+- $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
++ $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-10
+
+ rationale: |-
+ Changes to software components can have significant effects on the overall
+@@ -41,8 +41,8 @@ ocil: |-
+ To ensure that the GPG key is installed, run:
+ $ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
+ The command should return the string below:
+- AlmaLinux OS 9 <packager@almalinux.org> public key
++ AlmaLinux OS 10 <packager@almalinux.org> public key
+
+ fixtext: |-
+ Install {{{ full_name }}} GPG key. Run the following command:
+- $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
++ $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-10
+diff --git a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/tests/key_installed.pass.sh b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/tests/key_installed.pass.sh
+index 87b82cb01..ba588f308 100644
+--- a/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/tests/key_installed.pass.sh
++++ b/linux_os/guide/system/software/updating/ensure_almalinux_gpgkey_installed/tests/key_installed.pass.sh
+@@ -1,5 +1,5 @@
+ #!/bin/bash
+ #
+-# platform = AlmaLinux OS 9
++# platform = AlmaLinux OS 10
+
+-rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
++rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-10
+diff --git a/products/almalinux10/CMakeLists.txt b/products/almalinux10/CMakeLists.txt
+new file mode 100644
+index 000000000..1284434a2
+--- /dev/null
++++ b/products/almalinux10/CMakeLists.txt
+@@ -0,0 +1,26 @@
++# Sometimes our users will try to do: "cd almalinux10; cmake ." That needs to error in a nice way.
++if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
++ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
++endif()
++
++set(PRODUCT "almalinux10")
++
++ssg_build_product(${PRODUCT})
++
++ssg_build_html_cce_table(${PRODUCT})
++
++ssg_build_html_srgmap_tables(${PRODUCT})
++
++if(SSG_SRG_XLSX_EXPORT)
++ ssg_build_xlsx_srg_export(${PRODUCT} "srg_gpos")
++endif()
++
++#ssg_build_html_stig_tables(${PRODUCT})
++#ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")
++#ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig_gui")
++
++#ssg_build_html_stig_tables(${PRODUCT} "ospp")
++
++if(SSG_CENTOS_DERIVATIVES_ENABLED)
++ ssg_build_derivative_product(${PRODUCT} "centos" "cs10")
++endif()
+diff --git a/products/almalinux10/overlays/srg_support.xml b/products/almalinux10/overlays/srg_support.xml
+new file mode 100644
+index 000000000..6e0a0ab8c
+--- /dev/null
++++ b/products/almalinux10/overlays/srg_support.xml
+@@ -0,0 +1,173 @@
++
++Documentation to Support DISA OS SRG Mapping
++These groups exist to document how the AlmaLinux OS
++product meets (or does not meet) requirements listed in the DISA OS SRG, for
++those cases where Groups or Rules elsewhere in scap-security-guide do
++not clearly relate.
++
++
++
++
++
++Product Meets this Requirement
++
++AlmaLinux OS meets this requirement through design and implementation.
++
++AlmaLinux OS 10 supports this requirement and cannot be configured to be out of
++compliance. This is a permanent not a finding.
++
++
++This requirement is a permanent not a finding. No fix is required.
++
++
++
++
++
++
++
++Product Meets this Requirement
++
++The AlmaLinux OS audit system meets this requirement through design and implementation.
++
++The AlmaLinux OS 10 auditing system supports this requirement and cannot be configured to be out of
++compliance. Every audit record in AlmaLinux OS includes a timestamp, the operation attempted,
++success or failure of the operation, the subject involved (executable/process),
++the object involved (file/path), and security labels for the subject and object.
++It also includes the ability to label events with custom key labels. The auditing system
++centralizes the recording of audit events for the entire system and includes
++reduction (ausearch ), reporting (aureport ), and real-time
++response (audispd ) facilities.
++This is a permanent not a finding.
++
++
++This requirement is a permanent not a finding. No fix is required.
++
++
++
++
++
++
++
++Product Meets this Requirement
++
++AlmaLinux OS meets this requirement through design and implementation.
++
++AlmaLinux OS 10 supports this requirement and cannot be configured to be out of
++compliance. This is a permanent not a finding.
++
++
++This requirement is a permanent not a finding. No fix is required.
++
++
++
++
++
++
++
++
++
++
++
++Guidance Does Not Meet this Requirement Due to Impracticality or Scope
++
++The guidance does not meet this requirement.
++The requirement is impractical or out of scope.
++
++
++AlmaLinux OS 10 cannot support this requirement without assistance from an external
++application, policy, or service. This requirement is NA.
++
++
++This requirement is NA. No fix is required.
++
++
++
++
++
++
++
++Implementation of the Requirement is Not Supported
++
++AlmaLinux OS 10 does not support this requirement.
++
++
++This is a permanent finding.
++
++
++This requirement is a permanent finding and cannot be fixed. An appropriate
++mitigation for the system must be implemented but this finding cannot be
++considered fixed.
++
++
++
++
++
++
++Guidance Does Not Meet this Requirement Due to Impracticality or Scope
++
++The guidance does not meet this requirement.
++The requirement is impractical or out of scope.
++
++
++AlmaLinux OS 10 cannot support this requirement without assistance from an external
++application, policy, or service. This requirement is NA.
++
++
++This requirement is NA. No fix is required.
++
++
++
++
++
++A process for prompt installation of OS updates must exist.
++
++This is a manual inquiry about update procedure.
++
++
++Ask an administrator if a process exists to promptly and automatically apply OS
++software updates. If such a process does not exist, this is a finding.
++
++
++Procedures to promptly apply software updates must be established and
++executed. The AlmaLinux operating system provides support for automating such a
++process, by running the yum program through a cron job or by managing the
++system and its packages through the Foreman.
++
++
++
++
+diff --git a/products/almalinux10/product.yml b/products/almalinux10/product.yml
+new file mode 100644
+index 000000000..a428a42ec
+--- /dev/null
++++ b/products/almalinux10/product.yml
+@@ -0,0 +1,54 @@
++product: almalinux10
++full_name: AlmaLinux OS 10
++type: platform
++
++families:
++ - rhel
++ - rhel-like
++
++major_version_ordinal: 10
++
++benchmark_id: ALMALINUX-10
++benchmark_root: "../../linux_os/guide"
++components_root: "../../components"
++
++profiles_root: "./profiles"
++
++pkg_manager: "dnf"
++
++init_system: "systemd"
++
++# EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
++
++sshd_distributed_config: "true"
++bootable_containers_supported: "true"
++
++dconf_gdm_dir: "distro.d"
++
++faillock_path: "/var/log/faillock"
++
++# The fingerprints below are retrieved from https://almalinux.org/security/
++pkg_release: "668fe8ef"
++pkg_version: "c2a1e572"
++
++release_key_fingerprint: "EE6DB7B98F5BF5EDD9DA0DE5DEE5C11CC2A1E572"
++oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-10.xml.bz2"
++
++cpes_root: "../../shared/applicability"
++cpes:
++ - almalinux10:
++ name: "cpe:/o:almalinux:almalinux:10"
++ title: "AlmaLinux OS 10"
++ check_id: installed_OS_is_almalinux10
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++ login_defs: "shadow-utils"
++
++reference_uris:
++ cis: 'https://www.cisecurity.org/benchmark/almalinuxos_linux/'
++
++
++journald_conf_dir_path: /etc/systemd/journald.conf.d
++audit_watches_style: modern
++rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+diff --git a/products/almalinux10/profiles/anssi_bp28_enhanced.profile b/products/almalinux10/profiles/anssi_bp28_enhanced.profile
+new file mode 100644
+index 000000000..1a013f1de
+--- /dev/null
++++ b/products/almalinux10/profiles/anssi_bp28_enhanced.profile
+@@ -0,0 +1,87 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - marcusburghardt
++ - vojtapolasek
++
++title: 'ANSSI-BP-028 (enhanced)'
++
++description: |-
++ This is a draft profile for experimental purposes.
++ This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.
++
++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
++
++ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
++
++ An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
++ https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
++
++selections:
++ - anssi:all:enhanced
++ - var_password_hashing_algorithm_pam=yescrypt
++ # Following rules are incompatible with rhel10 product
++ - '!enable_authselect'
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ # RHEL 10 does not support 32 bit architecture
++ - '!install_PAE_kernel_on_x86-32'
++ # the package does not exist in RHEL 10
++ - '!package_dracut-fips-aesni_installed'
++ # pam_cracklib is not used in RHEL 10
++ - '!cracklib_accounts_password_pam_lcredit'
++ - '!cracklib_accounts_password_pam_ocredit'
++ - '!cracklib_accounts_password_pam_ucredit'
++ - '!cracklib_accounts_password_pam_minlen'
++ - '!cracklib_accounts_password_pam_dcredit'
++ # umask is configured at a different place in RHEL 10
++ - '!sudo_add_umask'
++ # Non-Red Hat keys are irrelevant on RHEL 10
++ - '!ensure_oracle_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
++ # this rule is not automated anymore
++ - '!security_patches_up_to_date'
++ # There is only chrony package on RHEL 10, no ntpd
++ - '!service_chronyd_or_ntpd_enabled'
++ - 'service_chronyd_enabled'
++ # RHEL 10 unified the paths for grub2 files. These rules are selected in control file by R29.
++ - '!file_groupowner_efi_grub2_cfg'
++ - '!file_owner_efi_grub2_cfg'
++ - '!file_permissions_efi_grub2_cfg'
++ - '!file_groupowner_efi_user_cfg'
++ - '!file_owner_efi_user_cfg'
++ - '!file_permissions_efi_user_cfg'
++ # RHEL 10 unified the paths for grub2 files. This rule is selected in control file by R5.
++ - '!grub2_uefi_password'
++ # disable R45: Enable AppArmor security profiles
++ - '!apparmor_configured'
++ - '!all_apparmor_profiles_enforced'
++ - '!grub2_enable_apparmor'
++ - '!package_apparmor_installed'
++ - '!package_pam_apparmor_installed'
++ # these packages do not exist in rhel10 (R62)
++ - '!package_dhcp_removed'
++ - '!package_rsh_removed'
++ - '!package_rsh-server_removed'
++ - '!package_sendmail_removed'
++ - '!package_talk_removed'
++ - '!package_talk-server_removed'
++ - '!package_xinetd_removed'
++ - '!package_ypbind_removed'
++ - '!package_ypserv_removed'
++ # RHEL 10 uses a different rule for auditing changes to selinux configuration (R73)
++ - '!audit_rules_mac_modification'
++ - audit_rules_mac_modification_etc_selinux
++ # these rules are failing when they are remediated with Ansible, removing them temporarily until they are fixed
++ - '!accounts_password_pam_retry'
++ # These rules are being modified and they are causing trouble in their current state (R67)
++ - '!sssd_enable_pam_services'
++ - '!sssd_ldap_configure_tls_reqcert'
++ - '!sssd_ldap_start_tls'
++ # These rules are no longer relevant
++ - '!prefer_64bit_os'
+diff --git a/products/almalinux10/profiles/anssi_bp28_high.profile b/products/almalinux10/profiles/anssi_bp28_high.profile
+new file mode 100644
+index 000000000..d769a2284
+--- /dev/null
++++ b/products/almalinux10/profiles/anssi_bp28_high.profile
+@@ -0,0 +1,99 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - marcusburghardt
++ - vojtapolasek
++
++title: 'ANSSI-BP-028 (high)'
++
++description: |-
++ This is a draft profile for experimental purposes.
++ This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
++
++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
++
++ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
++
++ An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
++ https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
++
++selections:
++ - anssi:all:high
++ - var_password_hashing_algorithm_pam=yescrypt
++ # the following rule renders UEFI systems unbootable
++ - '!sebool_secure_mode_insmod'
++ # Following rules are incompatible with rhel10 product
++ - '!enable_authselect'
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ # RHEL 10 does not support 32 bit architecture
++ - '!install_PAE_kernel_on_x86-32'
++ # this timer does not exist in RHEL 10
++ - '!aide_periodic_checking_systemd_timer'
++ # the package does not exist in RHEL 10
++ - '!package_dracut-fips-aesni_installed'
++ # pam_cracklib is not used in RHEL 10
++ - '!cracklib_accounts_password_pam_lcredit'
++ - '!cracklib_accounts_password_pam_ocredit'
++ - '!cracklib_accounts_password_pam_ucredit'
++ - '!cracklib_accounts_password_pam_minlen'
++ - '!cracklib_accounts_password_pam_dcredit'
++ # umask is configured at a different place in RHEL 10
++ - '!sudo_add_umask'
++ # Non-Red Hat keys are irrelevant on RHEL 10
++ - '!ensure_oracle_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
++ # this rule is not automated anymore
++ - '!security_patches_up_to_date'
++ # There is only chrony package on RHEL 10, no ntpd
++ - '!service_chronyd_or_ntpd_enabled'
++ - 'service_chronyd_enabled'
++ # RHEL 10 unified the paths for grub2 files. These rules are selected in control file by R29.
++ - '!file_groupowner_efi_grub2_cfg'
++ - '!file_owner_efi_grub2_cfg'
++ - '!file_permissions_efi_grub2_cfg'
++ - '!file_groupowner_efi_user_cfg'
++ - '!file_owner_efi_user_cfg'
++ - '!file_permissions_efi_user_cfg'
++ # RHEL 10 unified the paths for grub2 files. This rule is selected in control file by R5.
++ - '!grub2_uefi_password'
++ # disable R45: Enable AppArmor security profiles
++ - '!apparmor_configured'
++ - '!all_apparmor_profiles_enforced'
++ - '!grub2_enable_apparmor'
++ - '!package_apparmor_installed'
++ - '!package_pam_apparmor_installed'
++ # these packages do not exist in rhel10 (R62)
++ - '!package_dhcp_removed'
++ - '!package_rsh_removed'
++ - '!package_rsh-server_removed'
++ - '!package_sendmail_removed'
++ - '!package_talk_removed'
++ - '!package_talk-server_removed'
++ - '!package_xinetd_removed'
++ - '!package_ypbind_removed'
++ - '!package_ypserv_removed'
++ # RHEL 10 uses a different rule for auditing changes to selinux configuration (R73)
++ - '!audit_rules_mac_modification'
++ - audit_rules_mac_modification_etc_selinux
++ # these rules are failing when they are remediated with Ansible, removing them temporarily until they are fixed
++ - '!accounts_password_pam_retry'
++ # These rules are being modified and they are causing trouble in their current state (R67)
++ - '!sssd_enable_pam_services'
++ - '!sssd_ldap_configure_tls_reqcert'
++ - '!sssd_ldap_start_tls'
++ # These rules are no longer relevant
++ - '!prefer_64bit_os'
++ - '!kernel_config_devkmem'
++ - '!kernel_config_hardened_usercopy_fallback'
++ - '!kernel_config_page_poisoning_no_sanity'
++ - '!kernel_config_page_poisoning_zero'
++ - '!kernel_config_page_table_isolation'
++ - '!kernel_config_refcount_full'
++ - '!kernel_config_retpoline'
++ - '!kernel_config_security_writable_hooks'
+diff --git a/products/almalinux10/profiles/anssi_bp28_intermediary.profile b/products/almalinux10/profiles/anssi_bp28_intermediary.profile
+new file mode 100644
+index 000000000..11a10d1e0
+--- /dev/null
++++ b/products/almalinux10/profiles/anssi_bp28_intermediary.profile
+@@ -0,0 +1,62 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - marcusburghardt
++ - vojtapolasek
++
++title: 'ANSSI-BP-028 (intermediary)'
++
++description: |-
++ This is a draft profile for experimental purposes.
++ This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.
++
++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
++
++ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
++
++ An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
++ https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
++
++selections:
++ - anssi:all:intermediary
++ - var_password_hashing_algorithm_pam=yescrypt
++ # Following rules are incompatible with rhel10 product
++ - '!enable_authselect'
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ # pam_cracklib is not used in RHEL 10
++ - '!cracklib_accounts_password_pam_minlen'
++ - '!cracklib_accounts_password_pam_ucredit'
++ - '!cracklib_accounts_password_pam_dcredit'
++ - '!cracklib_accounts_password_pam_lcredit'
++ - '!cracklib_accounts_password_pam_ocredit'
++ # umask is configured at a different place in RHEL 10
++ - '!sudo_add_umask'
++ # Non-Red Hat keys are irrelevant on RHEL 10
++ - '!ensure_oracle_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
++ # this rule is not automated anymore
++ - '!security_patches_up_to_date'
++ # these packages do not exist in rhel10 (R62)
++ - '!package_dhcp_removed'
++ - '!package_rsh_removed'
++ - '!package_rsh-server_removed'
++ - '!package_sendmail_removed'
++ - '!package_talk_removed'
++ - '!package_talk-server_removed'
++ - '!package_xinetd_removed'
++ - '!package_ypbind_removed'
++ - '!package_ypserv_removed'
++ # these rules are failing when they are remediated with Ansible, removing them temporarily until they are fixed
++ - '!accounts_password_pam_retry'
++ # These rules are being modified and they are causing trouble in their current state (R67)
++ - '!sssd_enable_pam_services'
++ - '!sssd_ldap_configure_tls_reqcert'
++ - '!sssd_ldap_start_tls'
++ # RHEL 10 unified the paths for grub2 files. This rule is selected in control file by R5.
++ - '!grub2_uefi_password'
+diff --git a/products/almalinux10/profiles/anssi_bp28_minimal.profile b/products/almalinux10/profiles/anssi_bp28_minimal.profile
+new file mode 100644
+index 000000000..5833a0cce
+--- /dev/null
++++ b/products/almalinux10/profiles/anssi_bp28_minimal.profile
+@@ -0,0 +1,54 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - marcusburghardt
++ - vojtapolasek
++
++title: 'ANSSI-BP-028 (minimal)'
++
++description: |-
++ This is a draft profile for experimental purposes.
++ This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.
++
++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
++
++ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
++
++ An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
++ https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
++
++selections:
++ - anssi:all:minimal
++ - var_password_hashing_algorithm_pam=yescrypt
++ # Following rules are incompatible with rhel10 product
++ - '!enable_authselect'
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ # pam_cracklib is not used in RHEL 10
++ - '!cracklib_accounts_password_pam_minlen'
++ - '!cracklib_accounts_password_pam_ucredit'
++ - '!cracklib_accounts_password_pam_dcredit'
++ - '!cracklib_accounts_password_pam_lcredit'
++ - '!cracklib_accounts_password_pam_ocredit'
++ # Non-Red Hat keys are irrelevant on RHEL 10
++ - '!ensure_oracle_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
++ # this rule is not automated anymore
++ - '!security_patches_up_to_date'
++ # these packages do not exist in rhel10 (R62)
++ - '!package_dhcp_removed'
++ - '!package_rsh_removed'
++ - '!package_rsh-server_removed'
++ - '!package_sendmail_removed'
++ - '!package_talk_removed'
++ - '!package_talk-server_removed'
++ - '!package_xinetd_removed'
++ - '!package_ypbind_removed'
++ - '!package_ypserv_removed'
++ # these rules are failing when they are remediated with Ansible, removing then temporarily until they are fixed
++ - '!accounts_password_pam_retry'
+diff --git a/products/almalinux10/profiles/cis.profile b/products/almalinux10/profiles/cis.profile
+new file mode 100644
+index 000000000..32ccfff1f
+--- /dev/null
++++ b/products/almalinux10/profiles/cis.profile
+@@ -0,0 +1,17 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - marcusburghardt
++
++reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/
++
++title: 'DRAFT - CIS AlmaLinux OS 10 Benchmark for Level 2 - Server'
++
++description: |-
++ This is a draft profile for experimental purposes.
++ It is based on the CIS AlmaLinux OS 9 profile, because an equivalent policy for AlmaLinux OS 10 didn't yet
++ exist at time of the release.
++
++selections:
++ - cis_rhel10:all:l2_server
+diff --git a/products/almalinux10/profiles/cis_server_l1.profile b/products/almalinux10/profiles/cis_server_l1.profile
+new file mode 100644
+index 000000000..d43ea6ea1
+--- /dev/null
++++ b/products/almalinux10/profiles/cis_server_l1.profile
+@@ -0,0 +1,17 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - marcusburghardt
++
++reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/
++
++title: 'DRAFT - CIS AlmaLinux OS 10 Benchmark for Level 1 - Server'
++
++description: |-
++ This is a draft profile for experimental purposes.
++ It is based on the CIS AlmaLinux OS 9 profile, because an equivalent policy for AlmaLinux OS 10 didn't yet
++ exist at time of the release.
++
++selections:
++ - cis_rhel10:all:l1_server
+diff --git a/products/almalinux10/profiles/cis_workstation_l1.profile b/products/almalinux10/profiles/cis_workstation_l1.profile
+new file mode 100644
+index 000000000..27096ea00
+--- /dev/null
++++ b/products/almalinux10/profiles/cis_workstation_l1.profile
+@@ -0,0 +1,17 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - marcusburghardt
++
++reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/
++
++title: 'DRAFT - CIS AlmaLinux OS 10 Benchmark for Level 1 - Workstation'
++
++description: |-
++ This is a draft profile for experimental purposes.
++ It is based on the CIS AlmaLinux OS 9 profile, because an equivalent policy for AlmaLinux OS 10 didn't yet
++ exist at time of the release.
++
++selections:
++ - cis_rhel10:all:l1_workstation
+diff --git a/products/almalinux10/profiles/cis_workstation_l2.profile b/products/almalinux10/profiles/cis_workstation_l2.profile
+new file mode 100644
+index 000000000..7d905f749
+--- /dev/null
++++ b/products/almalinux10/profiles/cis_workstation_l2.profile
+@@ -0,0 +1,17 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - marcusburghardt
++
++reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/
++
++title: 'DRAFT - CIS AlmaLinux OS 10 Benchmark for Level 2 - Workstation'
++
++description: |-
++ This is a draft profile for experimental purposes.
++ It is based on the CIS AlmaLinux OS 9 profile, because an equivalent policy for AlmaLinux OS 10 didn't yet
++ exist at time of the release.
++
++selections:
++ - cis_rhel10:all:l2_workstation
+diff --git a/products/almalinux10/profiles/default.profile b/products/almalinux10/profiles/default.profile
+new file mode 100644
+index 000000000..1616e1bbe
+--- /dev/null
++++ b/products/almalinux10/profiles/default.profile
+@@ -0,0 +1,33 @@
++documentation_complete: true
++
++hidden: true
++
++title: Default Profile for AlmaLinux OS 10
++
++description: |-
++ This profile contains all the rules that once belonged to the rhel10
++ product. This profile won't be rendered into an XCCDF Profile entity,
++ nor it will select any of these rules by default. The only purpose of
++ this profile is to keep a rule in the product's XCCDF Benchmark.
++
++selections:
++ - grub2_nousb_argument
++ - audit_rules_kernel_module_loading_create
++ - grub2_uefi_admin_username
++ - grub2_uefi_password
++ - no_tmux_in_shells
++ - package_tmux_installed
++ - configure_tmux_lock_after_time
++ - configure_tmux_lock_command
++ - configure_tmux_lock_keybinding
++ - audit_rules_session_events
++ - enable_authselect
++ - audit_rules_login_events
++ - audit_rules_unsuccessful_file_modification
++ - configure_openssl_tls_crypto_policy
++ - audit_rules_privileged_commands_pt_chown
++ - package_iprutils_removed
++ - service_rlogin_disabled
++ - service_rsh_disabled
++ - service_rexec_disabled
++ - package_scap-security-guide_installed
+diff --git a/products/almalinux10/profiles/e8.profile b/products/almalinux10/profiles/e8.profile
+new file mode 100644
+index 000000000..e70330c0d
+--- /dev/null
++++ b/products/almalinux10/profiles/e8.profile
+@@ -0,0 +1,39 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - shaneboulden
++ - tjbutt58
++
++reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
++
++title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
++
++description: |-
++ This is a draft profile for experimental purposes.
++
++ This draft profile contains configuration checks for AlmaLinux OS 10
++ that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
++
++ A copy of the Essential Eight in Linux Environments guide can be found at the
++ ACSC website:
++
++ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
++
++selections:
++ - e8:all
++ - '!enable_authselect'
++ # nosha1 crypto policy does not exist in RHEL 10
++ - var_system_crypto_policy=default_policy
++ # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
++ # https://github.com/ComplianceAsCode/content/issues/11285
++ - '!rpm_verify_permissions'
++ - '!rpm_verify_ownership'
++ # these packages do not exist in RHEL 10
++ - '!package_talk_removed'
++ - '!package_talk-server_removed'
++ - '!package_ypbind_removed'
++ - '!package_ypserv_removed'
++ - '!package_rsh_removed'
++ - '!package_rsh-server_removed'
++ - '!security_patches_up_to_date'
+diff --git a/products/almalinux10/profiles/hipaa.profile b/products/almalinux10/profiles/hipaa.profile
+new file mode 100644
+index 000000000..ee39fc73f
+--- /dev/null
++++ b/products/almalinux10/profiles/hipaa.profile
+@@ -0,0 +1,68 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - jjaswanson4
++
++reference: https://www.hhs.gov/hipaa/for-professionals/index.html
++
++title: 'Health Insurance Portability and Accountability Act (HIPAA)'
++
++description: |-
++ This is a draft profile for experimental purposes.
++
++ The HIPAA Security Rule establishes U.S. national standards to protect individuals's
++ electronic personal health information that is created, received, used, or
++ maintained by a covered entity. The Security Rule requires appropriate
++ administrative, physical and technical safeguards to ensure the
++ confidentiality, integrity, and security of electronic protected health
++ information.
++
++ This draft profile configures AlmaLinux OS 10 to the HIPAA Security
++ Rule identified for securing of electronic protected health information.
++ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
++
++selections:
++ - hipaa:all
++
++ # RHEL 10 uses a different rule for auditing changes to selinux configuration
++ # HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d) and 164.312(e)
++ - '!audit_rules_mac_modification'
++ - audit_rules_mac_modification_etc_selinux
++
++ - '!coreos_disable_interactive_boot'
++ - '!coreos_audit_option'
++ - '!coreos_nousb_kernel_argument'
++ - '!coreos_enable_selinux_kernel_argument'
++ - '!dconf_gnome_remote_access_credential_prompt'
++ - '!dconf_gnome_remote_access_encryption'
++ - '!enable_authselect'
++ - '!ensure_suse_gpgkey_installed'
++ - '!ensure_fedora_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
++ - '!grub2_uefi_admin_username'
++ - '!grub2_uefi_password'
++ - '!service_ypbind_disabled'
++ - '!service_zebra_disabled'
++ - '!package_talk-server_removed'
++ - '!package_talk_removed'
++ - '!sshd_use_approved_macs'
++ - '!sshd_use_approved_ciphers'
++ - '!accounts_passwords_pam_tally2'
++ - '!package_audit-audispd-plugins_installed'
++ - '!auditd_audispd_syslog_plugin_activated'
++ - '!package_ypserv_removed'
++ - '!package_ypbind_removed'
++ - '!package_xinetd_removed'
++ - '!package_rsh_removed'
++ - '!package_rsh-server_removed'
++ - '!package_tcp_wrappers_removed'
++ - '!package_ypbind_removed'
++ - '!package_xinetd_removed'
++ - '!service_xinetd_disabled'
++ - '!sshd_allow_only_protocol2'
++ - '!sshd_disable_kerb_auth'
++ - '!sshd_disable_gssapi_auth'
++ - '!service_rlogin_disabled'
++ - '!service_rsh_disabled'
++ - '!service_rexec_disabled'
+diff --git a/products/almalinux10/profiles/ism_o.profile b/products/almalinux10/profiles/ism_o.profile
+new file mode 100644
+index 000000000..9021df832
+--- /dev/null
++++ b/products/almalinux10/profiles/ism_o.profile
+@@ -0,0 +1,50 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - shaneboulden
++ - wcushen
++ - eliseelk
++ - sashperso
++ - anjuskantha
++
++reference: https://www.cyber.gov.au/ism
++
++title: 'Australian Cyber Security Centre (ACSC) ISM Official - Base'
++
++description: |-
++ This draft profile contains configuration checks for AlmaLinux OS 10
++ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).
++
++ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
++ AlmaLinux OS security controls with the ISM, which can be used to select controls
++ specific to an organisation's security posture and risk profile.
++
++ A copy of the ISM can be found at the ACSC website:
++
++ https://www.cyber.gov.au/ism
++
++extends: e8
++
++selections:
++ - ism_o:all:base
++ # these rules do not work properly on RHEL 10 for now
++ - '!enable_authselect'
++ - '!enable_dracut_fips_module'
++ - '!firewalld_sshd_port_enabled'
++ - '!require_singleuser_auth'
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ - '!audit_rules_login_events_tallylog'
++ # lastlog is not used in RHEL 10
++ - '!audit_rules_login_events_lastlog'
++ # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
++ - '!rpm_verify_hashes'
++ # this rule should not be needed anymore on RHEL 10, but investigation is recommended
++ - '!openssl_use_strong_entropy'
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
++ # This rule is not applicable for RHEL 10
++ - '!force_opensc_card_drivers'
++ - '!service_chronyd_or_ntpd_enabled'
+diff --git a/products/almalinux10/profiles/ism_o_secret.profile b/products/almalinux10/profiles/ism_o_secret.profile
+new file mode 100644
+index 000000000..a1ea6e884
+--- /dev/null
++++ b/products/almalinux10/profiles/ism_o_secret.profile
+@@ -0,0 +1,52 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - shaneboulden
++ - wcushen
++ - eliseelk
++ - sashperso
++ - anjuskantha
++
++reference: https://www.cyber.gov.au/ism
++
++title: 'Australian Cyber Security Centre (ACSC) ISM Official - Secret'
++
++description: |-
++ This is a draft profile for experimental purposes.
++
++ This draft profile contains configuration checks for AlmaLinux OS 10
++ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).
++
++ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
++ AlmaLinux OS security controls with the ISM, which can be used to select controls
++ specific to an organisation's security posture and risk profile.
++
++ A copy of the ISM can be found at the ACSC website:
++
++ https://www.cyber.gov.au/ism
++
++extends: e8
++
++selections:
++ - ism_o:all:secret
++ # these rules do not work properly on RHEL 10 for now
++ - '!enable_authselect'
++ - '!enable_dracut_fips_module'
++ - '!firewalld_sshd_port_enabled'
++ - '!require_singleuser_auth'
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ - '!audit_rules_login_events_tallylog'
++ # lastlog is not used in RHEL 10
++ - '!audit_rules_login_events_lastlog'
++ # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
++ - '!rpm_verify_hashes'
++ # this rule should not be needed anymore on RHEL 10, but investigation is recommended
++ - '!openssl_use_strong_entropy'
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
++ # This rule is not applicable for RHEL 10
++ - '!force_opensc_card_drivers'
++ - '!service_chronyd_or_ntpd_enabled'
+diff --git a/products/almalinux10/profiles/ism_o_top_secret.profile b/products/almalinux10/profiles/ism_o_top_secret.profile
+new file mode 100644
+index 000000000..8c77e37d9
+--- /dev/null
++++ b/products/almalinux10/profiles/ism_o_top_secret.profile
+@@ -0,0 +1,50 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - shaneboulden
++ - wcushen
++ - eliseelk
++ - sashperso
++ - anjuskantha
++
++reference: https://www.cyber.gov.au/ism
++
++title: 'Australian Cyber Security Centre (ACSC) ISM Official - Top Secret'
++
++description: |-
++ This draft profile contains configuration checks for AlmaLinux OS 10
++ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).
++
++ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
++ AlmaLinux OS security controls with the ISM, which can be used to select controls
++ specific to an organisation's security posture and risk profile.
++
++ A copy of the ISM can be found at the ACSC website:
++
++ https://www.cyber.gov.au/ism
++
++extends: e8
++
++selections:
++ - ism_o:all:top_secret
++ # these rules do not work properly on RHEL 10 for now
++ - '!enable_authselect'
++ - '!enable_dracut_fips_module'
++ - '!firewalld_sshd_port_enabled'
++ - '!require_singleuser_auth'
++ # tally2 is deprecated, replaced by faillock
++ - '!accounts_passwords_pam_tally2_deny_root'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ - '!audit_rules_login_events_tallylog'
++ # lastlog is not used in RHEL 10
++ - '!audit_rules_login_events_lastlog'
++ # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
++ - '!rpm_verify_hashes'
++ # this rule should not be needed anymore on RHEL 10, but investigation is recommended
++ - '!openssl_use_strong_entropy'
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
++ # This rule is not applicable for RHEL 10
++ - '!force_opensc_card_drivers'
++ - '!service_chronyd_or_ntpd_enabled'
+diff --git a/products/almalinux10/profiles/ospp.profile b/products/almalinux10/profiles/ospp.profile
+new file mode 100644
+index 000000000..fce0fd011
+--- /dev/null
++++ b/products/almalinux10/profiles/ospp.profile
+@@ -0,0 +1,29 @@
++documentation_complete: true
++hidden: true
++
++metadata:
++ version: 4.3
++ SMEs:
++ - ggbecker
++ - matusmarhefka
++
++reference: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=469&id=469
++
++title: 'DRAFT - Protection Profile for General Purpose Operating Systems'
++
++description: |-
++ This is draft profile is based on the Red Hat Enterprise Linux 9 Common Criteria Guidance as
++ guidance for Red Hat Enterprise Linux 10 was not available at the time of release.
++
++
++ Where appropriate, CNSSI 1253 or DoD-specific values are used for
++ configuration, based on Configuration Annex to the OSPP.
++
++selections:
++ - ospp:all
++ - '!package_screen_installed'
++ - '!package_dnf-plugin-subscription-manager_installed'
++ - '!package_scap-security-guide_installed'
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
++ - '!enable_authselect'
+diff --git a/products/almalinux10/profiles/pci-dss.profile b/products/almalinux10/profiles/pci-dss.profile
+new file mode 100644
+index 000000000..b7a8eba3e
+--- /dev/null
++++ b/products/almalinux10/profiles/pci-dss.profile
+@@ -0,0 +1,85 @@
++documentation_complete: true
++
++metadata:
++ version: '4.0.1'
++ SMEs:
++ - marcusburghardt
++ - mab879
++ - vojtapolasek
++
++reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
++
++title: 'PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 10'
++
++description: |-
++ This is a draft profile for experimental purposes.
++
++ Payment Card Industry - Data Security Standard (PCI-DSS) is a set of
++ security standards designed to ensure the secure handling of payment card
++ data, with the goal of preventing data breaches and protecting sensitive
++ financial information.
++
++ This draft profile ensures Red Hat Enterprise Linux 10 is configured in alignment
++ with PCI-DSS v4.0.1 requirements.
++
++selections:
++ - pcidss_4:all
++ - var_password_hashing_algorithm=yescrypt
++ - var_password_hashing_algorithm_pam=yescrypt
++
++ # RHEL 10 uses a different rule for auditing changes to selinux configuration (PCI-DSSv4 - 10.3.4)
++ - '!audit_rules_mac_modification'
++ - audit_rules_mac_modification_etc_selinux
++
++ # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
++ # https://github.com/ComplianceAsCode/content/issues/11285
++ - '!rpm_verify_permissions'
++
++ # these rules do not apply to RHEL 10
++ - '!enable_authselect'
++ - '!package_audit-audispd-plugins_installed'
++ - '!package_dhcp_removed'
++ - '!package_ypserv_removed'
++ - '!package_ypbind_removed'
++ - '!package_talk_removed'
++ - '!package_talk-server_removed'
++ - '!package_xinetd_removed'
++ - '!package_rsh_removed'
++ - '!package_rsh-server_removed'
++
++ - '!service_ntp_enabled'
++ - '!service_ntpd_enabled'
++ - '!service_timesyncd_enabled'
++ - '!ntpd_specify_remote_server'
++ - '!ntpd_specify_multiple_servers'
++
++ - '!accounts_passwords_pam_tally2'
++ - '!accounts_passwords_pam_tally2_unlock_time'
++ - '!cracklib_accounts_password_pam_dcredit'
++ - '!cracklib_accounts_password_pam_lcredit'
++ - '!cracklib_accounts_password_pam_minlen'
++ - '!cracklib_accounts_password_pam_retry'
++ - '!ensure_firewall_rules_for_open_ports'
++ - '!ensure_shadow_group_empty'
++ - '!ensure_suse_gpgkey_installed'
++ - ensure_almalinux_gpgkey_installed
++ - '!install_PAE_kernel_on_x86-32'
++ - '!mask_nonessential_services'
++ - '!nftables_ensure_default_deny_policy'
++ - '!set_ipv6_loopback_traffic'
++ - '!set_ip6tables_default_rule'
++ - '!set_loopback_traffic'
++ - '!set_password_hashing_algorithm_commonauth'
++ # Following rule are excluded since, "so far" no CCEs were defined for them and maybe irrelevant for rhel10
++ - '!enable_dconf_user_profile'
++
++ # Following are incompatible with the rhel10 product (based on RHEL9)
++ - '!service_chronyd_or_ntpd_enabled'
++ - '!aide_periodic_checking_systemd_timer'
++ - '!gnome_gdm_disable_unattended_automatic_login'
++ - '!permissions_local_var_log'
++ - '!sshd_use_strong_kex'
++ - '!sshd_use_approved_macs'
++ - '!sshd_use_approved_ciphers'
++ - '!security_patches_up_to_date'
++ - '!kernel_module_dccp_disabled'
+diff --git a/products/almalinux10/profiles/stig.profile b/products/almalinux10/profiles/stig.profile
+new file mode 100644
+index 000000000..68cfac18e
+--- /dev/null
++++ b/products/almalinux10/profiles/stig.profile
+@@ -0,0 +1,25 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - mab879
++
++
++reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
++
++title: 'Red Hat STIG for Red Hat Enterprise Linux 10'
++
++description: |-
++ This is a profile based on what is expected in the RHEL 10 STIG.
++ It is not based on the DISA STIG for RHEL 10, because it was not available at time of
++ the release.
++
++ In addition to being applicable to Red Hat Enterprise Linux 10, this
++ configuration baseline is applicable to the operating system tier of
++ Red Hat technologies that are based on Red Hat Enterprise Linux 10.
++
++selections:
++ - srg_gpos:all
++ - '!enable_authselect'
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
+diff --git a/products/almalinux10/profiles/stig_gui.profile b/products/almalinux10/profiles/stig_gui.profile
+new file mode 100644
+index 000000000..a7d4a1877
+--- /dev/null
++++ b/products/almalinux10/profiles/stig_gui.profile
+@@ -0,0 +1,40 @@
++documentation_complete: true
++
++metadata:
++ SMEs:
++ - mab879
++
++
++reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
++
++title: 'Red Hat STIG for Red Hat Enterprise Linux 10'
++
++description: |-
++ This is a profile based on what is expected in the RHEL 10 STIG.:
++ It is not based on the DISA STIG for RHEL 10, because it was not available at time of
++ the release.
++
++ In addition to being applicable to Red Hat Enterprise Linux 10, this
++ configuration baseline is applicable to the operating system tier of
++ Red Hat technologies that are based on Red Hat Enterprise Linux 10.
++
++extends: stig
++
++selections:
++ - '!xwindows_remove_packages'
++
++ - '!xwindows_runlevel_target'
++
++ - '!package_nfs-utils_removed'
++
++ - '!enable_authselect'
++ # Limiting user namespaces cause issues with user apps, such as Firefox and Cheese
++ # https://issues.redhat.com/browse/RHEL-10416
++ - '!sysctl_user_max_user_namespaces'
++ # locking of idle sessions is handled by screensaver when GUI is present, the following rule is therefore redundant
++ - '!logind_session_timeout'
++ # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
++ - '!enable_dracut_fips_module'
++
++ # Package gdm cannot be removed as it is required for GUI installation ('@Server with GUI' package group)
++ - '!package_gdm_removed'
+diff --git a/products/almalinux10/transforms/constants.xslt b/products/almalinux10/transforms/constants.xslt
+new file mode 100644
+index 000000000..1b1a67317
+--- /dev/null
++++ b/products/almalinux10/transforms/constants.xslt
+@@ -0,0 +1,13 @@
++
++
++AlmaLinux OS 10
++AL10
++AL_10_STIG
++almalinux10
++
++https://www.cisecurity.org/benchmark/almalinuxos_linux/
++
+diff --git a/products/almalinux10/transforms/table-style.xslt b/products/almalinux10/transforms/table-style.xslt
+new file mode 100644
+index 000000000..8b6caeab8
+--- /dev/null
++++ b/products/almalinux10/transforms/table-style.xslt
+@@ -0,0 +1,5 @@
++
++
++
+diff --git a/products/almalinux10/transforms/xccdf-apply-overlay-stig.xslt b/products/almalinux10/transforms/xccdf-apply-overlay-stig.xslt
+new file mode 100644
+index 000000000..4789419b8
+--- /dev/null
++++ b/products/almalinux10/transforms/xccdf-apply-overlay-stig.xslt
+@@ -0,0 +1,8 @@
++
++
++
++
+diff --git a/products/almalinux10/transforms/xccdf2table-cce.xslt b/products/almalinux10/transforms/xccdf2table-cce.xslt
+new file mode 100644
+index 000000000..f156a6695
+--- /dev/null
++++ b/products/almalinux10/transforms/xccdf2table-cce.xslt
+@@ -0,0 +1,9 @@
++
++
++
++
+diff --git a/products/almalinux10/transforms/xccdf2table-profileccirefs.xslt b/products/almalinux10/transforms/xccdf2table-profileccirefs.xslt
+new file mode 100644
+index 000000000..30419e92b
+--- /dev/null
++++ b/products/almalinux10/transforms/xccdf2table-profileccirefs.xslt
+@@ -0,0 +1,9 @@
++
++
++
++
+diff --git a/shared/checks/oval/installed_OS_is_almalinux10.xml b/shared/checks/oval/installed_OS_is_almalinux10.xml
+new file mode 100644
+index 000000000..34f942d90
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_almalinux10.xml
+@@ -0,0 +1,34 @@
++
++
++
++ AlmaLinux OS 10
++
++ multi_platform_all
++
++ The operating system installed on the system is AlmaLinux OS 10
++
++
++
++
++
++
++
++
++ /etc/almalinux-release
++
++
++
++
++
++ /etc/almalinux-release
++ ^AlmaLinux release 10.[0-9]+ .*$
++ 1
++
++
++
+diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+index 42b866d3b..8560a7220 100644
+--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+@@ -16,6 +16,7 @@
+ multi_platform_ol
+ multi_platform_rhcos
+ multi_platform_rhel
++multi_platform_almalinux
+ multi_platform_rhv
+ multi_platform_sle
+ multi_platform_slmicro5
+diff --git a/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml b/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml
+index e83699662..1efabcf62 100644
+--- a/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml
++++ b/shared/references/disa-stig-ol7-v3r1-xccdf-manual.xml
+@@ -917,7 +917,7 @@ Check to see if an encrypted grub superusers password is set. On systems that us
+ $ sudo grep -iw grub2_password /boot/grub2/user.cfg
+ GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
+
+-If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> OL07-00-010491 Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 7 DISA DPMS Target Oracle Linux 7 4089 V-99143 SV-108247 CCI-000213 Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
++If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding. SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> OL07-00-010491 Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 7 DISA DPMS Target Oracle Linux 7 4089 V-99143 SV-108247 CCI-000213 Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file.
+
+ Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+@@ -929,7 +929,7 @@ For systems that are running a version of Oracle Linux prior to 7.2, this is Not
+
+ Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command:
+
+-$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
++$ sudo grep -iw grub2_password /boot/efi/EFI/almalinux/user.cfg
+ GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
+
+ If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding. SRG-OS-000104-GPOS-00051 <GroupDescription></GroupDescription> OL07-00-010500 The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. <VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
+@@ -1809,7 +1809,7 @@ On BIOS-based machines, use the following command:
+
+ On UEFI-based machines, use the following command:
+
+-# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
++# grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg
+
+ If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command:
+
+@@ -1840,7 +1840,7 @@ dracut-fips-033-360.el7_2.x86_64.rpm
+
+ If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command:
+
+-Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
++Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/almalinux/grub.cfg" file on UEFI machines.
+
+ # grep fips /boot/grub2/grub.cfg
+ /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet
+@@ -1912,23 +1912,23 @@ An example rule that includes the "sha512" rule follows:
+
+ If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding. SRG-OS-000364-GPOS-00151 <GroupDescription></GroupDescription> OL07-00-021700 The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved. <VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 7 DISA DPMS Target Oracle Linux 7 4089 SV-108367 V-99263 CCI-001813 Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO. Verify the system is not configured to use a boot loader on removable media.
+
+-Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
++Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/almalinux/grub.cfg" file on UEFI machines.
+
+ Check for the existence of alternate boot loader configuration files with the following command:
+
+ # find / -name grub.cfg
+- /boot/efi/EFI/redhat/grub.cfg
++ /boot/efi/EFI/almalinux/grub.cfg
+
+-If a "grub.cfg" is found in any subdirectories other than "/boot/grub2/" and "/boot/efi/EFI/redhat/", ask the system administrator (SA) if there is documentation signed by the information system security officer (ISSO) to approve the use of removable media as a boot loader.
++If a "grub.cfg" is found in any subdirectories other than "/boot/grub2/" and "/boot/efi/EFI/almalinux/", ask the system administrator (SA) if there is documentation signed by the information system security officer (ISSO) to approve the use of removable media as a boot loader.
+
+ List the number of menu entries defined in the grub configuration file with the following command (the number will vary between systems):
+
+- # grep -cw menuentry /boot/efi/EFI/redhat/grub.cfg
++ # grep -cw menuentry /boot/efi/EFI/almalinux/grub.cfg
+ 4
+
+ Check that the grub configuration file has the "set root" command for each menu entry with the following command ("set root" defines the disk and partition or directory where the kernel and GRUB 2 modules are stored):
+
+- # grep 'set root' /boot/efi/EFI/redhat/grub.cfg
++ # grep 'set root' /boot/efi/EFI/almalinux/grub.cfg
+ set root='hd0,gpt2'
+ set root='hd0,gpt2'
+ set root='hd0,gpt2'
+@@ -4453,12 +4453,12 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}
+
+ Generate a new grub.cfg file with the following command:
+
+-$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfgFor systems that use BIOS, this is Not Applicable.
++$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable.
+
+ For systems that are running a version of Oracle Linux prior to 7.2, this is Not Applicable.
+ Verify that a unique name is set as the "superusers" account:
+
+-$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
++$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg
+ set superusers="[someuniquestringhere]"
+ export superusers
+
+diff --git a/shared/references/disa-stig-ol8-v2r4-xccdf-manual.xml b/shared/references/disa-stig-ol8-v2r4-xccdf-manual.xml
+index 3071029bd..41db6bc3c 100644
+--- a/shared/references/disa-stig-ol8-v2r4-xccdf-manual.xml
++++ b/shared/references/disa-stig-ol8-v2r4-xccdf-manual.xml
+@@ -425,7 +425,7 @@ SHA_CRYPT_MIN_ROUNDS 100000 SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> OL08-00-010140 OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 8 DISA DPMS Target Oracle Linux 8 5416 CCI-000213 Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file.
++If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the value for either is below "100000", this is a finding. SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> OL08-00-010140 OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Oracle Linux 8 DISA DPMS Target Oracle Linux 8 5416 CCI-000213 Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/almalinux/user.cfg" file.
+
+ Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+@@ -435,7 +435,7 @@ Confirm password: For systems that use BIOS, this is Not Applicable.
++$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable.
+
+ Verify that a unique name is set as the "superusers" account:
+
+-$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
++$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg
+ set superusers="[someuniqueUserNamehere]"
+ export superusers
+
+diff --git a/shared/references/disa-stig-ol8-v2r4-xccdf-scap.xml b/shared/references/disa-stig-ol8-v2r4-xccdf-scap.xml
+index 3e1d42930..ec0e423c3 100644
+--- a/shared/references/disa-stig-ol8-v2r4-xccdf-scap.xml
++++ b/shared/references/disa-stig-ol8-v2r4-xccdf-scap.xml
+@@ -3389,7 +3389,7 @@ SHA_CRYPT_MIN_ROUNDS 100000
+
+ CCI-000213
+- Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file.
++ Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/almalinux/user.cfg" file.
+
+ Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+@@ -12636,8 +12636,8 @@ The "logind" service must be restarted for the changes to take effect. To restar
+
+-
+
+
+@@ -20409,11 +20409,11 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+
+-
++
+
+-
++
+
+@@ -22349,12 +22349,12 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+ 1
+
+
+- /boot/efi/EFI/redhat/grub.cfg
++ /boot/efi/EFI/almalinux/grub.cfg
+ ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$
+ 1
+
+
+- /boot/efi/EFI/redhat/user.cfg
++ /boot/efi/EFI/almalinux/user.cfg
+ ^\s*GRUB2_PASSWORD=(\S+)\b
+ 1
+
+diff --git a/shared/references/disa-stig-rhel8-v2r2-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v2r2-xccdf-scap.xml
+index bbc44024b..ef94e40fa 100644
+--- a/shared/references/disa-stig-rhel8-v2r2-xccdf-scap.xml
++++ b/shared/references/disa-stig-rhel8-v2r2-xccdf-scap.xml
+@@ -3134,7 +3134,7 @@ SHA_CRYPT_MIN_ROUNDS 100000
+
+ CCI-000213
+- Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
++ Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file.
+
+ Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+@@ -12106,8 +12106,8 @@ $ sudo systemctl restart systemd-logind
+
+-
+
+
+@@ -19802,11 +19802,11 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s
+
+
+-
++
+
+-
++
+
+@@ -21745,12 +21745,12 @@ RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is s
+ 1
+
+
+- /boot/efi/EFI/redhat/grub.cfg
++ /boot/efi/EFI/almalinux/grub.cfg
+ ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$
+ 1
+
+
+- /boot/efi/EFI/redhat/user.cfg
++ /boot/efi/EFI/almalinux/user.cfg
+ ^\s*GRUB2_PASSWORD=(\S+)\b
+ 1
+
+diff --git a/shared/references/disa-stig-rhel8-v2r3-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v2r3-xccdf-manual.xml
+index 7fa5cfb17..4024119f2 100644
+--- a/shared/references/disa-stig-rhel8-v2r3-xccdf-manual.xml
++++ b/shared/references/disa-stig-rhel8-v2r3-xccdf-manual.xml
+@@ -370,7 +370,7 @@ SHA_CRYPT_MIN_ROUNDS 100000 SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> RHEL-08-010140 RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 8 DISA DPMS Target Red Hat Enterprise Linux 8 2921 CCI-000213 Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
++If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "100000", this is a finding. SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> RHEL-08-010140 RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 8 DISA DPMS Target Red Hat Enterprise Linux 8 2921 CCI-000213 Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file.
+
+ Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+@@ -380,7 +380,7 @@ Confirm password: For systems that use BIOS, this is Not Applicable.
++$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable.
+
+ Verify that a unique name is set as the "superusers" account:
+
+-$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
++$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg
+ set superusers="[someuniquestringhere]"
+ export superusers
+
+diff --git a/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh b/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh
+index 8c002663d..c8d3ff1a4 100644
+--- a/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh
++++ b/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ # This test only applies to platforms that check the pwquality.conf.d directory
+-# platform = Oracle Linux 8,multi_platform_rhel
++# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux
+ # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
+
+ truncate -s 0 /etc/security/pwquality.conf
+diff --git a/shared/templates/accounts_password/tests/correct_value_directory.pass.sh b/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
+index 689093008..c25c13332 100644
+--- a/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
++++ b/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ # This test only applies to platforms that check the pwquality.conf.d directory
+-# platform = Oracle Linux 8,multi_platform_rhel
++# platform = Oracle Linux 8,multi_platform_rhel,multi_platform_almalinux
+ # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
+
+ # This test will ensure that OVAL also checks the configuration in
+diff --git a/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_arch.fail.sh b/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_arch.fail.sh
+index deca23463..fb11356dc 100644
+--- a/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_arch.fail.sh
++++ b/shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_arch.fail.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ # packages = audit
+-# platform = Red Hat Enterprise Linux 10
++# platform = Red Hat Enterprise Linux 10,AlmaLinux OS 10
+ source common.sh
+
+ {{{ setup_auditctl_environment() }}}
+diff --git a/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_arch.fail.sh b/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_arch.fail.sh
+index 5ac5acf32..b41e800a5 100644
+--- a/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_arch.fail.sh
++++ b/shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_arch.fail.sh
+@@ -1,5 +1,5 @@
+ #!/bin/bash
+-# platform = Red Hat Enterprise Linux 10
++# platform = Red Hat Enterprise Linux 10,AlmaLinux OS 10
+
+ source common.sh
+
+diff --git a/shared/templates/grub2_bootloader_argument/kickstart.template b/shared/templates/grub2_bootloader_argument/kickstart.template
+index c5051bcf7..846c0e661 100644
+--- a/shared/templates/grub2_bootloader_argument/kickstart.template
++++ b/shared/templates/grub2_bootloader_argument/kickstart.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
+ # reboot = true
+ # strategy = restrict
+ # complexity = medium
+diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh
+index 4cc696340..7dcfe8e61 100644
+--- a/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh
++++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+
+-# platform = multi_platform_fedora,multi_platform_rhel
++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux
+ # packages = grub2,grubby
+
+ {{%- if ARG_VARIABLE %}}
+diff --git a/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
+index c6d5b6b1b..0557b2f03 100644
+--- a/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
++++ b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+
+-# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_fedora
++# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_fedora
+ # packages = grub2,grubby
+ {{%- if ARG_VARIABLE %}}
+ # variables = {{{ ARG_VARIABLE }}}=correct_value
+diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
+index b875737f2..9685f6abd 100644
+--- a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
++++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+
+-# platform = multi_platform_fedora,multi_platform_rhel
++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux
+ # packages = grub2,grubby
+ {{%- if ARG_VARIABLE %}}
+ # variables = {{{ ARG_VARIABLE }}}=correct_value
+diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh
+index fc3db8ccd..a12bef4b2 100644
+--- a/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh
++++ b/shared/templates/grub2_bootloader_argument_absent/tests/arg_there_etcdefaultgrub.fail.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+
+-# platform = multi_platform_rhel
++# platform = multi_platform_rhel,multi_platform_almalinux
+ # packages = grub2-tools,grubby
+
+ # Adds argument from kernel command line in /etc/default/grub
+diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh
+index e51f669fd..00a74f76f 100644
+--- a/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh
++++ b/shared/templates/grub2_bootloader_argument_absent/tests/arg_value_there_etcdefaultgrub.fail.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+
+-# platform = multi_platform_rhel
++# platform = multi_platform_rhel,multi_platform_almalinux
+ # packages = grub2-tools,grubby
+
+ # Adds argument with a value from kernel command line in /etc/default/grub
+diff --git a/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh
+index d5d39d91c..2b25d0659 100644
+--- a/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh
++++ b/shared/templates/grub2_bootloader_argument_absent/tests/mising_arg_invalid_rescue.pass.sh
+@@ -1,5 +1,5 @@
+ #!/bin/bash
+-# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10
++# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10
+ # packages = grub2,grubby
+
+ # Ensure the kernel command line for each installed kernel in the bootloader
+diff --git a/shared/templates/kernel_module_disabled/kubernetes.template b/shared/templates/kernel_module_disabled/kubernetes.template
+index c77cebfbb..2820e9745 100644
+--- a/shared/templates/kernel_module_disabled/kubernetes.template
++++ b/shared/templates/kernel_module_disabled/kubernetes.template
+@@ -1,5 +1,5 @@
+ ---
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
+ # reboot = true
+ # strategy = disable
+ # complexity = low
+diff --git a/shared/templates/mount/blueprint.template b/shared/templates/mount/blueprint.template
+index 56617467d..3cdacd4db 100644
+--- a/shared/templates/mount/blueprint.template
++++ b/shared/templates/mount/blueprint.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
+
+ [[customizations.filesystem]]
+ mountpoint = "{{{ MOUNTPOINT }}}"
+diff --git a/shared/templates/mount/kickstart.template b/shared/templates/mount/kickstart.template
+index fc2bdebd7..3c7833aa7 100644
+--- a/shared/templates/mount/kickstart.template
++++ b/shared/templates/mount/kickstart.template
+@@ -1,3 +1,3 @@
+-# platform = multi_platform_rhel,multi_platform_fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
+
+ logvol {{{ MOUNTPOINT }}} {{{ MIN_SIZE_MB }}}
+diff --git a/shared/templates/package_installed/bootc.template b/shared/templates/package_installed/bootc.template
+index ddac8ef40..86cb91791 100644
+--- a/shared/templates/package_installed/bootc.template
++++ b/shared/templates/package_installed/bootc.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
+ # reboot = false
+ # strategy = enable
+ # complexity = low
+diff --git a/shared/templates/package_installed/kickstart.template b/shared/templates/package_installed/kickstart.template
+index be0fc1de8..8284a5711 100644
+--- a/shared/templates/package_installed/kickstart.template
++++ b/shared/templates/package_installed/kickstart.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
+ # reboot = false
+ # strategy = enable
+ # complexity = low
+diff --git a/shared/templates/package_removed/bootc.template b/shared/templates/package_removed/bootc.template
+index eef498941..255ac57a1 100644
+--- a/shared/templates/package_removed/bootc.template
++++ b/shared/templates/package_removed/bootc.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
+ # reboot = false
+ # strategy = disable
+ # complexity = low
+diff --git a/shared/templates/package_removed/kickstart.template b/shared/templates/package_removed/kickstart.template
+index 99f5e33b9..a0b930444 100644
+--- a/shared/templates/package_removed/kickstart.template
++++ b/shared/templates/package_removed/kickstart.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
+ # reboot = false
+ # strategy = disable
+ # complexity = low
+diff --git a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
+index 1e4ab26a7..88a935f88 100644
+--- a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
++++ b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ # packages = authselect,pam
+-# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
++# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_almalinux
+
+ {{{ tests_init_faillock_vars("correct") }}}
+
+diff --git a/shared/templates/service_disabled/kickstart.template b/shared/templates/service_disabled/kickstart.template
+index d1e39ae29..7ecd5523e 100644
+--- a/shared/templates/service_disabled/kickstart.template
++++ b/shared/templates/service_disabled/kickstart.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
+ # reboot = false
+ # strategy = disable
+ # complexity = low
+diff --git a/shared/templates/service_disabled/kubernetes.template b/shared/templates/service_disabled/kubernetes.template
+index 1ab456524..724e7b779 100644
+--- a/shared/templates/service_disabled/kubernetes.template
++++ b/shared/templates/service_disabled/kubernetes.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos,multi_platform_ubuntu
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos,multi_platform_ubuntu
+ # reboot = true
+ # strategy = disable
+ # complexity = low
+diff --git a/shared/templates/service_disabled_guard_var/bash.template b/shared/templates/service_disabled_guard_var/bash.template
+index 0afd3332d..62c4762e7 100644
+--- a/shared/templates/service_disabled_guard_var/bash.template
++++ b/shared/templates/service_disabled_guard_var/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+ # reboot = false
+ # strategy = disable
+ # complexity = low
+diff --git a/shared/templates/service_enabled/kickstart.template b/shared/templates/service_enabled/kickstart.template
+index 451af774a..27ac615a2 100644
+--- a/shared/templates/service_enabled/kickstart.template
++++ b/shared/templates/service_enabled/kickstart.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora
+ # reboot = false
+ # strategy = disable
+ # complexity = low
+diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh
+index ab3f45c20..04b4f8cf8 100644
+--- a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh
++++ b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+
+-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
++# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_ubuntu
+ {{%- if XCCDF_VARIABLE %}}
+ # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+ {{%- endif %}}
+diff --git a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
+index c5390ff13..9f596cf48 100644
+--- a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
++++ b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+
+-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
++# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_ubuntu
+
+ mkdir -p /etc/ssh/sshd_config.d
+ touch /etc/ssh/sshd_config.d/nothing
+diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
+index 7d55e3d0d..f8ea20e04 100644
+--- a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
++++ b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+
+-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
++# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_ubuntu
+
+
+ {{% if XCCDF_VARIABLE %}}
+diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
+index c68680483..6c35a7465 100644
+--- a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
++++ b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+
+-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
++# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_ubuntu
+
+ {{% if XCCDF_VARIABLE %}}
+ # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
+index 983eb3fda..176f386e7 100644
+--- a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
++++ b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+
+-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
++# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,AlmaLinux OS 10,multi_platform_ubuntu
+
+ {{% if XCCDF_VARIABLE %}}
+ # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+diff --git a/shared/templates/zipl_bls_entries_option/ansible.template b/shared/templates/zipl_bls_entries_option/ansible.template
+index 73810f216..54434bb42 100644
+--- a/shared/templates/zipl_bls_entries_option/ansible.template
++++ b/shared/templates/zipl_bls_entries_option/ansible.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel
++# platform = multi_platform_rhel,multi_platform_almalinux
+ # reboot = true
+ # strategy = configure
+ # complexity = medium
+diff --git a/shared/templates/zipl_bls_entries_option/bash.template b/shared/templates/zipl_bls_entries_option/bash.template
+index e14d59dfc..1b236a130 100644
+--- a/shared/templates/zipl_bls_entries_option/bash.template
++++ b/shared/templates/zipl_bls_entries_option/bash.template
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel
++# platform = multi_platform_rhel,multi_platform_almalinux
+
+ # Correct BLS option using grubby, which is a thin wrapper around BLS operations
+ grubby --update-kernel=ALL --args="{{{ ARG_NAME }}}={{{ ARG_VALUE }}}"
+diff --git a/ssg/constants.py b/ssg/constants.py
+index a0265a9d9..ebc8165aa 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -40,7 +40,7 @@ SSG_REF_URIS = {
+ product_directories = [
+ 'alinux2',
+ 'alinux3',
+- 'almalinux9',
++ 'almalinux10',
+ 'anolis8',
+ 'anolis23',
+ 'al2023',
+@@ -211,7 +211,7 @@ PKG_MANAGER_TO_CONFIG_FILE = {
+ FULL_NAME_TO_PRODUCT_MAPPING = {
+ "Alibaba Cloud Linux 2": "alinux2",
+ "Alibaba Cloud Linux 3": "alinux3",
+- "AlmaLinux OS 9": "almalinux9",
++ "AlmaLinux OS 10": "almalinux10",
+ "Anolis OS 8": "anolis8",
+ "Anolis OS 23": "anolis23",
+ "Amazon Linux 2023": "al2023",
+@@ -302,7 +302,7 @@ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+
+ MULTI_PLATFORM_MAPPING = {
+ "multi_platform_alinux": ["alinux2", "alinux3"],
+- "multi_platform_almalinux": ["almalinux9"],
++ "multi_platform_almalinux": ["almalinux10"],
+ "multi_platform_anolis": ["anolis8", "anolis23"],
+ "multi_platform_debian": ["debian11", "debian12"],
+ "multi_platform_example": ["example"],
+diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml
+index 27cf93dcc..16fc52311 100644
+--- a/tests/data/product_stability/ol7.yml
++++ b/tests/data/product_stability/ol7.yml
+@@ -30,7 +30,7 @@ groups:
+ dedicated_ssh_keyowner:
+ name: ssh_keys
+ grub2_boot_path: /boot/grub2
+-grub2_uefi_boot_path: /boot/efi/EFI/redhat
++grub2_uefi_boot_path: /boot/efi/EFI/almalinux
+ grub_helper_executable: grubby
+ init_system: systemd
+ major_version_ordinal: 7
+diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml
+index 169cd1991..f694d28f5 100644
+--- a/tests/data/product_stability/ol8.yml
++++ b/tests/data/product_stability/ol8.yml
+@@ -30,7 +30,7 @@ groups:
+ dedicated_ssh_keyowner:
+ name: ssh_keys
+ grub2_boot_path: /boot/grub2
+-grub2_uefi_boot_path: /boot/efi/EFI/redhat
++grub2_uefi_boot_path: /boot/efi/EFI/almalinux
+ grub_helper_executable: grubby
+ init_system: systemd
+ major_version_ordinal: 8
+diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml
+index 8f764c4d1..0cc1d40ec 100644
+--- a/tests/data/product_stability/rhel8.yml
++++ b/tests/data/product_stability/rhel8.yml
+@@ -81,7 +81,7 @@ groups:
+ dedicated_ssh_keyowner:
+ name: ssh_keys
+ grub2_boot_path: /boot/grub2
+-grub2_uefi_boot_path: /boot/efi/EFI/redhat
++grub2_uefi_boot_path: /boot/efi/EFI/almalinux
+ grub_helper_executable: grubby
+ init_system: systemd
+ journald_conf_dir_path: /etc/systemd/journald.conf.d
+diff --git a/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml b/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml
+index 849ab06f6..1a4927eec 100644
+--- a/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml
++++ b/tests/data/utils/disa-stig-rhel8-v1r6-xccdf-manual.xml
+@@ -368,7 +368,7 @@ $ sudo egrep "^SHA_CRYPT_" /etc/login.defs
+
+ If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding.
+
+-If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding. SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> RHEL-08-010140 RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 8 DISA DPMS Target Red Hat Enterprise Linux 8 2921 CCI-000213 Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
++If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding. SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> RHEL-08-010140 RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. <VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 8 DISA DPMS Target Red Hat Enterprise Linux 8 2921 CCI-000213 Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file.
+
+ Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+@@ -378,7 +378,7 @@ Confirm password: For systems that use BIOS, this is Not Applicable.
++$ sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfgFor systems that use BIOS, this is Not Applicable.
+
+ Verify that a unique name is set as the "superusers" account:
+
+-$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
++$ sudo grep -iw "superusers" /boot/efi/EFI/almalinux/grub.cfg
+ set superusers="[someuniquestringhere]"
+ export superusers
+
+diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
+index 42abeb78e..fb99e71f2 100644
+--- a/tests/shared/grub2.sh
++++ b/tests/shared/grub2.sh
+@@ -11,10 +11,10 @@ function set_grub_uefi_root {
+ if grep VERSION /etc/os-release | grep -q '9\.'; then
+ GRUB_CFG_ROOT=/boot/grub2
+ else
+- GRUB_CFG_ROOT=/boot/efi/EFI/redhat
++ GRUB_CFG_ROOT=/boot/efi/EFI/almalinux
+ fi
+ elif grep NAME /etc/os-release | grep -iq "Oracle"; then
+- GRUB_CFG_ROOT=/boot/efi/EFI/redhat
++ GRUB_CFG_ROOT=/boot/efi/EFI/almalinux
+ elif grep NAME /etc/os-release | grep -iq "Ubuntu"; then
+ GRUB_CFG_ROOT=/boot/grub
+ fi
+diff --git a/tests/unit/ssg-module/data/product.yml b/tests/unit/ssg-module/data/product.yml
+index 540ab0181..191dde4ec 100644
+--- a/tests/unit/ssg-module/data/product.yml
++++ b/tests/unit/ssg-module/data/product.yml
+@@ -25,7 +25,7 @@ aux_pkg_version: "5a6340b3"
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "7E4624258C406535D56D6F135054E4A45A6340B3"
+
+-grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
++grub2_uefi_boot_path: "/boot/efi/EFI/almalinux"
+
+ cpes_root: "./applicability"
+ cpes:
+diff --git a/tests/unit/ssg_test_suite/data/correct.pass.sh b/tests/unit/ssg_test_suite/data/correct.pass.sh
+index 5a2bc1005..c3dfe6dce 100644
+--- a/tests/unit/ssg_test_suite/data/correct.pass.sh
++++ b/tests/unit/ssg_test_suite/data/correct.pass.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ # packages = sudo,authselect
+-# platform = multi_platform_rhel,Fedora
++# platform = multi_platform_rhel,multi_platform_almalinux,Fedora
+ # profiles = xccdf_org.ssgproject.content_profile_cis
+ # check = oval
+ # remediation = none
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index aabf622..149fc32 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -5,7 +5,7 @@
Name: scap-security-guide
Version: 0.1.77
-Release: 2%{?dist}
+Release: 2%{?dist}.alma.1
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
@@ -17,6 +17,9 @@ Patch2: scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch
# fix wrong grub-mkconfig (should be grub2-mkconfig) command in rule descriptions
Patch3: scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch
+# AlmaLinux Patch
+Patch1000: scap-security-guide-add-almalinux10-product.patch
+
BuildArch: noarch
BuildRequires: libxslt
@@ -72,6 +75,9 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
%if 0%{?centos}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON -DSSG_SCE_ENABLED:BOOL=ON
%endif
+%if 0%{?almalinux}
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_ALMALINUX%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_SCE_ENABLED:BOOL=ON
+%endif
mkdir -p build
%build
@@ -104,6 +110,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif
%changelog
+* Tue Jul 15 2025 Andrew Lukoshko - 0.1.77-2.alma.1
+- Add AlmaLinux 10 support
+
* Fri Jun 27 2025 Vojtech Polasek - 0.1.77-2
- fix incorrect applicability of Grub2 UEFI specific rules
- replace grub-mkconfig with grub2-mkconfig in rule descriptions