0
++ - disable_host_auth
++ - sshd_disable_root_login
++ - sshd_disable_empty_passwords
++ - sshd_enable_warning_banner
++ - sshd_do_not_permit_user_env
++ - var_system_crypto_policy=fips
++ - configure_crypto_policy
++ - configure_ssh_crypto_policy
+diff --git a/rhel9/profiles/standard.profile b/rhel9/profiles/standard.profile
+new file mode 100644
+index 00000000000..a63ae2cf328
+--- /dev/null
++++ b/rhel9/profiles/standard.profile
+@@ -0,0 +1,67 @@
++documentation_complete: true
++
++title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
++
++description: |-
++ This profile contains rules to ensure standard security baseline
++ of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload
++ all of these checks should pass.
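Review bot: In rhel9/profiles/rht-ccp.profile, `set_password_hashing_algorithm_logindefs` and `set_password_hashing_algorithm_libuserconf` are commented out, leaving `set_password_hashing_algorithm_systemauth` as the only hashing check among the visible selections. A host whose /etc/login.defs `ENCRYPT_METHOD` still selects a weaker scheme for the shadow-utils tools that read it would therefore not be flagged. The marker `# not supported in RHEL9 ATM` gives no way to track when the rule returns; I would replace it with something like `# TODO(<tracking-issue>): restore for rhel9; /etc/login.defs ENCRYPT_METHOD is unchecked until then`. The pci-dss.profile hunk disables the same two rules.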
++
++selections:
++ - ensure_redhat_gpgkey_installed
++ - ensure_gpgcheck_globally_activated
++ - rpm_verify_permissions
++ - rpm_verify_hashes
++ - security_patches_up_to_date
++ - no_empty_passwords
++ - file_permissions_unauthorized_sgid
++ - file_permissions_unauthorized_suid
++ - file_permissions_unauthorized_world_writable
++ - accounts_root_path_dirs_no_write
++ - dir_perms_world_writable_sticky_bits
++ - mount_option_dev_shm_nodev
++ - mount_option_dev_shm_nosuid
++ - partition_for_var_log
++ - partition_for_var_log_audit
++ - package_rsyslog_installed
++ - service_rsyslog_enabled
++ - audit_rules_time_adjtimex
++ - audit_rules_time_settimeofday
++ - audit_rules_time_stime
++ - audit_rules_time_clock_settime
++ - audit_rules_time_watch_localtime
++ - audit_rules_usergroup_modification
++ - audit_rules_networkconfig_modification
++ - audit_rules_mac_modification
++ - audit_rules_dac_modification_chmod
++ - audit_rules_dac_modification_chown
++ - audit_rules_dac_modification_fchmod
++ - audit_rules_dac_modification_fchmodat
++ - audit_rules_dac_modification_fchown
++ - audit_rules_dac_modification_fchownat
++ - audit_rules_dac_modification_fremovexattr
++ - audit_rules_dac_modification_fsetxattr
++ - audit_rules_dac_modification_lchown
++ - audit_rules_dac_modification_lremovexattr
++ - audit_rules_dac_modification_lsetxattr
++ - audit_rules_dac_modification_removexattr
++ - audit_rules_dac_modification_setxattr
++ - audit_rules_unsuccessful_file_modification
++ - audit_rules_privileged_commands
++ - audit_rules_media_export
++ - audit_rules_file_deletion_events
++ - audit_rules_sysadmin_actions
++ - audit_rules_kernel_module_loading
++ - service_abrtd_disabled
++ - service_atd_disabled
++ - service_autofs_disabled
++ - service_ntpdate_disabled
++ - service_oddjobd_disabled
++ - service_qpidd_disabled
++ - service_rdisc_disabled
++ - configure_crypto_policy
++ - configure_bind_crypto_policy
++ - configure_openssl_crypto_policy
++ - configure_libreswan_crypto_policy
++ - configure_ssh_crypto_policy
++ - configure_kerberos_crypto_policy
+diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile
+new file mode 100644
+index 00000000000..50548f7e8eb
+--- /dev/null
++++ b/rhel9/profiles/stig.profile
+@@ -0,0 +1,1069 @@
++documentation_complete: true
++
++metadata:
++ version: V1R2
++ SMEs:
++ - carlosmmatos
++
++reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
++
++title: 'DISA STIG for Red Hat Enterprise Linux 8'
++
++description: |-
++ This profile contains configuration checks that align to the
++ DISA STIG for Red Hat Enterprise Linux 8 V1R2.
++
++ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
++ configuration baseline as applicable to the operating system tier of
++ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
++
++ - Red Hat Enterprise Linux Server
++ - Red Hat Enterprise Linux Workstation and Desktop
++ - Red Hat Enterprise Linux for HPC
++ - Red Hat Storage
++ - Red Hat Containers with a Red Hat Enterprise Linux 8 image
++
++selections:
++ ### Variables
++ - var_rekey_limit_size=1G
++ - var_rekey_limit_time=1hour
++ - var_accounts_user_umask=077
++ - var_password_pam_difok=8
++ - var_password_pam_maxrepeat=3
++ - var_sshd_disable_compression=no
++ - var_password_hashing_algorithm=SHA512
++ - var_password_pam_maxclassrepeat=4
++ - var_password_pam_minclass=4
++ - var_accounts_minimum_age_login_defs=1
++ - var_accounts_max_concurrent_login_sessions=10
++ - var_password_pam_unix_remember=5
++ - var_selinux_state=enforcing
++ - var_selinux_policy_name=targeted
++ - var_accounts_password_minlen_login_defs=15
++ - var_password_pam_unix_rounds=5000
++ - var_password_pam_minlen=15
++ - var_password_pam_ocredit=1
++ - var_password_pam_dcredit=1
++ - var_password_pam_ucredit=1
++ - var_password_pam_lcredit=1
++ - var_password_pam_retry=3
++ - var_password_pam_minlen=15
++ - var_sshd_set_keepalive=0
++ - sshd_idle_timeout_value=10_minutes
++ - var_accounts_passwords_pam_faillock_deny=3
++ - var_accounts_passwords_pam_faillock_fail_interval=900
++ - var_accounts_passwords_pam_faillock_unlock_time=never
++ - var_ssh_client_rekey_limit_size=1G
++ - var_ssh_client_rekey_limit_time=1hour
++ - var_accounts_fail_delay=4
++ - var_account_disable_post_pw_expiration=35
++ - var_auditd_action_mail_acct=root
++ - var_time_service_set_maxpoll=18_hours
++ - var_accounts_maximum_age_login_defs=60
++ - var_auditd_space_left=250MB
++ - var_auditd_space_left_action=email
++ - var_auditd_disk_error_action=halt
++ - var_auditd_max_log_file_action=syslog
++ - var_auditd_disk_full_action=halt
++
++ ### Enable / Configure FIPS
++# - enable_fips_mode # not supported in RHEL9 ATM
++ - var_system_crypto_policy=fips
++ - configure_crypto_policy
++ - configure_bind_crypto_policy
++ - configure_libreswan_crypto_policy
++ - configure_kerberos_crypto_policy
++# - enable_dracut_fips_module # not supported in RHEL9 ATM
++
++ ### Rules:
++ # RHEL-08-010070
++ - installed_OS_is_vendor_supported
++
++ # RHEL-08-010010
++ - security_patches_up_to_date
++
++ # RHEL-08-010020
++ - sysctl_crypto_fips_enabled
++
++ # RHEL-08-010030
++ - encrypt_partitions
++
++ # RHEL-08-010040
++ - sshd_enable_warning_banner
++
++ # RHEL-08-010050
++# - dconf_gnome_banner_enabled # not supported in RHEL9 ATM
++# - dconf_gnome_login_banner_text # not supported in RHEL9 ATM
++
++ # RHEL-08-010060
++ - banner_etc_issue
++
++ # RHEL-08-010070
++
++ # RHEL-08-010090
++
++ # RHEL-08-010100
++
++ # RHEL-08-010110
++# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
++
++ # RHEL-08-010120
++
++ # RHEL-08-010130
++ - accounts_password_pam_unix_rounds_system_auth
++ - accounts_password_pam_unix_rounds_password_auth
++
++ # RHEL-08-010140
++# - grub2_uefi_password # not supported in RHEL9 ATM
++# - grub2_uefi_admin_username # not supported in RHEL9 ATM
++
++ # RHEL-08-010150
++ - grub2_password
++# - grub2_admin_username # not supported in RHEL9 ATM
++
++ # RHEL-08-010151
++ - require_singleuser_auth
++ - require_emergency_target_auth
++
++ # RHEL-08-010152
++ # To be released in V1R3
++ # - require_emergency_target_auth
++
++ # RHEL-08-010160
++ - set_password_hashing_algorithm_systemauth
++
++ # RHEL-08-010161
++ - kerberos_disable_no_keytab
++
++ # RHEL-08-010162
++ - package_krb5-workstation_removed
++
++ # RHEL-08-010170
++ - selinux_state
++
++ # RHEL-08-010171
++ - package_policycoreutils_installed
++
++ # RHEL-08-010180
++
++ # RHEL-08-010190
++ - dir_perms_world_writable_sticky_bits
++
++ # RHEL-08-010200
++ - sshd_set_idle_timeout
++
++ # RHEL-08-010210
++ - file_permissions_var_log_messages
++
++ # RHEL-08-010220
++ - file_owner_var_log_messages
++
++ # RHEL-08-010230
++ - file_groupowner_var_log_messages
++
++ # RHEL-08-010240
++ - file_permissions_var_log
++
++ # RHEL-08-010250
++ - file_owner_var_log
++
++ # RHEL-08-010260
++ - file_groupowner_var_log
++
++ # RHEL-08-010290 && RHEL-08-010291
++ ### NOTE: This will get split out in future STIG releases, as well as we will break
++ ### these rules up to be more flexible in meeting the requirements.
++ - configure_ssh_crypto_policy
++
++ # RHEL-08-010292
++# - sshd_use_strong_rng # not supported in RHEL9 ATM
++
++ # RHEL-08-010293
++ - configure_openssl_crypto_policy
++
++ # RHEL-08-010294
++ - configure_openssl_tls_crypto_policy
++
++ # RHEL-08-010295
++# - configure_gnutls_tls_crypto_policy # not supported in RHEL9 ATM
++
++ # RHEL-08-010300
++ - file_permissions_binary_dirs
++
++ # RHEL-08-010310
++ - file_ownership_binary_dirs
++
++ # RHEL-08-010320
++
++ # RHEL-08-010330
++ - file_permissions_library_dirs
++
++ # RHEL-08-010340
++ - file_ownership_library_dirs
++
++ # RHEL-08-010350
++
++ # RHEL-08-010360
++ - package_aide_installed
++ - aide_scan_notification
++
++ # RHEL-08-010370
++ - ensure_gpgcheck_globally_activated
++
++ # RHEL-08-010371
++ - ensure_gpgcheck_local_packages
++
++ # RHEL-08-010372
++ - sysctl_kernel_kexec_load_disabled
++
++ # RHEL-08-010373
++ - sysctl_fs_protected_symlinks
++
++ # RHEL-08-010374
++ - sysctl_fs_protected_hardlinks
++
++ # RHEL-08-010375
++ - sysctl_kernel_dmesg_restrict
++
++ # RHEL-08-010376
++ - sysctl_kernel_perf_event_paranoid
++
++ # RHEL-08-010380
++ - sudo_remove_nopasswd
++
++ # RHEL-08-010381
++ - sudo_remove_no_authenticate
++
++ # RHEL-08-010382
++ - sudo_restrict_privilege_elevation_to_authorized
++
++ # RHEL-08-010383
++ - sudoers_validate_passwd
++
++ # RHEL-08-010390
++ - install_smartcard_packages
++
++ # RHEL-08-010400
++
++ # RHEL-08-010410
++ - package_opensc_installed
++
++ # RHEL-08-010420
++
++ # RHEL-08-010421
++ - grub2_page_poison_argument
++
++ # RHEL-08-010422
++ - grub2_vsyscall_argument
++
++ # RHEL-08-010423
++ - grub2_slub_debug_argument
++
++ # RHEL-08-010430
++ - sysctl_kernel_randomize_va_space
++
++ # RHEL-08-010440
++ - clean_components_post_updating
++
++ # RHEL-08-010450
++ - selinux_policytype
++
++ # RHEL-08-010460
++# - no_host_based_files # not supported in RHEL9 ATM
++
++ # RHEL-08-010470
++# - no_user_host_based_files # not supported in RHEL9 ATM
++
++ # RHEL-08-010471
++ - service_rngd_enabled
++ - package_rng-tools_installed
++
++ # RHEL-08-010480
++ - file_permissions_sshd_pub_key
++
++ # RHEL-08-010490
++ - file_permissions_sshd_private_key
++
++ # RHEL-08-010500
++ - sshd_enable_strictmodes
++
++ # RHEL-08-010510
++ - sshd_disable_compression
++
++ # RHEL-08-010520
++ - sshd_disable_user_known_hosts
++
++ # RHEL-08-010521
++ - sshd_disable_kerb_auth
++ - sshd_disable_gssapi_auth
++
++ # RHEL-08-010540
++ - partition_for_var
++
++ # RHEL-08-010541
++ - partition_for_var_log
++
++ # RHEL-08-010542
++ - partition_for_var_log_audit
++
++ # RHEL-08-010543
++ - partition_for_tmp
++
++ # RHEL-08-010544
++ ### NOTE: Will probably show up in V1R3 - Q3 of 21'
++ - partition_for_var_tmp
++
++ # RHEL-08-010550
++ - sshd_disable_root_login
++
++ # RHEL-08-010560
++ - service_auditd_enabled
++
++ # RHEL-08-010561
++ - service_rsyslog_enabled
++
++ # RHEL-08-010570
++ - mount_option_home_nosuid
++
++ # RHEL-08-010571
++ - mount_option_boot_nosuid
++
++ # RHEL-08-010580
++ - mount_option_nodev_nonroot_local_partitions
++
++ # RHEL-08-010590
++
++ # RHEL-08-010600
++ - mount_option_nodev_removable_partitions
++
++ # RHEL-08-010610
++ - mount_option_noexec_removable_partitions
++
++ # RHEL-08-010620
++ - mount_option_nosuid_removable_partitions
++
++ # RHEL-08-010630
++ - mount_option_noexec_remote_filesystems
++
++ # RHEL-08-010640
++ - mount_option_nodev_remote_filesystems
++
++ # RHEL-08-010650
++ - mount_option_nosuid_remote_filesystems
++
++ # RHEL-08-010660
++# - accounts_user_dot_no_world_writable_programs # not supported in RHEL9 ATM
++
++ # RHEL-08-010670
++ - service_kdump_disabled
++
++ # RHEL-08-010671
++ - sysctl_kernel_core_pattern
++
++ # RHEL-08-010672
++ - service_systemd-coredump_disabled
++
++ # RHEL-08-010673
++ - disable_users_coredumps
++
++ # RHEL-08-010674
++ - coredump_disable_storage
++
++ # RHEL-08-010675
++ - coredump_disable_backtraces
++
++ # RHEL-08-010680
++# - network_configure_name_resolution # not supported in
RHEL9 ATM ++ ++ # RHEL-08-010690 ++# - accounts_user_home_paths_only # not supported in RHEL9 ATM ++ ++ # RHEL-08-010700 ++ - dir_perms_world_writable_root_owned ++ ++ # RHEL-08-010710 ++ ++ # RHEL-08-010720 ++# - accounts_user_interactive_home_directory_defined # not supported in RHEL9 ATM ++ ++ # RHEL-08-010730 ++ - file_permissions_home_directories ++ ++ # RHEL-08-010740 ++ - file_groupownership_home_directories ++ ++ # RHEL-08-010750 ++ - accounts_user_interactive_home_directory_exists ++ ++ # RHEL-08-010760 ++# - accounts_have_homedir_login_defs # not supported in RHEL9 ATM ++ ++ # RHEL-08-010770 ++ - file_permission_user_init_files ++ ++ # RHEL-08-010780 ++ - no_files_unowned_by_user ++ ++ # RHEL-08-010790 ++ - file_permissions_ungroupowned ++ ++ # RHEL-08-010800 ++ - partition_for_home ++ ++ # RHEL-08-010820 ++# - gnome_gdm_disable_automatic_login # not supported in RHEL9 ATM ++ ++ # RHEL-08-010830 ++ - sshd_do_not_permit_user_env ++ ++ # RHEL-08-020000 ++# - account_temp_expire_date # not supported in RHEL9 ATM ++ ++ # RHEL-08-020010 ++ - accounts_passwords_pam_faillock_deny ++ ++ # RHEL-08-020011 ++ ++ # RHEL-08-020012 ++ - accounts_passwords_pam_faillock_interval ++ ++ # RHEL-08-020013 ++ ++ # RHEL-08-020014 ++ - accounts_passwords_pam_faillock_unlock_time ++ ++ # RHEL-08-020015 ++ ++ # RHEL-08-020016 ++ ++ # RHEL-08-020017 ++ ++ # RHEL-08-020018 ++ ++ # RHEL-08-020019 ++ ++ # RHEL-08-020020 ++ ++ # RHEL-08-020021 ++ ++ # RHEL-08-020022 ++ - accounts_passwords_pam_faillock_deny_root ++ ++ # RHEL-08-020023 ++ ++ # RHEL-08-020024 ++ - accounts_max_concurrent_login_sessions ++ ++ # RHEL-08-020030 ++# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM ++ ++ # RHEL-08-020040 ++ - package_tmux_installed ++# - configure_tmux_lock_command # not supported in RHEL9 ATM ++ ++ # RHEL-08-020041 ++# - configure_bashrc_exec_tmux # not supported in RHEL9 ATM ++ ++ # RHEL-08-020042 ++# - no_tmux_in_shells # not supported in RHEL9 ATM ++ ++ # 
RHEL-08-020050 ++# - dconf_gnome_lock_screen_on_smartcard_removal # not supported in RHEL9 ATM ++ ++ # RHEL-08-020060 ++# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM ++ ++ # RHEL-08-020070 ++# - configure_tmux_lock_after_time # not supported in RHEL9 ATM ++ ++ # RHEL-08-020080 ++ ++ # RHEL-08-020090 ++ ++ # RHEL-08-020100 ++ - accounts_password_pam_retry ++ ++ # RHEL-08-020110 ++ - accounts_password_pam_ucredit ++ ++ # RHEL-08-020120 ++ - accounts_password_pam_lcredit ++ ++ # RHEL-08-020130 ++ - accounts_password_pam_dcredit ++ ++ # RHEL-08-020140 ++ - accounts_password_pam_maxclassrepeat ++ ++ # RHEL-08-020150 ++ - accounts_password_pam_maxrepeat ++ ++ # RHEL-08-020160 ++ - accounts_password_pam_minclass ++ ++ # RHEL-08-020170 ++ - accounts_password_pam_difok ++ ++ # RHEL-08-020180 ++# - accounts_password_set_min_life_existing # not supported in RHEL9 ATM ++ ++ # RHEL-08-020190 ++ - accounts_minimum_age_login_defs ++ ++ # RHEL-08-020200 ++ - accounts_maximum_age_login_defs ++ ++ # RHEL-08-020210 ++# - accounts_password_set_max_life_existing # not supported in RHEL9 ATM ++ ++ # RHEL-08-020220 ++ - accounts_password_pam_unix_remember ++ ++ # RHEL-08-020230 ++ - accounts_password_pam_minlen ++ ++ # RHEL-08-020231 ++ - accounts_password_minlen_login_defs ++ ++ # RHEL-08-020240 ++ ++ # RHEL-08-020250 ++# - sssd_enable_smartcards # not supported in RHEL9 ATM ++ ++ # RHEL-08-020260 ++ - account_disable_post_pw_expiration ++ ++ # RHEL-08-020270 ++ ++ # RHEL-08-020280 ++ - accounts_password_pam_ocredit ++ ++ # RHEL-08-020290 ++# - sssd_offline_cred_expiration # not supported in RHEL9 ATM ++ ++ # RHEL-08-020300 ++ ++ # RHEL-08-020310 ++ - accounts_logon_fail_delay ++ ++ # RHEL-08-020320 ++ # - accounts_authorized_local_users ++ ++ # RHEL-08-020330 ++ - no_empty_passwords ++ - sshd_disable_empty_passwords ++ ++ # RHEL-08-020340 ++ - display_login_attempts ++ ++ # RHEL-08-020350 ++ - sshd_print_last_log ++ ++ # RHEL-08-020351 ++ - 
accounts_umask_etc_login_defs ++ ++ # RHEL-08-020352 ++# - accounts_umask_interactive_users # not supported in RHEL9 ATM ++ ++ # RHEL-08-020353 ++ - accounts_umask_etc_bashrc ++ ++ # RHEL-08-030000 ++# - audit_rules_suid_privilege_function # not supported in RHEL9 ATM ++ ++ # RHEL-08-030010 ++ - rsyslog_cron_logging ++ ++ # RHEL-08-030020 ++ - auditd_data_retention_action_mail_acct ++ ++ # RHEL-08-030030 ++ - postfix_client_configure_mail_alias ++ ++ # RHEL-08-030040 ++ - auditd_data_disk_error_action ++ ++ # RHEL-08-030050 ++ - auditd_data_retention_max_log_file_action ++ ++ # RHEL-08-030060 ++ - auditd_data_disk_full_action ++ ++ # RHEL-08-030061 ++ - auditd_local_events ++ ++ # RHEL-08-030062 ++ - auditd_name_format ++ ++ # RHEL-08-030063 ++ - auditd_log_format ++ ++ # RHEL-08-030070 ++ - file_permissions_var_log_audit ++ ++ # RHEL-08-030080, RHEL-08-030090, RHEL-08-030100, RHEL-08-030110 ++ ### NOTE: These might get broken up, but currently the following ++ ### rule accounts for these STIG ID's ++ - file_ownership_var_log_audit ++ ++ # RHEL-08-030120 ++ - directory_permissions_var_log_audit ++ ++ # *** NOTE *** # ++ # Audit rules are currently under review as to how best to approach ++ # them. We are working with DISA and our internal audit experts to ++ # provide a final solution soon. 
++ # ************ # ++ ++ # RHEL-08-030121 ++ # - audit_rules_immutable ++ ++ # RHEL-08-030122 ++ # - audit_immutable_login_uids ++ ++ # RHEL-08-030130 ++ # - audit_rules_usergroup_modification_shadow ++ ++ # RHEL-08-030140 ++ # - audit_rules_usergroup_modification_opasswd ++ ++ # RHEL-08-030150 ++ # - audit_rules_usergroup_modification_passwd ++ ++ # RHEL-08-030160 ++ # - audit_rules_usergroup_modification_gshadow ++ ++ # RHEL-08-030170 ++ # - audit_rules_usergroup_modification_group ++ ++ # RHEL-08-030171, RHEL-08-030172 ++ # - audit_rules_sysadmin_actions ++ ++ # RHEL-08-030180 ++ - package_audit_installed ++ - service_auditd_enabled ++ ++ # RHEL-08-030190 ++ # - audit_rules_privileged_commands_sudo ++ ++ # RHEL-08-030200, RHEL-08-030210, RHEL-08-030220, RHEL-08-030230, RHEL-08-030240 ++ # - audit_perm_change_failed ++ # - audit_perm_change_success ++ ++ # RHEL-08-030250 ++ # - audit_rules_privileged_commands_chage ++ ++ # RHEL-08-030260 ++ # - audit_rules_execution_chcon ++ ++ # RHEL-08-030270 ++ # - audit_perm_change_failed ++ # - audit_perm_change_success ++ ++ # RHEL-08-030280 ++ ++ # RHEL-08-030290, RHEL-08-030300, RHEL-08-030301 ++ # - audit_ospp_general ++ ++ # RHEL-08-030302 ++ # - audit_rules_media_export ++ ++ # RHEL-08-030310 ++ ++ # RHEL-08-030311 ++ # - audit_rules_privileged_commands_postdrop ++ ++ # RHEL-08-030312 ++ # - audit_rules_privileged_commands_postqueue ++ ++ # RHEL-08-030313 ++ # - audit_rules_execution_semanage ++ ++ # RHEL-08-030314 ++ # - audit_rules_execution_setfiles ++ ++ # RHEL-08-030315 ++ # - audit_ospp_general ++ ++ # RHEL-08-030316 ++ # - audit_rules_execution_setsebool ++ ++ # RHEL-08-030317 ++ # - audit_ospp_general ++ ++ # RHEL-08-030320 ++ # - audit_rules_privileged_commands_ssh_keysign ++ ++ # RHEL-08-030330 ++ ++ # RHEL-08-030340 ++ # - audit_rules_privileged_commands_pam_timestamp_check ++ ++ # RHEL-08-030350 ++ # - audit_ospp_general ++ ++ # RHEL-08-030360 ++ # - audit_module_load ++ ++ # RHEL-08-030361, RHEL-08-030362 
++ # - audit_delete_failed ++ # - audit_delete_success ++ ++ # RHEL-08-030363 ++ ++ # RHEL-08-030364, RHEL-08-030365 ++ # - audit_delete_failed ++ # - audit_delete_success ++ ++ # RHEL-08-030370 ++ # - audit_ospp_general ++ ++ # RHEL-08-030380, RHEL-08-030390 ++ # - audit_module_load ++ ++ # RHEL-08-030400 ++ # - audit_ospp_general ++ ++ # RHEL-08-030410 ++ # - audit_rules_privileged_commands_chsh ++ ++ # RHEL-08-030420 ++ # - audit_modify_failed ++ # - audit_modify_success ++ ++ # RHEL-08-030430, RHEL-08-030440, RHEL-08-030450 ++ # - audit_create_failed ++ # - audit_create_success ++ # - audit_modify_failed ++ # - audit_modify_success ++ # - audit_access_failed ++ # - audit_access_success ++ ++ # RHEL-08-030460 ++ # - audit_modify_failed ++ # - audit_modify_success ++ ++ # RHEL-08-030470 ++ # - audit_create_failed ++ # - audit_create_success ++ ++ # RHEL-08-030480 ++ # - audit_owner_change_failed ++ # - audit_owner_change_success ++ ++ # RHEL-08-030490 ++ # - audit_perm_change_failed ++ # - audit_perm_change_success ++ ++ # RHEL-08-030500, RHEL-08-030510, RHEL-08-030520 ++ # - audit_owner_change_failed ++ # - audit_owner_change_success ++ ++ # RHEL-08-030530, RHEL-08-030540 ++ # - audit_perm_change_failed ++ # - audit_perm_change_success ++ ++ # RHEL-08-030550 ++ # - audit_rules_privileged_commands_sudo ++ ++ # RHEL-08-030560 ++ ++ # RHEL-08-030570 ++ ++ # RHEL-08-030580 ++ ++ # RHEL-08-030590 ++ # - audit_rules_login_events_faillock ++ ++ # RHEL-08-030600 ++ # - audit_rules_login_events_lastlog ++ ++ # RHEL-08-030601 ++ - grub2_audit_argument ++ ++ # RHEL-08-030602 ++ - grub2_audit_backlog_limit_argument ++ ++ # RHEL-08-030603 ++ - configure_usbguard_auditbackend ++ ++ # RHEL-08-030610 ++ ++ # RHEL-08-030620 ++ ++ # RHEL-08-030630 ++ ++ # RHEL-08-030640 ++ ++ # RHEL-08-030650 ++ ++ # RHEL-08-030660 ++ ++ # RHEL-08-030670 ++ - package_rsyslog_installed ++ ++ # RHEL-08-030680 ++ - package_rsyslog-gnutls_installed ++ ++ # RHEL-08-030690 ++ - rsyslog_remote_loghost 
++ ++ # RHEL-08-030700 ++ ++ # RHEL-08-030710 ++ ++ # RHEL-08-030720 ++ ++ # RHEL-08-030730 ++ # this rule expects configuration in MB instead percentage as how STIG demands ++ # - auditd_data_retention_space_left ++ - auditd_data_retention_space_left_action ++ ++ # RHEL-08-030740 ++ # remediation fails because default configuration file contains pool instead of server keyword ++# - chronyd_or_ntpd_set_maxpoll # not supported in RHEL9 ATM ++ ++ # RHEL-08-030741 ++# - chronyd_client_only # not supported in RHEL9 ATM ++ ++ # RHEL-08-030742 ++# - chronyd_no_chronyc_network # not supported in RHEL9 ATM ++ ++ # RHEL-08-040000 ++ - package_telnet-server_removed ++ ++ # RHEL-08-040001 ++ - package_abrt_removed ++ - package_abrt-addon-ccpp_removed ++ - package_abrt-addon-kerneloops_removed ++ - package_abrt-addon-python_removed ++ - package_abrt-cli_removed ++ - package_abrt-plugin-logger_removed ++ - package_abrt-plugin-rhtsupport_removed ++ - package_abrt-plugin-sosreport_removed ++ ++ # RHEL-08-040002 ++ - package_sendmail_removed ++ ++ # RHEL-08-040003 ++ ### NOTE: Will be removed in V1R2, merged into RHEL-08-040370 ++ ++ # RHEL-08-040004 ++ - grub2_pti_argument ++ ++ # RHEL-08-040010 ++ - package_rsh-server_removed ++ ++ # RHEL-08-040020 ++ ++ # RHEL-08-040021 ++ - kernel_module_atm_disabled ++ ++ # RHEL-08-040022 ++ - kernel_module_can_disabled ++ ++ # RHEL-08-040023 ++ - kernel_module_sctp_disabled ++ ++ # RHEL-08-040024 ++ - kernel_module_tipc_disabled ++ ++ # RHEL-08-040025 ++ - kernel_module_cramfs_disabled ++ ++ # RHEL-08-040026 ++ - kernel_module_firewire-core_disabled ++ ++ # RHEL-08-040030 ++# - configure_firewalld_ports # not supported in RHEL9 ATM ++ ++ # RHEL-08-040060 ++ ### NOTE: Will be removed in V1R2 ++ ++ # RHEL-08-040070 ++ - service_autofs_disabled ++ ++ # RHEL-08-040080 ++ - kernel_module_usb-storage_disabled ++ ++ # RHEL-08-040090 ++ ++ # RHEL-08-040100 ++ - service_firewalld_enabled ++ - package_firewalld_installed ++ ++ # RHEL-08-040110 ++ - 
wireless_disable_interfaces ++ ++ # RHEL-08-040111 ++ - kernel_module_bluetooth_disabled ++ ++ # RHEL-08-040120 ++ - mount_option_dev_shm_nodev ++ ++ # RHEL-08-040121 ++ - mount_option_dev_shm_nosuid ++ ++ # RHEL-08-040122 ++ - mount_option_dev_shm_noexec ++ ++ # RHEL-08-040123 ++ - mount_option_tmp_nodev ++ ++ # RHEL-08-040124 ++ - mount_option_tmp_nosuid ++ ++ # RHEL-08-040125 ++ - mount_option_tmp_noexec ++ ++ # RHEL-08-040126 ++ - mount_option_var_log_nodev ++ ++ # RHEL-08-040127 ++ - mount_option_var_log_nosuid ++ ++ # RHEL-08-040128 ++ - mount_option_var_log_noexec ++ ++ # RHEL-08-040129 ++ - mount_option_var_log_audit_nodev ++ ++ # RHEL-08-040130 ++ - mount_option_var_log_audit_nosuid ++ ++ # RHEL-08-040131 ++ - mount_option_var_log_audit_noexec ++ ++ # RHEL-08-040132 ++ - mount_option_var_tmp_nodev ++ ++ # RHEL-08-040133 ++ - mount_option_var_tmp_nosuid ++ ++ # RHEL-08-040134 ++ - mount_option_var_tmp_noexec ++ ++ # RHEL-08-040135 ++ - package_fapolicyd_installed ++ - service_fapolicyd_enabled ++ ++ # RHEL-08-040140 ++ - package_usbguard_installed ++ - service_usbguard_enabled ++ ++ # RHEL-08-040150 ++ ++ # RHEL-08-040160 ++ - package_openssh-server_installed ++ - service_sshd_enabled ++ ++ # RHEL-08-040161 ++ - sshd_rekey_limit ++ ++ # RHEL-08-040162 ++# - ssh_client_rekey_limit # not supported in RHEL9 ATM ++ ++ # RHEL-08-040170 ++# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM ++ ++ # RHEL-08-040171 ++# - dconf_gnome_disable_ctrlaltdel_reboot # not supported in RHEL9 ATM ++ ++ # RHEL-08-040172 ++# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM ++ ++ # RHEL-08-040180 ++# - service_debug-shell_disabled # not supported in RHEL9 ATM ++ ++ # RHEL-08-040190 ++ - package_tftp-server_removed ++ ++ # RHEL-08-040200 ++ - accounts_no_uid_except_zero ++ ++ # RHEL-08-040210 ++ - sysctl_net_ipv4_conf_default_accept_redirects ++ - sysctl_net_ipv6_conf_default_accept_redirects ++ ++ # RHEL-08-040220 ++ - sysctl_net_ipv4_conf_all_send_redirects 
++ ++ # RHEL-08-040230 ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ ++ # RHEL-08-040240 ++ - sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv6_conf_all_accept_source_route ++ ++ # RHEL-08-040250 ++ - sysctl_net_ipv4_conf_default_accept_source_route ++ - sysctl_net_ipv6_conf_default_accept_source_route ++ ++ # RHEL-08-040260 ++ - sysctl_net_ipv4_ip_forward ++ ++ # RHEL-08-040261 ++ - sysctl_net_ipv6_conf_all_accept_ra ++ ++ # RHEL-08-040262 ++ - sysctl_net_ipv6_conf_default_accept_ra ++ ++ # RHEL-08-040270 ++ - sysctl_net_ipv4_conf_default_send_redirects ++ ++ # RHEL-08-040280 ++ - sysctl_net_ipv4_conf_all_accept_redirects ++ - sysctl_net_ipv6_conf_all_accept_redirects ++ ++ # RHEL-08-040281 ++ - sysctl_kernel_unprivileged_bpf_disabled ++ ++ # RHEL-08-040282 ++ - sysctl_kernel_yama_ptrace_scope ++ ++ # RHEL-08-040283 ++ - sysctl_kernel_kptr_restrict ++ ++ # RHEL-08-040284 ++ - sysctl_user_max_user_namespaces ++ ++ # RHEL-08-040285 ++ - sysctl_net_ipv4_conf_all_rp_filter ++ ++ # RHEL-08-040290 ++ # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation ++ # there needs to be a new platform check to identify when postfix is installed or not ++ # - postfix_prevent_unrestricted_relay ++ ++ # RHEL-08-040300 ++ - aide_verify_ext_attributes ++ ++ # RHEL-08-040310 ++ - aide_verify_acls ++ ++ # RHEL-08-040320 ++ - xwindows_remove_packages ++ ++ # RHEL-08-040330 ++ - network_sniffer_disabled ++ ++ # RHEL-08-040340 ++ - sshd_disable_x11_forwarding ++ ++ # RHEL-08-040341 ++# - sshd_x11_use_localhost # not supported in RHEL9 ATM ++ ++ # RHEL-08-040350 ++# - tftpd_uses_secure_mode # not supported in RHEL9 ATM ++ ++ # RHEL-08-040360 ++ - package_vsftpd_removed ++ ++ # RHEL-08-040370 ++ - package_gssproxy_removed ++ ++ # RHEL-08-040380 ++ - package_iprutils_removed ++ ++ # RHEL-08-040390 ++ - package_tuned_removed +diff --git a/rhel9/profiles/stig_gui.profile b/rhel9/profiles/stig_gui.profile +new file mode 100644 
+index 00000000000..ff9a2833df8 +--- /dev/null ++++ b/rhel9/profiles/stig_gui.profile +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++metadata: ++ version: V1R2 ++ SMEs: ++ - carlosmmatos ++ ++reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux ++ ++title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' ++ ++description: |- ++ This profile contains configuration checks that align to the ++ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2. ++ ++ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this ++ configuration baseline as applicable to the operating system tier of ++ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: ++ ++ - Red Hat Enterprise Linux Server ++ - Red Hat Enterprise Linux Workstation and Desktop ++ - Red Hat Enterprise Linux for HPC ++ - Red Hat Storage ++ - Red Hat Containers with a Red Hat Enterprise Linux 8 image ++ ++ Warning: The installation and use of a Graphical User Interface (GUI) ++ increases your attack vector and decreases your overall security posture. If ++ your Information Systems Security Officer (ISSO) lacks a documented operational ++ requirement for a graphical user interface, please consider using the ++ standard DISA STIG for Red Hat Enterprise Linux 8 profile. ++ ++extends: stig ++ ++selections: ++ # RHEL-08-040320 ++ - '!xwindows_remove_packages' + +From 5c5a4500a92ebd32078cf05b2b3eb24a9f58f285 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 10 Jun 2021 19:48:13 +0200 +Subject: [PATCH 2/4] Added note that the profile is a RHEL9 draft. 
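Review bot: The new stig_gui.profile keeps the graphical stack by deselecting `xwindows_remove_packages`, but the GNOME rules it would inherit are all commented out in the parent `stig` profile as "not supported in RHEL9 ATM". The affected rules are `gnome_gdm_disable_automatic_login`, `dconf_gnome_screensaver_lock_enabled`, `dconf_gnome_screensaver_idle_delay`, `dconf_gnome_lock_screen_on_smartcard_removal` and `dconf_gnome_disable_ctrlaltdel_reboot`. A GUI host scanned with this profile is therefore not checked for automatic login, screen lock or idle timeout, and nothing in the file says so. I would add a comment above the selection, for example `# NOTE: GNOME/dconf rules are commented out in the parent stig profile for RHEL9; GUI session hardening is not evaluated by this profile yet`.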
+ +--- + rhel9/profiles/cis.profile | 10 +++------- + rhel9/profiles/cjis.profile | 2 +- + rhel9/profiles/e8.profile | 4 ++-- + rhel9/profiles/hipaa.profile | 4 ++-- + rhel9/profiles/ism_o.profile | 4 ++-- + rhel9/profiles/ospp.profile | 2 +- + rhel9/profiles/pci-dss.profile | 2 +- + rhel9/profiles/rht-ccp.profile | 4 ++-- + rhel9/profiles/standard.profile | 2 +- + rhel9/profiles/stig.profile | 7 +++---- + rhel9/profiles/stig_gui.profile | 13 ++++++------- + 11 files changed, 24 insertions(+), 30 deletions(-) + +diff --git a/rhel9/profiles/cis.profile b/rhel9/profiles/cis.profile +index 8939011ad1f..7cc538f82ce 100644 +--- a/rhel9/profiles/cis.profile ++++ b/rhel9/profiles/cis.profile +@@ -1,21 +1,17 @@ + documentation_complete: true + + metadata: +- version: 1.0.0 ++ version: 0.0.0 + SMEs: + - vojtapolasek + - yuumasato + + reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +-title: 'CIS Red Hat Enterprise Linux 8 Benchmark' ++title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark' + + description: |- +- This profile defines a baseline that aligns to the Center for Internet Security® +- Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. +- +- This profile includes Center for Internet Security® +- Red Hat Enterprise Linux 8 CIS Benchmarks™ content. 
++ This is a draft CIS profile based on the RHEL8 CIS + + selections: + # Necessary for dconf rules +diff --git a/rhel9/profiles/cjis.profile b/rhel9/profiles/cjis.profile +index 1fc531952b6..3c9c385cd48 100644 +--- a/rhel9/profiles/cjis.profile ++++ b/rhel9/profiles/cjis.profile +@@ -7,7 +7,7 @@ metadata: + + reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center + +-title: 'Criminal Justice Information Services (CJIS) Security Policy' ++title: '[RHEL9 DRAFT] Criminal Justice Information Services (CJIS) Security Policy' + + description: |- + This profile is derived from FBI's CJIS v5.4 +diff --git a/rhel9/profiles/e8.profile b/rhel9/profiles/e8.profile +index 30eb9c594ac..6d87a778eee 100644 +--- a/rhel9/profiles/e8.profile ++++ b/rhel9/profiles/e8.profile +@@ -6,10 +6,10 @@ metadata: + + reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers + +-title: 'Australian Cyber Security Centre (ACSC) Essential Eight' ++title: '[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight' + + description: |- +- This profile contains configuration checks for Red Hat Enterprise Linux 8 ++ This profile contains configuration checks for Red Hat Enterprise Linux 9 + that align to the Australian Cyber Security Centre (ACSC) Essential Eight. + + A copy of the Essential Eight in Linux Environments guide can be found at the +diff --git a/rhel9/profiles/hipaa.profile b/rhel9/profiles/hipaa.profile +index 7919649d4d5..1bd7cc10459 100644 +--- a/rhel9/profiles/hipaa.profile ++++ b/rhel9/profiles/hipaa.profile +@@ -7,7 +7,7 @@ metadata: + + reference: https://www.hhs.gov/hipaa/for-professionals/index.html + +-title: 'Health Insurance Portability and Accountability Act (HIPAA)' ++title: '[RHEL9 DRAFT] Health Insurance Portability and Accountability Act (HIPAA)' + + description: |- + The HIPAA Security Rule establishes U.S. 
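Review bot: The replacement description in the cis.profile hunk stops mid-phrase (`This is a draft CIS profile based on the RHEL8 CIS`) and drops the benchmark version the selections were copied from, while `version:` becomes `0.0.0`. A reader of a scan report then cannot tell which baseline the rules reflect. I would spell it out, for example `This is a draft CIS profile based on the Red Hat Enterprise Linux 8 Benchmark v1.0.0 selections; it does not track a published RHEL 9 benchmark, so a passing scan is not evidence of CIS compliance.` The middle clause is inferred from the `0.0.0` version and should be confirmed. The `selections:` list continues outside the hunk.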
national standards to protect individuals’ +@@ -17,7 +17,7 @@ description: |- + confidentiality, integrity, and security of electronic protected health + information. + +- This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security ++ This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security + Rule identified for securing of electronic protected health information. + Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). + +diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile +index 592be03783f..3a884f8371d 100644 +--- a/rhel9/profiles/ism_o.profile ++++ b/rhel9/profiles/ism_o.profile +@@ -8,10 +8,10 @@ metadata: + + reference: https://www.cyber.gov.au/ism + +-title: 'Australian Cyber Security Centre (ACSC) ISM Official' ++title: '[RHEL9 DRAFT] Australian Cyber Security Centre (ACSC) ISM Official' + + description: |- +- This profile contains configuration checks for Red Hat Enterprise Linux 8 ++ This profile contains configuration checks for Red Hat Enterprise Linux 9 + that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) + with the applicability marking of OFFICIAL. 
+
+diff --git a/rhel9/profiles/ospp.profile b/rhel9/profiles/ospp.profile
+index c4a43dc5eb6..84d23fe8ff5 100644
+--- a/rhel9/profiles/ospp.profile
++++ b/rhel9/profiles/ospp.profile
+@@ -9,7 +9,7 @@ metadata:
+
+ reference: https://www.niap-ccevs.org/Profile/PP.cfm
+
+-title: 'Protection Profile for General Purpose Operating Systems'
++title: '[RHEL9 DRAFT] Protection Profile for General Purpose Operating Systems'
+
+ description: |-
+ This profile reflects mandatory configuration controls identified in the
+diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile
+index 966b2d5e1d8..6b00be5f76a 100644
+--- a/rhel9/profiles/pci-dss.profile
++++ b/rhel9/profiles/pci-dss.profile
+@@ -6,7 +6,7 @@ metadata:
+
+ reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+
+-title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'
++title: '[RHEL9 DRAFT] PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9'
+
+ description: |-
+ Ensures PCI-DSS v3.2.1 security configuration settings are applied.
+diff --git a/rhel9/profiles/rht-ccp.profile b/rhel9/profiles/rht-ccp.profile
+index 3b734c2b2c5..34244db3f3d 100644
+--- a/rhel9/profiles/rht-ccp.profile
++++ b/rhel9/profiles/rht-ccp.profile
+@@ -1,11 +1,11 @@
+ documentation_complete: true
+
+-title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
++title: '[RHEL9 DRAFT] Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
+
+ description: |-
+ This profile contains the minimum security relevant
+ configuration settings recommended by Red Hat, Inc for
+- Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified
++ Red Hat Enterprise Linux 9 instances deployed by Red Hat Certified
+ Cloud Providers.
+
+ selections:
+diff --git a/rhel9/profiles/standard.profile b/rhel9/profiles/standard.profile
+index a63ae2cf328..921e30749d6 100644
+--- a/rhel9/profiles/standard.profile
++++ b/rhel9/profiles/standard.profile
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
++title: 'Standard System Security Profile for Red Hat Enterprise Linux 9'
+
+ description: |-
+ This profile contains rules to ensure standard security baseline
+diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile
+index 50548f7e8eb..1baafe6f751 100644
+--- a/rhel9/profiles/stig.profile
++++ b/rhel9/profiles/stig.profile
+@@ -1,17 +1,16 @@
+ documentation_complete: true
+
+ metadata:
+- version: V1R2
++ version: NA
+ SMEs:
+ - carlosmmatos
+
+ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+-title: 'DISA STIG for Red Hat Enterprise Linux 8'
++title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 9'
+
+ description: |-
+- This profile contains configuration checks that align to the
+- DISA STIG for Red Hat Enterprise Linux 8 V1R2.
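Review bot: The standard.profile title is the only one retitled in this commit that gets no draft marker: the hunk swaps 8 for 9 and nothing else, while every other profile gains `[DRAFT]` or `[RHEL9 DRAFT]`. If its selections are the same kind of RHEL8-derived stub, a tool listing profiles by title will present this one as a finished RHEL 9 baseline. I would write `title: '[RHEL9 DRAFT] Standard System Security Profile for Red Hat Enterprise Linux 9'`. Settling on one spelling of the marker across the series would also make drafts easy to filter out. The description continues outside the hunk.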
++ This profile contains configuration checks that are based on the RHEL8 STIG
+
+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+diff --git a/rhel9/profiles/stig_gui.profile b/rhel9/profiles/stig_gui.profile
+index ff9a2833df8..da26c9f1b89 100644
+--- a/rhel9/profiles/stig_gui.profile
++++ b/rhel9/profiles/stig_gui.profile
+@@ -1,19 +1,18 @@
+ documentation_complete: true
+
+ metadata:
+- version: V1R2
++ version: NA
+ SMEs:
+ - carlosmmatos
+
+ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+-title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
++title: '[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9'
+
+ description: |-
+- This profile contains configuration checks that align to the
+- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2.
++ This profile contains configuration checks that are based on the RHEL8 STIG
+
+- In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
++ In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
+
+@@ -21,13 +20,13 @@ description: |-
+ - Red Hat Enterprise Linux Workstation and Desktop
+ - Red Hat Enterprise Linux for HPC
+ - Red Hat Storage
+- - Red Hat Containers with a Red Hat Enterprise Linux 8 image
++ - Red Hat Containers with a Red Hat Enterprise Linux 9 image
+
+ Warning: The installation and use of a Graphical User Interface (GUI)
+ increases your attack vector and decreases your overall security posture. If
+ your Information Systems Security Officer (ISSO) lacks a documented operational
+ requirement for a graphical user interface, please consider using the
+- standard DISA STIG for Red Hat Enterprise Linux 8 profile.
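Review bot: The stig.profile description still carries the context line `In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline ...`, which reads as a DISA endorsement on a profile now titled `[DRAFT]` with `version: NA`. The stig_gui.profile hunk that follows has the same problem: it edits that sentence to say 9 but keeps the recognition claim, and it leaves `Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:` untouched. I would replace the paragraph in both files with something like `This draft is not a DISA-published STIG; the rules are carried over from the RHEL8 STIG and results must not be reported as STIG compliance.` That no RHEL 9 STIG exists yet is inferred from `version: NA` and should be confirmed. Both descriptions continue past their hunks.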
++ standard DISA STIG for Red Hat Enterprise Linux 9 profile. + + extends: stig + + +From f27a9195b81f017f25f95eec50ec19114b0ea406 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 16 Jun 2021 12:04:53 +0200 +Subject: [PATCH 3/4] Added RHEL9 CCEs. + +Some of the available CCEs were actually taken, so the amount of removed CCEs is greater +than the number of rules that got a CCE. +Sometimes PRs introduce CCE inconsistencies: https://github.com/ComplianceAsCode/content/pull/6579 +--- + .../service_avahi-daemon_disabled/rule.yml | 1 + + .../base/package_abrt_removed/rule.yml | 1 + + .../base/service_abrtd_disabled/rule.yml | 1 + + .../base/service_kdump_disabled/rule.yml | 1 + + .../base/service_ntpdate_disabled/rule.yml | 1 + + .../base/service_oddjobd_disabled/rule.yml | 1 + + .../base/service_qpidd_disabled/rule.yml | 1 + + .../base/service_rdisc_disabled/rule.yml | 1 + + .../base/service_rhnsd_disabled/rule.yml | 1 + + .../file_groupowner_cron_d/rule.yml | 1 + + .../file_groupowner_cron_daily/rule.yml | 1 + + .../file_groupowner_cron_hourly/rule.yml | 1 + + .../file_groupowner_cron_monthly/rule.yml | 1 + + .../file_groupowner_cron_weekly/rule.yml | 1 + + .../file_groupowner_crontab/rule.yml | 1 + + .../cron_and_at/file_owner_cron_d/rule.yml | 1 + + .../file_owner_cron_daily/rule.yml | 1 + + .../file_owner_cron_hourly/rule.yml | 1 + + .../file_owner_cron_monthly/rule.yml | 1 + + .../file_owner_cron_weekly/rule.yml | 1 + + .../cron_and_at/file_owner_crontab/rule.yml | 1 + + .../file_permissions_cron_d/rule.yml | 1 + + .../file_permissions_cron_daily/rule.yml | 1 + + .../file_permissions_cron_hourly/rule.yml | 1 + + .../file_permissions_cron_monthly/rule.yml | 1 + + .../file_permissions_cron_weekly/rule.yml | 1 + + .../file_permissions_crontab/rule.yml | 1 + + .../cron_and_at/service_atd_disabled/rule.yml | 1 + + .../service_crond_enabled/rule.yml | 1 + + .../package_dhcp_removed/rule.yml | 1 + + .../service_dhcpd_disabled/rule.yml | 
1 + + .../service_named_disabled/rule.yml | 1 + + .../package_fapolicyd_installed/rule.yml | 1 + + .../service_fapolicyd_enabled/rule.yml | 1 + + .../package_vsftpd_removed/rule.yml | 1 + + .../service_vsftpd_disabled/rule.yml | 1 + + .../service_httpd_disabled/rule.yml | 1 + + .../service_dovecot_disabled/rule.yml | 1 + + .../kerberos_disable_no_keytab/rule.yml | 1 + + .../package_openldap-clients_removed/rule.yml | 1 + + .../mail/package_sendmail_removed/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../service_rpcbind_disabled/rule.yml | 1 + + .../service_nfs_disabled/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../package_nfs-utils_removed/rule.yml | 1 + + .../ntp/chronyd_run_as_chrony_user/rule.yml | 1 + + .../chronyd_specify_remote_server/rule.yml | 1 + + .../ntp/package_chrony_installed/rule.yml | 1 + + .../ntp/service_chronyd_enabled/rule.yml | 1 + + .../package_xinetd_removed/rule.yml | 1 + + .../service_xinetd_disabled/rule.yml | 1 + + .../nis/package_ypbind_removed/rule.yml | 1 + + .../nis/package_ypserv_removed/rule.yml | 1 + + .../r_services/no_rsh_trust_files/rule.yml | 1 + + .../package_rsh-server_removed/rule.yml | 1 + + .../r_services/package_rsh_removed/rule.yml | 1 + + .../obsolete/service_rsyncd_disabled/rule.yml | 1 + + .../talk/package_talk-server_removed/rule.yml | 1 + + .../talk/package_talk_removed/rule.yml | 1 + + .../package_telnet-server_removed/rule.yml | 1 + + .../telnet/package_telnet_removed/rule.yml | 1 + + .../telnet/service_telnet_disabled/rule.yml | 1 + + .../tftp/package_tftp-server_removed/rule.yml | 1 + + .../printing/service_cups_disabled/rule.yml | 1 + + .../package_squid_removed/rule.yml | 1 + + .../service_squid_disabled/rule.yml | 1 + + .../rng/service_rngd_enabled/rule.yml | 1 + + .../package_quagga_removed/rule.yml | 1 + + .../service_zebra_disabled/rule.yml | 1 + + .../service_smb_disabled/rule.yml | 1 + + .../service_snmpd_disabled/rule.yml | 1 + + 
.../ssh/file_groupowner_sshd_config/rule.yml | 1 + + .../ssh/file_owner_sshd_config/rule.yml | 1 + + .../ssh/file_permissions_sshd_config/rule.yml | 1 + + .../rule.yml | 1 + + .../file_permissions_sshd_pub_key/rule.yml | 1 + + .../rule.yml | 1 + + .../package_openssh-server_installed/rule.yml | 1 + + .../ssh/service_sshd_enabled/rule.yml | 1 + + .../ssh/ssh_server/disable_host_auth/rule.yml | 1 + + .../sshd_allow_only_protocol2/rule.yml | 1 + + .../sshd_disable_compression/rule.yml | 1 + + .../sshd_disable_empty_passwords/rule.yml | 1 + + .../sshd_disable_gssapi_auth/rule.yml | 1 + + .../sshd_disable_kerb_auth/rule.yml | 1 + + .../ssh_server/sshd_disable_rhosts/rule.yml | 1 + + .../sshd_disable_root_login/rule.yml | 1 + + .../sshd_disable_tcp_forwarding/rule.yml | 1 + + .../sshd_disable_user_known_hosts/rule.yml | 1 + + .../sshd_disable_x11_forwarding/rule.yml | 1 + + .../sshd_do_not_permit_user_env/rule.yml | 1 + + .../sshd_enable_strictmodes/rule.yml | 1 + + .../sshd_enable_warning_banner/rule.yml | 1 + + .../ssh_server/sshd_print_last_log/rule.yml | 1 + + .../ssh/ssh_server/sshd_rekey_limit/rule.yml | 1 + + .../ssh_server/sshd_set_idle_timeout/rule.yml | 1 + + .../ssh_server/sshd_set_keepalive/rule.yml | 1 + + .../sshd_set_loglevel_info/rule.yml | 1 + + .../sshd_set_max_auth_tries/rule.yml | 1 + + .../ssh_server/sshd_set_max_sessions/rule.yml | 1 + + .../configure_usbguard_auditbackend/rule.yml | 1 + + .../package_usbguard_installed/rule.yml | 1 + + .../service_usbguard_enabled/rule.yml | 1 + + .../usbguard_allow_hid_and_hub/rule.yml | 1 + + .../rule.yml | 1 + + .../xwindows_remove_packages/rule.yml | 1 + + .../xwindows_runlevel_target/rule.yml | 1 + + .../banner_etc_issue/rule.yml | 1 + + .../accounts-banners/banner_etc_motd/rule.yml | 1 + + .../file_permissions_etc_issue/rule.yml | 1 + + .../file_permissions_etc_motd/rule.yml | 1 + + .../display_login_attempts/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + 
.../rule.yml | 1 + + .../accounts_password_pam_dcredit/rule.yml | 1 + + .../accounts_password_pam_difok/rule.yml | 1 + + .../accounts_password_pam_lcredit/rule.yml | 1 + + .../rule.yml | 1 + + .../accounts_password_pam_maxrepeat/rule.yml | 1 + + .../accounts_password_pam_minclass/rule.yml | 1 + + .../accounts_password_pam_minlen/rule.yml | 1 + + .../accounts_password_pam_ocredit/rule.yml | 1 + + .../accounts_password_pam_retry/rule.yml | 1 + + .../accounts_password_pam_ucredit/rule.yml | 1 + + .../rule.yml | 1 + + .../require_emergency_target_auth/rule.yml | 1 + + .../require_singleuser_auth/rule.yml | 1 + + .../package_tmux_installed/rule.yml | 1 + + .../install_smartcard_packages/rule.yml | 1 + + .../package_opensc_installed/rule.yml | 1 + + .../rule.yml | 1 + + .../account_unique_name/rule.yml | 1 + + .../accounts_maximum_age_login_defs/rule.yml | 1 + + .../accounts_minimum_age_login_defs/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../accounts_password_all_shadowed/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../gid_passwd_group_same/rule.yml | 1 + + .../no_empty_passwords/rule.yml | 1 + + .../no_legacy_plus_entries_etc_group/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../password_storage/no_netrc_files/rule.yml | 1 + + .../accounts_no_uid_except_zero/rule.yml | 1 + + .../no_direct_root_logins/rule.yml | 1 + + .../no_shelllogin_for_systemaccounts/rule.yml | 1 + + .../restrict_serial_port_logins/rule.yml | 1 + + .../rule.yml | 1 + + .../accounts_logon_fail_delay/rule.yml | 1 + + .../rule.yml | 1 + + .../accounts_polyinstantiated_tmp/rule.yml | 1 + + .../rule.yml | 1 + + .../accounts-session/accounts_tmout/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../file_permission_user_init_files/rule.yml | 1 + + .../rule.yml | 1 + + .../file_permissions_home_dirs/rule.yml | 1 + + .../accounts_root_path_dirs_no_write/rule.yml | 1 + + .../accounts_umask_etc_bashrc/rule.yml | 1 + + 
.../accounts_umask_etc_login_defs/rule.yml | 1 + + .../accounts_umask_etc_profile/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../audit_rules_execution_chcon/rule.yml | 1 + + .../audit_rules_execution_restorecon/rule.yml | 1 + + .../audit_rules_execution_semanage/rule.yml | 1 + + .../audit_rules_execution_setfiles/rule.yml | 1 + + .../audit_rules_execution_setsebool/rule.yml | 1 + + .../audit_rules_execution_seunshare/rule.yml | 1 + + .../audit_rules_file_deletion_events/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../audit_rules_login_events/rule.yml | 1 + + .../rule.yml | 1 + + .../audit_rules_login_events_lastlog/rule.yml | 1 + + .../rule.yml | 1 + + .../audit_rules_privileged_commands/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../audit_rules_immutable/rule.yml | 1 + + .../audit_rules_mac_modification/rule.yml | 1 + + .../audit_rules_media_export/rule.yml | 1 + + .../rule.yml | 1 + + .../audit_rules_session_events/rule.yml | 1 + + .../audit_rules_sysadmin_actions/rule.yml | 1 + + .../audit_rules_system_shutdown/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + 
.../rule.yml | 1 + + .../rule.yml | 1 + + .../audit_rules_time_adjtimex/rule.yml | 1 + + .../audit_rules_time_clock_settime/rule.yml | 1 + + .../audit_rules_time_settimeofday/rule.yml | 1 + + .../audit_rules_time_stime/rule.yml | 1 + + .../audit_rules_time_watch_localtime/rule.yml | 1 + + .../rule.yml | 1 + + .../file_ownership_var_log_audit/rule.yml | 1 + + .../file_permissions_var_log_audit/rule.yml | 1 + + .../rule.yml | 1 + + .../auditd_data_disk_error_action/rule.yml | 1 + + .../auditd_data_disk_full_action/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../auditd_data_retention_flush/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../auditd_data_retention_num_logs/rule.yml | 1 + + .../rule.yml | 1 + + .../auditd_freq/rule.yml | 1 + + .../auditd_local_events/rule.yml | 1 + + .../auditd_log_format/rule.yml | 1 + + .../auditd_name_format/rule.yml | 1 + + .../auditd_write_logs/rule.yml | 1 + + .../auditing/grub2_audit_argument/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../auditing/package_audit_installed/rule.yml | 1 + + .../policy_rules/audit_access_failed/rule.yml | 1 + + .../audit_access_success/rule.yml | 1 + + .../audit_basic_configuration/rule.yml | 1 + + .../policy_rules/audit_create_failed/rule.yml | 1 + + .../audit_create_success/rule.yml | 1 + + .../policy_rules/audit_delete_failed/rule.yml | 1 + + .../audit_delete_success/rule.yml | 1 + + .../audit_immutable_login_uids/rule.yml | 1 + + .../policy_rules/audit_modify_failed/rule.yml | 1 + + .../audit_modify_success/rule.yml | 1 + + .../policy_rules/audit_module_load/rule.yml | 1 + + .../policy_rules/audit_ospp_general/rule.yml | 1 + + .../audit_owner_change_failed/rule.yml | 1 + + .../audit_owner_change_success/rule.yml | 1 + + .../audit_perm_change_failed/rule.yml | 1 + + .../audit_perm_change_success/rule.yml | 1 + + .../auditing/service_auditd_enabled/rule.yml | 1 + + .../grub2_enable_iommu_force/rule.yml | 1 + + .../grub2_kernel_trust_cpu_rng/rule.yml | 1 + + 
.../grub2_pti_argument/rule.yml | 1 + + .../grub2_vsyscall_argument/rule.yml | 1 + + .../file_groupowner_grub2_cfg/rule.yml | 1 + + .../non-uefi/file_owner_grub2_cfg/rule.yml | 1 + + .../file_permissions_grub2_cfg/rule.yml | 1 + + .../non-uefi/grub2_password/rule.yml | 1 + + .../zipl_audit_argument/rule.yml | 1 + + .../rule.yml | 1 + + .../zipl_bls_entries_only/rule.yml | 1 + + .../zipl_bootmap_is_up_to_date/rule.yml | 1 + + .../zipl_page_poison_argument/rule.yml | 1 + + .../zipl_slub_debug_argument/rule.yml | 1 + + .../zipl_vsyscall_argument/rule.yml | 1 + + .../rsyslog_cron_logging/rule.yml | 1 + + .../ensure_logrotate_activated/rule.yml | 1 + + .../package_rsyslog-gnutls_installed/rule.yml | 1 + + .../rsyslog_nolisten/rule.yml | 1 + + .../rsyslog_remote_loghost/rule.yml | 1 + + .../rsyslog_remote_tls/rule.yml | 1 + + .../rsyslog_remote_tls_cacert/rule.yml | 1 + + .../logging/service_rsyslog_enabled/rule.yml | 1 + + .../package_firewalld_installed/rule.yml | 1 + + .../service_firewalld_enabled/rule.yml | 1 + + .../set_firewalld_default_zone/rule.yml | 1 + + .../package_libreswan_installed/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../sysctl_net_ipv4_tcp_rfc1337/rule.yml | 1 + + .../sysctl_net_ipv4_tcp_syncookies/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + 
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 + + .../kernel_module_atm_disabled/rule.yml | 1 + + .../kernel_module_can_disabled/rule.yml | 1 + + .../kernel_module_dccp_disabled/rule.yml | 1 + + .../rule.yml | 1 + + .../kernel_module_rds_disabled/rule.yml | 1 + + .../kernel_module_sctp_disabled/rule.yml | 1 + + .../kernel_module_tipc_disabled/rule.yml | 1 + + .../kernel_module_bluetooth_disabled/rule.yml | 1 + + .../wireless_disable_interfaces/rule.yml | 1 + + .../network/network_sniffer_disabled/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../file_permissions_ungroupowned/rule.yml | 1 + + .../files/no_files_unowned_by_user/rule.yml | 1 + + .../file_groupowner_backup_etc_group/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../file_groupowner_etc_group/rule.yml | 1 + + .../file_groupowner_etc_gshadow/rule.yml | 1 + + .../file_groupowner_etc_passwd/rule.yml | 1 + + .../file_groupowner_etc_shadow/rule.yml | 1 + + .../file_owner_backup_etc_group/rule.yml | 1 + + .../file_owner_backup_etc_gshadow/rule.yml | 1 + + .../file_owner_backup_etc_passwd/rule.yml | 1 + + .../file_owner_backup_etc_shadow/rule.yml | 1 + + .../file_owner_etc_group/rule.yml | 1 + + .../file_owner_etc_gshadow/rule.yml | 1 + + .../file_owner_etc_passwd/rule.yml | 1 + + .../file_owner_etc_shadow/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../file_permissions_etc_group/rule.yml | 1 + + .../file_permissions_etc_gshadow/rule.yml | 1 + + .../file_permissions_etc_passwd/rule.yml | 1 + + .../file_permissions_etc_shadow/rule.yml | 1 + + .../file_groupowner_var_log/rule.yml | 1 + + .../file_groupowner_var_log_messages/rule.yml | 1 + + .../file_owner_var_log/rule.yml | 1 + + .../file_owner_var_log_messages/rule.yml | 1 + + .../file_permissions_var_log/rule.yml | 1 + + .../rule.yml | 1 + + .../file_ownership_binary_dirs/rule.yml | 1 + + 
.../file_ownership_library_dirs/rule.yml | 1 + + .../file_permissions_binary_dirs/rule.yml | 1 + + .../file_permissions_library_dirs/rule.yml | 1 + + .../sysctl_fs_protected_hardlinks/rule.yml | 1 + + .../sysctl_fs_protected_symlinks/rule.yml | 1 + + .../kernel_module_cramfs_disabled/rule.yml | 1 + + .../kernel_module_squashfs_disabled/rule.yml | 1 + + .../kernel_module_udf_disabled/rule.yml | 1 + + .../rule.yml | 1 + + .../mounting/service_autofs_disabled/rule.yml | 1 + + .../mount_option_boot_nodev/rule.yml | 1 + + .../mount_option_boot_noexec/rule.yml | 1 + + .../mount_option_boot_nosuid/rule.yml | 1 + + .../mount_option_dev_shm_nodev/rule.yml | 1 + + .../mount_option_dev_shm_noexec/rule.yml | 1 + + .../mount_option_dev_shm_nosuid/rule.yml | 1 + + .../mount_option_home_nodev/rule.yml | 1 + + .../mount_option_home_noexec/rule.yml | 1 + + .../mount_option_home_nosuid/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../mount_option_opt_nosuid/rule.yml | 1 + + .../mount_option_srv_nosuid/rule.yml | 1 + + .../mount_option_tmp_nodev/rule.yml | 1 + + .../mount_option_tmp_noexec/rule.yml | 1 + + .../mount_option_tmp_nosuid/rule.yml | 1 + + .../mount_option_var_log_audit_nodev/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../mount_option_var_log_nodev/rule.yml | 1 + + .../mount_option_var_log_noexec/rule.yml | 1 + + .../mount_option_var_log_nosuid/rule.yml | 1 + + .../mount_option_var_nodev/rule.yml | 1 + + .../mount_option_var_noexec/rule.yml | 1 + + .../mount_option_var_nosuid/rule.yml | 1 + + .../mount_option_var_tmp_nodev/rule.yml | 1 + + .../mount_option_var_tmp_noexec/rule.yml | 1 + + .../mount_option_var_tmp_nosuid/rule.yml | 1 + + .../disable_users_coredumps/rule.yml | 1 + + .../rule.yml | 1 + + .../sysctl_fs_suid_dumpable/rule.yml | 1 + + .../sysctl_kernel_exec_shield/rule.yml | 1 + + .../sysctl_kernel_kptr_restrict/rule.yml | 1 + + .../sysctl_kernel_randomize_va_space/rule.yml | 1 + + 
.../grub2_page_poison_argument/rule.yml | 1 + + .../grub2_slub_debug_argument/rule.yml | 1 + + .../sysctl_kernel_core_pattern/rule.yml | 1 + + .../sysctl_kernel_dmesg_restrict/rule.yml | 1 + + .../rule.yml | 1 + + .../sysctl_kernel_modules_disabled/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../sysctl_kernel_pid_max/rule.yml | 1 + + .../restrictions/sysctl_kernel_sysrq/rule.yml | 1 + + .../rule.yml | 1 + + .../sysctl_kernel_yama_ptrace_scope/rule.yml | 1 + + .../sysctl_net_core_bpf_jit_harden/rule.yml | 1 + + .../sysctl_user_max_user_namespaces/rule.yml | 1 + + .../sysctl_vm_mmap_min_addr/rule.yml | 1 + + .../selinux/grub2_enable_selinux/rule.yml | 1 + + .../package_libselinux_installed/rule.yml | 1 + + .../selinux/package_mcstrans_removed/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../package_setroubleshoot_removed/rule.yml | 1 + + .../sebool_auditadm_exec_content/rule.yml | 1 + + .../sebool_deny_execmem/rule.yml | 1 + + .../sebool_polyinstantiation_enabled/rule.yml | 1 + + .../sebool_secure_mode_insmod/rule.yml | 1 + + .../sebool_selinuxuser_execheap/rule.yml | 1 + + .../sebool_selinuxuser_execmod/rule.yml | 1 + + .../sebool_selinuxuser_execstack/rule.yml | 1 + + .../sebool_ssh_sysadm_login/rule.yml | 1 + + .../selinux_confinement_of_daemons/rule.yml | 1 + + .../selinux/selinux_policytype/rule.yml | 1 + + .../system/selinux/selinux_state/rule.yml | 1 + + .../encrypt_partitions/rule.yml | 1 + + .../partition_for_home/rule.yml | 1 + + .../partition_for_srv/rule.yml | 1 + + .../partition_for_tmp/rule.yml | 1 + + .../partition_for_var/rule.yml | 1 + + .../partition_for_var_log/rule.yml | 1 + + .../partition_for_var_log_audit/rule.yml | 1 + + .../partition_for_var_tmp/rule.yml | 1 + + .../gnome/package_gdm_removed/rule.yml | 1 + + .../installed_OS_is_vendor_supported/rule.yml | 1 + + .../configure_bind_crypto_policy/rule.yml | 1 + + .../crypto/configure_crypto_policy/rule.yml | 1 + + 
.../configure_kerberos_crypto_policy/rule.yml | 1 + + .../rule.yml | 1 + + .../configure_openssl_crypto_policy/rule.yml | 1 + + .../rule.yml | 1 + + .../configure_ssh_crypto_policy/rule.yml | 1 + + .../rule.yml | 1 + + .../fips/sysctl_crypto_fips_enabled/rule.yml | 1 + + .../aide/aide_build_database/rule.yml | 1 + + .../aide/aide_periodic_cron_checking/rule.yml | 1 + + .../aide/aide_scan_notification/rule.yml | 1 + + .../aide/aide_verify_acls/rule.yml | 1 + + .../aide/aide_verify_ext_attributes/rule.yml | 1 + + .../aide/package_aide_installed/rule.yml | 1 + + .../rpm_verify_hashes/rule.yml | 1 + + .../rpm_verify_ownership/rule.yml | 1 + + .../rpm_verify_permissions/rule.yml | 1 + + .../system/software/prefer_64bit_os/rule.yml | 1 + + .../sudo/package_sudo_installed/rule.yml | 1 + + .../software/sudo/sudo_add_noexec/rule.yml | 1 + + .../sudo/sudo_add_requiretty/rule.yml | 1 + + .../software/sudo/sudo_add_use_pty/rule.yml | 1 + + .../sudo/sudo_custom_logfile/rule.yml | 1 + + .../sudo/sudo_remove_no_authenticate/rule.yml | 1 + + .../sudo/sudo_remove_nopasswd/rule.yml | 1 + + .../sudo/sudo_require_authentication/rule.yml | 1 + + .../rule.yml | 1 + + .../software/sudo/sudo_vdsm_nopasswd/rule.yml | 1 + + .../sudoers_explicit_command_args/rule.yml | 5 +- + .../sudo/sudoers_no_command_negation/rule.yml | 5 +- + .../sudo/sudoers_no_root_target/rule.yml | 5 +- + .../sudo/sudoers_validate_passwd/rule.yml | 1 + + .../package_abrt-addon-ccpp_removed/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../package_abrt-cli_removed/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../package_gnutls-utils_installed/rule.yml | 1 + + .../package_gssproxy_removed/rule.yml | 1 + + .../package_iprutils_removed/rule.yml | 1 + + .../package_krb5-workstation_removed/rule.yml | 1 + + .../rule.yml | 1 + + .../package_rear_installed/rule.yml | 1 + + .../package_rng-tools_installed/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + 
.../package_tuned_removed/rule.yml | 1 +
+ .../clean_components_post_updating/rule.yml | 1 +
+ .../dnf-automatic_apply_updates/rule.yml | 1 +
+ .../rule.yml | 1 +
+ .../rule.yml | 1 +
+ .../ensure_gpgcheck_local_packages/rule.yml | 1 +
+ .../ensure_gpgcheck_never_disabled/rule.yml | 1 +
+ .../package_dnf-automatic_installed/rule.yml | 1 +
+ .../timer_dnf-automatic_enabled/rule.yml | 1 +
+ 549 files changed, 554 insertions(+), 577 deletions(-)
+
+diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+index 86fabb43744..8ad5ad300aa 100644
+--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
++++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80338-7
+ cce@rhel8: CCE-82188-4
++ cce@rhel9: CCE-90824-4
+
+ references:
+ cis@rhel7: 2.2.3
+diff --git a/linux_os/guide/services/base/package_abrt_removed/rule.yml b/linux_os/guide/services/base/package_abrt_removed/rule.yml
+index 53b633c1f32..d1f2c060751 100644
+--- a/linux_os/guide/services/base/package_abrt_removed/rule.yml
++++ b/linux_os/guide/services/base/package_abrt_removed/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-81040-8
+ cce@rhel8: CCE-80948-3
++ cce@rhel9: CCE-84228-6
+
+ references:
+ srg: SRG-OS-000095-GPOS-00049
+diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
+index cacd7eeb3a7..73b3fad1446 100644
+--- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82027-4
+ cce@rhel8: CCE-80870-9
++ cce@rhel9: CCE-84234-4
+
+ references:
+ nist: CM-7(a),CM-6(a)
+diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
+index 1bb014b5993..5129bcd31e7 100644
+--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80258-7
+ cce@rhel8: CCE-80878-2
++ cce@rhel9: CCE-84232-8
+ cce@sle12: CCE-83105-7
+ cce@sle15: CCE-85638-5
+
+diff --git a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
+index 8dfbcf5faab..7c1ae86f5fe 100644
+--- a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
+@@ -23,6 +23,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-80262-9
+ cce@rhel8: CCE-80879-0
++ cce@rhel9: CCE-84236-9
+
+ references:
+ disa: CCI-000382
+diff --git a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
+index 64aa1c45f9e..dbe4b22a809 100644
+--- a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80263-7
+ cce@rhel8: CCE-80880-8
++ cce@rhel9: CCE-84229-4
+
+ references:
+ disa: CCI-000381
+diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
+index badee1af18e..be12fd102a1 100644
+--- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
+@@ -24,6 +24,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-80266-0
+ cce@rhel8: CCE-80882-4
++ cce@rhel9: CCE-84231-0
+
+ references:
+ disa: CCI-000382
+diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
+index 772f8c37e68..3cae11fd233 100644
+--- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80268-6
+ cce@rhel8: CCE-80883-2
++ cce@rhel9: CCE-84237-7
+
+ references:
+ disa: CCI-000382
+diff --git a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
+index ba3b04d8811..35290e39084 100644
+--- a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
+@@ -22,6 +22,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-80269-4
+ cce@rhel8: CCE-82405-2
++ cce@rhel9: CCE-84235-1
+
+ references:
+ cis@rhel7: 1.2.5
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+index bcf17d8d1ba..63741db4654 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82265-0
+ cce@rhel8: CCE-82268-4
++ cce@rhel9: CCE-84177-5
+
+ references:
+ cis@rhel7: 5.1.7
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+index 3731bcff80a..2bbef88897c 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82232-0
+ cce@rhel8: CCE-82234-6
++ cce@rhel9: CCE-84170-0
+
+ references:
+ cis@rhel7: 5.1.4
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+index f6be1d8e385..c1d873c80b4 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82226-2
+ cce@rhel8: CCE-82227-0
++ cce@rhel9: CCE-84186-6
+
+ references:
+ cis@rhel7: 5.1.3
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+index 823bf13d3a8..5f98988f1d3 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82255-1
+ cce@rhel8: CCE-82256-9
++ cce@rhel9: CCE-84189-0
+
+ references:
+ cis@rhel7: 5.1.6
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+index edeef8ff378..e6876272e08 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82242-9
+ cce@rhel8: CCE-82244-5
++ cce@rhel9: CCE-84174-2
+
+ references:
+ cis@rhel7: 5.1.5
+diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+index 8c4027198e3..6556e3f8d23 100644
+--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82222-1
+ cce@rhel8: CCE-82223-9
++ cce@rhel9: CCE-84171-8
+
+ references:
+ cis@rhel7: 5.1.2
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+index 29df5f3a977..2e95b3569da 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82270-0
+ cce@rhel8: CCE-82272-6
++ cce@rhel9: CCE-84169-2
+
+ references:
+ cis@rhel7: 5.1.7
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+index f7e7811c8b1..41b87b5c458 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82236-1
+ cce@rhel8: CCE-82237-9
++ cce@rhel9: CCE-84188-2
+
+ references:
+ cis@rhel7: 5.1.4
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+index 04041e13dfe..97ecab21d35 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82208-0
+ cce@rhel8: CCE-82209-8
++ cce@rhel9: CCE-84168-4
+
+ references:
+ cis@rhel7: 5.1.3
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+index 46757a03195..b607f980e6e 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82259-3
+ cce@rhel8: CCE-82260-1
++ cce@rhel9: CCE-84179-1
+
+ references:
+ cis@rhel7: 5.1.6
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+index 48f897e4339..3c0d65d9349 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82246-0
+ cce@rhel8: CCE-82247-8
++ cce@rhel9: CCE-84190-8
+
+ references:
+ cis@rhel7: 5.1.5
+diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+index 738d9820b7f..ff0493c9d22 100644
+--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82217-1
+ cce@rhel8: CCE-82224-7
++ cce@rhel9: CCE-84167-6
+
+ references:
+ cis@rhel7: 5.1.2
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+index f47ae580724..d3af795efcb 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82276-7
+ cce@rhel8: CCE-82277-5
++ cce@rhel9: CCE-84183-3
+
+ references:
+ cis@rhel7: 5.1.7
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+index ce7a7447a68..40eb753b45c 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82239-5
+ cce@rhel8: CCE-82240-3
++ cce@rhel9: CCE-84175-9
+
+ references:
+ cis@rhel7: 5.1.4
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+index dc9c7274f6e..cb0d959fecf 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82229-6
+ cce@rhel8: CCE-82230-4
++ cce@rhel9: CCE-84173-4
+
+ references:
+ cis@rhel7: 5.1.3
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+index 0ce221933e3..1bb7486b3be 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82262-7
+ cce@rhel8: CCE-82263-5
++ cce@rhel9: CCE-84181-7
+
+ references:
+ cis@rhel7: 5.1.6
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+index 0bcf7c9dfa3..ea5020367e9 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82250-2
+ cce@rhel8: CCE-82253-6
++ cce@rhel9: CCE-84187-4
+
+ references:
+ cis@rhel7: 5.1.5
+diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+index 4a743ab10d5..62b3623b10c 100644
+--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
++++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82205-6
+ cce@rhel8: CCE-82206-4
++ cce@rhel9: CCE-84176-7
+
+ references:
+ cis@rhel7: 5.1.2
+diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
+index 12bde00f86c..bd3f5894e1d 100644
+--- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
++++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80345-2
+ cce@rhel8: CCE-80871-7
++ cce@rhel9: CCE-84164-3
+
+ references:
+ disa: CCI-000381
+diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
+index d2c99d0d3f9..5e6aa3f246d 100644
+--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
++++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27323-5
+ cce@rhel8: CCE-80875-8
++ cce@rhel9: CCE-84163-5
+
+ references:
+ cis@rhel7: 5.1.1
+diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
+index 5f6ef7037d1..e1f2ee67c0c 100644
+--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
++++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
+@@ -24,6 +24,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80331-2
+ cce@rhel8: CCE-83385-5
++ cce@rhel9: CCE-84240-1
+
+ references:
+ disa: CCI-000366
+diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+index ef7cb53457e..d5a35841bb7 100644
+--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
++++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80330-4
+ cce@rhel8: CCE-82864-0
++ cce@rhel9: CCE-84241-9
+
+ references:
+ disa: CCI-000366
+diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+index ee4527a8953..9416c1a47c3 100644
+--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
++++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80325-4
+ cce@rhel8: CCE-82409-4
++ cce@rhel9: CCE-84194-0
+
+ references:
+ cis@rhel7: 2.2.8
+diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
+index abaa84ceb0f..def5fd0b715 100644
+--- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
++++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
+@@ -15,6 +15,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82191-8
++ cce@rhel9: CCE-84224-5
+ cce@rhcos4: CCE-82533-1
+
+ references:
+diff --git a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
+index a8b98ce3630..69be5807c1d 100644
+--- a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
++++ b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82249-4
++ cce@rhel9: CCE-84227-8
+ cce@rhcos4: CCE-82534-9
+
+ references:
+diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
+index b41afade347..30f5483a471 100644
+--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
++++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
+@@ -15,6 +15,7 @@ severity: high
+ identifiers:
+ cce@rhel7: CCE-80245-4
+ cce@rhel8: CCE-82414-4
++ cce@rhel9: CCE-84159-3
+ cce@sle15: CCE-85700-3
+
+ references:
+diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
+index e6424e0162a..f43dabbda35 100644
+--- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
++++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80244-7
+ cce@rhel8: CCE-82413-6
++ cce@rhel9: CCE-84160-1
+
+ references:
+ cis@rhel7: 2.2.9
+diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
+index 10808731308..880cb190c41 100644
+--- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
++++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
+@@ -16,6 +16,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-80300-7
+ cce@rhel8: CCE-82761-8
++ cce@rhel9: CCE-84213-8
+
+ references:
+ cis@rhel7: 2.2.10
+diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
+index 54235dbfe6a..d460c18646d 100644
+--- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
++++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
+@@ -16,6 +16,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7:
CCE-80294-2 + cce@rhel8: CCE-82760-0 ++ cce@rhel9: CCE-84242-7 + + references: + cis@rhel7: 2.2.11 +diff --git a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml +index 3e0de0e531f..992e397de54 100644 +--- a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml ++++ b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml +@@ -15,6 +15,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-82175-1 ++ cce@rhel9: CCE-84221-1 + + references: + ospp: FTP_ITC_EXT.1 +diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +index 36be8d99194..6d0409fd273 100644 +--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml ++++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +@@ -18,6 +18,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82884-8 + cce@rhel8: CCE-82885-5 ++ cce@rhel9: CCE-90831-9 + + references: + cis@rhel7: 2.3.5 +diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml +index 3c851cfb227..a56d93cdae5 100644 +--- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml ++++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80288-4 + cce@rhel8: CCE-81039-0 ++ cce@rhel9: CCE-90830-1 + + references: + nist: CM-7(a),CM-7(b),CM-6(a) +diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +index 28d5b41a750..3d390b35e8f 100644 +--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml ++++ 
b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +@@ -21,6 +21,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82380-7 + cce@rhel8: CCE-82381-5 ++ cce@rhel9: CCE-90826-9 + cce@sle12: CCE-83031-5 + cce@sle15: CCE-85605-4 + +diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml +index 4a9a36ab8c3..e0e3a53d9e5 100644 +--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml ++++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml +@@ -20,6 +20,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80289-2 + cce@rhel8: CCE-82174-4 ++ cce@rhel9: CCE-90825-1 + + references: + cis@rhel7: 2.2.16 +diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +index 13723c22bab..a44f0c1c492 100644 +--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +@@ -22,6 +22,7 @@ severity: low + identifiers: + cce@rhel7: CCE-80230-6 + cce@rhel8: CCE-82858-2 ++ cce@rhel9: CCE-84245-0 + + references: + cis@rhel7: 2.2.18 +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml +index 5ecd328720e..ef2717e3116 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml 
+@@ -17,6 +17,7 @@ severity: unknown + identifiers: + cce@rhel7: CCE-80237-1 + cce@rhel8: CCE-82762-6 ++ cce@rhel9: CCE-90850-9 + + references: + cis@rhel7: 2.2.7 +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml +index 82eac90b88b..6b2313ecc21 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml +@@ -15,6 +15,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80239-7 + cce@rhel8: CCE-84052-0 ++ cce@rhel9: CCE-90838-4 + + references: + nist: CM-6(a),MP-2 +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml +index 4c65f182a9f..9bd6d8ddfdc 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml +@@ -19,6 +19,7 @@ identifiers: + cce@sle12: CCE-83103-2 + cce@sle15: CCE-85636-9 + cce@rhel8: CCE-84050-4 ++ cce@rhel9: CCE-84246-8 + + references: + stigid@ol7: OL07-00-021021 +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml 
b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml +index 134be291155..036bc8f69b3 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml +@@ -17,6 +17,7 @@ identifiers: + cce@sle12: CCE-83102-4 + cce@sle15: CCE-85635-1 + cce@rhel8: CCE-84053-8 ++ cce@rhel9: CCE-84247-6 + + references: + stigid@ol7: OL07-00-021020 +diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml +index d8527598136..33f4764f795 100644 +--- a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml +@@ -19,6 +19,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82933-3 + cce@rhel8: CCE-82932-5 ++ cce@rhel9: CCE-84243-5 + + references: + srg: SRG-OS-000095-GPOS-00049 +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +index 0947a2faaa8..47cb3d67b7e 100644 +--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +@@ -30,6 +30,7 @@ references: + identifiers: + cce@rhel7: CCE-82878-0 + cce@rhel8: CCE-82879-8 ++ cce@rhel9: CCE-84108-0 + + ocil_clause: 'chronyd is not running under chrony user account' + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +index 3583feaf04f..c36fcad3b77 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml ++++ 
b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +@@ -24,6 +24,7 @@ platform: chrony + identifiers: + cce@rhel7: CCE-83418-4 + cce@rhel8: CCE-82873-1 ++ cce@rhel9: CCE-84218-7 + + references: + cis@rhel7: 2.2.1.2 +diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +index 0c7a01f4a15..7b8edaf8b65 100644 +--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml ++++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +@@ -20,6 +20,7 @@ platform: machine + identifiers: + cce@rhel7: CCE-83419-2 + cce@rhel8: CCE-82874-9 ++ cce@rhel9: CCE-84215-3 + + references: + cis@rhel7: 2.2.1.1 +diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +index c582b2d6121..dad54bcbfa4 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml ++++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +@@ -23,6 +23,7 @@ platform: machine + identifiers: + cce@rhel7: CCE-83420-0 + cce@rhel8: CCE-82875-6 ++ cce@rhel9: CCE-84217-9 + + references: + cis@rhel7: 2.2.1.3 +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +index f582f8b481d..ec4a0de2f61 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +@@ -16,6 +16,7 @@ severity: low + identifiers: + cce@rhel7: CCE-27354-0 + cce@rhel8: CCE-80850-1 ++ cce@rhel9: CCE-84155-1 + + references: + anssi: BP28(R1) +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml +index 2c6448da572..3a4e6d4ac78 100644 +--- 
a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27443-1 + cce@rhel8: CCE-80888-1 ++ cce@rhel9: CCE-84156-9 + + references: + cis@rhel7: 2.1.7 +diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +index e836dc6fb10..87f57cda697 100644 +--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +@@ -22,6 +22,7 @@ severity: unknown + identifiers: + cce@rhel7: CCE-27396-1 + cce@rhel8: CCE-82181-9 ++ cce@rhel9: CCE-84151-0 + + references: + anssi: BP28(R1) +diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +index e45f5ad0135..55ad750f02d 100644 +--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +@@ -20,6 +20,7 @@ severity: high + identifiers: + cce@rhel7: CCE-27399-5 + cce@rhel8: CCE-82432-6 ++ cce@rhel9: CCE-84152-8 + + references: + anssi: BP28(R1) +diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml +index 02e2983feee..d4880e23956 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml +@@ -21,6 +21,7 @@ severity: high + identifiers: + cce@rhel7: CCE-27406-8 + cce@rhel8: CCE-80842-8 ++ cce@rhel9: CCE-84145-2 + + references: + cis@rhel7: 6.2.14 +diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml 
b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +index 33c36cde67d..ed8c4a6c090 100644 +--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +@@ -20,6 +20,7 @@ severity: high + identifiers: + cce@rhel7: CCE-27342-5 + cce@rhel8: CCE-82184-3 ++ cce@rhel9: CCE-84143-7 + + references: + anssi: BP28(R1) +diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +index 5b27c0ced97..0997a778984 100644 +--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +@@ -29,6 +29,7 @@ severity: unknown + identifiers: + cce@rhel7: CCE-27274-0 + cce@rhel8: CCE-82183-5 ++ cce@rhel9: CCE-84142-9 + + references: + anssi: BP28(R1) +diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +index 597be531e87..addfd018351 100644 +--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +@@ -18,6 +18,7 @@ platform: machine + identifiers: + cce@rhel7: CCE-83334-3 + cce@rhel8: CCE-83335-0 ++ cce@rhel9: CCE-84140-3 + + references: + cis@rhel7: 2.2.19 +diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml +index e46e4f55d00..e0667d8811f 100644 +--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27210-4 + cce@rhel8: CCE-82180-1 ++ cce@rhel9: CCE-84158-5 + + references: + anssi: 
BP28(R1) +diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +index 24743fc2d66..0e3c53e4b09 100644 +--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +@@ -21,6 +21,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27432-4 + cce@rhel8: CCE-80848-5 ++ cce@rhel9: CCE-84157-7 + + references: + anssi: BP28(R1) +diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +index a26491259da..01c967baae8 100644 +--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +@@ -27,6 +27,7 @@ severity: high + identifiers: + cce@rhel7: CCE-27165-0 + cce@rhel8: CCE-82182-7 ++ cce@rhel9: CCE-84149-4 + cce@sle12: CCE-83084-4 + cce@sle15: CCE-83273-3 + +diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +index afef4887348..b953c71f65c 100644 +--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +@@ -19,6 +19,7 @@ severity: low + identifiers: + cce@rhel7: CCE-27305-2 + cce@rhel8: CCE-80849-3 ++ cce@rhel9: CCE-84146-0 + + references: + anssi: BP28(R1) +diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml +index b6446c2a78b..f4e0378f9e5 100644 +--- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml +@@ -41,6 +41,7 @@ severity: high + identifiers: + 
cce@rhel7: CCE-27401-9 + cce@rhel8: CCE-80887-3 ++ cce@rhel9: CCE-84150-2 + + references: + cis@rhel7: 2.2.19 +diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +index ca25bb21244..abcff3d8982 100644 +--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +@@ -20,6 +20,7 @@ severity: high + identifiers: + cce@rhel7: CCE-80213-2 + cce@rhel8: CCE-82436-7 ++ cce@rhel9: CCE-84154-4 + + references: + anssi: BP28(R1) +diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml +index 71ef701ec8f..1cedfddfd2c 100644 +--- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml ++++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml +@@ -14,6 +14,7 @@ severity: unknown + identifiers: + cce@rhel7: CCE-80282-7 + cce@rhel8: CCE-82861-6 ++ cce@rhel9: CCE-90795-6 + + references: + cis@rhel7: 2.2.4 +diff --git a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml +index f9495eef39c..5567e024ba1 100644 +--- a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml ++++ b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml +@@ -15,6 +15,7 @@ severity: unknown + identifiers: + cce@rhel7: CCE-80286-8 + cce@rhel8: CCE-82189-2 ++ cce@rhel9: CCE-84238-5 + + {{{ complete_ocil_entry_package(package="squid") }}} + +diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml +index 1a538ab1e05..f12fa6f203d 100644 +--- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml ++++ 
b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml +@@ -16,6 +16,7 @@ severity: unknown + identifiers: + cce@rhel7: CCE-80285-0 + cce@rhel8: CCE-82190-0 ++ cce@rhel9: CCE-84239-3 + + references: + cis@rhel7: 2.2.13 +diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml +index 4f1e4d85197..46387098d2d 100644 +--- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml ++++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml +@@ -16,6 +16,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-82831-9 ++ cce@rhel9: CCE-84223-7 + cce@rhcos4: CCE-82535-6 + + references: +diff --git a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml +index 9688f30b22f..b1dbf5b93af 100644 +--- a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml ++++ b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml +@@ -19,6 +19,7 @@ severity: low + identifiers: + cce@rhel7: CCE-27594-1 + cce@rhel8: CCE-82187-6 ++ cce@rhel9: CCE-84191-6 + + references: + disa: CCI-000366 +diff --git a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml +index 8d173cf74f4..595e8da103b 100644 +--- a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml ++++ b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27191-6 + cce@rhel8: CCE-80889-9 ++ cce@rhel9: CCE-84192-4 + + references: + disa: CCI-000366 +diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +index 1dba9883089..acd5c19efaf 
100644 +--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml ++++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +@@ -16,6 +16,7 @@ severity: low + identifiers: + cce@rhel7: CCE-80277-7 + cce@rhel8: CCE-82759-2 ++ cce@rhel9: CCE-84201-3 + + references: + cis@rhel7: 2.2.12 +diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml +index df46bd44b95..25f676360c2 100644 +--- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml ++++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml +@@ -16,6 +16,7 @@ severity: low + identifiers: + cce@rhel7: CCE-80274-4 + cce@rhel8: CCE-82758-4 ++ cce@rhel9: CCE-90832-7 + + references: + vmmsrg: SRG-OS-000480-VMM-002000 +diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml +index 08224309561..15a190d5e49 100644 +--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml ++++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82902-8 + cce@rhel8: CCE-82901-0 ++ cce@rhel9: CCE-90817-8 + + references: + cis@rhel7: 5.2.1 +diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml +index f69a5a177c0..ee707dc646f 100644 +--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml ++++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82899-6 + cce@rhel8: CCE-82898-8 ++ cce@rhel9: CCE-90821-0 + + references: + cis@rhel7: 5.2.1 +diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml 
b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml +index ff719e2ca20..5250f1c72fb 100644 +--- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml ++++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82895-4 + cce@rhel8: CCE-82894-7 ++ cce@rhel9: CCE-90818-6 + + references: + cis@rhel7: 5.2.1 +diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +index 57f3fcf792b..f6aee9aba0c 100644 +--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml ++++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27485-2 + cce@rhel8: CCE-82424-3 ++ cce@rhel9: CCE-90820-2 + cce@sle12: CCE-83058-8 + cce@sle15: CCE-85644-3 + +diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +index 553560b83f6..30a8002bf1a 100644 +--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml ++++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +@@ -13,6 +13,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27311-0 + cce@rhel8: CCE-82428-4 ++ cce@rhel9: CCE-90819-4 + cce@sle12: CCE-83057-0 + cce@sle15: CCE-85643-5 + +diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml +index 5f585c1a502..67bf4e7e022 100644 +--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml ++++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml +@@ -15,6 +15,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-82722-0 ++ cce@rhel9: CCE-90836-8 + + references: + srg: SRG-OS-000480-GPOS-00227 +diff --git 
a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +index 2d12bf7a8cc..46794f04946 100644 +--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml ++++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80215-7 + cce@rhel8: CCE-83303-8 ++ cce@rhel9: CCE-90823-6 + + references: + stigid@ol7: OL07-00-040300 +diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml +index a7aaa4f3f9c..8ecbc74b778 100644 +--- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml ++++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml +@@ -24,6 +24,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80216-5 + cce@rhel8: CCE-82426-8 ++ cce@rhel9: CCE-90822-8 + cce@sle12: CCE-83201-4 + cce@sle15: CCE-83297-2 + +diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml +index af004f81acf..888e9aa2aab 100644 +--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml +@@ -21,6 +21,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27413-4 + cce@rhel8: CCE-80786-7 ++ cce@rhel9: CCE-90816-0 + + references: + stigid@ol7: OL07-00-010470 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml +index fc9d1b9b3f3..4094e612579 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml +@@ -20,6 +20,7 @@ severity: high + identifiers: + cce@rhel7: CCE-27320-1 + cce@rhel8: CCE-80894-9 ++ cce@rhel9: CCE-90812-9 + + references: 
+ stigid@ol7: OL07-00-040390 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +index 54f40e75063..2e56c574a6c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +@@ -21,6 +21,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80224-9 + cce@rhel8: CCE-80895-6 ++ cce@rhel9: CCE-90801-2 + cce@sle12: CCE-83062-0 + cce@sle15: CCE-85647-6 + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +index 9e1cf6aae75..a8a1497d84d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +@@ -21,6 +21,7 @@ severity: high + identifiers: + cce@rhel7: CCE-27471-2 + cce@rhel8: CCE-80896-4 ++ cce@rhel9: CCE-90799-8 + cce@sle12: CCE-83014-1 + cce@sle15: CCE-85667-4 + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml +index c15ef0c36a2..282b850f24c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80220-7 + cce@rhel8: CCE-80897-2 ++ cce@rhel9: CCE-90808-7 + + references: + stigid@ol7: OL07-00-040430 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml +index 206a7c1399d..76708e44e1e 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml ++++ 
b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80221-5 + cce@rhel8: CCE-80898-0 ++ cce@rhel9: CCE-90802-0 + + references: + stigid@ol7: OL07-00-040440 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml +index d9bbe22ec98..2d8670ee211 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml +@@ -20,6 +20,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27377-1 + cce@rhel8: CCE-80899-8 ++ cce@rhel9: CCE-90797-2 + cce@rhcos4: CCE-82665-1 + + references: +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +index 5b36e99912a..3d987f0281d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +@@ -21,6 +21,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27445-6 + cce@rhel8: CCE-80901-2 ++ cce@rhel9: CCE-90800-4 + cce@sle12: CCE-83035-6 + cce@sle15: CCE-85557-7 + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml +index 9a0a7b6dfa5..b9282f8c0dc 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml +@@ -15,6 +15,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-83301-2 ++ cce@rhel9: CCE-90806-1 + + references: + cis@rhel8: 5.2.17 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml +index 
cd63b670a25..2580b3cdfe4 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80372-6
+ cce@rhel8: CCE-80902-0
++ cce@rhel9: CCE-90796-4
+ cce@sle12: CCE-83056-2
+ cce@sle15: CCE-85642-7
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+index b93aa2e6430..7da4e89cd6b 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83359-0
+ cce@rhel8: CCE-83360-8
++ cce@rhel9: CCE-90798-0
+ cce@sle15: CCE-85707-8
+
+ references:
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
+index 006a8496cef..cd08a39312b 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27363-1
+ cce@rhel8: CCE-80903-8
++ cce@rhel9: CCE-90803-8
+ cce@sle12: CCE-83015-8
+ cce@sle15: CCE-85666-6
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
+index 757ffe95f0e..6edd3480966 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80222-3
+ cce@rhel8: CCE-80904-6
++ cce@rhel9: CCE-90809-5
+ cce@sle12: CCE-83060-4
+ cce@sle15:
CCE-85645-0
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+index c2c045ceb48..b8c7e45edf0 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27314-4
+ cce@rhel8: CCE-80905-3
++ cce@rhel9: CCE-90807-9
+ cce@sle12: CCE-83066-1
+ cce@sle15: CCE-83263-4
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
+index 886a03cdadd..d4a520437bb 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80225-6
+ cce@rhel8: CCE-82281-7
++ cce@rhel9: CCE-90804-6
+ cce@sle12: CCE-83083-6
+ cce@sle15: CCE-85563-5
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+index 84eb61830ff..a4f65562d73 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82177-7
++ cce@rhel9: CCE-90815-2
+
+ references:
+ ospp: FCS_SSHS_EXT.1
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+index 7444e9680d1..7b49ebbbefb 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27433-2
+ cce@rhel8:
CCE-80906-1
++ cce@rhel9: CCE-90811-1
+ cce@rhcos4: CCE-82549-7
+ cce@sle12: CCE-83027-3
+ cce@sle15: CCE-83281-6
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+index 3995cd8c4ad..5b08b3b93fb 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27082-7
+ cce@rhel8: CCE-80907-9
++ cce@rhel9: CCE-90805-3
+ cce@rhcos4: CCE-82464-9
+ cce@sle12: CCE-83034-9
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
+index 2f170a1a3c8..f6c57ccd113 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
+@@ -21,6 +21,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-80645-5
+ cce@rhel8: CCE-82282-5
++ cce@rhel9: CCE-90813-7
+
+ references:
+ cis@debian10: 9.3.2
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
+index c7aa0e8899e..806953fd3c8 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82354-2
+ cce@rhel8: CCE-83500-9
++ cce@rhel9: CCE-90810-3
+
+ references:
+ cis@debian9: 9.3.5
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
+index 2782b71905a..a283a97f99a 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
++++
b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83357-4
++ cce@rhel9: CCE-84103-1
+
+ references:
+ cis@rhel8: 5.2.19
+diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
+index 7202c3b73e7..88c5f0a0684 100644
+--- a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
++++ b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82168-6
++ cce@rhel9: CCE-84206-2
+ cce@rhcos4: CCE-82538-0
+
+ references:
+diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
+index e7d3514efb0..dfc9d60d51c 100644
+--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
++++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
+@@ -41,6 +41,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82960-6
+ cce@rhel8: CCE-82959-8
++ cce@rhel9: CCE-84203-9
+ cce@rhcos4: CCE-82524-0
+
+ references:
+diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
+index a111d010844..28136f33936 100644
+--- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
++++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
+@@ -18,6 +18,7 @@ platform: machine
+
+ identifiers:
+ cce@rhel8: CCE-82853-3
++ cce@rhel9: CCE-84205-4
+ cce@rhcos4: CCE-82537-2
+
+ references:
+diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
+index 49fbfceb390..2f54b61c9b0 100644
+--- a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
++++
b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
+@@ -24,6 +24,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82368-2
++ cce@rhel9: CCE-84210-4
+ cce@rhcos4: CCE-82539-8
+
+ references:
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+index b1f1c590828..9c3e5853578 100644
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27218-7
+ cce@rhel8: CCE-82757-6
++ cce@rhel9: CCE-84104-9
+
+ references:
+ cis@rhel7: 2.2.2
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+index 10d5efe93f4..d4ae55e76e3 100644
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+@@ -37,6 +37,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83410-1
+ cce@rhel8: CCE-83411-9
++ cce@rhel9: CCE-84106-4
+
+ references:
+ disa: CCI-000366
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
+index e64ddd91807..4a33f52bb91 100644
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27285-6
+ cce@rhel8: CCE-83380-6
++ cce@rhel9: CCE-84105-6
+
+ references:
+ disa: CCI-000366
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+index 8dde113ea69..42313d7861f 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+@@ -84,6 +84,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27303-7
+ cce@rhel8: CCE-80763-6
++ cce@rhel9: CCE-83557-9
+ cce@rhcos4: CCE-82555-4
+ cce@sle12: CCE-83054-7
+ cce@sle15: CCE-83262-6
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
+index fcc47279783..bb74c68d893 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
+@@ -51,6 +51,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83394-7
+ cce@rhel8: CCE-83496-0
++ cce@rhel9: CCE-83559-5
+
+ references:
+ cis@rhel7: 1.7.1.
+diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
+index b30f8cde0f1..8bca4673c92 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83347-5
+ cce@rhel8: CCE-83348-3
++ cce@rhel9: CCE-83551-2
+
+ references:
+ cis@rhel7: 1.7.5
+diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
+index 460cc2f5d95..bd29403c607 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83337-6
+ cce@rhel8: CCE-83338-4
++ cce@rhel9: CCE-83554-6
+
+ references:
+ cis@rhel7: 1.7.4
+diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
+index 1662306b3a9..fc4f0e4b87d 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
+@@ -29,6 +29,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-27275-7
+ cce@rhel8: CCE-80788-3
++ cce@rhel9: CCE-83560-3
+ cce@sle12: CCE-83149-5
+ cce@sle15: CCE-85560-1
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+index cb90c7ce004..98c5f2922be 100644
+---
a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+@@ -28,6 +28,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82030-8
+ cce@rhel8: CCE-80666-1
++ cce@rhel9: CCE-83584-3
+ cce@sle15: CCE-85678-1
+
+ references:
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+index 37434a1f593..cee6c05fd97 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27350-8
+ cce@rhel8: CCE-80667-9
++ cce@rhel9: CCE-83587-6
+
+ references:
+ stigid@ol7: OL07-00-010320
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+index da61edfad1f..a03264066f1 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80353-6
+ cce@rhel8: CCE-80668-7
++ cce@rhel9: CCE-83589-2
+
+ references:
+ stigid@ol7: OL07-00-010330
+diff --git
a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+index 7dd0b99acf3..87026e13fb3 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+@@ -37,6 +37,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27297-1
+ cce@rhel8: CCE-80669-5
++ cce@rhel9: CCE-83583-5
+
+ references:
+ stigid@ol7: OL07-00-010320
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+index 08902f5a931..2eb38a4ba6f 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+@@ -30,6 +30,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-26884-7
+ cce@rhel8: CCE-80670-3
++ cce@rhel9: CCE-83588-4
+
+ references:
+ stigid@ol7: OL07-00-010320
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
+index c575ed1c153..b76cf3ad00c 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
++++
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
+@@ -28,6 +28,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27214-6
+ cce@rhel8: CCE-80653-9
++ cce@rhel9: CCE-83566-0
+
+ references:
+ stigid@ol7: OL07-00-010140
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
+index 44f24e8cfb0..f0408f872b8 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
+@@ -32,6 +32,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82020-9
+ cce@rhel8: CCE-80654-7
++ cce@rhel9: CCE-83564-5
+
+ references:
+ stigid@ol7: OL07-00-010160
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+index 20361952d6b..245e97485a3 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+@@ -28,6 +28,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27345-8
+ cce@rhel8: CCE-80655-4
++ cce@rhel9: CCE-83570-2
+
+ references:
+ stigid@ol7: OL07-00-010130
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
+index a1eaf377d24..c2a456fabd4 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27512-3
+ cce@rhel8: CCE-81034-1
++ cce@rhel9: CCE-83575-1
+
+ references:
+ stigid@ol7: OL07-00-010190
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
+index b4fc71af15b..2ee715f20ce 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82055-5
+ cce@rhel8: CCE-82066-2
++ cce@rhel9: CCE-83567-8
+
+ references:
+ stigid@ol7: OL07-00-010180
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+index 1738c4a07c0..509ba7d0f3b 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+@@ -39,6 +39,7 @@ severity:
medium
+ identifiers:
+ cce@rhel7: CCE-82045-6
+ cce@rhel8: CCE-82046-4
++ cce@rhel9: CCE-83563-7
+
+ references:
+ stigid@ol7: OL07-00-010170
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+index 529799224b3..b395ce336e2 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27293-0
+ cce@rhel8: CCE-80656-2
++ cce@rhel9: CCE-83579-3
+
+ references:
+ stigid@ol7: OL07-00-010280
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+index 2f42a13c24b..3f64ac5fff7 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+@@ -30,6 +30,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27360-7
+ cce@rhel8: CCE-80663-8
++ cce@rhel9: CCE-83565-2
+
+ references:
+ stigid@ol7: OL07-00-010150
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+index f1f65e3b03d..c1ef5e5f64d 100644
+---
a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+@@ -24,6 +24,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27160-1
+ cce@rhel8: CCE-80664-6
++ cce@rhel9: CCE-83569-4
+
+ references:
+ stigid@ol7: OL07-00-010119
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+index a55c1b17003..33c60084985 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27200-5
+ cce@rhel8: CCE-80665-3
++ cce@rhel9: CCE-83568-6
+
+ references:
+ stigid@ol7: OL07-00-010120
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+index b0ecbd2bf1e..282c6182af8 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+@@ -46,6 +46,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82043-1
+ cce@rhel8: CCE-80893-1
++ cce@rhel9: CCE-83581-9
+ cce@sle12: CCE-83184-2
+ cce@sle15: CCE-85565-0
+
+diff --git
a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+index bc8c0a224b1..91515fcda12 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82185-0
+ cce@rhel8: CCE-82186-8
++ cce@rhel9: CCE-83592-6
+
+ references:
+ stigid@rhel7: RHEL-07-010481
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+index 3dee04454c3..49e084358b2 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+@@ -24,6 +24,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27287-2
+ cce@rhel8: CCE-80855-0
++ cce@rhel9: CCE-83594-2
+ cce@rhcos4: CCE-82550-5
+
+ references:
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
+index b6f9df180ea..70f73ee2865 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82963-0
+ cce@rhel8: CCE-80644-8
++ cce@rhel9: CCE-83599-1
+
+ references:
+ cui: 3.1.10
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+index 652e9287759..be1ca56f2da 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+@@ -38,6 +38,7 @@ identifiers:
+ cce@sle12: CCE-83177-6
+ cce@sle15: CCE-83292-3
+ cce@rhel8: CCE-84029-8
++ cce@rhel9: CCE-83596-7
+
+ references:
+ stigid@ol7: OL07-00-041001
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
+index 5f8caa69b5e..dfcf1709d0d 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
+@@ -28,6 +28,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80568-9
+ cce@rhel8: CCE-80846-9
++ cce@rhel9: CCE-83595-9
+
+ references:
+ disa: CCI-001954,CCI-001953
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+index 0c538123879..71c05cec2a7 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27355-7
+ cce@rhel8: CCE-80954-1
++ cce@rhel9: CCE-83627-0
+ cce@rhcos4: CCE-82695-8
+ cce@sle12: CCE-83051-3
+
cce@sle15: CCE-85558-5
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
+index 6ef67acd5a1..4ef020cccff 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80208-2
+ cce@rhel8: CCE-80674-5
++ cce@rhel9: CCE-83628-8
+
+ references:
+ cjis: 5.5.2
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+index 15486e55f95..e89543ee542 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27051-2
+ cce@rhel8: CCE-80647-1
++ cce@rhel9: CCE-83606-4
+ cce@sle12: CCE-83050-5
+ cce@sle15: CCE-85570-0
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+index 31cf2d2124c..3bb7d560c33 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82036-5
+ cce@rhel8: CCE-80648-9
++ cce@rhel9:
CCE-83610-6
+ cce@sle12: CCE-83049-7
+ cce@sle15: CCE-85720-1
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+index 4f316230045..6fc5842a7cb 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+@@ -28,6 +28,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82049-8
+ cce@rhel8: CCE-80652-1
++ cce@rhel9: CCE-83608-0
+
+ references:
+ cjis: 5.6.2.1
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
+index 3b51e91d080..3cee41c8ab3 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82016-7
+ cce@rhel8: CCE-80671-1
++ cce@rhel9: CCE-83609-8
+
+ references:
+ cui: 3.5.8
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
+index 0563b15fc4e..a018101e9fa 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
+@@ -18,6 +18,7 @@
severity: medium
+ identifiers:
+ cce@rhel7: CCE-27352-4
+ cce@rhel8: CCE-80651-3
++ cce@rhel9: CCE-83618-9
+
+ references:
+ cjis: 5.5.2
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
+index 71c7f51f1fd..e0219783963 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83402-8
+ cce@rhel8: CCE-83403-6
++ cce@rhel9: CCE-83615-5
+
+ references:
+ anssi: BP28(R32)
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
+index e4912d51154..36181c5b094 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83384-8
+ cce@rhel8: CCE-83386-3
++ cce@rhel9: CCE-83621-3
+
+ references:
+ anssi: BP28(R32)
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
+index 4f48f364505..97a37c42f91 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
++++
b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
+@@ -14,6 +14,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-27503-2
+ cce@rhel8: CCE-80822-0
++ cce@rhel9: CCE-83613-0
+
+ references:
+ stigid@ol7: OL07-00-020300
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+index 4f0c5894d10..eb36cc54ff4 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+@@ -24,6 +24,7 @@ severity: high
+ identifiers:
+ cce@rhel7: CCE-27286-4
+ cce@rhel8: CCE-80841-0
++ cce@rhel9: CCE-83611-4
+ cce@rhcos4: CCE-82553-9
+ cce@sle12: CCE-83039-8
+ cce@sle15: CCE-85576-7
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
+index f9799183e0c..126f2ba5645 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83388-9
+ cce@rhel8: CCE-83389-7
++ cce@rhel9: CCE-83616-3
+
+ references:
+ cis@rhel7: 6.2.4
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
+index 1703c8b7ff4..12e9a1253e1 100644
+---
a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82889-7
+ cce@rhel8: CCE-82890-5
++ cce@rhel9: CCE-83620-5
+
+ references:
+ cis@rhel7: 6.2.2
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
+index 94ba6160154..102c4def630 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83390-5
+ cce@rhel8: CCE-84290-6
++ cce@rhel9: CCE-83612-2
+
+ references:
+ cis@rhel7: 6.2.3
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+index 9e9ac4a3d87..1781d30ce87 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80211-6
+ cce@rhel8: CCE-83444-0
++ cce@rhel9: CCE-83617-1
+ cce@rhcos4: CCE-82667-7
+
+ references:
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+index 0174370d54c..4357fd62803 100644
+---
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+@@ -24,6 +24,7 @@ severity: high
+ identifiers:
+ cce@rhel7: CCE-82054-8
+ cce@rhel8: CCE-80649-7
++ cce@rhel9: CCE-83624-7
+ cce@rhcos4: CCE-82699-0
+ cce@sle12: CCE-83020-8
+ cce@sle15: CCE-85664-1
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
+index cf261e7dbc4..ee402c27798 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27294-8
+ cce@rhel8: CCE-80840-2
++ cce@rhel9: CCE-83625-4
+ cce@rhcos4: CCE-82698-2
+
+ references:
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
+index 65e41ca5c18..b82172844fd 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82015-9
+ cce@rhel8: CCE-80843-6
++ cce@rhel9: CCE-83623-9
+ cce@rhcos4: CCE-82697-4
+ cce@sle15: CCE-85672-4
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
+index 1755f68c28e..0828e1c14e4 100644
+---
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27268-2
+ cce@rhel8: CCE-80856-8
++ cce@rhel9: CCE-83622-1
+
+ references:
+ cui: '3.1.1,3.1.5'
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
+index e53917e4f22..3d04c7ec7ec 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27318-5
+ cce@rhel8: CCE-80864-2
++ cce@rhel9: CCE-83626-2
+
+ references:
+ cui: '3.1.1,3.1.5'
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+index d1da3b69637..c5696d27985 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+@@ -17,6 +17,7 @@ identifiers:
+ cce@rhel7: CCE-80352-8
+ cce@sle12: CCE-83028-1
+ cce@rhel8: CCE-84037-1
++ cce@rhel9: CCE-83635-3
+
+ references:
+ stigid@ol7: OL07-00-010430
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+index 50ae13a1df7..dfc5836d665 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
++++
b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+@@ -20,6 +20,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-82041-5
+ cce@rhel8: CCE-80955-8
++ cce@rhel9: CCE-83641-1
+ cce@sle12: CCE-83065-3
+ cce@sle15: CCE-85555-1
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
+index abe3c4e82a8..74e0ee3261e 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
+@@ -19,6 +19,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-83731-0
+ cce@rhel8: CCE-83732-8
++ cce@rhel9: CCE-90827-7
+
+ references:
+ anssi: BP28(R39)
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
+index 5ded3a505f8..312a2ab6987 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
+@@ -19,6 +19,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-83777-3
+ cce@rhel8: CCE-83778-1
++ cce@rhel9: CCE-83642-9
+
+ references:
+ anssi: BP28(R39)
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+index 5130296ad98..4c890a9ed9f 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27557-8
+ cce@rhel8: CCE-80673-7
++ cce@rhel9: CCE-83633-8
+ cce@sle12: CCE-83011-7
+ cce@sle15: CCE-83269-1
+
+diff --git
a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+index ac541680fa7..bd075ed358c 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80529-1
+ cce@rhel8: CCE-83424-2
++ cce@rhel9: CCE-83639-5
+ cce@sle12: CCE-83074-5
+ cce@sle15: CCE-85628-6
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+index 237e7e86c12..bfd92f73cfe 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80532-5
+ cce@rhel8: CCE-83434-1
++ cce@rhel9: CCE-83629-6
+ cce@sle12: CCE-83096-8
+ cce@sle15: CCE-85711-0
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+index 044118cbdcd..722603ca78c 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+@@ -21,6 +21,7 @@ identifiers:
+ cce@sle12: CCE-83097-6
+ cce@sle15: CCE-85630-2
+ cce@rhel8: CCE-84043-9
++ cce@rhel9: CCE-83637-9
+
+ references:
+ stigid@ol7: OL07-00-020710
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+index e070fdb6669..6f2e53f38da 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+@@ -21,6 +21,7 @@ identifiers:
+ cce@sle12: CCE-83076-0
+ cce@sle15: CCE-85629-4
+ cce@rhel8: CCE-84038-9
++ cce@rhel9: CCE-83634-6
+
+ references:
+ stigid@ol7: OL07-00-020630
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
+index f3b68707cb0..95e67220245 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80201-7
+ cce@rhel8: CCE-84274-0
++ cce@rhel9: CCE-83638-7
+
+ references:
+ disa: CCI-000225
+diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+index 73ebb701cc8..1f09ce4d10e 100644
+--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80200-9
+ cce@rhel8: CCE-80672-9
++ cce@rhel9: CCE-83643-7
+
+ references:
+ disa: CCI-000366
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+index d9afad723ef..3ddbc2272db 100644
+---
a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80202-5
+ cce@rhel8: CCE-81036-6
++ cce@rhel9: CCE-83644-5
+ cce@rhcos4: CCE-84260-9
+
+ references:
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+index 99c7f274bd5..e4f7690f9c7 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80205-8
+ cce@rhel8: CCE-82888-9
++ cce@rhel9: CCE-83647-8
+ cce@sle12: CCE-83052-1
+ cce@sle15: CCE-85659-1
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
+index 2ccc8b93149..e2531c67eb5 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
+@@ -17,6 +17,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-80204-1
+ cce@rhel8: CCE-81035-8
++ cce@rhel9: CCE-90828-5
+ cce@rhcos4: CCE-84262-5
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+index 7f4367ca2e8..826c83f6026 100644
+---
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27339-1
+ cce@rhel8: CCE-80685-1
++ cce@rhel9: CCE-83830-0
+ cce@rhcos4: CCE-82556-2
+ cce@sle12: CCE-83106-5
+ cce@sle15: CCE-85693-0
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+index a5f3f15bf35..05a2bb66ee9 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27364-9
+ cce@rhel8: CCE-80686-9
++ cce@rhel9: CCE-83812-8
+ cce@rhcos4: CCE-82557-0
+ cce@sle12: CCE-83137-0
+ cce@sle15: CCE-85690-6
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+index 48f1016a4c7..11c083e8cc1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27393-8
+ cce@rhel8: CCE-80687-7
++ cce@rhel9: CCE-83832-6
+ cce@rhcos4: CCE-82558-8
+ cce@sle12: CCE-83133-9
+ cce@sle15: CCE-85694-8
+diff --git
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+index b1da8c2e2d9..43a95de5a29 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27388-8
+ cce@rhel8: CCE-80688-5
++ cce@rhel9: CCE-83822-7
+ cce@rhcos4: CCE-82559-6
+ cce@sle12: CCE-83132-1
+ cce@sle15: CCE-85695-5
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+index 4688f94c29e..5499a793840 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+@@ -32,6 +32,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27356-5
+ cce@rhel8: CCE-80689-3
++ cce@rhel9: CCE-83829-2
+ cce@rhcos4: CCE-82560-4
+ cce@sle12: CCE-83136-2
+ cce@sle15: CCE-85721-9
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+index 94bf93b456e..6ac0c29bb8b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27387-0
+ cce@rhel8: CCE-80690-1
++ cce@rhel9: CCE-83831-8
+ cce@rhcos4: CCE-82561-2
+ cce@sle12: CCE-83134-7
+ cce@sle15: CCE-85692-2
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+index 6c6490cec14..2c57c277664 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27353-2
+ cce@rhel8: CCE-80691-9
++ cce@rhel9: CCE-83821-9
+ cce@rhcos4: CCE-82562-0
+ cce@sle12: CCE-83138-8
+ cce@sle15: CCE-85686-4
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+index f8d076876e0..bbb177ebd9a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27389-6
+ cce@rhel8: CCE-80692-7
++ cce@rhel9: CCE-83817-7
+ cce@rhcos4: CCE-82563-8
+ cce@sle12: CCE-83141-2
+ cce@sle15: CCE-85688-0
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+index 746f5b38f70..2682b06a4ba 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27083-5
+ cce@rhel8: CCE-80693-5
++ cce@rhel9: CCE-83833-4
+ cce@rhcos4: CCE-82564-6
+ cce@sle12: CCE-83135-4
+ cce@sle15: CCE-85691-4
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+index cada76ea71f..c5b7f0a4b1a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27410-0
+ cce@rhel8: CCE-80694-3
++ cce@rhel9: CCE-83814-4
+ cce@rhcos4: CCE-82565-3
+ cce@sle12: CCE-83139-6
+ cce@sle15: CCE-85685-6
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+index 7b8a48e4295..ccc2520da57 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27280-7
+
cce@rhel8: CCE-80695-0
++ cce@rhel9: CCE-83808-6
+ cce@rhcos4: CCE-82566-1
+ cce@sle15: CCE-85689-8
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+index 839857dfbbe..89895b2802c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27367-2
+ cce@rhel8: CCE-80696-8
++ cce@rhel9: CCE-83807-8
+ cce@rhcos4: CCE-82567-9
+ cce@sle12: CCE-83140-4
+ cce@sle15: CCE-85684-9
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+index 413b11ebcc3..83511fa4bcf 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27213-8
+ cce@rhel8: CCE-80697-6
++ cce@rhel9: CCE-83811-0
+ cce@rhcos4: CCE-82568-7
+ cce@sle12: CCE-83142-0
+ cce@sle15: CCE-85687-2
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+index 0972a0a04ef..f94d9209106 100644
+---
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+@@ -41,6 +41,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80393-2
+ cce@rhel8: CCE-80698-4
++ cce@rhel9: CCE-83748-4
+ cce@rhcos4: CCE-82569-5
+ cce@sle12: CCE-83215-4
+ cce@sle15: CCE-85716-9
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
+index 4b199b8bca6..8c8a39007cb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80394-0
+ cce@rhel8: CCE-80699-2
++ cce@rhel9: CCE-83749-2
+ cce@rhcos4: CCE-82570-3
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+index 673bdaf3e2a..6280105ce22 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80391-6
+ cce@rhel8: CCE-80700-8
++ cce@rhel9: CCE-83750-0
+ cce@rhcos4: CCE-82571-1
+
+ references:
+diff --git
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
+index 0440dc51191..dfbfce4df9a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80660-4
+ cce@rhel8: CCE-82280-9
++ cce@rhel9: CCE-83736-9
+ cce@rhcos4: CCE-82572-9
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+index 894b1e83fcd..773c1829179 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80392-4
+ cce@rhel8: CCE-80701-6
++ cce@rhel9: CCE-83751-8
+ cce@rhcos4: CCE-82573-7
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
+index 80dc8e2825a..f616cc6940e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82362-5
+ cce@rhel8: CCE-80933-5
++ cce@rhel9: CCE-83746-8
+ cce@rhcos4: CCE-82574-5
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
+index ae2fc418856..453f4ab4354 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
+@@ -28,6 +28,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27206-2
+ cce@rhel8: CCE-80702-4
++ cce@rhel9: CCE-83752-6
+
+ references:
+ cis@rhel7: 4.1.14
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+index 237403a21c8..1c2149fae72 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80995-4
+ cce@rhel8: CCE-80703-2
++ cce@rhel9: CCE-83754-2
+ cce@rhcos4: CCE-82575-2
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+index f8ee193dbfa..5dfc167e34d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80413-8
+ cce@rhel8: CCE-80704-0
++ cce@rhel9: CCE-83756-7
+ cce@rhcos4: CCE-82576-0
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+index 7061949cbe2..49f5c093061 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80412-0
+ cce@rhel8: CCE-80705-7
++ cce@rhel9: CCE-83758-3
+ cce@rhcos4: CCE-82577-8
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+index 5b4677af2bc..80f1483e895 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80996-2
+ cce@rhel8: CCE-80706-5
++ cce@rhel9: CCE-83757-5
+ cce@rhcos4: CCE-82578-6
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+index f0eb0092d79..b6a1a10f75f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80662-0
+ cce@rhel8: CCE-80707-3
++ cce@rhel9: CCE-83755-9
+ cce@rhcos4: CCE-82579-4
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+index 2a8763f30b4..7454775a900 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+@@ -35,6 +35,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27347-4
+ cce@rhel8: CCE-80750-3
++ cce@rhel9: CCE-83793-0
+
+ references:
+ cjis: 5.4.1.1
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+index 648095bb69f..27423e6deaf 100644
+---
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+@@ -35,6 +35,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80385-8
+ cce@rhel8: CCE-80751-1
++ cce@rhel9: CCE-83786-4
+ cce@rhcos4: CCE-82621-4
+ cce@sle12: CCE-83092-7
+ cce@sle15: CCE-85681-5
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+index 5f4e10fc1ac..3391cd44a3d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+@@ -38,6 +38,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80390-8
+ cce@rhel8: CCE-80752-9
++ cce@rhel9: CCE-83800-3
+ cce@rhcos4: CCE-82629-7
+ cce@sle12: CCE-83091-9
+ cce@sle15: CCE-85696-3
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+index 5761374a4f8..7c9441884d3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+@@ -38,6 +38,7 @@ severity: medium
+ identifiers:
+ cce@rhel7:
CCE-80386-6
+ cce@rhel8: CCE-80753-7
++ cce@rhel9: CCE-83801-1
+ cce@rhcos4: CCE-82633-9
+ cce@sle12: CCE-83131-3
+ cce@sle15: CCE-85680-7
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+index 7cf89f50dde..4b4c259cd63 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+@@ -35,6 +35,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80388-2
+ cce@rhel8: CCE-80755-2
++ cce@rhel9: CCE-83796-3
+ cce@rhcos4: CCE-82640-4
+ cce@sle12: CCE-83094-3
+ cce@sle15: CCE-85683-1
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+index a4b9c22956c..7b44a725d6f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+@@ -38,6 +38,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80387-4
+ cce@rhel8: CCE-80754-5
++ cce@rhel9: CCE-83794-8
+ cce@rhcos4: CCE-82634-7
+ cce@sle12: CCE-83093-5
+ cce@sle15: CCE-85682-3
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+index f0ac52a2ab9..899c453b947 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+@@ -38,6 +38,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80389-0
+ cce@rhel8: CCE-80756-0
++ cce@rhel9: CCE-83792-2
+ cce@rhcos4: CCE-82651-1
+ cce@sle12: CCE-83085-1
+ cce@sle15: CCE-85608-8
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+index 446766d0e50..35cb29e095f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+@@ -28,6 +28,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27129-6
+ cce@rhel8: CCE-80709-9
++ cce@rhel9: CCE-83804-5
+
+ references:
+ cis@rhel7: 4.1.17
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+index d8ce90bf575..c96fbb705c8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80415-3
+ cce@rhel8: CCE-80711-5
++ cce@rhel9: CCE-83802-9
+ cce@rhcos4: CCE-82580-2
+ cce@sle12: CCE-83128-9
+ cce@sle15: CCE-85748-2
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+index cf4dea7a588..43b487f06b3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80547-3
+ cce@rhel8: CCE-80712-3
++ cce@rhel9: CCE-83803-7
+ cce@rhcos4: CCE-82581-0
+ cce@sle12: CCE-83129-7
+ cce@sle15: CCE-85749-0
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+index b84eb7c5593..150ae82de02 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80414-6
+ cce@rhel8: CCE-80713-1
++ cce@rhel9: CCE-90835-0
+ cce@rhcos4: CCE-82582-8
+ cce@sle12: CCE-83130-5
+ cce@sle15: CCE-85750-8
+diff --git
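Review bot: The RHEL 9 identifier added for audit_rules_kernel_module_loading_init, `cce@rhel9: CCE-90835-0`, sits outside the CCE-837xx/838xx block that every other rhel9 entry visible in this patch is drawn from; its siblings _delete and _finit get CCE-83802-9 and CCE-83803-7. It may well be a legitimate allocation from a second block, but it should be confirmed against the project's list of available CCEs that the value is reserved for RHEL 9 and not already assigned to another rule. Scanner results and compliance reports are keyed on this identifier, so a wrong or duplicated value would attribute the init_module audit finding to the wrong control.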
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
+index bb7d9672a55..e54d1c98fa3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
+@@ -31,6 +31,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27204-7
+ cce@rhel8: CCE-80717-2
++ cce@rhel9: CCE-83784-9
+
+ references:
+ cjis: 5.4.1.1
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
+index e59377bf222..a196008d371 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80383-3
+ cce@rhel8: CCE-80718-0
++ cce@rhel9: CCE-83783-1
+ cce@rhcos4: CCE-82583-6
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+index 9c2bd1eac7e..b83e36f9844 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80384-1
+ cce@rhel8: CCE-80719-8
++ cce@rhel9:
CCE-83785-6
+ cce@rhcos4: CCE-82584-4
+ cce@sle12: CCE-83108-1
+ cce@sle15: CCE-85598-1
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+index 50cbffd31a3..0f5c73acfd9 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80994-7
+ cce@rhel8: CCE-80720-6
++ cce@rhel9: CCE-83782-3
+ cce@rhcos4: CCE-82585-1
+ cce@sle12: CCE-83107-3
+ cce@sle15: CCE-85597-3
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
+index cf997bbcf4a..32731527a24 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
+@@ -39,6 +39,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27437-3
+ cce@rhel8: CCE-80724-8
++ cce@rhel9: CCE-83759-1
+ cce@rhcos4: CCE-82589-3
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+index dcfbe5de239..92fc399b45c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80398-1
+ cce@rhel8: CCE-80725-5
++ cce@rhel9: CCE-83765-8
+ cce@rhcos4: CCE-82591-9
+ cce@sle12: CCE-83110-7
+ cce@sle15: CCE-85587-4
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+index 43d151984d8..bf559c8fad2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80404-7
+ cce@rhel8: CCE-80726-3
++ cce@rhel9: CCE-83763-3
+ cce@rhcos4: CCE-82592-7
+ cce@sle12: CCE-83163-6
+ cce@sle15: CCE-85586-6
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+index cdbcd540e15..483c8fb4e84 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80410-4
+ cce@rhel8: CCE-80727-1
++ cce@rhel9: CCE-83761-7
+ cce@rhcos4: CCE-82593-5
+ cce@sle12: CCE-83126-3
+ cce@sle15: CCE-85588-2
+diff --git
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+index 64ebb4b3274..ec514df8a96 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80397-3
+ cce@rhel8: CCE-80728-9
++ cce@rhel9: CCE-83773-2
+ cce@rhcos4: CCE-82594-3
+ cce@sle12: CCE-83161-0
+ cce@sle15: CCE-85584-1
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+index a7b1ab0a6f3..f6b09b92430 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80403-9
+ cce@rhel8: CCE-80729-7
++ cce@rhel9: CCE-83766-6
+ cce@rhcos4: CCE-82597-6
+ cce@sle12: CCE-83162-8
+ cce@sle15: CCE-85585-8
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+index c113d75ffb8..cf5804a4eb0 100644
+---
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+@@ -41,6 +41,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80411-2
+ cce@rhel8: CCE-80730-5
++ cce@rhel9: CCE-83767-4
+ cce@rhcos4: CCE-82599-2
+ cce@sle12: CCE-83127-1
+ cce@sle15: CCE-85601-3
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+index df3e1b83dce..6c76998b4e5 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80395-7
+ cce@rhel8: CCE-80731-3
++ cce@rhel9: CCE-83781-5
+ cce@rhcos4: CCE-82600-8
+ cce@sle12: CCE-83160-2
+ cce@sle15: CCE-85583-3
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
+index 6316f31e664..843c42e8c00 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80406-2
+ cce@rhel8: CCE-80732-1
++ cce@rhel9: CCE-83769-0
+
cce@rhcos4: CCE-82601-6
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+index 528018fe8a9..6ab088d9adb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80407-0
+ cce@rhel8: CCE-80733-9
++ cce@rhel9: CCE-83770-8
+ cce@rhcos4: CCE-82602-4
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+index d32a3c45662..1fdfcda2c17 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+@@ -37,6 +37,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80408-8
+ cce@rhel8: CCE-80735-4
++ cce@rhel9: CCE-83776-5
+ cce@rhcos4: CCE-82604-0
+ cce@sle12: CCE-83159-4
+ cce@sle15: CCE-85582-5
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+index bcb50c6b080..592d53e37ff 100644
+---
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80400-5
+ cce@rhel8: CCE-80736-2
++ cce@rhel9: CCE-83771-6
+ cce@rhcos4: CCE-82605-7
+ cce@sle12: CCE-83143-8
+ cce@sle15: CCE-85602-1
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+index 83775fefe5f..759bbbfdda0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80401-3
+ cce@rhel8: CCE-80737-0
++ cce@rhel9: CCE-83780-7
+ cce@rhcos4: CCE-82606-5
+ cce@sle12: CCE-83144-6
+ cce@sle15: CCE-85603-9
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
+index 6f8ed9f3163..45f851653cd 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80402-1
+ cce@rhel8: CCE-80738-8
++ cce@rhel9: CCE-83764-1
+ cce@rhcos4: CCE-82607-3
+ cce@sle15:
CCE-85717-7
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+index abf9d895013..db04572f95a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80405-4
+ cce@rhel8: CCE-80739-6
++ cce@rhel9: CCE-83762-5
+ cce@rhcos4: CCE-82608-1
+ cce@sle12: CCE-83158-6
+ cce@sle15: CCE-85734-2
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+index f1b9dd19237..b3a13b54621 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80396-5
+ cce@rhel8: CCE-80740-4
++ cce@rhel9: CCE-83768-2
+ cce@rhcos4: CCE-82609-9
+ cce@sle12: CCE-83109-9
+ cce@sle15: CCE-85727-6
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+index 8d92480f717..e32b43bb00d 100644
+---
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80399-9
+ cce@rhel8: CCE-80741-2
++ cce@rhel9: CCE-83760-9
+ cce@rhcos4: CCE-82610-7
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+index f42bcf1a18c..e37327bf154 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27097-5
+ cce@rhel8: CCE-80708-1
++ cce@rhel9: CCE-83716-1
+ cce@rhcos4: CCE-82668-5
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
+index 3567507042f..bce6d2534dd 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27168-4
+ cce@rhel8: CCE-80721-4
++ cce@rhel9: CCE-83721-1
+ cce@rhcos4: CCE-82586-9
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+index 883b19d998e..ec97d311975 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27447-2
+ cce@rhel8: CCE-80722-2
++ cce@rhel9: CCE-83735-1
+ cce@rhcos4: CCE-82587-7
+ cce@sle12: CCE-83217-0
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
+index 134cc80a7d4..7f354a63867 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27076-9
+ cce@rhel8: CCE-80723-0
++ cce@rhel9: CCE-83706-2
+ cce@rhcos4: CCE-82588-5
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
+index ddaa1f504b1..a0a232d14b0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27301-1
+ cce@rhel8: CCE-80742-0
++ cce@rhel9: CCE-83713-8
+ cce@rhcos4: CCE-82612-3
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+index b1d13fba2b8..4e095e9fcce 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+
identifiers:
+ cce@rhel7: CCE-27461-3
+ cce@rhel8: CCE-80743-8
++ cce@rhel9: CCE-83729-4
+ cce@rhcos4: CCE-82613-1
+ cce@sle15: CCE-85679-9
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
+index 18ee888a8e6..240b0dcff30 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
+@@ -30,6 +30,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80997-0
+ cce@rhel8: CCE-80744-6
++ cce@rhel9: CCE-83709-6
+
+ references:
+ stigid@ol7: OL07-00-030010
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
+index a09d23f6dff..f0580448f18 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27192-4
+ cce@rhel8: CCE-80757-8
++ cce@rhel9: CCE-83715-3
+
+ references:
+ stigid@ol7: OL07-00-030710
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+index f4f5820b617..1fab77b25f3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+@@ -30,6 +30,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80433-6
+ cce@rhel8: CCE-80758-6
++ cce@rhel9: CCE-83722-9
+
cce@rhcos4: CCE-82654-5
+ cce@sle12: CCE-83121-4
+ cce@sle15: CCE-85578-3
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+index 3f48685b35b..889d3bf1c79 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+@@ -30,6 +30,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80432-8
+ cce@rhel8: CCE-80759-4
++ cce@rhel9: CCE-83723-7
+ cce@rhcos4: CCE-82655-2
+ cce@sle12: CCE-83095-0
+ cce@sle15: CCE-85580-9
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+index 5e3eba4b3f5..d4cc22ee1a1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+@@ -30,6 +30,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80430-2
+ cce@rhel8: CCE-80760-2
++ cce@rhel9: CCE-83712-0
+ cce@rhcos4: CCE-82656-0
+ cce@sle12: CCE-83123-0
+ cce@sle15: CCE-85728-4
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+index 0c545fd0c66..6930d0d20be 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+@@ -30,6 +30,7 @@ severity: medium
+
identifiers:
+ cce@rhel7: CCE-80435-1
+ cce@rhel8: CCE-80761-0
++ cce@rhel9: CCE-83714-6
+ cce@rhcos4: CCE-82657-8
+ cce@sle12: CCE-83120-6
+ cce@sle15: CCE-85577-5
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+index d4763ca4709..32b597820c4 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+@@ -30,6 +30,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80431-0
+ cce@rhel8: CCE-80762-8
++ cce@rhel9: CCE-83725-2
+ cce@rhcos4: CCE-82658-6
+ cce@sle12: CCE-83122-2
+ cce@sle15: CCE-85579-1
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
+index 3e369f14489..290913884b6 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27290-6
+ cce@rhel8: CCE-80745-3
++ cce@rhel9: CCE-83840-9
+ cce@rhcos4: CCE-82614-9
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
+index f8ef91a5182..e2bd099a151 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27219-5
+ cce@rhel8: CCE-80746-1
++ cce@rhel9: CCE-83837-5
+ cce@rhcos4: CCE-82615-6
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
+index f457fba8061..8a0488d8e3d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27216-1
+ cce@rhel8: CCE-80747-9
++ cce@rhel9: CCE-83836-7
+ cce@rhcos4: CCE-82616-4
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
+index b8b6fbe6db2..65de17e8dee 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
+@@ -37,6 +37,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27299-7
+ cce@rhel8: CCE-80748-7
++ cce@rhel9: CCE-83835-9
+ cce@rhcos4: CCE-82617-2
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
+index 37d51535902..063725a1aee 100644
+---
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27310-2
+ cce@rhel8: CCE-80749-5
++ cce@rhel9: CCE-83839-1
+ cce@rhcos4: CCE-82618-0
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+index 2c869dfb128..c13c8fb13c2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhcos4: CCE-82692-5
+ cce@rhel8: CCE-84048-8
++ cce@rhel9: CCE-83734-4
+
+ references:
+ nist: CM-6(a),AC-6(1),AU-9
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+index e495992ecb6..3d2ae4eb21c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80125-8
+ cce@rhel8: CCE-80808-9
++ cce@rhel9: CCE-83726-0
+ cce@rhcos4: CCE-82691-7
+
+ references:
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+index f9ce395716c..d1f109a7312 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27205-4
+ cce@rhel8: CCE-80819-6
++ cce@rhel9: CCE-83720-3
+ cce@rhcos4: CCE-82690-9
+
+ references:
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
+index c42c90a8254..ed31e661e58 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27341-7
+ cce@rhel8: CCE-80677-8
++ cce@rhel9: CCE-83695-7
+
+ references:
+ cjis: 5.4.1.1
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
+index f1102676c58..57e98a96963 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
+@@ -25,6 +25,7 @@ identifiers:
+ cce@rhel7: CCE-80646-3
+ cce@rhcos4: CCE-82679-2
+ cce@rhel8: CCE-84046-2
++ cce@rhel9: CCE-83690-8
+
+ references:
+ nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
+index fd3aff398c6..77a56c9928d 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
++++
b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
+@@ -29,6 +29,7 @@ identifiers:
+ cce@sle12: CCE-83032-3
+ cce@sle15: CCE-85606-2
+ cce@rhel8: CCE-84045-4
++ cce@rhel9: CCE-83684-1
+
+ references:
+ nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+index 114363370cd..f7e1eed913a 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27394-6
+ cce@rhel8: CCE-80678-6
++ cce@rhel9: CCE-83698-1
+ cce@rhcos4: CCE-82675-0
+ cce@sle12: CCE-83030-7
+ cce@sle15: CCE-85604-7
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
+index c6ce1adb653..98822fb7a92 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27370-6
+ cce@rhel8: CCE-80679-4
++ cce@rhel9: CCE-83700-5
+ cce@rhcos4: CCE-82677-6
+
+ references:
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
+index 6d100796619..7087dd536e1 100644
+---
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27331-8
+ cce@rhel8: CCE-80680-2
++ cce@rhel9: CCE-83685-8
+ cce@rhcos4: CCE-82508-3
+
+ references:
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
+index d825f887f04..18a83773926 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27319-3
+ cce@rhel8: CCE-80681-0
++ cce@rhel9: CCE-83683-3
+ cce@rhcos4: CCE-82694-1
+
+ references:
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+index ef32b8dda40..ac486f9fdee 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+@@ -30,6 +30,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27231-0
+ cce@rhel8: CCE-80682-8
++ cce@rhel9: CCE-83701-3
+ cce@rhcos4: CCE-82680-0
+
+ references:
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
+index dbaa3c76e18..8618a85c6d7 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27348-2
+ cce@rhel8: CCE-80683-6
++ cce@rhel9: CCE-83688-2
+ cce@rhcos4: CCE-82693-3
+
+ references:
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+index 0700e4881d2..6babd3b3a01 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+@@ -31,6 +31,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27375-5
+ cce@rhel8: CCE-80684-4
++ cce@rhel9: CCE-83703-9
+ cce@rhcos4: CCE-82678-4
+
+ references:
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
+index 3f6cc973db0..56f618c99ae 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82358-3
+ cce@rhel8: CCE-82258-5
++ cce@rhel9: CCE-83704-7
+ cce@rhcos4: CCE-82512-5
+
+ references:
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
+index ad5a39d3c90..5df38381c28 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
++++
b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82355-9
+ cce@rhel8: CCE-82233-8
++ cce@rhel9: CCE-83682-5
+ cce@rhcos4: CCE-82509-1
+
+ references:
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
+index 407e33433cd..1f3280507e3 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82357-5
+ cce@rhel8: CCE-82201-5
++ cce@rhel9: CCE-83696-5
+ cce@rhcos4: CCE-82511-7
+
+ references:
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
+index a778d5faf28..3557e8b79f8 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82359-1
+ cce@rhel8: CCE-82897-0
++ cce@rhel9: CCE-83686-6
+ cce@rhcos4: CCE-82513-3
+
+ references:
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
+index 0becb1671ce..24207420764 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82356-7
+ cce@rhel8: CCE-82366-6
++
cce@rhel9: CCE-83705-4
+ cce@rhcos4: CCE-82510-9
+
+ references:
+diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+index 9f8823ad464..6408818fb8a 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+@@ -28,6 +28,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27212-0
+ cce@rhel8: CCE-80825-3
++ cce@rhel9: CCE-83651-0
+
+ references:
+ cis@rhel7: 4.1.3
+diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+index aab1e2f8cff..3a93dc412b4 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82156-1
+ cce@rhel8: CCE-80943-4
++ cce@rhel9: CCE-83652-8
+
+ references:
+ srg: SRG-OS-000254-GPOS-00095,SRG-OS-000341-GPOS-00132
+diff --git a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
+index 6d96d340a33..85ba222d616 100644
+--- a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
++++ b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82954-9
+ cce@rhel8: CCE-82953-1
++ cce@rhel9: CCE-83648-6
+
+ references:
+ srg: SRG-OS-000342-GPOS-00133
+diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
+index ac1da528ee6..3cbc735f963 100644
+--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml
++++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
+@@ -11,6 +11,7 @@
severity: medium
+ identifiers:
+ cce@rhel7: CCE-81042-4
+ cce@rhel8: CCE-81043-2
++ cce@rhel9: CCE-83649-4
+ cce@rhcos4: CCE-82669-3
+ cce@sle12: CCE-83023-2
+ cce@sle15: CCE-85612-0
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
+index a0d856b023b..1d415ae973b 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
+@@ -31,6 +31,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82833-5
++ cce@rhel9: CCE-83672-6
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
+index 6f79a5cf04a..dc2ff4236fa 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
+@@ -36,6 +36,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82834-3
++ cce@rhel9: CCE-83653-6
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
+index bd5d6455351..84f064eb799 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
+@@ -44,6 +44,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82827-7
++ cce@rhel9: CCE-83670-0
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
+index b2f731d11ba..6af306aa0aa 100644
+---
a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
+@@ -44,6 +44,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82374-0
++ cce@rhel9: CCE-83669-2
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
+index a03a7f3b715..cfb737d4452 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
+@@ -37,6 +37,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82829-3
++ cce@rhel9: CCE-83668-4
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
+index d4bd88e6cfc..4436051f808 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
+@@ -36,6 +36,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82835-0
++ cce@rhel9: CCE-83667-6
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
+index 6c05a736e39..2bf582dd53f 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
+@@ -35,6 +35,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82836-8
++ cce@rhel9: CCE-83680-9
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+index
34e9fc134e0..18514ecff5a 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+@@ -32,6 +32,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82828-5
++ cce@rhel9: CCE-83673-4
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
+index 2d0f7cf9da3..81493843494 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
+@@ -44,6 +44,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82830-1
++ cce@rhel9: CCE-83671-8
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
+index 28045878a69..45fa2df7aa7 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
+@@ -39,6 +39,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82832-7
++ cce@rhel9: CCE-83681-7
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
+index d764e384ea2..261cd4ef445 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
+@@ -36,6 +36,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82838-4
++ cce@rhel9: CCE-90814-5
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
+index 0a41ece25fc..aef687ae110 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
+@@ -116,6 +116,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82373-2
++ cce@rhel9: CCE-83655-1
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
+index a95c0146b11..47c31aeee19 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
+@@ -37,6 +37,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82384-9
++ cce@rhel9: CCE-83675-9
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
+index 4133eb193f2..5a6792c5f1b 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
+@@ -38,6 +38,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82385-6
++ cce@rhel9: CCE-83658-5
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
+index 47f248a2b36..f83c888b928 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
+@@ -36,6 +36,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82837-6
++ cce@rhel9: CCE-83676-7
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
+index 5017b17849b..8bd5d90049a 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
+@@ -35,6 +35,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82383-1
++ cce@rhel9: CCE-83678-3
+
+ references:
+ ospp: FAU_GEN.1.1.c
+diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+index 19421f40ade..112bda557df 100644
+--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
++++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+@@ -26,6 +26,7 @@ requires:
+ identifiers:
+ cce@rhel7: CCE-27407-6
+ cce@rhel8: CCE-80872-5
++ cce@rhel9: CCE-90829-3
+ cce@rhcos4: CCE-82463-1
+ cce@sle12: CCE-83024-0
+ cce@sle15: CCE-85581-7
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+index c1f77e21c36..0a0d76aeb23 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+@@ -15,6 +15,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-82351-8
+ cce@rhel8: CCE-83920-9
++ cce@rhel9: CCE-83844-1
+
+ references:
+ anssi: BP28(R11)
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+index 03f56b8031d..308ae9cb735 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+
+ identifiers:
+
cce@rhel8: CCE-83314-5
++ cce@rhel9: CCE-83841-7
+
+ references:
+ ospp: FCS_RBG_EXT.1.1
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+index f186b1ae6e7..7a8d228ddc3 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+@@ -21,6 +21,7 @@ severity: high
+
+ identifiers:
+ cce@rhel8: CCE-82194-2
++ cce@rhel9: CCE-83843-3
+
+ references:
+ srg: SRG-OS-000433-GPOS-00193,SRG-OS-000095-GPOS-00049
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+index 0b5873c56a2..f82c1648315 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82159-5
+ cce@rhel8: CCE-80946-7
++ cce@rhel9: CCE-83842-5
+
+ references:
+ srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
+index 38f33d1812a..28132401b0e 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82023-3
+ cce@rhel8: CCE-80800-6
++ cce@rhel9: CCE-83848-2
+
+ references:
+ cis@rhel7: 1.4.2
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
+index 80c53fdd4b0..70ebc483f25 100644
+---
a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82026-6
+ cce@rhel8: CCE-80805-5
++ cce@rhel9: CCE-83845-8
+
+ references:
+ cis@rhel7: 1.4.2
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
+index 6564de998e2..d3ee73725d8 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82039-9
+ cce@rhel8: CCE-80814-7
++ cce@rhel9: CCE-83846-6
+
+ references:
+ cis@rhel7: 1.4.2
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+index 795230dcbec..89b29fc27d4 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+@@ -43,6 +43,7 @@ severity: high
+ identifiers:
+ cce@rhel7: CCE-27309-4
+ cce@rhel8: CCE-80828-7
++ cce@rhel9: CCE-83849-0
+ cce@sle12: CCE-83044-8
+ cce@sle15: CCE-83274-1
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index 987a42d31ec..d342163b6c0 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83321-0
++ cce@rhel9: CCE-84096-7
+
+ ocil_clause: 'auditing is not enabled at boot time'
+
+diff --git
a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index cfb8c08f31d..c37fbcb9ba1 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83341-8
++ cce@rhel9: CCE-84099-1
+
+ ocil_clause: 'audit backlog limit is not configured'
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+index b8b025f74f4..56b634d4b19 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83485-3
++ cce@rhel9: CCE-84092-6
+
+ ocil_clause: 'a non BLS boot entry is configured'
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+index c8133e19ab4..6c7e3396553 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83486-1
++ cce@rhel9: CCE-84098-3
+
+ ocil_clause: 'the bootmap is outdated'
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index c626f6188cd..0cd61ae2f53 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: 
CCE-83351-7
++ cce@rhel9: CCE-84101-5
+
+ ocil_clause: 'page allocator poisoning is not enabled'
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index d266165cddc..df0f6c3ee98 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83371-5
++ cce@rhel9: CCE-84094-2
+
+ ocil_clause: 'SLUB/SLAB poisoning is not enabled'
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index 387f7f13850..52b192ffc52 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83381-4
++ cce@rhel9: CCE-84100-7
+
+ ocil_clause: 'vsyscalls are enabled'
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+index 7d78a6963c2..569c0371ec3 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80380-9
+ cce@rhel8: CCE-80859-2
++ cce@rhel9: CCE-83994-4
+
+ references:
+ stigid@ol7: OL07-00-021100
+diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+index c2e28da36f8..b734c694779 100644
+--- 
a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80195-1
+ cce@rhel8: CCE-80794-1
++ cce@rhel9: CCE-83993-6
+ cce@rhcos4: CCE-82689-1
+
+ references:
+diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
+index afa2afd6671..62982ff8a94 100644
+--- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
++++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82859-0
++ cce@rhel9: CCE-83987-8
+
+ references:
+ ospp: FTP_ITC_EXT.1.1
+diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
+index e5c90880a27..8ded536b23e 100644
+--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80192-8
+ cce@rhel8: CCE-84275-7
++ cce@rhel9: CCE-83995-1
+
+ references:
+ stigid@ol7: OL07-00-031010
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index bf8e746aac9..1bb9f3625e7 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -38,6 +38,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27343-3
+ cce@rhel8: CCE-80863-4
++ cce@rhel9: CCE-83990-2
+ cce@sle12: 
CCE-83180-0
+ cce@sle15: CCE-85552-8
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
+index 2f908980994..6bfe1524ce5 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82457-3
++ cce@rhel9: CCE-83991-0
+
+ references:
+ nist: AU-9(3),CM-6(a)
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
+index 801684102fe..2398c0317a7 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82458-1
++ cce@rhel9: CCE-83992-8
+
+ references:
+ ospp: FCS_TLSC_EXT.1,FTP_ITC_EXT.1.1
+diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+index 8b88773f0ff..7298262fe52 100644
+--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
++++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+@@ -15,6 +15,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80188-6
+ cce@rhel8: CCE-80886-5
++ cce@rhel9: CCE-83989-4
+
+ references:
+ anssi: BP28(R5),NT28(R46)
+diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+index fc79c5f06e8..b9ce05776a1 100644
+--- 
a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82999-4
+ cce@rhel8: CCE-82998-6
++ cce@rhel9: CCE-84021-5
+ cce@rhcos4: CCE-82521-6
+ cce@sle15: CCE-85698-9
+
+diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+index b4afabb15fd..7003d666198 100644
+--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80998-8
+ cce@rhel8: CCE-80877-4
++ cce@rhel9: CCE-90833-5
+ cce@rhcos4: CCE-82554-7
+ cce@sle15: CCE-85751-6
+
+diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
+index 636e30e3e1f..51848fc19f4 100644
+--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27349-0
+ cce@rhel8: CCE-80890-7
++ cce@rhel9: CCE-84023-1
+
+ references:
+ stigid@ol7: OL07-00-040810
+diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
+index 20e5f729460..e8e06e5b2b4 100644
+--- 
a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
++++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80170-4
+ cce@rhel8: CCE-80845-1
++ cce@rhel9: CCE-84068-6
+ cce@rhcos4: CCE-82525-7
+
+ references:
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+index 43fd69a2003..5d0fc56b27a 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80180-3
+ cce@rhel8: CCE-81006-9
++ cce@rhel9: CCE-84120-5
+ cce@rhcos4: CCE-82467-2
+
+ references:
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
+index ba9182b87a0..979201fc23a 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
+@@ -13,6 +13,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84271-6
+ cce@rhel8: CCE-84272-4
++ cce@rhel9: CCE-84115-5
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
+index a7a0c007b0b..d430df13480 100644
+--- 
a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
+@@ -13,6 +13,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84279-9
+ cce@rhel8: CCE-84280-7
++ cce@rhel9: CCE-84122-1
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
+index 909e8cfcfbd..8c009414d35 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
+@@ -13,6 +13,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84287-2
+ cce@rhel8: CCE-84288-0
++ cce@rhel9: CCE-84111-4
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+index 8d92c0fec29..66826772a68 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80182-9
+ cce@rhel8: CCE-81009-3
++ cce@rhel9: CCE-84125-4
+ cce@rhcos4: CCE-82471-4
+ cce@sle15: CCE-85708-6
+
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml 
b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+index bf9263a67a8..a77d1f4a21e 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80179-5
+ cce@rhel8: CCE-81013-5
++ cce@rhel9: CCE-84131-2
+ cce@rhcos4: CCE-82480-5
+ cce@sle12: CCE-83078-6
+ cce@sle15: CCE-85649-2
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
+index 7f4cf1b36cc..d0b011dd892 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
+@@ -13,6 +13,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84265-8
+ cce@rhel8: CCE-84266-6
++ cce@rhel9: CCE-84126-2
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+index 0f4330678ac..447e9533a56 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80356-9
+ cce@rhel8: CCE-82863-2
++ cce@rhel9: CCE-84114-8
+ cce@sle15: CCE-85713-6
+
+ references:
+diff --git 
a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
+index 1478ffb0438..038d4b2efbf 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
+@@ -15,6 +15,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84258-3
+ cce@rhel8: CCE-84259-1
++ cce@rhel9: CCE-84112-2
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
+index 70081798a18..697718eef25 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
+@@ -13,6 +13,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84281-5
+ cce@rhel8: CCE-84109-8
++ cce@rhel9: CCE-84128-8
+
+
+ references:
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+index 0bbf39499bf..3736a8c934d 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80181-1
+ cce@rhel8: CCE-81007-7
++ cce@rhel9: CCE-84124-7
+ cce@rhcos4: CCE-82468-0
+
+ references: 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
+index ebd596f9688..2da8c426314 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
+@@ -13,6 +13,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84267-4
+ cce@rhel8: CCE-84268-2
++ cce@rhel9: CCE-84116-3
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
+index 18882c3a826..2865601da80 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
+@@ -13,6 +13,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84273-2
+ cce@rhel8: CCE-84051-2
++ cce@rhel9: CCE-84118-9
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
+index b0b27f379f5..6de9820b44a 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
+@@ -13,6 +13,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84289-8
+ 
cce@rhel8: CCE-84291-4
++ cce@rhel9: CCE-84121-3
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+index 49d92c2a763..8f55e1ecf4a 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80183-7
+ cce@rhel8: CCE-81010-1
++ cce@rhel9: CCE-84113-0
+ cce@rhcos4: CCE-82477-1
+ cce@sle15: CCE-85722-7
+ cce@sle12: CCE-83223-8
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+index 3f81bf20f53..a5c911aec64 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80355-1
+ cce@rhel8: CCE-81015-0
++ cce@rhel9: CCE-84130-4
+ cce@rhcos4: CCE-82481-3
+ cce@sle15: CCE-85653-4
+
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
+index 37545b05822..95a023ef48e 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
++++ 
b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
+@@ -13,6 +13,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84263-3
+ cce@rhel8: CCE-84264-1
++ cce@rhel9: CCE-84133-8
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
+index 5c764c307c6..d7795727431 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
+@@ -15,6 +15,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84256-7
+ cce@rhel8: CCE-84257-5
++ cce@rhel9: CCE-84117-1
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
+index 36b3016ccf4..d4eeebf721e 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
+@@ -13,6 +13,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-84283-1
+ cce@rhel8: CCE-83477-0
++ cce@rhel9: CCE-84026-4
+
+
+ references:
+diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml
+index 0de8259e975..d7aa582a33b 100644
+--- 
a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82871-5
+ cce@rhel8: CCE-82872-3
++ cce@rhel9: CCE-84024-9
+
+ references:
+ cis@rhel7: 3.3.3
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+index e044f2f85b0..0f835e52c11 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80158-9
+ cce@rhel8: CCE-80917-8
++ cce@rhel9: CCE-84011-6
+ cce@rhcos4: CCE-82469-8
+ cce@sle12: CCE-83090-1
+ cce@sle15: CCE-85651-8
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+index c973a5cd4f5..6e734167503 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27434-0
+ cce@rhel8: CCE-81011-9
++ cce@rhel9: CCE-84001-7
+ cce@rhcos4: CCE-82478-9
+ cce@sle12: CCE-83064-6
+ cce@sle15: CCE-85648-4
+diff --git 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
+index 43fefc50c5a..48d815feaa2 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
+@@ -17,6 +17,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-80160-5
+ cce@rhel8: CCE-81018-4
++ cce@rhel9: CCE-84000-9
+ cce@rhcos4: CCE-82486-2
+
+ references:
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+index 7f1dcbee78d..dabb3606d6d 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80167-0
+ cce@rhel8: CCE-81021-8
++ cce@rhel9: CCE-84008-2
+ cce@rhcos4: CCE-82488-8
+
+ references:
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
+index 161b76aa880..cd1865f86fb 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
++++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80159-7
+ cce@rhel8: CCE-81016-8
++ cce@rhel9: CCE-84016-5
+ cce@rhcos4: CCE-82482-1
+
+ references:
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+index 8cb3b0a64c1..c1f6770933b 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80163-9
+ cce@rhel8: CCE-80919-4
++ cce@rhel9: CCE-84003-3
+ cce@rhcos4: CCE-82470-6
+ cce@sle12: CCE-83081-0
+ cce@sle15: CCE-85652-6
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+index 6170a83afb1..783c42ee4c2 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80162-1
+ cce@rhel8: CCE-80920-2
++ cce@rhel9: CCE-84007-4
+ cce@rhcos4: CCE-82479-7
+ cce@sle12: CCE-83079-4
+ cce@sle15: CCE-85650-0
+diff --git 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
+index 5a7bb934bdf..7ed2e2f1423 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
+@@ -17,6 +17,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-80161-3
+ cce@rhel8: CCE-81020-0
++ cce@rhel9: CCE-84014-0
+ cce@rhcos4: CCE-82487-0
+
+ references:
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
+index 8e0687c50a4..32498d5de5a 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80168-8
+ cce@rhel8: CCE-81022-6
++ cce@rhel9: CCE-84009-0
+ cce@rhcos4: CCE-82489-6
+
+ references:
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+index 8b6378eaf6e..18da604b29d 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
++++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80164-7
+ cce@rhel8: CCE-81017-6
++ cce@rhel9: CCE-84019-9
+ cce@rhcos4: CCE-82483-9
+
+ references:
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+index 11eddda99ed..bd6ee152a31 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80165-4
+ cce@rhel8: CCE-80922-8
++ cce@rhel9: CCE-84004-1
+ cce@rhcos4: CCE-82491-2
+ cce@sle12: CCE-83080-2
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
+index ab3e5e8b6e7..70eeb8341b6 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
+@@ -15,6 +15,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-80166-2
+ cce@rhel8: CCE-81023-4
++ cce@rhel9: CCE-84015-7
+ cce@rhcos4: CCE-82490-4
+
+ references:
+diff --git 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
+index c4f398fc3da..84bb91629f2 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-84276-5
+ cce@rhel8: CCE-84277-3
++ cce@rhel9: CCE-90834-3
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
+index f9ff179e2cc..b70279f6cbd 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-84269-0
+ cce@rhel8: CCE-84270-8
++ cce@rhel9: CCE-84012-4
+
+ references:
+ anssi: BP28(R22)
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+index 2643f7b34af..4f9ded02621 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+@@ -19,6 +19,7 @@ severity:
medium
+ identifiers:
+ cce@rhel7: CCE-27495-1
+ cce@rhel8: CCE-80923-6
++ cce@rhel9: CCE-84006-6
+ cce@rhcos4: CCE-82492-0
+ cce@sle12: CCE-83179-2
+ cce@sle15: CCE-83283-2
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+index 5bb3a291d88..4a941677e84 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80156-3
+ cce@rhel8: CCE-80918-6
++ cce@rhel9: CCE-83997-7
+ cce@rhcos4: CCE-82484-7
+ cce@sle12: CCE-83089-3
+ cce@sle15: CCE-85655-9
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+index c2fca54905b..40dd979e981 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80999-6
+ cce@rhel8: CCE-80921-0
++ cce@rhel9: CCE-83999-3
+ cce@rhcos4: CCE-82485-4
+ cce@sle12: CCE-83086-9
+ cce@sle15: CCE-85654-2
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+index 4b70eed91d5..0885d759506 100644
+---
a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80157-1
+ cce@rhel8: CCE-81024-2
++ cce@rhel9: CCE-83998-5
+ cce@sle12: CCE-83088-5
+ cce@sle15: CCE-85709-4
+
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
+index b35b94c0649..cf538b45c8a 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82162-9
+ cce@rhel8: CCE-82028-2
++ cce@rhel9: CCE-84137-9
+ cce@rhcos4: CCE-82518-2
+
+ references:
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
+index 97c10b91f40..5401bf0a552 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82164-5
+ cce@rhel8: CCE-82059-7
++ cce@rhel9: CCE-84134-6
+ cce@rhcos4: CCE-82519-0
+
+ references:
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+index 110a84efcae..f0842cded24 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+
cce@rhel7: CCE-82024-1
+ cce@rhel8: CCE-80833-7
++ cce@rhel9: CCE-84136-1
+
+ references:
+ stigid@ol7: OL07-00-020101
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
+index 43ba8378d43..845d4d8f67a 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82160-3
+ cce@rhel8: CCE-82005-0
++ cce@rhel9: CCE-84060-3
+ cce@rhcos4: CCE-82517-4
+
+ references:
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
+index 85a8a7e02e0..beb0c7ffcc4 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
+@@ -17,6 +17,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-82869-9
+ cce@rhel8: CCE-82870-7
++ cce@rhel9: CCE-84064-5
+
+ references:
+ cis@rhel7: 3.5.3
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+index aa074954939..53393d561a4 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82044-9
+ cce@rhel8: CCE-80834-5
++ cce@rhel9: CCE-84139-5
+ cce@rhcos4: CCE-82516-6
+
+ references:
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
+index 1b44eeaa816..6f212aae42d 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
+@@ -24,6 +24,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83395-4
+ cce@rhel8: CCE-82297-3
++ cce@rhel9: CCE-84065-2
+ cce@rhcos4: CCE-82520-8
+
+ references:
+diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
+index 55fa265f7b3..bd79f613f9e 100644
+--- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27327-6
+ cce@rhel8: CCE-80832-9
++ cce@rhel9: CCE-84067-8
+ cce@rhcos4: CCE-82515-8
+
+ references:
+diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+index aaa17c752cf..6826f72b38d 100644
+--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
++++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+@@ -36,6 +36,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27358-1
+ cce@rhel8: CCE-83501-7
++ cce@rhel9: CCE-84066-0
+ cce@rhcos4: CCE-82660-2
+ cce@sle12: CCE-83148-7
+ cce@sle15: CCE-83286-5
+diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
+index 9b1e0b4f69d..3048f0bc8d7
100644
+--- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
++++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
+@@ -29,6 +29,7 @@ platform: machine # The oscap interface probe doesn't support offline mode
+ identifiers:
+ cce@rhel7: CCE-80174-6
+ cce@rhel8: CCE-82283-3
++ cce@rhel9: CCE-83996-9
+ cce@sle12: CCE-83147-9
+ cce@sle15: CCE-85656-7
+
+diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
+index 0a4232cae38..8fccb555dc3 100644
+--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83374-9
+ cce@rhel8: CCE-83375-6
++ cce@rhel9: CCE-83903-5
+
+ references:
+ anssi: BP28(R40)
+diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+index 4a72ddda83e..2babda397c8 100644
+--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80130-8
+ cce@rhel8: CCE-80783-4
++ cce@rhel9: CCE-83895-3
+ cce@rhcos4: CCE-82753-5
+ cce@sle12: CCE-83047-1
+ cce@sle15: CCE-83282-4
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+index 12b1ed7483c..aa821dccf22 100644
+--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+@@ -27,6 +27,7 @@
severity: medium
+ identifiers:
+ cce@rhel7: CCE-80132-4
+ cce@rhel8: CCE-80816-2
++ cce@rhel9: CCE-83901-9
+
+ references:
+ anssi: BP28(R37),BP28(R38)
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+index 079679d5b17..5eccb8ec703 100644
+--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80133-2
+ cce@rhel8: CCE-80817-0
++ cce@rhel9: CCE-83897-9
+
+ references:
+ anssi: BP28(R37),BP28(R38)
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
+index 37614b561ec..cdab3363005 100644
+--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80131-6
+ cce@rhel8: CCE-80818-8
++ cce@rhel9: CCE-83902-7
+
+ references:
+ cis@rhel7: 6.1.10
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+index 9af992d2e71..6ffe95805c8 100644
+--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
++++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80135-7
+ cce@rhel8: CCE-83497-8
++ cce@rhel9: CCE-83906-8
+ cce@sle12: CCE-83073-7
+ cce@sle15: CCE-85658-3
+
+diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+index 1169d757fd0..087e23ac547 100644
+--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
++++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80134-0
+ cce@rhel8: CCE-83499-4
++ cce@rhel9: CCE-83896-1
+ cce@sle12: CCE-83072-9
+ cce@sle15: CCE-85657-5
+
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
+index 8752366d140..a5140984c51 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83474-7
+ cce@rhel8: CCE-83475-4
++ cce@rhel9: CCE-83928-2
+
+ references:
+ cis@rhel7: 6.1.8
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+index 4b0f213e2d2..c66413c54a9 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83534-8
+ cce@rhel8: CCE-83535-5
++ cce@rhel9: CCE-83951-4
+
+ references:
+ cis@rhel7: 6.1.9
+diff --git
a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
+index 67a8a2b2f7b..9bdf77e0f43 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83323-6
+ cce@rhel8: CCE-83324-4
++ cce@rhel9: CCE-83933-2
+
+ references:
+ cis@rhel7: 6.1.6
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
+index 6f5e7c6db4a..4a33f96814c 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83414-3
+ cce@rhel8: CCE-83415-0
++ cce@rhel9: CCE-83938-1
+
+ references:
+ cis@rhel7: 6.1.7
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
+index a30e43191dc..0d93a0096dd 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82037-3
+
cce@rhel8: CCE-80796-6
++ cce@rhel9: CCE-83945-6
+
+ references:
+ cis@rhel7: 6.1.4
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+index 081652006fd..162f01db012 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82025-8
+ cce@rhel8: CCE-80797-4
++ cce@rhel9: CCE-83948-0
+
+ references:
+ cis@rhel7: 6.1.5
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
+index ffe20494729..9a4c5d30561 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-26639-5
+ cce@rhel8: CCE-80798-2
++ cce@rhel9: CCE-83950-6
+
+ references:
+ cis@rhel7: 6.1.2
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+index a68a86445ba..4f185f7f2a4 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82051-4
+ cce@rhel8: CCE-80799-0
++ cce@rhel9: CCE-83930-8
+
+ references:
+ cis@rhel7: 6.1.3
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
+index 34cc7261d2b..3a301d0304b 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83472-1
+ cce@rhel8: CCE-83473-9
++ cce@rhel9: CCE-83944-9
+
+ references:
+ cis@rhel7: 6.1.8
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
+index c7434655b50..55a07f601da 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83532-2
+ cce@rhel8: CCE-83533-0
++ cce@rhel9: CCE-83929-0
+
+ references:
+ cis@rhel7: 6.1.9
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
+index e4e7e7b493e..79e4ab1fe62 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
++++
b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83325-1
+ cce@rhel8: CCE-83326-9
++ cce@rhel9: CCE-83947-2
+
+ references:
+ cis@rhel7: 6.1.6
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
+index 11b341fcbb4..389f830f055 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83412-7
+ cce@rhel8: CCE-83413-5
++ cce@rhel9: CCE-83949-8
+
+ references:
+ cis@rhel7: 6.1.7
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
+index cded33d30ce..d19e55104e0 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82031-6
+ cce@rhel8: CCE-80801-4
++ cce@rhel9: CCE-83925-8
+
+ references:
+ cis@rhel7: 6.1.4
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
+index 52fa58671f4..2419015f113 100644
+---
a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82195-9
+ cce@rhel8: CCE-80802-2
++ cce@rhel9: CCE-83924-1
+
+ references:
+ cis@rhel7: 6.1.5
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
+index dd04e90f501..e71300f22d1 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82052-2
+ cce@rhel8: CCE-80803-0
++ cce@rhel9: CCE-83943-1
+
+ references:
+ cis@rhel7: 6.1.2
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
+index fbdb621807b..6eb53bc53d4 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82022-5
+ cce@rhel8: CCE-80804-8
++ cce@rhel9: CCE-83926-6
+
+ references:
+ cis@rhel7: 6.1.3
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
+index 5e69037060a..7e79f387e13 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
+@@ -15,6 +15,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83482-0
+ cce@rhel8: CCE-83483-8
++ cce@rhel9: CCE-83939-9
+
+ references:
+ cis@rhel7: 6.1.8
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+index 3d6857d811b..7c3994e5115 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83572-8
+ cce@rhel8: CCE-83573-6
++ cce@rhel9: CCE-83942-3
+
+ references:
+ cis@rhel7: 6.1.9
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
+index 43f6675bf3f..1f87b073988 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
+@@ -15,6 +15,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83331-9
+ cce@rhel8: CCE-83332-7
++ cce@rhel9: CCE-83940-7
+
+ references:
+ cis@rhel7: 6.1.6
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
+index 7c9b99651bc..d36289cda20 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83416-8
+ cce@rhel8: CCE-83417-6
++ cce@rhel9: CCE-83935-7
+
+ references:
+ cis@rhel7: 6.1.7
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
+index ef8cf0cca28..1a7c3b8854c 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82032-4
+ cce@rhel8: CCE-80810-5
++ cce@rhel9: CCE-83934-0
+
+ references:
+ cis@rhel7: 6.1.4
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+index 58c08ac643f..3b3fe738e04 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82192-6
+ cce@rhel8: CCE-80811-3
++ cce@rhel9: CCE-83921-7
+
+ references:
+ anssi: BP28(R36)
+diff --git
a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
+index 0a7f729c6cd..9faf0f5313a 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82029-0
+ cce@rhel8: CCE-80812-1
++ cce@rhel9: CCE-83931-6
+
+ references:
+ cis@rhel7: 6.1.2
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+index be331eca4a4..700f0a73a5d 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82042-3
+ cce@rhel8: CCE-80813-9
++ cce@rhel9: CCE-83941-5
+
+ references:
+ anssi: BP28(R36)
+diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
+index 84b58bd8cf3..a9e9d909350 100644
+--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83659-3
++ cce@rhel9: CCE-83912-6
+
+ references:
+ srg: SRG-OS-000206-GPOS-00084
+diff --git
a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
+index 40811212654..d73e8fe2470 100644
+--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
+@@ -12,6 +12,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83660-1
++ cce@rhel9: CCE-83916-7
+
+ references:
+ srg: SRG-OS-000206-GPOS-00084
+diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
+index b151758b1b0..a897085ca0a 100644
+--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83661-9
++ cce@rhel9: CCE-83914-2
+
+ references:
+ srg: SRG-OS-000206-GPOS-00084
+diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
+index 084e13a1de0..f7e16949999 100644
+--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
+@@ -12,6 +12,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83662-7
++ cce@rhel9: CCE-83915-9
+
+ references:
+ srg: SRG-OS-000206-GPOS-00084
+diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
+index db131144de9..12a62347de7 100644
+--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83663-5
++ cce@rhel9: CCE-83917-5
+
+ references:
+ srg: SRG-OS-000206-GPOS-00084
+diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
+index 0a8d5d1dde0..19ab1f8ff76 100644
+--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-83665-0
++ cce@rhel9: CCE-83913-4
+
+ references:
+ srg: SRG-OS-000206-GPOS-00084
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+index 20bd962b3aa..f02d6f4ed7b 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82048-0
+ cce@rhel8: CCE-80806-3
++ cce@rhel9: CCE-83908-4
+ cce@sle15: CCE-85730-0
+
+ references:
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+index ca6fd90c280..df6f29fc2ac 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+@@ -28,6 +28,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82021-7
+ cce@rhel8: CCE-80807-1
++ cce@rhel9: CCE-83907-6
+ cce@sle15: CCE-85756-5
+
+ references:
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+index ad69c4f88ec..ea0117bba7e 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82040-7
+ cce@rhel8: CCE-80809-7
++ cce@rhel9: CCE-83911-8
+ cce@sle15: CCE-85729-2
+
+ references:
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+index 0dce477d5f3..6480caed07c 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+@@ -28,6 +28,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82033-2
+ cce@rhel8: CCE-80815-4
++ cce@rhel9: CCE-83909-2
+ cce@sle15: CCE-85670-8
+
+ references:
+diff --git
a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
+index 867e0833c64..3a5f2c2a89b 100644
+--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
++++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
+@@ -15,6 +15,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-81026-7
+ cce@rhel8: CCE-81027-5
++ cce@rhel9: CCE-84110-6
+ cce@rhcos4: CCE-82506-7
+
+ references:
+diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
+index e12a68c95ba..53cb920e90d 100644
+--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
++++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-81029-1
+ cce@rhel8: CCE-81030-9
++ cce@rhel9: CCE-83900-1
+ cce@rhcos4: CCE-82507-5
+
+ references:
+diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
+index 10116e8a543..89603b2e9a7 100644
+--- a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
+@@ -24,6 +24,7 @@ platform: machine
+ identifiers:
+ cce@rhel7: CCE-80137-3
+ cce@rhel8: CCE-81031-7
++ cce@rhel9: CCE-83853-2
+ cce@rhcos4: CCE-82514-1
+
+ references:
+diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
+index 6b31c36af5e..ef606bfadd8 100644
+--- a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
++++
b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
+@@ -24,6 +24,7 @@ platform: machine
+ identifiers:
+ cce@rhel7: CCE-80142-3
+ cce@rhel8: CCE-83498-6
++ cce@rhel9: CCE-83855-7
+ cce@rhcos4: CCE-82717-0
+
+ references:
+diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
+index 11c9f7533a2..51f377830ef 100644
+--- a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
+@@ -25,6 +25,7 @@ platform: machine
+ identifiers:
+ cce@rhel7: CCE-80143-1
+ cce@rhel8: CCE-82729-5
++ cce@rhel9: CCE-83852-4
+ cce@rhcos4: CCE-82718-8
+
+ references:
+diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+index 3e3f97d6621..11f1a43f292 100644
+--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27277-3
+ cce@rhel8: CCE-80835-2
++ cce@rhel9: CCE-83851-6
+ cce@rhcos4: CCE-82719-6
+ cce@sle12: CCE-83069-5
+ cce@sle15: CCE-83294-9
+diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+index bd08b4b93b1..5553f49c884 100644
+--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27498-5
+ cce@rhel8: CCE-80873-3
++ cce@rhel9: CCE-83850-8
+ cce@rhcos4: CCE-82663-6
+ cce@sle12: CCE-83070-3
+ cce@sle15:
CCE-83278-2
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
+index e59ede9c721..ceef17d9ee8 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82135-5
+ cce@rhel8: CCE-82941-6
++ cce@rhel9: CCE-83884-7
+
+ references:
+ nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
+index b0e499d4f3a..e6f8d284138 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83315-2
+ cce@rhel8: CCE-83316-0
++ cce@rhel9: CCE-83892-0
+
+ references:
+ anssi: BP28(R12)
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
+index 54902dbdac5..85de23060a0 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82138-9
+ cce@rhel8: CCE-81033-3
++ cce@rhel9: CCE-83877-1
+
+ references:
+ nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
+index 3173c5b3db7..d38bfa5c41c 100644
+---
a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
+@@ -19,6 +19,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-80152-2
+ cce@rhel8: CCE-80837-8
++ cce@rhel9: CCE-83881-3
+ cce@rhcos4: CCE-82867-3
+
+ references:
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
+index 845de5fb01d..7d4e76eaca0 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
+@@ -22,6 +22,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-80153-0
+ cce@rhel8: CCE-80838-6
++ cce@rhel9: CCE-83857-3
+ cce@rhcos4: CCE-82868-1
+
+ references:
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
+index 22b2a497522..82ab2971fc3 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
+@@ -19,6 +19,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-80154-8
+ cce@rhel8: CCE-80839-4
++ cce@rhel9: CCE-83891-2
+ cce@rhcos4: CCE-82741-0
+
+ references:
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
+index bd4b69f8ec2..84e19796371 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
+@@ -23,6 +23,7 @@ severity: unknown
+ identifiers:
+ cce@rhel7: CCE-81047-3
+ cce@rhel8: CCE-81048-1
++ cce@rhel9: CCE-83871-4
+ cce@rhcos4: CCE-82740-2
+
+ references:
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
+index c07bd670135..04f12549f1c 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83327-7
+ cce@rhel8: CCE-83328-5
++ cce@rhel9: CCE-83875-5
+
+ references:
+ anssi: BP28(R12)
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+index e6fd9ed7240..de14fa41aa8 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-81153-9
+ cce@rhel8: CCE-81050-7
++ cce@rhel9: CCE-83894-6
+ cce@sle12: CCE-83100-8
+ cce@sle15: CCE-85633-6
+
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
+index 5f658b2a592..1725c8daf4c 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
+@@ -30,6 +30,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80145-6
+ cce@rhel8: CCE-82069-6
++ cce@rhel9: CCE-83873-0
+
+ references:
+ nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
+index
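Review bot: The hunk for `mount_option_home_nodev/rule.yml` assigns a RHEL 9 CCE to a rule whose hunk-header context still reads `severity: unknown`, while the other `nodev` mount-option rules touched by this patch are rated `medium` or `low`. A rule without a severity is easy to filter out or deprioritise when scan results are triaged, so a missing `nodev` on /home may get less attention in RHEL 9 profiles that select the rule. Consider setting an explicit value in the same change, for example `severity: medium` as on `mount_option_tmp_nodev`; the right level depends on the project's rating policy. The rule body lies outside the hunk, so only the header context is visible here.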
34fadec6e9b..4d830212c30 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
+@@ -23,6 +23,7 @@ severity: low
+ identifiers:
+ cce@rhel7: CCE-80146-4
+ cce@rhel8: CCE-82742-8
++ cce@rhel9: CCE-83856-5
+ cce@rhcos4: CCE-82865-7
+
+ references:
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+index ab8cec9f91d..4e36f9ef1f5 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80147-2
+ cce@rhel8: CCE-82746-9
++ cce@rhel9: CCE-83883-9
+ cce@rhcos4: CCE-82747-7
+
+ references:
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
+index 054fd19e13e..c0c2c12c634 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80148-0
+ cce@rhel8: CCE-82744-4
++ cce@rhel9: CCE-83874-8
+ cce@rhcos4: CCE-82745-1
+ cce@sle12: CCE-83101-6
+ cce@sle15: CCE-85634-4
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
+index a68d065c2f9..b67d96ba8da 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
++++
b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83317-8
+ cce@rhel8: CCE-83319-4
++ cce@rhel9: CCE-83880-5
+
+ references:
+ anssi: BP28(R12)
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
+index 469f15db079..022dee6db9a 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83320-2
+ cce@rhel8: CCE-83322-8
++ cce@rhel9: CCE-83862-3
+
+ references:
+ anssi: BP28(R12)
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+index 938f7a58215..6cf42d368a7 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80149-8
+ cce@rhel8: CCE-82623-0
++ cce@rhel9: CCE-83869-8
+
+ references:
+ cis@rhel7: 1.1.4
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+index 1344518bc2f..055adca538a 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80150-6
+ cce@rhel8: CCE-82139-7
++ cce@rhel9: CCE-83885-4
+
+ references:
+ cis@rhel7: 1.1.3
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+index 827eeb0381b..16e919a0586 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80151-4
+ cce@rhel8: CCE-82140-5
++ cce@rhel9: CCE-83872-2
+
+ references:
+ cis@rhel7: 1.1.5
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
+index 252de20f49e..de0ed866913 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82079-5
+ cce@rhel8: CCE-82080-3
++ cce@rhel9: CCE-83882-1
+
+ references:
+ nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
+index 06b1ee7eddc..8f862132b56 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82146-2
+ cce@rhel8: CCE-82975-4
++ cce@rhel9: CCE-83878-9
+
+ references:
+ nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
+index 1443e2a64f4..a991a15ae5e 100644
+---
a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82148-8
+ cce@rhel8: CCE-82921-8
++ cce@rhel9: CCE-83893-8
+
+ references:
+ nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+index 97670681e06..920351725ad 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82076-1
+ cce@rhel8: CCE-82077-9
++ cce@rhel9: CCE-83886-2
+
+ references:
+ nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
+index 6548012de35..2be49486a16 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82142-1
+ cce@rhel8: CCE-82008-4
++ cce@rhel9: CCE-83887-0
+
+ references:
+ nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
+index 34fe89affd0..4c4c2711f37 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+
identifiers:
+ cce@rhel7: CCE-82144-7
+ cce@rhel8: CCE-82065-4
++ cce@rhel9: CCE-83870-6
+
+ references:
+ nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
+index 92a8dd83813..8a8413b49e6 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82064-7
+ cce@rhel8: CCE-82062-1
++ cce@rhel9: CCE-83868-0
+
+ references:
+ nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
+index 1cb6cbab055..7119419eb6b 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83329-3
+ cce@rhel8: CCE-83330-1
++ cce@rhel9: CCE-83865-6
+
+ references:
+ anssi: BP28(R12)
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
+index f15cc75ae19..ca3e15f3878 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
+@@ -16,6 +16,7 @@ rationale: |-
+ identifiers:
+ cce@rhel7: CCE-83378-0
+ cce@rhel8: CCE-83383-0
++ cce@rhel9: CCE-83867-2
+
+ references:
+ anssi: BP28(R12)
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+index
03443bd43fd..c78149e13aa 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-81052-3
+ cce@rhel8: CCE-82068-8
++ cce@rhel9: CCE-83864-9
+ cce@rhcos4: CCE-82735-2
+
+ references:
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+index 4adc6791d88..87a5f0e2f5d 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82150-4
+ cce@rhel8: CCE-82151-2
++ cce@rhel9: CCE-83866-4
+ cce@rhcos4: CCE-82866-5
+
+ references:
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+index a22d658a6b2..7df03f1bf13 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82153-8
+ cce@rhel8: CCE-82154-6
++ cce@rhel9: CCE-83863-1
+ cce@rhcos4: CCE-82736-0
+
+ references:
+diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
+index dd32d225db8..3047f5790ab 100644
+--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+
cce@rhel7: CCE-80169-6
+ cce@rhel8: CCE-81038-2
++ cce@rhel9: CCE-83980-3
+ cce@rhcos4: CCE-82526-5
+
+ references:
+diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
+index baa8a448026..290d91abacf 100644
+--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
+@@ -20,6 +20,7 @@ platform: machine
+
+ identifiers:
+ cce@rhel8: CCE-82881-4
++ cce@rhel9: CCE-83974-6
+ cce@rhcos4: CCE-82530-7
+
+ references:
+diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
+index b9521a9a648..9734bd75112 100644
+--- a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-26900-1
+ cce@rhel8: CCE-80912-9
++ cce@rhel9: CCE-83981-1
+
+ references:
+ cis@rhel7: 1.5.1
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
+index 9e018613784..7ddbcbfc0a3 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
+@@ -27,6 +27,7 @@ platform: machine # The oscap sysctl probe doesn't support offline mode
+ identifiers:
+ cce@rhel7: CCE-27211-2
+ cce@rhel8: CCE-80914-5
++ cce@rhel9:
CCE-83970-4
+
+ references:
+ cis@rhel7: 1.5.2
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+index c678f8f086c..9474fed6098 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80659-6
+ cce@rhel8: CCE-80915-2
++ cce@rhel9: CCE-83972-0
+ cce@rhcos4: CCE-82498-7
+ cce@sle12: CCE-83125-5
+ cce@sle15: CCE-83299-8
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
+index aa46075cdce..c96a8018909 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27127-0
+ cce@rhel8: CCE-80916-0
++ cce@rhel9: CCE-83971-2
+ cce@sle12: CCE-83146-1
+ cce@sle15: CCE-83300-4
+
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+index 9b18bee588f..77e58a78250 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82158-7
+
cce@rhel8: CCE-80944-2
++ cce@rhel9: CCE-83985-2
+
+ references:
+ srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+index f6059044f14..36241872a02 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82157-9
+ cce@rhel8: CCE-80945-9
++ cce@rhel9: CCE-83986-0
+
+ references:
+ srg: SRG-OS-000433-GPOS-00192,SRG-OS-000134-GPOS-00068
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+index fb3cd558c0b..dd1f67bad8c 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+@@ -15,6 +15,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel8: CCE-82215-5
++ cce@rhel9: CCE-83961-3
+ cce@rhcos4: CCE-82527-3
+
+ references:
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+index c7ba7b2821b..e7eb3f5caf3 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+@@ -15,6 +15,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27050-4
+ cce@rhel8: CCE-80913-7
++ cce@rhel9: CCE-83952-2
+ cce@rhcos4: CCE-82499-5
+
+ references:
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
+index 97fab077088..6433967ce7f 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
+@@ -15,6 +15,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-81056-4
+ cce@rhel8: CCE-80952-5
++ cce@rhel9: CCE-83954-8
+ cce@rhcos4: CCE-82500-0
+
+ references:
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+index 2bb534d8382..1722b9370da 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83392-1
+ cce@rhel8: CCE-83397-0
++ cce@rhel9: CCE-83967-0
+
+ references:
+ anssi: BP28(R24)
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
+index 147e1f0a96a..52456967c53 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83369-9
+ cce@rhel8: CCE-83373-1
++ cce@rhel9: CCE-83969-6
+
+ references:
+ anssi: BP28(R23)
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
+index 1cb4a86a14c..f78db1b0dbd 100644
+---
a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-83367-3 + cce@rhel8: CCE-83368-1 ++ cce@rhel9: CCE-83962-1 + + references: + anssi: BP28(R23) +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml +index 696994b0f27..c756902afd2 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml +@@ -14,6 +14,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-81053-1 + cce@rhel8: CCE-81054-9 ++ cce@rhel9: CCE-83959-7 + cce@rhcos4: CCE-82502-6 + + references: +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml +index 672df86e693..4299f35b9df 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-83365-7 + cce@rhel8: CCE-83366-5 ++ cce@rhel9: CCE-83960-5 + + references: + anssi: BP28(R23) +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml +index 88e9e4e6285..f17eeb7a8fe 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-83353-3 + cce@rhel8: CCE-83355-8 ++ cce@rhel9: 
CCE-83968-8 + + references: + anssi: BP28(R23) +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml +index 31fde102de8..9a90716debc 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml +@@ -15,6 +15,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82203-1 + cce@rhel8: CCE-82974-7 ++ cce@rhel9: CCE-83957-1 + cce@rhcos4: CCE-82504-2 + + references: +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +index 7cd437ec14a..b686a606f86 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-81058-0 + cce@rhel8: CCE-80953-3 ++ cce@rhel9: CCE-83965-4 + cce@rhcos4: CCE-82501-8 + + references: +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml +index 9812e2beb16..f87be0ff5c6 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml +@@ -15,6 +15,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-82934-1 ++ cce@rhel9: CCE-83966-2 + cce@rhcos4: CCE-82505-9 + + references: +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml 
b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml +index 223619814b5..145c652fa73 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml +@@ -23,6 +23,7 @@ severity: low + + identifiers: + cce@rhel8: CCE-82211-4 ++ cce@rhel9: CCE-83956-3 + cce@rhcos4: CCE-82503-4 + + references: +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml +index c5158c6cbb6..93a11ee5086 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-83358-2 + cce@rhel8: CCE-83363-2 ++ cce@rhel9: CCE-83958-9 + + references: + anssi: BP28(R23) +diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml +index 87a081248be..4cda0a17a8d 100644 +--- a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml ++++ b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml +@@ -20,6 +20,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-26961-3 + cce@rhel8: CCE-80827-9 ++ cce@rhel9: CCE-84078-5 + cce@rhcos4: CCE-82666-9 + + references: +diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml +index c8123f6a4f6..d38f1829771 100644 +--- a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml ++++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml +@@ -18,6 +18,7 @@ severity: high + identifiers: + cce@rhel7: CCE-82876-4 + cce@rhel8: CCE-82877-2 ++ cce@rhel9: CCE-84069-4 + + references: + cis@rhel7: 1.6.1.1 +diff 
--git a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml +index becb0dab84a..81f72105a80 100644 +--- a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml ++++ b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml +@@ -19,6 +19,7 @@ severity: low + identifiers: + cce@rhel7: CCE-80445-0 + cce@rhel8: CCE-82756-8 ++ cce@rhel9: CCE-84072-8 + + references: + cis@rhel7: 1.6.1.8 +diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml +index a18a57dcbb3..74c92194136 100644 +--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml ++++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml +@@ -15,6 +15,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-82724-6 ++ cce@rhel9: CCE-84070-2 + + references: + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml +index acce754e9d2..cf3e71a1fc0 100644 +--- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml ++++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml +@@ -26,6 +26,7 @@ severity: high + identifiers: + cce@rhel7: CCE-82977-0 + cce@rhel8: CCE-82976-2 ++ cce@rhel9: CCE-84071-0 + + references: + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml +index c7ec916622c..8992283aecc 100644 +--- a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml ++++ b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml +@@ -20,6 +20,7 @@ severity: low + identifiers: + cce@rhel7: 
CCE-80444-3 + cce@rhel8: CCE-82755-0 ++ cce@rhel9: CCE-84073-6 + + references: + anssi: BP28(R68) +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml +index bc189ce4d43..f3be1c78a09 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80424-5 + cce@rhel8: CCE-84297-1 ++ cce@rhel9: CCE-84090-0 + + references: + cui: 80424-5 +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml +index e8453fbfb8d..2a35a2db9eb 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82290-8 + cce@rhel8: CCE-83307-9 ++ cce@rhel9: CCE-84082-7 + + references: + anssi: BP28(R67) +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml +index e3591519dc7..53f154e7e84 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82305-4 + cce@rhel8: CCE-84230-2 ++ cce@rhel9: CCE-84083-5 + + references: + anssi: BP28(R39) +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml +index 6942f1e2114..428bb90bb94 
100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82308-8 + cce@rhel8: CCE-83310-3 ++ cce@rhel9: CCE-84087-6 + + {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_insmod") }}} + +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml +index 7fedaab6130..6c6fbb73b26 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82312-0 + cce@rhel8: CCE-80949-1 ++ cce@rhel9: CCE-84084-3 + + references: + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e) +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml +index b94d70c0989..f90ef1183de 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82313-8 + cce@rhel8: CCE-80950-9 ++ cce@rhel9: CCE-84086-8 + + references: + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e) +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml +index 2e0b19f881d..21072e4401e 100644 +--- 
a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82314-6 + cce@rhel8: CCE-80951-7 ++ cce@rhel9: CCE-84089-2 + + references: + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e) +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml +index 98673f57c98..f4b47393a75 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82327-8 + cce@rhel8: CCE-83311-1 ++ cce@rhel9: CCE-84081-9 + + {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_sysadm_login") }}} + +diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml +index cc0319a4121..216518475e8 100644 +--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml +@@ -23,6 +23,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27288-0 + cce@rhel8: CCE-80867-5 ++ cce@rhel9: CCE-84075-1 + cce@rhcos4: CCE-82688-3 + + references: +diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml +index e4202dcd2c6..44e001c9049 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml +@@ -30,6 +30,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27279-9 + cce@rhel8: CCE-80868-3 ++ cce@rhel9: CCE-84074-4 + cce@rhcos4: CCE-82532-3 + + 
references: +diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml +index 1a8066e5f07..ca0a7a04bae 100644 +--- a/linux_os/guide/system/selinux/selinux_state/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_state/rule.yml +@@ -22,6 +22,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27334-2 + cce@rhel8: CCE-80869-1 ++ cce@rhel9: CCE-84079-3 + cce@rhcos4: CCE-82531-5 + + references: +diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +index ef544f33d48..083d02a36e5 100644 +--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +@@ -53,6 +53,7 @@ severity: high + identifiers: + cce@rhel7: CCE-27128-8 + cce@rhel8: CCE-80789-1 ++ cce@rhel9: CCE-90849-1 + cce@sle12: CCE-83046-3 + cce@sle15: CCE-85719-3 + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml +index c44f0c7ce98..35d766d9f9d 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml +@@ -19,6 +19,7 @@ severity: low + identifiers: + cce@rhel7: CCE-80144-9 + cce@rhel8: CCE-81044-0 ++ cce@rhel9: CCE-83468-9 + cce@rhcos4: CCE-82739-4 + cce@sle12: CCE-83152-9 + cce@sle15: CCE-85639-3 +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml +index ff22050a248..bbfd28c10ce 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml +@@ -25,6 +25,7 @@ references: + 
identifiers: + cce@rhel7: CCE-83376-4 + cce@rhel8: CCE-83387-1 ++ cce@rhel9: CCE-90846-7 + + {{{ complete_ocil_entry_separate_partition(part="/srv") }}} + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml +index 799dfb99dd7..3a3a28cec04 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml +@@ -17,6 +17,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82053-0 + cce@rhel8: CCE-80851-9 ++ cce@rhel9: CCE-90845-9 + + references: + stigid@ol7: OL07-00-021340 +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml +index 834dbbbf210..856a09540ba 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml +@@ -19,6 +19,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82014-2 + cce@rhel8: CCE-80852-7 ++ cce@rhel9: CCE-83466-3 + cce@sle12: CCE-83153-7 + cce@sle15: CCE-85640-1 + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml +index 7f1a8c7ddb9..08ba9a843f0 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82034-0 + cce@rhel8: CCE-80853-5 ++ cce@rhel9: CCE-90848-3 + cce@rhcos4: CCE-82737-8 + + references: +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +index 
e76d455bf3a..10113499614 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +@@ -20,6 +20,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82035-7 + cce@rhel8: CCE-80854-3 ++ cce@rhel9: CCE-90847-5 + cce@rhcos4: CCE-82738-6 + cce@sle12: CCE-83154-5 + cce@sle15: CCE-85618-7 +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +index 535c0096b46..01c3f9b76ab 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +@@ -19,6 +19,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82353-4 + cce@rhel8: CCE-82730-3 ++ cce@rhel9: CCE-83487-9 + cce@rhcos4: CCE-82734-5 + + references: +diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml +index 1222bbf54e5..f5ca4062d3d 100644 +--- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml ++++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml +@@ -29,6 +29,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82348-4 + cce@rhel8: CCE-82367-4 ++ cce@rhel9: CCE-83549-6 + + references: + nist: CM-7(a),CM-7(b),CM-6(a) +diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +index 8a36d5691b7..0a6b95ea19e 100644 +--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +@@ -33,6 +33,7 @@ severity: high + identifiers: 
+ cce@rhel7: CCE-82371-6 + cce@rhel8: CCE-80947-5 ++ cce@rhel9: CCE-83453-1 + cce@sle12: CCE-83001-8 + cce@sle15: CCE-83260-0 + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml +index b232fdb7bbf..666ae4e2b2c 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml +@@ -23,6 +23,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-80934-3 ++ cce@rhel9: CCE-83451-5 + cce@rhcos4: CCE-82544-8 + + references: +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +index 726f555e385..f95c16b271b 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +@@ -55,6 +55,7 @@ severity: high + + identifiers: + cce@rhel8: CCE-80935-0 ++ cce@rhel9: CCE-83450-7 + cce@rhcos4: CCE-82541-4 + + references: +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml +index 5f19ce25f9f..64bb048f8e5 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml +@@ -20,6 +20,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-80936-8 ++ cce@rhel9: CCE-83449-9 + cce@rhcos4: CCE-82547-1 + + references: +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml 
+index c156144f2c9..c1e7fb6f9e0 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml +@@ -24,6 +24,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-80937-6 ++ cce@rhel9: CCE-83446-5 + cce@rhcos4: CCE-82546-3 + + references: +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +index a7d6351eb4b..3953f7f2372 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +@@ -21,6 +21,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-80938-4 ++ cce@rhel9: CCE-83452-3 + cce@rhcos4: CCE-82545-5 + + references: +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml +index dfe105771cc..eba82b5fb78 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml +@@ -19,6 +19,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-84255-9 ++ cce@rhel9: CCE-83448-1 + + references: + nist: AC-17(2) +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +index 77030b4c6ed..ff24032229e 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +@@ -20,6 +20,7 @@ severity: medium + + identifiers: + 
cce@rhel8: CCE-80939-2 ++ cce@rhel9: CCE-83445-7 + + references: + nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13 +diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml +index 10974a995e1..68ce39792ba 100644 +--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml +@@ -16,6 +16,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-82723-8 ++ cce@rhel9: CCE-83442-4 + + references: + ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1 +diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +index b373970d241..6d0c3b42890 100644 +--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +@@ -24,6 +24,7 @@ platform: machine # The oscap sysctl probe doesn't support offline mode + identifiers: + cce@rhel7: CCE-80658-8 + cce@rhel8: CCE-84027-2 ++ cce@rhel9: CCE-83441-6 + + references: + disa: CCI-000068,CCI-000803,CCI-002450 +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +index d28e3222980..460641ed4e3 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +@@ -29,6 +29,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27220-3 + cce@rhel8: CCE-80675-2 ++ cce@rhel9: CCE-83438-2 + + references: + anssi: 
BP28(R51) +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +index 7feef66f859..2d7a3ac28b2 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +@@ -34,6 +34,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-26952-2 + cce@rhel8: CCE-80676-0 ++ cce@rhel9: CCE-83437-4 + cce@sle15: CCE-85671-6 + + references: +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +index a73fb0a39ad..51dae72ee6d 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +@@ -30,6 +30,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80374-2 + cce@rhel8: CCE-82891-3 ++ cce@rhel9: CCE-90844-2 + cce@sle12: CCE-83048-9 + + references: +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml +index f527068022a..3342599f5f6 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml +@@ -25,6 +25,7 @@ severity: low + identifiers: + cce@rhel7: CCE-80375-9 + cce@rhel8: CCE-84220-3 ++ cce@rhel9: CCE-90837-6 + cce@sle12: CCE-83150-3 + cce@sle15: CCE-85623-7 + +diff --git 
a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +index 7961f3b5a67..54351d15423 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +@@ -25,6 +25,7 @@ severity: low + identifiers: + cce@rhel7: CCE-80376-7 + cce@rhel8: CCE-83733-6 ++ cce@rhel9: CCE-83439-0 + cce@sle12: CCE-83151-1 + cce@sle15: CCE-85624-5 + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +index 264dd298c11..681da5b976e 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +@@ -14,6 +14,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27096-7 + cce@rhel8: CCE-80844-4 ++ cce@rhel9: CCE-90843-4 + cce@sle12: CCE-83067-9 + cce@sle15: CCE-83289-9 + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml +index 873110cc9c3..3d0f77d825b 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml +@@ -36,6 +36,7 @@ severity: high + identifiers: + cce@rhel7: CCE-27157-7 + cce@rhel8: CCE-80857-6 ++ cce@rhel9: CCE-90841-8 + + references: + stigid@ol7: OL07-00-010020 +diff --git 
a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml +index 97c0957fd68..f085d9a79f9 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml +@@ -27,6 +27,7 @@ severity: high + identifiers: + cce@rhel7: CCE-80545-7 + cce@rhel8: CCE-82196-7 ++ cce@rhel9: CCE-90842-6 + cce@rhcos4: CCE-82686-7 + + references: +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +index 8875abd83fe..915cf839a68 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +@@ -32,6 +32,7 @@ severity: high + identifiers: + cce@rhel7: CCE-27209-6 + cce@rhel8: CCE-80858-4 ++ cce@rhel9: CCE-90840-0 + cce@rhcos4: CCE-82687-5 + + references: +diff --git a/linux_os/guide/system/software/prefer_64bit_os/rule.yml b/linux_os/guide/system/software/prefer_64bit_os/rule.yml +index af33fe43359..f2ae5406c24 100644 +--- a/linux_os/guide/system/software/prefer_64bit_os/rule.yml ++++ b/linux_os/guide/system/software/prefer_64bit_os/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-83691-6 + cce@rhel8: CCE-83694-0 ++ cce@rhel9: CCE-90839-2 + + references: + anssi: BP28(R10) +diff --git a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml +index 2392bdc2c44..1fb36944e43 100644 +--- 
a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
++++ b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82213-0
+ cce@rhel8: CCE-82214-8
++ cce@rhel9: CCE-83523-1
+ cce@rhcos4: CCE-82523-2
+
+ references:
+diff --git a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
+index fb6e9833b31..cc7fbbc0959 100644
+--- a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
++++ b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
+@@ -18,6 +18,7 @@ severity: high
+ identifiers:
+ cce@rhel7: CCE-83740-1
+ cce@rhel8: CCE-83747-6
++ cce@rhel9: CCE-83537-1
+
+ references:
+ anssi: BP28(R58)
+diff --git a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
+index 00e56a1427d..e7c96e8d5ac 100644
+--- a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
++++ b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83787-2
+ cce@rhel8: CCE-83790-6
++ cce@rhel9: CCE-83539-7
+
+ references:
+ anssi: BP28(R58)
+diff --git a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml
+index 2164cefec8c..67f9fcb1a42 100644
+--- a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml
++++ b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-83797-1
+ cce@rhel8: CCE-83798-9
++ cce@rhel9: CCE-83538-9
+
+ references:
+ anssi: BP28(R58)
+diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+index 05a3127c6ae..90760109e3c 100644
+---
a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +@@ -15,6 +15,7 @@ severity: low + identifiers: + cce@rhel7: CCE-83600-7 + cce@rhel8: CCE-83601-5 ++ cce@rhel9: CCE-83527-2 + + references: + cis@rhel7: 5.2.3 +diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml +index 3c96138cbc9..a9a594e87f8 100644 +--- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml +@@ -20,6 +20,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80350-2 + cce@rhel8: CCE-82202-3 ++ cce@rhel9: CCE-83544-7 + cce@sle12: CCE-83013-3 + cce@sle15: CCE-83291-5 + +diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml +index 172eedba548..a8658c9ed88 100644 +--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml +@@ -21,6 +21,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80351-0 + cce@rhel8: CCE-82197-5 ++ cce@rhel9: CCE-83536-3 + cce@sle12: CCE-83012-5 + cce@sle15: CCE-85663-3 + +diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml +index 2138ea9ead0..cae15396bfe 100644 +--- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml +@@ -22,6 +22,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82278-3 + cce@rhel8: CCE-82279-1 ++ cce@rhel9: CCE-83543-9 + cce@sle15: CCE-85673-2 + + references: +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml 
b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +index 930915327e0..a708f7a073b 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +@@ -23,6 +23,7 @@ identifiers: + cce@sle15: CCE-85712-8 + cce@rhel7: CCE-83423-4 + cce@rhel8: CCE-83425-9 ++ cce@rhel9: CCE-83525-6 + + + references: +diff --git a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml +index 32bff061c95..a32e759eee4 100644 +--- a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82349-2 + cce@rhel8: CCE-82365-8 ++ cce@rhel9: CCE-83528-0 + + ocil_clause: 'nopasswd is set for any users beyond vdsm' + +diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml +index a0590c8b0b7..8bd794aa2b2 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml +@@ -22,8 +22,9 @@ rationale: |- + severity: medium + + identifiers: +- cce@rhel7: CCE-83631-2 +- cce@rhel8: CCE-83632-0 ++ cce@rhel7: CCE-83631-2 ++ cce@rhel8: CCE-83632-0 ++ cce@rhel9: CCE-83545-4 + + references: + anssi: BP28(R63) +diff --git a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml +index 5421c589098..896c103747c 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml +@@ -21,8 +21,9 @@ rationale: |- + 
severity: medium + + identifiers: +- cce@rhel7: CCE-83517-3 +- cce@rhel8: CCE-83518-1 ++ cce@rhel7: CCE-83517-3 ++ cce@rhel8: CCE-83518-1 ++ cce@rhel9: CCE-83524-9 + + references: + anssi: BP28(R61) +diff --git a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml +index ef2dd6e27dc..bcc9ecd0ee3 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml +@@ -18,8 +18,9 @@ rationale: |- + severity: medium + + identifiers: +- cce@rhel7: CCE-83597-5 +- cce@rhel8: CCE-83598-3 ++ cce@rhel7: CCE-83597-5 ++ cce@rhel8: CCE-83598-3 ++ cce@rhel9: CCE-83531-4 + + references: + anssi: BP28(R60) +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml +index d17f33852db..f336906294a 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml +@@ -22,6 +22,7 @@ rationale: |- + identifiers: + cce@rhel7: CCE-83421-8 + cce@rhel8: CCE-83422-6 ++ cce@rhel9: CCE-83529-8 + cce@sle15: CCE-85747-4 + + references: +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml +index 61ec3bb5041..acaf85219c8 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml +@@ -16,6 +16,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82920-0 + cce@rhel8: CCE-82919-2 ++ cce@rhel9: CCE-83507-4 + + references: + srg: SRG-OS-000095-GPOS-00049 +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml 
b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml +index 8b71752795a..15757ec7a6a 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml +@@ -16,6 +16,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82927-5 + cce@rhel8: CCE-82926-7 ++ cce@rhel9: CCE-83508-2 + + references: + srg: SRG-OS-000095-GPOS-00049 +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml +index fe5b1710349..5440804c82b 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml +@@ -16,6 +16,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82924-2 + cce@rhel8: CCE-82923-4 ++ cce@rhel9: CCE-83510-8 + + references: + srg: SRG-OS-000095-GPOS-00049 +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml +index 6cd038c7614..7723195d483 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml +@@ -16,6 +16,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82908-5 + cce@rhel8: CCE-82907-7 ++ cce@rhel9: CCE-83512-4 + + references: + srg: SRG-OS-000095-GPOS-00049 +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml +index 6fea7c33159..74b217d9e4e 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml ++++ 
b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml +@@ -16,6 +16,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82914-3 + cce@rhel8: CCE-82913-5 ++ cce@rhel9: CCE-83513-2 + + references: + srg: SRG-OS-000095-GPOS-00049 +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml +index 9950ab14215..b058c92597b 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml +@@ -16,6 +16,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82917-6 + cce@rhel8: CCE-82916-8 ++ cce@rhel9: CCE-83514-0 + + references: + srg: SRG-OS-000095-GPOS-00049 +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml +index f98b732a50a..43da8d34b26 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml +@@ -15,6 +15,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82911-9 + cce@rhel8: CCE-82910-1 ++ cce@rhel9: CCE-83515-7 + + references: + srg: SRG-OS-000095-GPOS-00049 +diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml +index c53a12edfc7..1af48c1611b 100644 +--- a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml +@@ -18,6 +18,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-82395-5 ++ cce@rhel9: CCE-83494-5 + + 
references: + ospp: FIA_X509_EXT +diff --git a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml +index aa1ae14ade9..3e46bd39a7e 100644 +--- a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml +@@ -15,6 +15,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82944-0 + cce@rhel8: CCE-82943-2 ++ cce@rhel9: CCE-83516-5 + + references: + srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml +index 651bf3eb4c1..6a99a5b82e6 100644 +--- a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml +@@ -16,6 +16,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82947-3 + cce@rhel8: CCE-82946-5 ++ cce@rhel9: CCE-83519-9 + + references: + srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml +index b26dc2dbdf3..845167a237b 100644 +--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82930-9 + cce@rhel8: CCE-82931-7 ++ cce@rhel9: CCE-83520-7 + + references: + srg: SRG-OS-000095-GPOS-00049,SRG-OS-000120-GPOS-00061 +diff --git a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml 
+index 475980cd54e..c2c8a19aa64 100644 +--- a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82219-7 + cce@rhel8: CCE-82220-5 ++ cce@rhel9: CCE-83502-5 + + references: + srg: SRG-OS-000480-GPOS-00227,SRG-OS-000191-GPOS-00080 +diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml +index 1d0ed040448..2396f5bb118 100644 +--- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82882-2 + cce@rhel8: CCE-82883-0 ++ cce@rhel9: CCE-83503-3 + + ocil_clause: 'the package is not installed' + +diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml +index f0ca76b6953..1acb18a6866 100644 +--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82969-7 + cce@rhel8: CCE-82968-9 ++ cce@rhel9: CCE-83504-1 + + references: + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml +index 2c272a01e3b..a7f9dfd8d76 100644 +--- a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml +@@ -23,6 +23,7 @@ 
severity: medium + identifiers: + cce@rhel7: CCE-82951-5 + cce@rhel8: CCE-82949-9 ++ cce@rhel9: CCE-83505-8 + + references: + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml +index 0742a1638fd..e79b482e89a 100644 +--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82638-8 + cce@rhel8: CCE-82316-1 ++ cce@rhel9: CCE-83506-6 + + references: + srg: SRG-OS-000366-GPOS-00153 +diff --git a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml +index 66f864069e2..728a04f5ac8 100644 +--- a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml +@@ -18,6 +18,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82905-1 + cce@rhel8: CCE-82904-4 ++ cce@rhel9: CCE-83521-5 + + references: + srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml +index d0289b311c6..43e3a975354 100644 +--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml ++++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml +@@ -23,6 +23,7 @@ severity: low + identifiers: + cce@rhel7: CCE-80346-0 + cce@rhel8: CCE-82476-3 ++ cce@rhel9: CCE-83458-0 + cce@sle12: CCE-83186-7 + cce@sle15: CCE-85551-0 + +diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml 
b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml +index 7a10f5dd9ed..a8834659ed5 100644 +--- a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml ++++ b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml +@@ -20,6 +20,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-82494-6 ++ cce@rhel9: CCE-83456-4 + + references: + ospp: FMT_SMF_EXT.1 +diff --git a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml +index 10e9e0ac2e9..5a4ad9e674e 100644 +--- a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml ++++ b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml +@@ -18,6 +18,7 @@ severity: low + + identifiers: + cce@rhel8: CCE-82267-6 ++ cce@rhel9: CCE-83461-4 + + references: + ospp: FMT_SMF_EXT.1 +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +index 8b2f877b60a..668d4b95f9e 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +@@ -33,6 +33,7 @@ severity: high + identifiers: + cce@rhel7: CCE-26989-4 + cce@rhel8: CCE-80790-9 ++ cce@rhel9: CCE-83457-2 + cce@sle12: CCE-83068-7 + cce@sle15: CCE-83290-7 + +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml +index 67459838987..52c23b17f11 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml +@@ -22,6 +22,7 @@ severity: high + identifiers: + 
cce@rhel7: CCE-80347-8 + cce@rhel8: CCE-80791-7 ++ cce@rhel9: CCE-83463-0 + + references: + stigid@ol7: OL07-00-020060 +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +index 6adc5810034..53f832bdce8 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +@@ -22,6 +22,7 @@ severity: high + identifiers: + cce@rhel7: CCE-26876-3 + cce@rhel8: CCE-80792-5 ++ cce@rhel9: CCE-83464-8 + + references: + srg: SRG-OS-000366-GPOS-00153 +diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml +index 0bdace740b4..490683fe252 100644 +--- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml ++++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82986-1 + cce@rhel8: CCE-82985-3 ++ cce@rhel9: CCE-83454-9 + + references: + srg: SRG-OS-000191-GPOS-00080 +diff --git a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml +index 07aa5c3575b..7451f5637b5 100644 +--- a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml ++++ b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml +@@ -15,6 +15,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-82360-9 ++ cce@rhel9: CCE-83459-8 + + references: + ospp: FMT_SMF_EXT.1 +From 4325e8a4ec9f02766ae873ad25f0bbcf926bd72b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 23 Jun 2021 17:20:40 +0200 +Subject: [PATCH 4/4] Resolved chrony vs ntp rules. 
+ +Profiles should select only chrony rules, as ntp is not +supposed to be used in RHEL9. +--- + rhel9/profiles/ism_o.profile | 3 +-- + rhel9/profiles/pci-dss.profile | 6 +++--- + rhel9/profiles/stig.profile | 2 +- + 3 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile +index 3a884f8371d..2aa4af470e9 100644 +--- a/rhel9/profiles/ism_o.profile ++++ b/rhel9/profiles/ism_o.profile +@@ -90,9 +90,8 @@ selections: + - rsyslog_remote_tls_cacert + - package_chrony_installed + - service_chronyd_enabled +-# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM ++ # - chronyd_specify_multiple_servers + - chronyd_specify_remote_server +-# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM + + ## Events to be logged + ## Identifiers 0580 / 0584 / 0582 / 0585 / 0586 / 0846 / 0957 +diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile +index 6b00be5f76a..2c027af5236 100644 +--- a/rhel9/profiles/pci-dss.profile ++++ b/rhel9/profiles/pci-dss.profile +@@ -79,9 +79,9 @@ selections: + - audit_rules_kernel_module_loading_init + - audit_rules_immutable + - var_multiple_time_servers=rhel +-# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM +-# - chronyd_or_ntpd_specify_remote_server # not supported in RHEL9 ATM +-# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM ++ - service_chronyd_enabled ++ - chronyd_specify_remote_server ++ # - chronyd_specify_multiple_servers + - rpm_verify_permissions + - rpm_verify_hashes + # - install_hids # not supported in RHEL9 ATM +diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile +index 1baafe6f751..eef1f901ab5 100644 +e-- a/rhel9/profiles/stig.profile ++++ b/rhel9/profiles/stig.profile +@@ -820,7 +820,7 @@ selections: + + # RHEL-08-030740 + # remediation fails because default configuration file contains pool instead of server keyword +-# - chronyd_or_ntpd_set_maxpoll # not 
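Review bot: The commented-out `# - chronyd_specify_multiple_servers` entries in ism_o.profile and pci-dss.profile no longer say why the rule is not selected, since the old lines carried "not supported in RHEL9 ATM" and the new ones carry nothing. A reader cannot tell a deferred rule from a deliberate exclusion, and in the meantime neither profile checks that more than one time source is configured. pci-dss.profile also keeps `var_multiple_time_servers=rhel`, which presumably only feeds that rule, so the variable is set with nothing visible here consuming it. I would restore the reason on both lines, e.g. `# - chronyd_specify_multiple_servers # not available for RHEL9 yet, see <tracking-issue>`. The stig.profile hunk has the same gap at `# - chronyd_set_maxpoll # Doesn't exist in RHEL9, but it should`, which states intent without a reference to follow up on.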
supported in RHEL9 ATM ++ # - chronyd_set_maxpoll # Doesn't exist in RHEL9, but it should + + # RHEL-08-030741 + # - chronyd_client_only # not supported in RHEL9 ATM diff --git a/scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch b/scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch new file mode 100644 index 0000000..8d072ad --- /dev/null +++ b/scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch 
@@ -0,0 +1,1052 @@ +From 041e6ff67258af02da7acc4d8c42d3309677ef50 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 14 May 2021 16:01:05 +0200 +Subject: [PATCH 1/5] Enabled integrity-related rules for RHEL9. + +As the product doesn't have fingerprints available, rules have been extended +to build, but to return NOTCHECKED if until the product yaml is updated. +--- + .../updating/ensure_redhat_gpgkey_installed/oval/shared.xml | 3 +++ + .../software/updating/ensure_redhat_gpgkey_installed/rule.yml | 3 ++- + .../software/updating/security_patches_up_to_date/rule.yml | 3 ++- + shared/references/cce-redhat-avail.txt | 2 -- + 4 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml +index 519589c40c3..dd514ad95fc 100644 +--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml ++++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml +@@ -1,3 +1,5 @@ ++{{% if pkg_version %}} ++{{# If pkg_version isn't defined, then the rule should be NOTCHECKED, because we don't have data needed for the check #}} + + + {{{ oval_metadata("The Red Hat release and auxiliary key packages are required to be installed.") }}} +@@ -73,3 +75,4 @@ + {{%- endif %}} + + ++{{% endif %}} +diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml +index 8a7a5e0b9ff..890574b6742 100644 +--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,rhcos4 ++prodtype: rhcos4,rhel7,rhel8,rhel9,rhv4 + + title: 'Ensure Red 
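Review bot: Wrapping the whole definition in `{{% if pkg_version %}}` makes this high-severity key check render to nothing when the product lacks `pkg_version`, and nothing in the rule tells someone reading a scan report why the result is NOTCHECKED. The guard tests only `pkg_version`, while the definition body between the two hunks is not shown and may depend on other product key variables, so that is worth confirming. I would put the Jinja comment above the guard and make it actionable, e.g. `{{# TODO: drop this guard once the rhel9 product yaml defines the release key data #}}`. A `warnings:` entry in this rule's rule.yml stating that the check is not evaluated on products without key data would surface the gap in the generated guide as well.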
Hat GPG Key Installed' + +@@ -35,6 +35,7 @@ severity: high + identifiers: + cce@rhel7: CCE-26957-1 + cce@rhel8: CCE-80795-8 ++ cce@rhel9: CCE-84180-9 + cce@rhcos4: CCE-82754-3 + + references: +diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +index f7b42999a23..00a6e56f47a 100644 +--- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml ++++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu1604,ubuntu1804 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804 + + title: 'Ensure Software Patches Installed' + +@@ -38,6 +38,7 @@ severity: high + identifiers: + cce@rhel7: CCE-26895-3 + cce@rhel8: CCE-80865-9 ++ cce@rhel9: CCE-84185-8 + cce@sle12: CCE-83002-6 + cce@sle15: CCE-83261-8 + +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 4c4f8c3aa36..626849d3f2b 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -506,10 +506,8 @@ CCE-84176-7 + CCE-84177-5 + CCE-84178-3 + CCE-84179-1 +-CCE-84180-9 + CCE-84181-7 + CCE-84183-3 +-CCE-84185-8 + CCE-84186-6 + CCE-84187-4 + CCE-84188-2 + +From d25f7f0a0373492e1e65e959e3e4a7dee401bdd3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 14 May 2021 16:13:14 +0200 +Subject: [PATCH 2/5] Enable service disabled rules for RHEL9. + +Although some of those services are very unlikely to appear on a RHEL9 system, +there is little harm coming from making sure that they are not enabled. 
+--- + .../disable_avahi_group/service_avahi-daemon_disabled/rule.yml | 2 +- + linux_os/guide/services/base/service_abrtd_disabled/rule.yml | 2 +- + linux_os/guide/services/base/service_ntpdate_disabled/rule.yml | 2 +- + linux_os/guide/services/base/service_oddjobd_disabled/rule.yml | 2 +- + linux_os/guide/services/base/service_qpidd_disabled/rule.yml | 3 ++- + linux_os/guide/services/base/service_rdisc_disabled/rule.yml | 2 +- + linux_os/guide/services/base/service_rhnsd_disabled/rule.yml | 2 +- + .../guide/services/cron_and_at/service_atd_disabled/rule.yml | 2 +- + .../dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml | 2 +- + .../dns/disabling_dns_server/service_named_disabled/rule.yml | 2 +- + .../ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml | 2 +- + .../http/disabling_httpd/service_httpd_disabled/rule.yml | 2 +- + .../imap/disabling_dovecot/service_dovecot_disabled/rule.yml | 2 +- + .../disabling_nfs_services/service_rpcbind_disabled/rule.yml | 2 +- + .../disabling_nfsd/service_nfs_disabled/rule.yml | 2 +- + .../obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml | 3 ++- + .../guide/services/obsolete/service_rsyncd_disabled/rule.yml | 2 +- + .../services/obsolete/telnet/service_telnet_disabled/rule.yml | 2 +- + .../guide/services/printing/service_cups_disabled/rule.yml | 2 +- + .../proxy/disabling_squid/service_squid_disabled/rule.yml | 2 +- + .../routing/disabling_quagga/service_zebra_disabled/rule.yml | 3 ++- + .../services/smb/disabling_samba/service_smb_disabled/rule.yml | 2 +- + .../disabling_snmp_service/service_snmpd_disabled/rule.yml | 2 +- + .../permissions/mounting/service_autofs_disabled/rule.yml | 2 +- + 24 files changed, 27 insertions(+), 24 deletions(-) + +diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +index 2371c89fb6b..9254d328436 100644 +--- 
a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml ++++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15 + + title: 'Disable Avahi Server Software' + +diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml +index be6b76c46ad..cacd7eeb3a7 100644 +--- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Disable Automatic Bug Reporting Tool (abrtd)' + +diff --git a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml +index 9ac97104351..8dfbcf5faab 100644 +--- a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Disable ntpdate Service (ntpdate)' + +diff --git a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml +index f4b72c18890..64aa1c45f9e 100644 +--- a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Disable Odd Job Daemon (oddjobd)' + +diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml +index 
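Review bot: `rhel9` is added to `prodtype` here with no `cce@rhel9` identifier, whereas the first patch of this series adds the identifier together with the product for ensure_redhat_gpgkey_installed. The diffstat shows the same one-line change for the other service_*_disabled rules in this commit (abrtd, ntpdate, oddjobd, rdisc, rhnsd, atd, dhcpd, named, vsftpd, httpd, dovecot, rpcbind, nfs and the rest). Unless a later patch assigns them, results for these rules cannot be mapped to a CCE on RHEL9. If the identifiers are deferred on purpose, a line such as `# cce@rhel9: to be assigned` under `identifiers:` would make that visible. The `identifiers:` block of each rule.yml lies outside these hunks, so this needs checking against the full files.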
3fc7c806ff0..badee1af18e 100644 +--- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml +@@ -1,6 +1,7 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8 ++# package is unlikely to appear on a RHEL9 system, don't extend to RHEL10 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Disable Apache Qpid (qpidd)' + +diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml +index 924720cf9cb..772f8c37e68 100644 +--- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Disable Network Router Discovery Daemon (rdisc)' + +diff --git a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml +index c7eae4fb2f9..ba3b04d8811 100644 +--- a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8 ++prodtype: rhel7,rhel8,rhel9 + + title: 'Disable Red Hat Network Service (rhnsd)' + +diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml +index 372329ad749..12bde00f86c 100644 +--- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml ++++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Disable At Service (atd)' + +diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml 
b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +index ab622910ad6..ef7cb53457e 100644 +--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml ++++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,sle15 ++prodtype: rhel7,rhel8,rhel9,sle15 + + title: 'Disable DHCP Service' + +diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +index 67ec760f7fe..ee4527a8953 100644 +--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml ++++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,sle15 ++prodtype: rhel7,rhel8,rhel9,sle15 + + title: 'Disable named Service' + +diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml +index e666b152eea..e6424e0162a 100644 +--- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml ++++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,sle15 ++prodtype: rhel7,rhel8,rhel9,sle15 + + title: 'Disable vsftpd Service' + +diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml +index 54c5c7e338c..10808731308 100644 +--- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml ++++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,sle15 
++prodtype: rhel7,rhel8,rhel9,sle15 + + title: 'Disable httpd Service' + +diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml +index 94441062700..54235dbfe6a 100644 +--- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml ++++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,sle15 ++prodtype: rhel7,rhel8,rhel9,sle15 + + title: 'Disable Dovecot Service' + +diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +index 5908d55e6cf..f7631918fe8 100644 +--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15 + + title: 'Disable rpcbind Service' + +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml +index 2e18c0ba09a..5ecd328720e 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel7,rhel8 ++prodtype: fedora,rhel7,rhel8,rhel9 + + title: 'Disable Network File System (nfs)' + +diff --git 
a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml +index c35040318a3..2c6448da572 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml +@@ -1,6 +1,7 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle15 ++# package is unlikely to appear on a RHEL9 system, don't extend to RHEL10 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Disable xinetd Service' + +diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +index b26b56dec64..dc284c81998 100644 +--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Ensure rsyncd service is diabled' + +diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml +index 049f2a48d58..b6446c2a78b 100644 +--- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4 + + title: 'Disable telnet Service' + +diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml +index 11f30b3f837..71ef701ec8f 100644 +--- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml ++++ 
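Review bot: The new `prodtype` value in service_rsyncd_disabled both re-sorts the list and adds `rhel9`, so a reader has to compare the two sets by hand to confirm no product was dropped; the autofs, sshd_config, home-directory, firewalld, chronyd, xwindows, banner and account hunks later in the series do the same. A product that falls out of `prodtype` unnoticed is no longer covered by the rule, so this is worth making easy to check. In the hunks visible here the sets match apart from `rhel9`, but I would keep the insertion minimal, e.g. `prodtype: rhel7,ol7,rhel8,rhel9,ol8,fedora,rhv4,sle15`, and sort in a separate commit. The context line `title: 'Ensure rsyncd service is diabled'` also carries a typo that ends up in generated reports; `title: 'Ensure rsyncd service is disabled'` would fix it while the file is open.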
b/linux_os/guide/services/printing/service_cups_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,sle15 ++prodtype: rhel7,rhel8,rhel9,sle15 + + title: 'Disable the CUPS Service' + +diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml +index c049dd1849f..1a538ab1e05 100644 +--- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml ++++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15 + + title: 'Disable Squid' + +diff --git a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml +index b8aabc13a8c..8d173cf74f4 100644 +--- a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml ++++ b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml +@@ -1,6 +1,7 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4 ++# package is unlikely to appear on a RHEL9 system, don't extend to RHEL10 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4 + + title: 'Disable Quagga Service' + +diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +index 9360fc5de8b..1dba9883089 100644 +--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml ++++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,sle15 ++prodtype: rhel7,rhel8,rhel9,sle15 + + title: 'Disable Samba' + +diff --git 
a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml +index 506ee9976f2..df46bd44b95 100644 +--- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml ++++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: debian10,debian9,rhel7,rhel8,sle15 ++prodtype: debian10,debian9,rhel7,rhel8,rhel9,sle15 + + title: 'Disable snmpd Service' + +diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml +index f760480a103..e18b2fe0a9f 100644 +--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019,ubuntu1804 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804,wrlinux1019 + + title: 'Disable the Automounter' + + +From c8ac3c49dc377cd487ac15561938de9f1180c92a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 14 May 2021 16:16:43 +0200 +Subject: [PATCH 3/5] Enabled low-level rules for RHEL9. + +File owner-related settings are largery independent from changes in components. 
+--- + .../guide/services/cron_and_at/file_groupowner_cron_d/rule.yml | 2 +- + .../services/cron_and_at/file_groupowner_cron_daily/rule.yml | 2 +- + .../services/cron_and_at/file_groupowner_cron_hourly/rule.yml | 2 +- + .../services/cron_and_at/file_groupowner_cron_monthly/rule.yml | 2 +- + .../services/cron_and_at/file_groupowner_cron_weekly/rule.yml | 2 +- + .../guide/services/cron_and_at/file_groupowner_crontab/rule.yml | 2 +- + linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml | 2 +- + .../guide/services/cron_and_at/file_owner_cron_daily/rule.yml | 2 +- + .../guide/services/cron_and_at/file_owner_cron_hourly/rule.yml | 2 +- + .../guide/services/cron_and_at/file_owner_cron_monthly/rule.yml | 2 +- + .../guide/services/cron_and_at/file_owner_cron_weekly/rule.yml | 2 +- + linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml | 2 +- + .../guide/services/ssh/file_groupowner_sshd_config/rule.yml | 2 +- + linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml | 2 +- + .../file_groupownership_home_directories/rule.yml | 2 +- + .../non-uefi/file_groupowner_grub2_cfg/rule.yml | 2 +- + .../bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml | 2 +- + 17 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml +index 12b3e134b84..bcf17d8d1ba 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Group Who Owns cron.d' + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml +index 81b4dafe7ac..3731bcff80a 100644 +--- 
a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Group Who Owns cron.daily' + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml +index d9d95c54f67..f6be1d8e385 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Group Who Owns cron.hourly' + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml +index bc34431e4a6..823bf13d3a8 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Group Who Owns cron.monthly' + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml +index 6098829df8b..edeef8ff378 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Group Who Owns cron.weekly' + +diff --git 
a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml +index 93469e4e4f0..8c4027198e3 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Group Who Owns Crontab' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml +index 8835efc173e..29df5f3a977 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Owner on cron.d' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml +index 329b6c3948c..f7e7811c8b1 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Owner on cron.daily' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml +index c28cac4d453..04041e13dfe 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Owner on 
cron.hourly' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml +index 20d3604fb0b..46757a03195 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Owner on cron.monthly' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml +index c34295639c3..48f897e4339 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Owner on cron.weekly' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml +index 41857468590..738d9820b7f 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15 ++prodtype: rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Owner on crontab' + +diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml +index 48c52f4f99d..08224309561 100644 +--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml ++++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15,rhcos4 ++prodtype: rhcos4,rhel7,rhel8,rhel9,rhv4,sle15 
+ + title: 'Verify Group Who Owns SSH Server config file' + +diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml +index 8daa499c96f..f69a5a177c0 100644 +--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml ++++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,sle15,rhcos4 ++prodtype: rhcos4,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify Owner on SSH Server config file' + +diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +index 813c109c155..237e7e86c12 100644 +--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary User' + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml +index f66589ce1c2..c0acf9f031e 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify {{{ grub2_boot_path }}}/grub.cfg Group Ownership' + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml 
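Review bot: Enabling file_groupowner_grub2_cfg for `rhel9` assumes that the rule's non-UEFI scoping and `{{{ grub2_boot_path }}}` still select the grub.cfg the system actually boots from; the file_owner_grub2_cfg hunk that follows has the same dependency. The rule body is outside the hunk, so this is a question rather than a finding: if RHEL 9 keeps the effective configuration under the BIOS path on UEFI hosts as well, an applicability check restricted to BIOS would leave those hosts unevaluated. The commit message's reasoning that ownership checks are independent of component changes does not cover that case. I would record the assumption next to the change, e.g. `# rhel9: confirm grub2_boot_path and the non-UEFI applicability match the effective grub.cfg`.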
b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml +index 40bc1115608..94e219fa1ca 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Verify {{{ grub2_boot_path }}}/grub.cfg User Ownership' + + +From 3e3dedd681319fc9952af9e154fb561e882b896b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 14 May 2021 16:25:28 +0200 +Subject: [PATCH 4/5] Enable rules for RHEL9. + +There are indications that those packages/services will continue to be part of RHEL9. +--- + .../guide/services/cron_and_at/service_crond_enabled/rule.yml | 2 +- + .../firewalld_activation/service_firewalld_enabled/rule.yml | 2 +- + .../software/system-tools/package_rear_installed/rule.yml | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +index de8c5504867..d2c99d0d3f9 100644 +--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml ++++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 + + title: 'Enable cron Service' + +diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml +index 535c588bc14..248da74dc9c 100644 +--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml ++++ 
b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,wrlinux1019 + + title: 'Verify firewalld Enabled' + +diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml +index 375301fdb6f..1d0ed040448 100644 +--- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Install rear Package' + + +From 8255e799fb395f544871439d5df731da8aed66b3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 14 May 2021 16:46:57 +0200 +Subject: [PATCH 5/5] Enabled various rules for RHEL9 + +This heterogenous assortment of rules either configures low-level settings that are largely distribution-independent, +or it performs basic configuration of stable components. 
+--- + .../postfix_client/postfix_network_listening_disabled/rule.yml | 2 +- + linux_os/guide/services/mail/service_postfix_enabled/rule.yml | 2 +- + linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml | 2 +- + .../disabling_xwindows/xwindows_runlevel_target/rule.yml | 2 +- + .../system/accounts/accounts-banners/banner_etc_issue/rule.yml | 2 +- + .../system/accounts/accounts-banners/banner_etc_motd/rule.yml | 2 +- + .../set_password_hashing_algorithm_systemauth/rule.yml | 2 +- + .../accounts-physical/require_emergency_target_auth/rule.yml | 2 +- + .../accounts/accounts-physical/require_singleuser_auth/rule.yml | 2 +- + .../account_disable_post_pw_expiration/rule.yml | 2 +- + .../password_storage/no_legacy_plus_entries_etc_group/rule.yml | 2 +- + .../password_storage/no_legacy_plus_entries_etc_passwd/rule.yml | 2 +- + .../password_storage/no_legacy_plus_entries_etc_shadow/rule.yml | 2 +- + .../root_logins/no_shelllogin_for_systemaccounts/rule.yml | 2 +- + .../system/accounts/accounts-session/accounts_tmout/rule.yml | 2 +- + .../accounts_user_interactive_home_directory_exists/rule.yml | 2 +- + .../user_umask/accounts_umask_etc_bashrc/rule.yml | 2 +- + linux_os/guide/system/auditing/grub2_audit_argument/rule.yml | 2 +- + .../system/auditing/grub2_audit_backlog_limit_argument/rule.yml | 2 +- + .../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 2 +- + .../ruleset_modifications/set_firewalld_default_zone/rule.yml | 2 +- + .../wireless_software/wireless_disable_interfaces/rule.yml | 2 +- + linux_os/guide/system/network/network_sniffer_disabled/rule.yml | 2 +- + .../system/permissions/files/no_files_unowned_by_user/rule.yml | 2 +- + .../restrictions/coredumps/disable_users_coredumps/rule.yml | 2 +- + .../software/disk_partitioning/partition_for_var_tmp/rule.yml | 2 +- + .../aide/aide_periodic_cron_checking/rule.yml | 2 +- + 27 files changed, 27 insertions(+), 27 deletions(-) + +diff --git 
a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml +index cea6ebe82bd..be9efe4b409 100644 +--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml ++++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15 + + title: 'Disable Postfix Network Listening' + +diff --git a/linux_os/guide/services/mail/service_postfix_enabled/rule.yml b/linux_os/guide/services/mail/service_postfix_enabled/rule.yml +index c807c0e375f..0906d5202dd 100644 +--- a/linux_os/guide/services/mail/service_postfix_enabled/rule.yml ++++ b/linux_os/guide/services/mail/service_postfix_enabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15 + + title: 'Enable Postfix Service' + +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +index ef9867812c1..5dd9fa6b190 100644 +--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,fedora,sle15 ++prodtype: fedora,rhel7,rhel8,rhel9,sle15 + + title: 'Ensure that chronyd is running under chrony user account' + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml +index 6a7fcbf095c..e64ddd91807 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml ++++ 
b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,sle12,sle15,rhv4 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Disable X Windows Startup By Setting Default Target' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml +index 5a462ee0163..75453bc8beb 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'Modify the System Login Banner' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +index 2c735ad0d41..190e5a8599a 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,wrlinux1019 + + title: 'Modify the System Message of the Day Banner' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +index 947de262c31..b0ecbd2bf1e 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12,sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: "Set PAM's Password Hashing Algorithm" + +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +index 76cbe0b7e97..bc8c0a224b1 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Require Authentication for Emergency Systemd Target' + +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +index 3f8b43cc17b..3dee04454c3 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,wrlinux1019 + + title: 'Require Authentication for Single User Mode' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +index 7d9b9bc99cc..0c538123879 100644 +--- 
a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12,sle15 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'Set Account Expiration Following Inactivity' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml +index ba40c093df4..f9799183e0c 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Ensure there are no legacy + NIS entries in /etc/group' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml +index ef2266df268..1703c8b7ff4 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Ensure there are no legacy + NIS 
entries in /etc/passwd' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml +index 687bbde8a1f..94ba6160154 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Ensure there are no legacy + NIS entries in /etc/shadow' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml +index cc86a6e7b71..65e41ca5c18 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,sle15 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15 + + title: 'Ensure that System Accounts Do Not Run a Shell Upon Login' + +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +index 2a4a2a2f717..5130296ad98 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019,rhcos4 
++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'Set Interactive Session Timeout' + +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +index 11ebca78867..ac541680fa7 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'All Interactive Users Home Directories Must Exist' + +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +index 5b0676910b3..d9afad723ef 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,sle15 ++prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15 + + title: 'Ensure the Default Bash Umask is Set Correctly' + +diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +index 35d93371321..9f8823ad464 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 
'Enable Auditing for Processes Which Start Prior to the Audit Daemon' + +diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +index f087d384578..aab1e2f8cff 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,sle15 + + title: 'Extend Audit Backlog Limit for the Audit Daemon' + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +index 9f4fd1b1460..522da853ab5 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'Set Boot Loader Password in grub2' + +diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml +index 60520b21c1f..636e30e3e1f 100644 +--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml ++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15 + + title: 'Set Default firewalld Zone for Incoming Packets' + +diff --git 
a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +index 37483573a33..1a7b2c785ff 100644 +--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml ++++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,sle12 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Deactivate Wireless Network Interfaces' + +diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml +index 69f20153097..9b1e0b4f69d 100644 +--- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml ++++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12,sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'Ensure System is Not Acting as a Network Sniffer' + +diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +index 81823ab138c..1169d757fd0 100644 +--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml ++++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'Ensure All Files Are Owned by a User' + +diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml 
b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml +index c140e11271f..dd32d225db8 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,sle15 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15 + + title: 'Disable Core Dumps for All Users' + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +index 52a1a9bf785..efb2e8fa203 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhcos4,sle15,ubuntu1804 ++prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15,ubuntu1804 + + title: 'Ensure /var/tmp Located On Separate Partition' + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +index c3f7dedb33f..998a9780b75 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,wrlinux1019 + + title: 'Configure Periodic Execution of AIDE' + 
diff --git a/scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch b/scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch
new file mode 100644
index 0000000..392daec
--- /dev/null
+++ b/scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch
@@ -0,0 +1,815 @@
+From b1ee8de3856252e2052bee8f5dd2aaaee5dcc95b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Thu, 20 May 2021 11:33:52 +0200
+Subject: [PATCH 1/8] Enable update-related rules for RHEL9.
+
+---
+ .../software/updating/dnf-automatic_apply_updates/rule.yml | 2 +-
+ .../software/updating/package_dnf-automatic_installed/rule.yml | 2 +-
+ .../software/updating/timer_dnf-automatic_enabled/rule.yml | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
+index 8b0343a52ec..7a10f5dd9ed 100644
+--- a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
++++ b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol8,rhel8
++prodtype: fedora,ol8,rhel8,rhel9
+
+ title: Configure dnf-automatic to Install Available Updates Automatically
+
+diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
+index 8b332b800c7..0bdace740b4 100644
+--- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
++++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol8,rhel8
++prodtype: fedora,ol8,rhel8,rhel9
+
+ title: 'Install dnf-automatic Package'
+
+diff --git a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
+index 1c51fe22471..07aa5c3575b 100644
+--- a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
++++ b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol8,rhel8
++prodtype: fedora,ol8,rhel8,rhel9
+
+ title: Enable dnf-automatic Timer
+
+
+From 55bc57583158dc7c8080fdfd41b2c7ee4ddb677f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Thu, 20 May 2021 11:45:02 +0200
+Subject: [PATCH 2/8] Enable AIDE rules for RHEL9.
+
+The component hasn't changed observably wrt our rules.
+---
+ .../certified-vendor/installed_OS_is_FIPS_certified/rule.yml | 2 +-
+ .../software-integrity/aide/aide_build_database/rule.yml | 2 +-
+ .../software-integrity/aide/aide_scan_notification/rule.yml | 2 +-
+ .../software-integrity/aide/aide_use_fips_hashes/rule.yml | 2 +-
+ .../integrity/software-integrity/aide/aide_verify_acls/rule.yml | 2 +-
+ .../software-integrity/aide/aide_verify_ext_attributes/rule.yml | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
+index 07d55e58e55..012fe8f6edd 100644
+--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux8,ubuntu1604,ubuntu1804,ubuntu2004,wrlinux1019
++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux8,ubuntu1604,ubuntu1804,ubuntu2004,wrlinux1019
+
+ title: 'The Installed Operating System Is FIPS 140-2 Certified'
+
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
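Review bot: The `prodtype` line in installed_OS_is_FIPS_certified/rule.yml enables a rule titled 'The Installed Operating System Is FIPS 140-2 Certified' for rhel9, but the commit's stated justification ("Enable AIDE rules", component unchanged) is about AIDE and does not cover a certification claim. Whether the rule's check recognises RHEL 9, and which FIPS 140 revision applies to it, cannot be seen from this hunk, so until that is confirmed a result for this rule on RHEL 9 should not be read as evidence of validation status. I would move this line to its own commit and add a YAML comment above it such as `# rhel9: enabled ahead of validation; confirm the check's release list and the applicable FIPS 140 revision`. The list is also left unsorted here, unlike the `prodtype` lines in the neighbouring hunks.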
b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +index 175c997d508..6c0ee2e4c7b 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: debian9,debian10,fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 ++prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'Build and Test AIDE Database' + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +index 24d3f8e1c24..a73fb0a39ad 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,wrlinux1019 + + title: 'Configure Notification of Post-AIDE Scan Details' + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml +index 1f86ed8a973..c982b8fde2e 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4 + + title: 'Configure AIDE to Use FIPS 140-2 for Validating Hashes' + +diff --git 
a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml +index 144c0645503..f527068022a 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Configure AIDE to Verify Access Control Lists (ACLs)' + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +index b5bcd202dea..7961f3b5a67 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Configure AIDE to Verify Extended Attributes' + + +From 5425108a0a88ba36b422ee2a1f672f301531c167 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 20 May 2021 15:44:41 +0200 +Subject: [PATCH 3/8] Enabled package installed rules for RHEL9. + +Packages are likely to exist in RHEL9. 
+--- + .../disabling_xwindows/xwindows_remove_packages/rule.yml | 2 +- + .../smart_card_login/install_smartcard_packages/rule.yml | 2 +- + .../smart_card_login/package_opensc_installed/rule.yml | 2 +- + .../system/auditing/package_audispd-plugins_installed/rule.yml | 2 +- + .../package_policycoreutils-python-utils_installed/rule.yml | 2 +- + .../system/selinux/package_policycoreutils_installed/rule.yml | 2 +- + .../software/system-tools/package_rng-tools_installed/rule.yml | 2 +- + 7 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml +index 2f9dfc1b039..031d63ba778 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Disable graphical user interface' + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +index 85260712c6f..652e9287759 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +@@ -8,7 +8,7 @@ + + documentation_complete: true + +-prodtype: fedora,ol7,rhel7,rhel8,sle12,sle15 ++prodtype: fedora,ol7,rhel7,rhel8,rhel9,sle12,sle15 + + title: 'Install Smart Card Packages For Multifactor Authentication' + +diff --git 
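Review bot: install_smartcard_packages/rule.yml is the only file in this commit whose hunk starts at line 8 (`@@ -8,7 +8,7 @@`), so seven lines above `documentation_complete` lie outside the hunk; if they choose the package list per product (presumably a template block, not visible here), `rhel9` has to be checked against them and not only appended to `prodtype`. The commit message itself says the packages are only "likely to exist", and an install rule that names a package missing from the target would leave the rule unsatisfiable and its remediation failing. A short comment above the changed line, e.g. `# rhel9: package names carried over from rhel8, not yet verified`, would record that, and the same applies to the other six rules enabled in this commit.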
a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml +index df01a282459..a55409d9e8f 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 + + title: 'Install the opensc Package For Multifactor Authentication' + +diff --git a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml +index 8ed5af7070a..6d96d340a33 100644 +--- a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml ++++ b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4 + + title: 'Install audispd-plugins Package' + +diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml +index 6c23fae18ab..a18a57dcbb3 100644 +--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml ++++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8 ++prodtype: ol8,rhel8,rhel9 + + title: 'Install policycoreutils-python-utils package' + +diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml 
b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml +index b9fcc6a889e..acce754e9d2 100644 +--- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml ++++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 + + title: 'Install policycoreutils Package' + +diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml +index 7d25f41fb98..f0ca76b6953 100644 +--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 + + title: 'Install rng-tools Package' + + +From ef063898277b53e35db6f3b54604583c3512ff46 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 20 May 2021 16:07:18 +0200 +Subject: [PATCH 4/8] Enabled service-related rules for RHEL9. 
+ +--- + linux_os/guide/services/base/service_kdump_disabled/rule.yml | 2 +- + linux_os/guide/services/rng/service_rngd_enabled/rule.yml | 2 +- + linux_os/guide/services/ssh/service_sshd_enabled/rule.yml | 2 +- + .../coredumps/service_systemd-coredump_disabled/rule.yml | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml +index 8a12fd05711..1bb014b5993 100644 +--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'Disable KDump Kernel Crash Analyzer (kdump)' + +diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml +index 5d47b5d69b3..4f1e4d85197 100644 +--- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml ++++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol8,rhel8 ++prodtype: fedora,ol8,rhcos4,rhel8,rhel9 + + title: 'Enable the Hardware RNG Entropy Gatherer Service' + +diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml +index 548750d0f61..a7aaa4f3f9c 100644 +--- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml ++++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'Enable the OpenSSH Service' + +diff --git 
a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml +index a2e1affd89d..baa8a448026 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol8,rhel8 ++prodtype: fedora,ol8,rhcos4,rhel8,rhel9 + + title: 'Disable acquiring, saving, and processing core dumps' + + +From ce273a6e9a50893d6cd2d623b74d30cba5c5ad8c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 20 May 2021 17:13:54 +0200 +Subject: [PATCH 5/8] More various rules. + +--- + .../files/dir_perms_world_writable_root_owned/rule.yml | 2 +- + .../software/disk_partitioning/encrypt_partitions/rule.yml | 6 ++++-- + .../installed_OS_is_vendor_supported/rule.yml | 4 ++-- + .../crypto/configure_openssl_tls_crypto_policy/rule.yml | 2 +- + .../rule.yml | 2 +- + .../system/software/sudo/sudoers_validate_passwd/rule.yml | 2 +- + .../updating/clean_components_post_updating/rule.yml | 2 +- + 7 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml +index 9714947ae47..0a4232cae38 100644 +--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,wrlinux1019 + + title: 'Ensure All World-Writable Directories Are Owned by root user' + +diff --git 
a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +index 7730800a0e8..ef544f33d48 100644 +--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15 ++prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Encrypt Partitions' + +@@ -37,8 +37,10 @@ description: |- + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/install/ol8-install-basic.html#install-storage-network") }}}. + {{% elif product in ["sle12", "sle15"] %}} + {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}} +- {{% else %}} ++ {{% elif product == "rhel7" %}} + {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}. ++ {{% else %}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}. 
+ {{% endif %}} + + rationale: |- +diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +index ac76ba7c5a0..8a36d5691b7 100644 +--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 + + title: 'The Installed Operating System Is Vendor Supported' + +@@ -56,7 +56,7 @@ ocil_clause: 'the installed operating system is not supported' + ocil: |- + To verify that the installed operating system is supported, run + the following command: +-{{% if product in ["rhel7", "rhel8"] %}} ++{{% if product.startswith("rhel") %}} +
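Review bot: The new `{{% else %}}` branch in encrypt_partitions/rule.yml sends every product not matched by the branches above it, rhel9 included, to the RHEL 8 security_hardening LUKS page, so the disk-encryption guidance shown for RHEL 9 depends on a version-specific URL that nothing in the file marks as a stand-in. I would add a template comment directly above the branch, `{{# Fallback: RHEL 8 guide, also used for rhel9 until a RHEL 9 LUKS guide is available #}}`, so the link is revisited when the product documentation exists. The `description` block and the start of this conditional are outside the hunk, so the earlier branches are only partly visible here.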
$ grep -i "red hat" /etc/redhat-release
+ {{% elif product in ["ol7", "ol8"] %}} +
$ grep -i "oracle" /etc/oracle-release
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml +index c4637d39fed..dfe105771cc 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8 ++prodtype: rhel8,rhel9 + + title: 'Configure OpenSSL library to use TLS Encryption' + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +index 4b01cb39e1a..930915327e0 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + title: 'The operating system must restrict privilege elevation to authorized personnel' + +-prodtype: ol7,ol8,rhel7,rhel8,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15 + + description: |- + The sudo command allows a user to execute programs with elevated +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml +index eede35be8a1..d17f33852db 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + title: 'Ensure invoking users password for privilege escalation when using sudo' + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,sle15 + + description: |- + The sudoers security policy requires that users 
authenticate themselves before they can use sudo. +diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml +index 34723d0e2a5..d0289b311c6 100644 +--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml ++++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Ensure {{{ pkg_manager }}} Removes Previous Package Versions' + + +From 255ee86df41e9d5e8ee427ff28e214833796f156 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 20 May 2021 17:15:51 +0200 +Subject: [PATCH 6/8] Enabled zIPL rules for RHEL9. + +There are indications that zIPL will remain the default bootloader for x390, and the project is very conservative. +--- + .../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml | 2 +- + .../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 +- + .../guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 2 +- + .../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 2 +- + .../system/bootloader-zipl/zipl_page_poison_argument/rule.yml | 2 +- + .../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 +- + .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 2 +- + 7 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +index c2fb5ba678c..987a42d31ec 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhcos4 ++prodtype: rhcos4,rhel8,rhel9 + + 
title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL' + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +index 6548c352acc..cfb8c08f31d 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhcos4 ++prodtype: rhcos4,rhel8,rhel9 + + title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL' + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +index c3f032d8cbb..b8b025f74f4 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhcos4 ++prodtype: rhcos4,rhel8,rhel9 + + title: 'Ensure all zIPL boot entries are BLS compliant' + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml +index 13192cd8ca5..c8133e19ab4 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhcos4 ++prodtype: rhcos4,rhel8,rhel9 + + title: 'Ensure zIPL bootmap is up to date' + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +index 42c1c8aecd5..c626f6188cd 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml ++++ 
b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhcos4 ++prodtype: rhcos4,rhel8,rhel9 + + title: 'Enable page allocator poisoning in zIPL' + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +index 2f9b04f7a27..d266165cddc 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhcos4 ++prodtype: rhcos4,rhel8,rhel9 + + title: 'Enable SLUB/SLAB allocator poisoning in zIPL' + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +index f90a0fb4141..387f7f13850 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhcos4 ++prodtype: rhcos4,rhel8,rhel9 + + title: 'Disable vsyscalls in zIPL' + + +From 807dbda2042184d6d2e602506e846bb3a19a775d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 20 May 2021 17:40:30 +0200 +Subject: [PATCH 7/8] Enabled more audit rules for RHEL9. + +Component maintainers have reported that there are no breaking changes in the audit configuration. 
+--- + .../system/auditing/policy_rules/audit_access_failed/rule.yml | 2 +- + .../system/auditing/policy_rules/audit_access_success/rule.yml | 2 +- + .../auditing/policy_rules/audit_basic_configuration/rule.yml | 2 +- + .../system/auditing/policy_rules/audit_create_failed/rule.yml | 2 +- + .../system/auditing/policy_rules/audit_create_success/rule.yml | 2 +- + .../system/auditing/policy_rules/audit_delete_failed/rule.yml | 2 +- + .../system/auditing/policy_rules/audit_delete_success/rule.yml | 2 +- + .../auditing/policy_rules/audit_immutable_login_uids/rule.yml | 2 +- + .../system/auditing/policy_rules/audit_modify_failed/rule.yml | 2 +- + .../system/auditing/policy_rules/audit_modify_success/rule.yml | 2 +- + .../system/auditing/policy_rules/audit_module_load/rule.yml | 2 +- + .../system/auditing/policy_rules/audit_ospp_general/rule.yml | 2 +- + .../auditing/policy_rules/audit_owner_change_failed/rule.yml | 2 +- + .../auditing/policy_rules/audit_owner_change_success/rule.yml | 2 +- + .../auditing/policy_rules/audit_perm_change_failed/rule.yml | 2 +- + .../auditing/policy_rules/audit_perm_change_success/rule.yml | 2 +- + 16 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml +index 458ac7e0ae6..a0d856b023b 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of unsuccessful file accesses' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml +index 064618716e8..6f79a5cf04a 100644 +--- 
a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of successful file accesses' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml +index cce5e83fd6e..bd5d6455351 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure basic parameters of Audit system' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml +index 92800b472c7..b2f731d11ba 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of unsuccessful file creations' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml +index 59db7b10073..a03a7f3b715 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of successful file creations' + +diff --git 
a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml +index 2f67a150dc5..d4bd88e6cfc 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of unsuccessful file deletions' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml +index f54899fb842..6c05a736e39 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of successful file deletions' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml +index 073f29c9fe6..34e9fc134e0 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure immutable Audit login UIDs' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml +index 51f9d76f06d..2d0f7cf9da3 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml +@@ -1,6 +1,6 
@@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of unsuccessful file modifications' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml +index b51acc04dcb..28045878a69 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of successful file modifications' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml +index 20bfca83eee..d764e384ea2 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of loading and unloading of kernel modules' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml +index fbf7473cc4c..0a41ece25fc 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Perform general configuration of Audit for OSPP' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml +index 
b0052f8b645..a95c0146b11 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of unsuccessful ownership changes' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml +index 3657a32fc3a..4133eb193f2 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of successful ownership changes' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml +index 477c74282d0..47f248a2b36 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of unsuccessful permission changes' + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml +index 53ecf9d589a..5017b17849b 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: 
ol8,rhcos4,rhel8,rhel9 + + title: 'Configure auditing of successful permission changes' + + +From 65b2fe65e7143d38f46f782d7e0d49738ad7dd76 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 20 May 2021 17:46:00 +0200 +Subject: [PATCH 8/8] Enabled Grub cmdline rules for RHEL9. + +Those rules are not very specific - they perform basic configuration of kernel parameters. +--- + .../system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml | 2 +- + .../guide/system/bootloader-grub2/grub2_pti_argument/rule.yml | 2 +- + .../system/bootloader-grub2/grub2_vsyscall_argument/rule.yml | 2 +- + .../restrictions/poisoning/grub2_page_poison_argument/rule.yml | 2 +- + .../restrictions/poisoning/grub2_slub_debug_argument/rule.yml | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +index 39f1bbe285c..03f56b8031d 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8 ++prodtype: ol8,rhel8,rhel9 + + title: 'Configure kernel to trust the CPU random number generator' + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +index 1516972d72c..f186b1ae6e7 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol8,rhel8 ++prodtype: fedora,ol8,rhel8,rhel9 + + title: 'Enable Kernel Page-Table Isolation (KPTI)' + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml 
b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +index 9ad81924ceb..0b5873c56a2 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Disable vsyscalls' + +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +index 820e4799f87..9b18bee588f 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Enable page allocator poisoning' + +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +index 182a0cc507c..f6059044f14 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Enable SLUB/SLAB allocator poisoning' + diff --git a/scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch b/scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch new file mode 100644 index 0000000..14e8844 --- /dev/null +++ b/scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch 
@@ -0,0 +1,141 @@ +From a6bd844c52ccadae91ebcb7c252cf4a153522776 Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Wed, 30 Jun 2021 15:10:13 +0200 +Subject: [PATCH] Enable templates for RHEL9. + +Concerned templates are low-level, underlying components are stable. +--- + shared/templates/audit_rules_file_deletion_events/bash.template | 2 +- + shared/templates/audit_rules_login_events/bash.template | 2 +- + shared/templates/audit_rules_path_syscall/bash.template | 2 +- + shared/templates/audit_rules_privileged_commands/bash.template | 2 +- + .../audit_rules_unsuccessful_file_modification/bash.template | 2 +- + shared/templates/grub2_bootloader_argument/bash.template | 2 +- + shared/templates/kernel_module_disabled/ansible.template | 2 +- + shared/templates/mount/anaconda.template | 2 +- + shared/templates/mount_option/anaconda.template | 2 +- + .../mount_option_removable_partitions/anaconda.template | 2 +- + shared/templates/zipl_bls_entries_option/ansible.template | 2 +- + shared/templates/zipl_bls_entries_option/bash.template | 2 +- + 12 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template +index c387624cfb..851b0fd43e 100644 +--- a/shared/templates/audit_rules_file_deletion_events/bash.template ++++ b/shared/templates/audit_rules_file_deletion_events/bash.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + + # Include source function library. + . 
/usr/share/scap-security-guide/remediation_functions +diff --git a/shared/templates/audit_rules_login_events/bash.template b/shared/templates/audit_rules_login_events/bash.template +index 065e8bb288..69e8be9c50 100644 +--- a/shared/templates/audit_rules_login_events/bash.template ++++ b/shared/templates/audit_rules_login_events/bash.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions +diff --git a/shared/templates/audit_rules_path_syscall/bash.template b/shared/templates/audit_rules_path_syscall/bash.template +index c3d31aade9..656d168ddd 100644 +--- a/shared/templates/audit_rules_path_syscall/bash.template ++++ b/shared/templates/audit_rules_path_syscall/bash.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions +diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template +index 42e12671ac..85dbc9b828 100644 +--- a/shared/templates/audit_rules_privileged_commands/bash.template ++++ b/shared/templates/audit_rules_privileged_commands/bash.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + + # Include source function library. + . 
/usr/share/scap-security-guide/remediation_functions +diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template +index e89ac0749c..daf146f7eb 100644 +--- a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template ++++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions +diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template +index bac84526ee..965fe5bac0 100644 +--- a/shared/templates/grub2_bootloader_argument/bash.template ++++ b/shared/templates/grub2_bootloader_argument/bash.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + + {{% if product in ["rhel7", "ol7"] %}} + {{% if '/' in ARG_NAME %}} +diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template +index 72f7ae18bf..2526baf737 100644 +--- a/shared/templates/kernel_module_disabled/ansible.template ++++ b/shared/templates/kernel_module_disabled/ansible.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle + # reboot = true + # 
strategy = disable + # complexity = low +diff --git a/shared/templates/mount/anaconda.template b/shared/templates/mount/anaconda.template +index 5093c926da..fdcb4ee3e8 100644 +--- a/shared/templates/mount/anaconda.template ++++ b/shared/templates/mount/anaconda.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + # reboot = false + # strategy = enable + # complexity = low +diff --git a/shared/templates/mount_option/anaconda.template b/shared/templates/mount_option/anaconda.template +index 0a54865e12..083b0ef008 100644 +--- a/shared/templates/mount_option/anaconda.template ++++ b/shared/templates/mount_option/anaconda.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + # reboot = false + # strategy = enable + # complexity = low +diff --git a/shared/templates/mount_option_removable_partitions/anaconda.template b/shared/templates/mount_option_removable_partitions/anaconda.template +index b4510ae804..8665fb913a 100644 +--- a/shared/templates/mount_option_removable_partitions/anaconda.template ++++ b/shared/templates/mount_option_removable_partitions/anaconda.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + # reboot = false + # strategy = enable + # complexity = low +diff --git a/shared/templates/zipl_bls_entries_option/ansible.template b/shared/templates/zipl_bls_entries_option/ansible.template +index 7e73d391de..336775e4f8 100644 +--- 
a/shared/templates/zipl_bls_entries_option/ansible.template ++++ b/shared/templates/zipl_bls_entries_option/ansible.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 8 ++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 + # reboot = true + # strategy = configure + # complexity = medium +diff --git a/shared/templates/zipl_bls_entries_option/bash.template b/shared/templates/zipl_bls_entries_option/bash.template +index 81bbb7884b..25cd7432c9 100644 +--- a/shared/templates/zipl_bls_entries_option/bash.template ++++ b/shared/templates/zipl_bls_entries_option/bash.template +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 8 ++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 + + # Correct BLS option using grubby, which is a thin wrapper around BLS operations + grubby --update-kernel=ALL --args="{{{ ARG_NAME }}}={{{ ARG_VALUE }}}" diff --git a/scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch b/scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch new file mode 100644 index 0000000..d633eaf --- /dev/null +++ b/scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch 
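Review bot: The platform headers in the templates patch end up in two styles: ten templates switch to `multi_platform_rhel`, while both `zipl_bls_entries_option` templates enumerate `Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9`. `multi_platform_rhel` presumably also matches RHEL releases on which these audit, mount and bootloader remediations were never tried, whereas the patch message argues stability only for RHEL9. I would enumerate the releases everywhere, e.g. `# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora,multi_platform_ol,multi_platform_rhv`, or use `multi_platform_rhel` in the zIPL templates too. In `grub2_bootloader_argument/bash.template` the body still branches on `product in ["rhel7", "ol7"]`, so RHEL9 takes the other branch, which lies outside the hunk and should be checked.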
@@ -0,0 +1,206 @@ +From 5d3bcea7c2927f449fbd82074a62425bad89e605 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Sun, 30 May 2021 19:16:11 +0100 +Subject: [PATCH 1/5] Add sudo custom logfile control for RHEL 8 CIS + +--- + .../sudo/sudo_custom_logfile/rule.yml | 20 +++++++++++++++++++ + .../system/software/sudo/var_sudo_logfile.var | 16 +++++++++++++++ + rhel8/profiles/cis.profile | 2 +- + 3 files changed, 37 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml + create mode 100644 linux_os/guide/system/software/sudo/var_sudo_logfile.var + +diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +new file mode 100644 +index 00000000000..5571c92a679 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +@@ -0,0 +1,20 @@ ++documentation_complete: true ++ ++title: 'Ensure Sudo Logfile Exists - sudo logfile' ++ ++description: |- ++ A custom logfile can be configured for sudo with the logfile tag. ++ ++rationale: |- ++ A sudo log file simplifies auditing of sudo commands. ++ ++severity: medium ++ ++identifiers: ++ cis@rhel8: 1.3.3 ++ ++template: ++ name: sudo_defaults_option ++ vars: ++ option: logfile ++ variable_name: var_sudo_logfile +diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var +new file mode 100644 +index 00000000000..65b23b5f3c2 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var +@@ -0,0 +1,16 @@ ++documentation_complete: true ++ ++title: 'Sudo - logfile value' ++ ++description: |- ++ Specify the sudo logfile to use. The default value used here matches the example ++ location from CIS, which uses /var/log/sudo.log. 
++ ++interactive: false ++ ++type: string ++ ++operator: equals ++ ++options: ++ default: "/var/log/sudo.log" +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index ec9cbfa0a3d..411083d6e71 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -132,7 +132,7 @@ selections: + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5220 + + ### 1.3.3 Ensure sudo log file exists (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5221 ++ - sudo_custom_logfile + + ## 1.4 Filesystem Integrity Checking + + +From da0883992ba7e712f805b86e5b7c96162aed93ec Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Sun, 30 May 2021 20:46:58 +0100 +Subject: [PATCH 2/5] Update rule with OCIL parameters + +--- + .../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +index 5571c92a679..de0ecb98a76 100644 +--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +@@ -8,11 +8,18 @@ description: |- + rationale: |- + A sudo log file simplifies auditing of sudo commands. + +-severity: medium ++severity: low + + identifiers: + cis@rhel8: 1.3.3 + ++ocil_clause: 'logfile is not enabled in sudo' ++ ++ocil: |- ++ To determine if logfile has been configured for sudo, run the following command: ++
$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
++ The command should return a matching output. ++ + template: + name: sudo_defaults_option + vars: + +From 2b6721b3e3858d75f27d7ad8395a79a1ce68bc73 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Mon, 31 May 2021 11:44:13 +0100 +Subject: [PATCH 3/5] Use references field for CIS rather than identifiers + +--- + .../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +index de0ecb98a76..afce7f1867c 100644 +--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +@@ -10,7 +10,7 @@ rationale: |- + + severity: low + +-identifiers: ++references: + cis@rhel8: 1.3.3 + + ocil_clause: 'logfile is not enabled in sudo' + +From ee4ed67f0f9e246b20098d60efed7e20bc7b7a13 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 1 Jun 2021 11:28:08 +0100 +Subject: [PATCH 4/5] Add missing CCE identifiers to sudo logfile rule + +--- + .../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++- + shared/references/cce-redhat-avail.txt | 2 -- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +index afce7f1867c..d08b7891293 100644 +--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +@@ -3,14 +3,21 @@ documentation_complete: true + title: 'Ensure Sudo Logfile Exists - sudo logfile' + + description: |- +- A custom logfile can be configured for sudo with the logfile tag. ++ A custom log sudo file can be configured with the 'logfile' tag. 
This rule configures ++ a sudo custom logfile at the default location suggested by CIS, which uses ++ /var/log/sudo.log. + + rationale: |- + A sudo log file simplifies auditing of sudo commands. + + severity: low + ++identifiers: ++ cce@rhel7: CCE-83600-7 ++ cce@rhel8: CCE-83601-5 ++ + references: ++ cis@rhel7: 5.2.3 + cis@rhel8: 1.3.3 + + ocil_clause: 'logfile is not enabled in sudo' +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index ae54d0ee0b2..e74b6779509 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -94,8 +94,6 @@ CCE-83594-2 + CCE-83595-9 + CCE-83596-7 + CCE-83599-1 +-CCE-83600-7 +-CCE-83601-5 + CCE-83606-4 + CCE-83608-0 + CCE-83609-8 + +From 298533e0e7360752737b24deb07903c04b33bc21 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 1 Jun 2021 16:19:45 +0100 +Subject: [PATCH 5/5] Allow users to override sudo logfile location with + tailoring + +--- + linux_os/guide/system/software/sudo/var_sudo_logfile.var | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var +index 65b23b5f3c2..7c5d02d37eb 100644 +--- a/linux_os/guide/system/software/sudo/var_sudo_logfile.var ++++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var +@@ -6,7 +6,7 @@ description: |- + Specify the sudo logfile to use. The default value used here matches the example + location from CIS, which uses /var/log/sudo.log. + +-interactive: false ++interactive: true + + type: string + diff --git a/scap-security-guide.spec b/scap-security-guide.spec index f180b0b..1f2b8d5 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec 
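Review bot: The manual check that PATCH 2/5 adds to `sudo_custom_logfile/rule.yml` uses `[\s]`, which inside a bracket expression matches a backslash or the letter `s` rather than whitespace. An indented `Defaults ... logfile=...` line is therefore not found, and a correctly configured host looks unconfigured to whoever follows the OCIL text. I would write the command as `$ sudo grep -ri "^[[:space:]]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/`. The pattern also appears to accept a negated entry such as `Defaults !logfile`, so the sentence "The command should return a matching output" should tell the reader to confirm that the match assigns a path. The automated check comes from the `sudo_defaults_option` template, which is not part of this patch, so whether it shares either problem cannot be told from here.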
@@ -5,13 +5,18 @@ Name: scap-security-guide Version: 0.1.56 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 Patch1: scap-security-guide-0.1.57-build-system-pr-7025.patch Patch2: scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch +Patch3: scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch +Patch4: scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch +Patch5: scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch +Patch6: scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch +Patch7: scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch BuildArch: noarch BuildRequires: libxslt @@ -44,6 +49,8 @@ The %{name}-doc package contains HTML formatted documents containing hardening guidances that have been generated from XCCDF benchmarks present in %{name} package. +# Temporarily needed to apply the profile stub patch (identifiers were sorted) +%global _default_patch_fuzz 1 %prep %autosetup -p1 @@ -74,6 +81,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %doc %{_docdir}/%{name}/tables/*.html %changelog +* Mon Jun 28 2021 Matej Tyc - 0.1.56-2 +- Enable more RHEL9 rules and introduce RHEL9 profile stubs + * Wed May 19 2021 Jan Černý - 0.1.56-1 - Upgrade to the latest upstream release - remove README.md and Contributors.md
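Review bot: `%global _default_patch_fuzz 1` in the second hunk relaxes context matching for all seven patches that `%autosetup -p1` applies, not only for the profile stub patch the comment names. With fuzz, a hunk whose context no longer matches can still land, so in the profile files a rule selection could be added or left commented out in the wrong place without the build failing. I would regenerate `Patch6` against the 0.1.56 sources so that it applies cleanly, then drop the macro. If it has to stay for now, the comment should name the patch and the removal condition, for example `# Fuzz needed only for Patch6 (rhel9_profile_stubs); remove once the patch is rebased`.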