From 7734060a3639f14c1180496251626fd9e03d385a Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Fri, 13 Oct 2023 14:26:38 +0000 Subject: [PATCH] Update AlmaLinux patch --- ...guide-0.1.69-add-almalinux9-product.patch} | 5664 ++++++++++------- SPECS/scap-security-guide.spec | 2 +- 2 files changed, 3482 insertions(+), 2184 deletions(-) rename SOURCES/{scap-security-guide-0.1.66-add-almalinux9-product.patch => scap-security-guide-0.1.69-add-almalinux9-product.patch} (88%) diff --git a/SOURCES/scap-security-guide-0.1.66-add-almalinux9-product.patch b/SOURCES/scap-security-guide-0.1.69-add-almalinux9-product.patch similarity index 88% rename from SOURCES/scap-security-guide-0.1.66-add-almalinux9-product.patch rename to SOURCES/scap-security-guide-0.1.69-add-almalinux9-product.patch index 94155a5..f943cd4 100644 --- a/SOURCES/scap-security-guide-0.1.66-add-almalinux9-product.patch +++ b/SOURCES/scap-security-guide-0.1.69-add-almalinux9-product.patch @@ -1,35 +1,35 @@ diff --git a/CMakeLists.txt b/CMakeLists.txt -index ab11e31f5..340cac565 100644 +index 52d841098..34a8d287c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt -@@ -69,6 +69,7 @@ option(SSG_PRODUCT_DEFAULT "If enabled, all default release products will be bui +@@ -71,6 +71,7 @@ option(SSG_PRODUCT_DEFAULT "If enabled, all default release products will be bui # unless explicitly asked for. option(SSG_PRODUCT_ALINUX2 "If enabled, the Alibaba Cloud Linux 2 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_ALINUX3 "If enabled, the Alibaba Cloud Linux 3 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) +option(SSG_PRODUCT_ALMALINUX9 "If enabled, the AlmaLinux 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) + option(SSG_PRODUCT_ANOLIS23 "If enabled, the Anolis OS 23 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) - option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) -@@ -267,6 +268,7 @@ message(STATUS " ") +@@ -283,6 +284,7 @@ message(STATUS " ") message(STATUS "Products:") message(STATUS "Alibaba Cloud Linux 2: ${SSG_PRODUCT_ALINUX2}") message(STATUS "Alibaba Cloud Linux 3: ${SSG_PRODUCT_ALINUX3}") +message(STATUS "AlmaLinux 9: ${SSG_PRODUCT_ALMALINUX9}") message(STATUS "Anolis OS 8: ${SSG_PRODUCT_ANOLIS8}") + message(STATUS "Anolis OS 23: ${SSG_PRODUCT_ANOLIS23}") message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}") - message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}") -@@ -333,6 +335,9 @@ endif() - if (SSG_PRODUCT_ALINUX3) +@@ -349,6 +351,9 @@ endif() + if(SSG_PRODUCT_ALINUX3) add_subdirectory("products/alinux3" "alinux3") endif() -+if (SSG_PRODUCT_ALMALINUX9) ++if(SSG_PRODUCT_ALMALINUX9) + add_subdirectory("products/almalinux9" "almalinux9") +endif() - if (SSG_PRODUCT_ANOLIS8) + if(SSG_PRODUCT_ANOLIS8) add_subdirectory("products/anolis8" "anolis8") endif() diff --git a/build_product b/build_product -index fc793cbe7..912aba627 100755 +index ba8fb5d68..8924a3e5c 100755 --- a/build_product +++ b/build_product @@ -307,6 +307,7 @@ set_explict_build_targets() { @@ -38,23 +38,23 @@ index fc793cbe7..912aba627 100755 ALINUX3 + ALMALINUX9 ANOLIS8 + ANOLIS23 CHROMIUM - DEBIAN10 diff --git a/controls/anssi.yml b/controls/anssi.yml -index 9e631d1de..2961e1526 100644 +index 35e111d11..6f813c160 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml -@@ -297,7 +297,7 @@ controls: +@@ -1155,7 +1155,7 @@ controls: - ensure_gpgcheck_never_disabled - ensure_gpgcheck_globally_activated - ensure_gpgcheck_local_packages - - ensure_redhat_gpgkey_installed + - ensure_almalinux_gpgkey_installed - ensure_oracle_gpgkey_installed - - ensure_suse_gpgkey_installed + - id: R60 diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml -index efc53d03f..254c5f0e4 100644 +index afa162a66..4584a123a 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -349,7 +349,7 @@ controls: @@ -67,10 +67,10 @@ index efc53d03f..254c5f0e4 100644 - id: 1.2.3 title: Ensure gpgcheck is globally activated (Automated) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml -index 30f7e8d18..1ff31a0c7 100644 +index b97ce59ea..0fbb5ffe3 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml -@@ -304,7 +304,7 @@ controls: +@@ -306,7 +306,7 @@ controls: - l1_workstation status: manual related_rules: @@ -80,28 +80,53 @@ index 30f7e8d18..1ff31a0c7 100644 - id: 1.2.2 title: Ensure gpgcheck is globally activated (Automated) diff --git a/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml b/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml -index ba143b86b..52b80a324 100644 +index 6d494547b..52b80a324 100644 --- a/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml +++ b/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml -@@ -12,8 +12,6 @@ controls: +@@ -12,9 +12,6 @@ controls: - ensure_gpgcheck_globally_activated - ensure_gpgcheck_local_packages - ensure_gpgcheck_never_disabled - {{% if 'rhel' in product %}} - - ensure_redhat_gpgkey_installed - {{% endif %}} +- - ensure_oracle_gpgkey_installed + - ensure_almalinux_gpgkey_installed status: automated +diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml +index e88bbf4ef..ade250973 100644 +--- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml ++++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: rhel7,rhel8,rhel9,almalinux9,sle12,sle15 + + title: 'Uninstall avahi-autoipd Server Package' + +diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml +index ae6e5f38f..2b5ea514b 100644 +--- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml ++++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Uninstall avahi Server Package' + diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -index 6d5ebf540..a9676e9cd 100644 +index 9994d5921..bf86a67aa 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Avahi Server Software' @@ -163,27 +188,27 @@ index ffa0e5d82..fd443c99e 100644 title: 'Disable Odd Job Daemon (oddjobd)' diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml -index c71ce1b23..d638a9671 100644 +index 62bebd735..69e1d9202 100644 --- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml +++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml @@ -1,7 +1,7 @@ documentation_complete: true # package is unlikely to appear on a RHEL9 system, don't extend to RHEL10 --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,uos20 title: 'Disable Apache Qpid (qpidd)' diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml -index 7ca16e386..0f8965ba0 100644 +index 3a9b0cd98..fde646ef2 100644 --- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml +++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,uos20 title: 'Disable Network Router Discovery Daemon (rdisc)' @@ -200,379 +225,391 @@ index 41571146d..c4e4f98eb 100644 title: 'Disable Red Hat Network Service (rhnsd)' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -index b56d06eae..b69404a1a 100644 +index 77b163e60..2b3093504 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns cron.d' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml -index 909b41757..312304ce7 100644 +index ff0443ac5..bc0f43113 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns cron.daily' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml -index 16c756978..92fc319e6 100644 +index 63dd951d7..f78c5ae9b 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns cron.hourly' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml -index 2840534a5..6d9c20c7b 100644 +index 6d4493560..9af1b0474 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns cron.monthly' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml -index c9e039124..6f7c811b5 100644 +index 687b84698..12d707745 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns cron.weekly' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml -index 277c9c9d9..00e2f5112 100644 +index b980bc125..2736ad53d 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns Crontab' diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml -index c941caa5c..0f6722c2a 100644 +index c2d050d27..88df46f3c 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Owner on cron.d' diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml -index d0a6675fa..06c98be92 100644 +index 6024de5c6..e261fca99 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Owner on cron.daily' diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml -index 65b3ba05a..f79ffd16e 100644 +index 46320b462..1bdc7e44c 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Owner on cron.hourly' diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml -index f72fb065e..4ca35d3a8 100644 +index 18afaf1da..3a00b40a4 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Owner on cron.monthly' diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml -index 80175dcca..9af4545ea 100644 +index d76c2031c..4941f09ae 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Owner on cron.weekly' diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml -index 3df7aba3f..8465bbe62 100644 +index b9c4bcce4..e9dc5a1f1 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Owner on crontab' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml -index e15a2f68b..b09f3d2c4 100644 +index bdc53cc7c..abf85de61 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Permissions on cron.d' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml -index ce3f09ada..52e396aed 100644 +index 24b4cf5e5..27732bccc 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Permissions on cron.daily' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml -index fc59dfe62..7bddaf8d2 100644 +index 6e0da2bac..2deb5dfaf 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Permissions on cron.hourly' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml -index 1c78762ca..a0a46b5e9 100644 +index 5f5e5f6ec..c17983c4c 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Permissions on cron.monthly' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml -index 476a3125f..654f5890a 100644 +index c4ea83653..9572cae38 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Permissions on cron.weekly' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml -index 9d344b64b..7856ea1bb 100644 +index e29f65023..4e9e0284a 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Permissions on crontab' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml -index 51e2d97b1..dad847c7f 100644 +index 169db9bc0..84e8a111a 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 title: 'Ensure that /etc/at.deny does not exist' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml -index 132288177..d7b4509a5 100644 +index ff1fb5c57..9b710f9cf 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 title: 'Ensure that /etc/cron.deny does not exist' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml -index 6a1eff2d2..35cdbe774 100644 +index dfa5e7fc6..1f074661d 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns /etc/at.allow file' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml -index a74bf116b..80643d6e8 100644 +index 66b4a228b..0b320919a 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns /etc/cron.allow file' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml -index ed08e6442..167324e2b 100644 +index 843e6af80..30c7498b9 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify User Who Owns /etc/cron.allow file' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml -index da7a2286e..90b334c72 100644 +index d0e6dfd0c..c398142ea 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Permissions on /etc/at.allow file' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml -index 42275f213..e7e8d76a9 100644 +index 2b5f5e207..a3a39bf10 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Permissions on /etc/cron.allow file' diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml -index 91f458db0..88e400540 100644 +index 53b236464..87a341efa 100644 --- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml +++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,uos20 title: 'Disable At Service (atd)' diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml -index ec390e36c..77174cb80 100644 +index b2f6cddb1..62fa61b3b 100644 --- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4 title: 'Enable cron Service' diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml -index 9fd433b7c..cee2b7bf0 100644 +index cd80412b3..4d08e7840 100644 --- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml +++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Uninstall DHCP Server Package' diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml -index 356f23677..94540cc84 100644 +index 0b54e6c74..749e33acb 100644 --- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Disable DHCP Service' diff --git a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml -index eed8c2545..9851f5845 100644 +index 392785165..efeffb597 100644 --- a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml +++ b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204,uos20 title: 'Uninstall bind Package' diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml -index ce858b1d8..40fe4e645 100644 +index 87843736d..48030e21c 100644 --- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Disable named Service' +diff --git a/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml b/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml +index a053110a7..f7f5fdce0 100644 +--- a/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml ++++ b/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel9 ++prodtype: rhel9,almalinux9 + + title: 'Uninstall dnsmasq Package' + diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml -index 52c640e85..8832c02bc 100644 +index c2de306f6..ce71aac0b 100644 --- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml +++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml @@ -1,6 +1,6 @@ @@ -608,7 +645,7 @@ index 57e01f723..a0014c7c1 100644 title: 'Enable the File Access Policy Service' diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml -index 1995163a1..7357573c4 100644 +index f88eea4f0..7aae82b4d 100644 --- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml +++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml @@ -1,6 +1,6 @@ @@ -620,41 +657,65 @@ index 1995163a1..7357573c4 100644 title: 'Uninstall vsftpd Package' diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml -index bd77bb3f1..ab7e67598 100644 +index dc79102fd..a1ee7bff7 100644 --- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml +++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Disable vsftpd Service' +diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml +index 1129ce7f1..2f0d1eb2c 100644 +--- a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml ++++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel9 ++prodtype: rhel9,almalinux9 + + title: 'Remove ftp Package' + diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml -index 7462b9c7f..72bdd9ae2 100644 +index 044177ba3..5d03ff716 100644 --- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml +++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Uninstall httpd Package' diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml -index d71d6003f..d3f605c97 100644 +index c650de2a3..c7448273d 100644 --- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml +++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sel12,sle15 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,sel12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,sel12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,almalinux9,sel12,sle15 title: 'Disable httpd Service' +diff --git a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml +index 171b5262d..fc0ca780f 100644 +--- a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml ++++ b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel8,rhel9,ubuntu2004,ubuntu2204 ++prodtype: fedora,rhel8,rhel9,almalinux9,ubuntu2004,ubuntu2204 + + title: 'Uninstall nginx Package' + diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/rule.yml index d8631eb95..489b5b4bc 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/rule.yml @@ -691,27 +752,39 @@ index 1af8689b8..5b30b5bc3 100644 title: 'Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/' +diff --git a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml +index 9d039807d..0ab230c90 100644 +--- a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml ++++ b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel8,rhel9,ubuntu2004,ubuntu2204 ++prodtype: fedora,rhel8,rhel9,almalinux9,ubuntu2004,ubuntu2204 + + title: 'Uninstall cyrus-imapd Package' + diff --git a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml -index 27457df04..17cbf9b18 100644 +index 87b82fee6..0f5cf4705 100644 --- a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml +++ b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Uninstall dovecot Package' diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml -index b5abe51d5..96cbc284f 100644 +index 5968c1a2f..20b9d7190 100644 --- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml +++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Disable Dovecot Service' @@ -764,41 +837,55 @@ index 646e63f4b..cb346ebf4 100644 # Use LDAP for authentication diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -index 8244e0504..b913eac2d 100644 +index 2ec31a290..bc945e70f 100644 --- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -@@ -1,6 +1,6 @@ +@@ -8,7 +8,7 @@ + documentation_complete: true --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 title: 'Ensure LDAP client is not installed' diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml -index 5cc0bd10d..14a703e67 100644 +index bf75fffce..e628dd08a 100644 --- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml +++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml -@@ -1,6 +1,6 @@ +@@ -11,7 +11,7 @@ + documentation_complete: true --prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 ++prodtype: rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 title: 'Uninstall openldap-servers Package' diff --git a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml -index 8501b6286..47d03acda 100644 +index c94722d9e..b5ad70374 100644 --- a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml +++ b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel8,rhel9 -+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,almalinux9 +-prodtype: alinux2,alinux3,anolis23,anolis8,rhel8,rhel9 ++prodtype: alinux2,alinux3,anolis23,anolis8,rhel8,rhel9,almalinux9 title: 'Disable LDAP Server (slapd)' +diff --git a/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml b/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml +index 565693471..974ace384 100644 +--- a/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml ++++ b/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204 ++prodtype: rhel7,rhel8,rhel9,almalinux9,ubuntu2004,ubuntu2204 + + title: 'Ensure Mail Transfer Agent is not Listening on any non-loopback Address' + diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml index 3674a8609..dc926b106 100644 --- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml @@ -842,7 +929,7 @@ index c5e7ae18c..1ab2a0a40 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh -index 93a9e5878..5768cb749 100644 +index befe1acf3..e36b1fd3e 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh +++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/bash/shared.sh @@ -1,4 +1,4 @@ @@ -852,14 +939,14 @@ index 93a9e5878..5768cb749 100644 {{{ bash_instantiate_variables("var_postfix_inet_interfaces") }}} diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml -index 1c94cefa7..e4fe6bfa9 100644 +index 6366a2d1a..c93fb1488 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 +-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Postfix Network Listening' @@ -876,14 +963,14 @@ index 379999e33..6b7f19ae6 100644 title: 'Prevent Unrestricted Mail Relaying' diff --git a/linux_os/guide/services/mail/service_postfix_enabled/rule.yml b/linux_os/guide/services/mail/service_postfix_enabled/rule.yml -index 8120beda0..1366040cc 100644 +index 40e23a91d..ac643ddd6 100644 --- a/linux_os/guide/services/mail/service_postfix_enabled/rule.yml +++ b/linux_os/guide/services/mail/service_postfix_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 +-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Postfix Service' @@ -900,38 +987,38 @@ index 1fc438cc4..48e546d99 100644 title: 'Uninstall rpcbind Package' diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -index 0b6c8d464..5c0ba9f71 100644 +index a85028384..824a4ed59 100644 --- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Disable rpcbind Service' diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -index 91f73abe9..a52cb7eb4 100644 +index 083e7b30e..e4cf444c5 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Disable Network File System (nfs)' diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/rule.yml -index 9a95382a6..38d69416f 100644 +index a48edf779..ce176f114 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,rhel7,rhel8,rhel9 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,almalinux9 +-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9 ++prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9 title: 'Mount Remote Filesystems with Kerberos Security' @@ -984,7 +1071,7 @@ index b666538f2..53e539d8a 100644 title: 'Use Kerberos Security on All Exports' diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml -index 2e7632b7e..3c07bfc8c 100644 +index 3de7c8db0..ade1efaed 100644 --- a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml @@ -1,6 +1,6 @@ @@ -1006,7 +1093,7 @@ index 524cdc7d0..2678708d2 100644 {{{ bash_replace_or_append(chrony_conf_path, '^port', '0', '%s %s') }}} diff --git a/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml -index a97cf1a9f..f285ebb44 100644 +index c435df983..b80ffbf7b 100644 --- a/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_client_only/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -1039,7 +1126,7 @@ index 25b768688..a1e46bc12 100644 {{{ bash_replace_or_append(chrony_conf_path, '^cmdport', '0', '%s %s') }}} diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml -index a97cf1a9f..f285ebb44 100644 +index c435df983..b80ffbf7b 100644 --- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -1061,28 +1148,8 @@ index 782106734..f3177b0c6 100644 title: 'Disable network management of chrony daemon' -diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml -index e571e6ee2..fa9118753 100644 ---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml -+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel -+# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux - # reboot = false - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh -index f1bb759d9..a3d4dde5b 100644 ---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh -+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu -+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu - - {{{ bash_instantiate_variables("var_time_service_set_maxpoll") }}} - diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml -index a97cf1a9f..f285ebb44 100644 +index c435df983..b80ffbf7b 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -1105,7 +1172,7 @@ index b7bef7d30..15db9896f 100644 title: 'Configure Time Service Maxpoll Interval' diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml -index a97cf1a9f..f285ebb44 100644 +index c435df983..b80ffbf7b 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -1116,7 +1183,7 @@ index a97cf1a9f..f285ebb44 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml -index a97cf1a9f..f285ebb44 100644 +index c435df983..b80ffbf7b 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -1163,7 +1230,7 @@ index e1d712f25..1a6e10840 100644 {{%- endif %}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -index 0f3dfd4a2..6fb216346 100644 +index a1f8c234b..14f415da2 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml @@ -1,11 +1,11 @@ @@ -1398,14 +1465,14 @@ index 5f0ad2c6e..7c6175efb 100644 echo "server " > {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml -index a602354c3..ea6ccfc66 100644 +index 4bef92d96..8f2ce0a4c 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Uninstall xinetd Package' @@ -1423,78 +1490,68 @@ index 06ffe16cb..dbcd37c7c 100644 title: 'Disable xinetd Service' diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -index 9be95ffed..0d13d9043 100644 +index c5f90c495..4da134625 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Remove NIS Client' diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -index 6ab9cdac3..b7c200783 100644 +index b057fc5a8..561647d42 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Uninstall ypserv Package' diff --git a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml -index 4f414d3af..e390c2d78 100644 +index b302496d1..79d2cceba 100644 --- a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel8,rhel9 -+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,almalinux9 +-prodtype: alinux2,alinux3,anolis23,anolis8,rhel8,rhel9 ++prodtype: alinux2,alinux3,anolis23,anolis8,rhel8,rhel9,almalinux9 title: 'Disable ypserv Service' diff --git a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml -index d3139b999..bd75d0867 100644 +index b7beb612c..2eff2429d 100644 --- a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml +++ b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml @@ -6,7 +6,7 @@ documentation_complete: true --prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Uninstall rsync Package' -diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/bash/shared.sh b/linux_os/guide/services/obsolete/r_services/no_host_based_files/bash/shared.sh -index 3a98b0947..bd5b8127e 100644 ---- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/bash/shared.sh -+++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle,multi_platform_ol -+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ol - - # Identify local mounts - MOUNT_LIST=$(df --local | awk '{ print $6 }') diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml -index 822b02f50..1ef919597 100644 +index 7ba8c1008..0fa5c255c 100644 --- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Remove Host-Based Authentication Files' diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/ansible/shared.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/ansible/shared.yml -index 6af0b5732..713381d73 100644 +index 9c6fc297c..7db8e8320 100644 --- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/ansible/shared.yml +++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -1513,49 +1570,39 @@ index e64838b15..baaa07631 100644 find /root -xdev -type f -name ".rhosts" -exec rm -f {} \; find /home -maxdepth 2 -xdev -type f -name ".rhosts" -exec rm -f {} \; -diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/bash/shared.sh b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/bash/shared.sh -index b7c88b077..a9c7c4e31 100644 ---- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/bash/shared.sh -+++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle,multi_platform_ol -+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ol - - # Identify local mounts - MOUNT_LIST=$(df --local | awk '{ print $6 }') diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml -index 43da70e0f..b67aa48dd 100644 +index 8eb7f2db5..9cbcf4b86 100644 --- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Remove User Host-Based Authentication Files' diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml -index b2e659932..2f7ae2774 100644 +index ccfe39dee..fbb7ec130 100644 --- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Uninstall rsh-server Package' diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml -index e343810ac..963f48303 100644 +index 45e79f6de..3f8e33b24 100644 --- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Uninstall rsh Package' @@ -1573,62 +1620,62 @@ index 1b5db8e51..6668c946a 100644 title: 'Disable rlogin Service' diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -index 315af3908..e4650d671 100644 +index 976fdaaec..153f295ce 100644 --- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Ensure rsyncd service is disabled' diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml -index 8ca257b6f..9c0c2de76 100644 +index 0331db92e..085131b9f 100644 --- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Uninstall talk-server Package' diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml -index ea67a07fe..d4edbcd19 100644 +index 14317060b..4505ac061 100644 --- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Uninstall talk Package' diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml -index 2780aafb9..40ae2cbdf 100644 +index 080785dd8..20714ac5f 100644 --- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Uninstall telnet-server Package' diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml -index b1c974e80..f6ccd3538 100644 +index 2571d5072..31ffdf29a 100644 --- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Remove telnet Clients' @@ -1645,38 +1692,38 @@ index a38c0cc48..9e69956ab 100644 title: 'Disable telnet Service' diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml -index f9328616a..0b076bccf 100644 +index 9268c850c..5e583ad07 100644 --- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Uninstall tftp-server Package' diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml -index ac1bafde0..1680e87a8 100644 +index 35e0a2f93..b25f376f7 100644 --- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Remove tftp Daemon' diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml -index dd0bd7983..2ce2a2b97 100644 +index 9dd7a8bdd..b809881ed 100644 --- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4 +-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4 ++prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4 title: 'Ensure tftp Daemon Uses Secure Mode' @@ -1693,38 +1740,38 @@ index df44086ff..2f164b1f9 100644 title: 'Uninstall CUPS Package' diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml -index 1c9a75bc5..1f086ff6a 100644 +index a32b94c36..30833a927 100644 --- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml +++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable the CUPS Service' diff --git a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml -index c0d33e434..f619440f7 100644 +index c2cc9410c..68b6343a1 100644 --- a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml +++ b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Uninstall squid Package' diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml -index 9321e667b..1b49c8d41 100644 +index 2ca96be83..5aa0bcdc8 100644 --- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml +++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Disable Squid' @@ -1741,7 +1788,7 @@ index 7c01c09b4..496e4d67f 100644 title: 'Remove the FreeRadius Server Package' diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml -index 9993786dc..ca7a05feb 100644 +index 4e39496fc..fb72906c4 100644 --- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml +++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml @@ -1,6 +1,6 @@ @@ -1753,14 +1800,14 @@ index 9993786dc..ca7a05feb 100644 title: 'Enable the Hardware RNG Entropy Gatherer Service' diff --git a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml -index 4c37ae2f7..90b713ae0 100644 +index 40f9fa887..2ca019269 100644 --- a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml +++ b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,rhel7,rhel8,rhel9 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,almalinux9 +-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9 ++prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9 title: 'Uninstall quagga Package' @@ -1809,31 +1856,31 @@ index 9e1f01f53..d7d4c2651 100644 #By Luke "Brisk-OH" Brisk #luke.brisk@boeing.com or luke.brisk@gmail.com diff --git a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml -index 1f75e60ce..8a3ebea95 100644 +index 1b633c648..bb416b331 100644 --- a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml +++ b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Uninstall Samba Package' diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml -index 76303fa12..aab031a48 100644 +index 0370bdb36..692305f11 100644 --- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Disable Samba' diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml -index 271f1f27e..c5596b9d4 100644 +index 3f8d8cf5c..44b2e2343 100644 --- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml +++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml @@ -1,6 +1,6 @@ @@ -1845,14 +1892,14 @@ index 271f1f27e..c5596b9d4 100644 title: 'Uninstall net-snmp Package' diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml -index be039de1f..26a25c18c 100644 +index 47810df3f..a76327dff 100644 --- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml +++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Disable snmpd Service' @@ -1881,38 +1928,180 @@ index 309efb9aa..6224d7923 100644 title: 'Configure SNMP Service to Use Only SNMPv3 or Newer' diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml -index e393c6c2c..519b0379d 100644 +index 2262fb3b8..6e2a16ba0 100644 --- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns SSH Server config file' +diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/correct_groupowner.pass.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/correct_groupowner.pass.sh +index cd5171c1b..6301578ba 100644 +--- a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/correct_groupowner.pass.sh ++++ b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/correct_groupowner.pass.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + if ! grep -q ssh_keys /etc/group; then + groupadd ssh_keys +diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/incorrect_groupowner.fail.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/incorrect_groupowner.fail.sh +index 840370623..c64f052be 100644 +--- a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/incorrect_groupowner.fail.sh ++++ b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/incorrect_groupowner.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + test_group="cac_testgroup" + groupadd $test_group +diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/multiple_keys.fail.sh +index 4964fe4a1..f5fd88dd3 100644 +--- a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/multiple_keys.fail.sh ++++ b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/multiple_keys.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + test_group="cac_testgroup" + groupadd $test_group +diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/correct_groupowner.pass.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/correct_groupowner.pass.sh +index 8028e0466..36ebda0b3 100644 +--- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/correct_groupowner.pass.sh ++++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/correct_groupowner.pass.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX.pub) + chgrp root "$FAKE_KEY" +diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/incorrect_groupowner.fail.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/incorrect_groupowner.fail.sh +index 56c713f3d..505f3adfb 100644 +--- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/incorrect_groupowner.fail.sh ++++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/incorrect_groupowner.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + test_group="cac_testgroup" + groupadd $test_group +diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/missing_file_test.pass.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/missing_file_test.pass.sh +index 7cffa2c97..9c0f3a28b 100644 +--- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/missing_file_test.pass.sh ++++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/missing_file_test.pass.sh +@@ -1,4 +1,4 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + rm -f /etc/ssh/*.pub +diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/multiple_keys.fail.sh +index b6bef987d..799d5044b 100644 +--- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/multiple_keys.fail.sh ++++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/multiple_keys.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + test_group="cac_testgroup" + groupadd $test_group diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml -index fa43ddc59..3af3fc511 100644 +index 8785509dc..8812a43af 100644 --- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Owner on SSH Server config file' +diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/correct_owner.pass.sh b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/correct_owner.pass.sh +index b36e8a3d7..494455df2 100644 +--- a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/correct_owner.pass.sh ++++ b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/correct_owner.pass.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key) + chown root "$FAKE_KEY" +diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/incorrect_owner.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/incorrect_owner.fail.sh +index 30da398eb..4ee3a3c1f 100644 +--- a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/incorrect_owner.fail.sh ++++ b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/incorrect_owner.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + test_user="cac_testuser" + useradd $test_user +diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/multiple_keys.fail.sh +index 59f414be3..484da1eec 100644 +--- a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/multiple_keys.fail.sh ++++ b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/multiple_keys.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + test_user="cac_testuser" + useradd $test_user +diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/correct_owner.pass.sh b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/correct_owner.pass.sh +index adc985a1a..489f65995 100644 +--- a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/correct_owner.pass.sh ++++ b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/correct_owner.pass.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX.pub) + chown root "$FAKE_KEY" +diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/incorrect_owner.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/incorrect_owner.fail.sh +index 4fa528fe3..bbc3c6147 100644 +--- a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/incorrect_owner.fail.sh ++++ b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/incorrect_owner.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + test_user="cac_testuser" + useradd $test_user +diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/multiple_keys.fail.sh +index 16878dc1d..6c3983a9d 100644 +--- a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/multiple_keys.fail.sh ++++ b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/multiple_keys.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + + test_user="cac_testuser" + useradd $test_user diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml -index 3d00dec4b..fa0d0ad12 100644 +index a69ba302e..1eb5a562c 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Permissions on SSH Server config file' @@ -1962,14 +2151,14 @@ index 36ac1f29d..cff318080 100644 title: 'Install OpenSSH client software' diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml -index 158df38e1..c6572b243 100644 +index 5d7fd206b..518c6ef32 100644 --- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml +++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 ++prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004 title: 'Enable the OpenSSH Service' @@ -1985,6 +2174,18 @@ index afc6d539c..8ebcfb5c1 100644 title: 'Configure session renegotiation for SSH client' +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_keys_passphrase_protected/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_keys_passphrase_protected/rule.yml +index 70d9bc7cc..12c9a37b5 100644 +--- a/linux_os/guide/services/ssh/ssh_client/ssh_keys_passphrase_protected/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_keys_passphrase_protected/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol9,rhel8,rhel9 ++prodtype: ol9,rhel8,rhel9,almalinux9 + + title: 'Verify the SSH Private Key Files Have a Passcode' + diff --git a/linux_os/guide/services/ssh/ssh_private_keys_have_passcode/rule.yml b/linux_os/guide/services/ssh/ssh_private_keys_have_passcode/rule.yml index d5f70f350..759e9d2b4 100644 --- a/linux_os/guide/services/ssh/ssh_private_keys_have_passcode/rule.yml @@ -2009,15 +2210,15 @@ index 5a97f74df..104b27f3f 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml -index d7c96665b..76afd3a55 100644 +index 280020823..582a114c6 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml @@ -53,7 +53,7 @@ -- {{% if product in ["fedora", "rhel9"] %}} -+ {{% if product in ["fedora", "rhel9", "almalinux9"] %}} +- {{% if product in ["fedora", "ol9", "rhel9"] %}} ++ {{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} /etc/NetworkManager/system-connections .*\.nmconnection ^zone=(.*)$ @@ -2025,20 +2226,20 @@ index d7c96665b..76afd3a55 100644 -- {{% if product in ["fedora", "rhel9"] %}} -+ {{% if product in ["fedora", "rhel9", "almalinux9"] %}} +- {{% if product in ["fedora", "ol9", "rhel9"] %}} ++ {{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} /etc/NetworkManager/system-connections .*\.nmconnection {{% else %}} diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml -index 7446a6237..ad8afbc05 100644 +index fb6956152..f7e55892b 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4 +-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4 ++prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4 title: 'Enable SSH Server firewalld Firewall Exception' @@ -2220,12 +2421,12 @@ index ead09cc23..c4dae825a 100644 SSHD_CONFIG_DIR="/etc/ssh/sshd_config.d" SSHD_CONFIG="${SSHD_CONFIG_DIR}/bad_config.conf" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml -index b280e21eb..8e1c18100 100644 +index c47506b42..0b8f7bd7f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu # reboot = false # strategy = restrict # complexity = low @@ -2302,6 +2503,82 @@ index fcdb800c2..77c3e82da 100644 #!/bin/bash SSHD_CONFIG="/etc/ssh/sshd_config" +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh +index d9775be43..8abd5c4ee 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle + + source common.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh +index 5e7246205..6de325120 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle + + source common.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh +index 11e8fe96d..00b69cd2c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle + + source common.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh +index a2528cb30..0c8dcf1ba 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle + + source common.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh +index 63213b5d1..7d20761ba 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh +@@ -1,4 +1,4 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle + + source common.sh +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh +index 59dee5b9e..b0f66c148 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle + + source common.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh +index 0e12d5a2a..d825167a3 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle + + source common.sh + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/default_correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/default_correct_value.pass.sh index edb2553d2..2bfd42c86 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/tests/default_correct_value.pass.sh @@ -2371,27 +2648,27 @@ index 5a98fc0eb..846cdd444 100644 sed -i 's/^\s*MACs\s/# &/i' /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml -index 69f4b7c74..b33087e8f 100644 +index f1e9853d6..15870678b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true # TODO: The plan is not to need this for RHEL>=8.4 # TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more --prodtype: ol8,rhel8,rhel9 -+prodtype: ol8,rhel8,rhel9,almalinux9 +-prodtype: fedora,ol8,rhel8,rhel9 ++prodtype: fedora,ol8,rhel8,rhel9,almalinux9 title: 'SSH server uses strong entropy to seed' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml -index 8aac236b7..84c188bd8 100644 +index 3a58720dd..a4e44202d 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,ubuntu2004,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,ubuntu2004 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,ubuntu2004 title: 'Prevent remote hosts from connecting to the proxy display' @@ -2455,7 +2732,7 @@ index 564e32815..02bed6db8 100644 {{{ bash_sssd_ldap_config(parameter="ldap_id_use_start_tls", value="true") }}} diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml -index 0e2eefedf..5d4c828e0 100644 +index c93d7a59d..a6dff6f85 100644 --- a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -2465,7 +2742,7 @@ index 0e2eefedf..5d4c828e0 100644 # strategy = configure # complexity = low diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh -index c3ad7e882..dcee45546 100644 +index ea3c0946c..08e66dade 100644 --- a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh @@ -1,4 +1,4 @@ @@ -2499,15 +2776,15 @@ index ed8b1c4e1..e6b74a5ac 100644 title: 'Enable Certmap in SSSD' diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh -index d233bc61d..9e2c7d3bf 100644 +index 09e863e4a..ba1f546e9 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol - SSSD_CONF="/etc/sssd/sssd.conf" - SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf" + + diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml index f82c9e386..f4d8142ac 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml @@ -2522,12 +2799,12 @@ index f82c9e386..f4d8142ac 100644 ansible.builtin.stat: path: /usr/bin/authselect diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh -index 487b11b6b..6cb7712a8 100644 +index b51312601..a9d3d9d5d 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh -@@ -6,7 +6,7 @@ +@@ -13,7 +13,7 @@ umask u=rw,go= - {{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "pam", "pam_cert_auth", "True") }}} + umask $OLD_UMASK -{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}} +{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9"] %}} @@ -2557,7 +2834,7 @@ index c2ae4d39a..850809262 100644 comment="tests the presence of try_cert_auth or require_cert_auth in /etc/pam.d/smartcard-auth" id="test_sssd_enable_smartcards_allow_missing_name_smartcard_auth" version="2"> diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml -index eb3a99fb0..0e8592c2f 100644 +index 6ed233a70..f902a54c8 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml @@ -1,6 +1,6 @@ @@ -2680,14 +2957,14 @@ index 43e19d382..6c7a50002 100644 SSSD_FILE="/etc/sssd/sssd.conf" rm -f $SSSD_FILE diff --git a/linux_os/guide/services/sssd/sssd_has_trust_anchor/rule.yml b/linux_os/guide/services/sssd/sssd_has_trust_anchor/rule.yml -index 4733dae80..3fcf05c9a 100644 +index d71208630..21d24edcc 100644 --- a/linux_os/guide/services/sssd/sssd_has_trust_anchor/rule.yml +++ b/linux_os/guide/services/sssd/sssd_has_trust_anchor/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol8,ol9,rhel9 -+prodtype: ol8,ol9,rhel9,almalinux9 +-prodtype: ol8,ol9,rhel8,rhel9 ++prodtype: ol8,ol9,rhel8,rhel9,almalinux9 title: 'SSSD Has a Correct Trust Anchor' @@ -2702,7 +2979,7 @@ index 7cfba003b..fb36bb099 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh -index d749de10e..9ee217470 100644 +index e7d5d3916..ed768f876 100644 --- a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh @@ -1,4 +1,4 @@ @@ -2722,7 +2999,7 @@ index ebdf0136b..73916d8d1 100644 # strategy = configure # complexity = low diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh -index a7c8bedc0..f255d3dd9 100644 +index 890254c8e..2b6103e93 100644 --- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh @@ -1,4 +1,4 @@ @@ -2732,7 +3009,7 @@ index a7c8bedc0..f255d3dd9 100644 # strategy = configure # complexity = low diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml -index 34d0ea06b..7ff342c6b 100644 +index 15ef6aa83..033bca316 100644 --- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml +++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml @@ -1,6 +1,6 @@ @@ -2744,7 +3021,7 @@ index 34d0ea06b..7ff342c6b 100644 title: 'Configure SSSD to Expire Offline Credentials' diff --git a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh -index ffb443d70..4444d8afd 100644 +index 3da9609d7..06586bd8a 100644 --- a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh @@ -1,4 +1,4 @@ @@ -2764,7 +3041,7 @@ index 599683567..8fa06fa65 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh -index 21e0b485b..9658e047e 100644 +index f066ef1bd..01254fa6f 100644 --- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh @@ -1,4 +1,4 @@ @@ -2783,7 +3060,7 @@ index 331627492..72a361b30 100644 +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_rhcos {{{ kubernetes_usbguard_set(["xccdf_org.ssgproject.content_rule_package_usbguard_installed"]) }}} diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml -index 28780fb33..6ab520d14 100644 +index c20527bf1..faa280e68 100644 --- a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml +++ b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml @@ -1,6 +1,6 @@ @@ -2806,7 +3083,7 @@ index 9f18591b3..b49d5217a 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml -index 5b903676c..3a722afad 100644 +index 47a65aeb6..46b83c460 100644 --- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml +++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml @@ -1,6 +1,6 @@ @@ -2829,7 +3106,7 @@ index e9c55dfb0..9be805c13 100644 kind: MachineConfig metadata: diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml -index 6bae6e0fa..48998ef2a 100644 +index e382a886f..130a87454 100644 --- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml +++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml @@ -1,6 +1,6 @@ @@ -2888,7 +3165,7 @@ index a5ff52550..eda5cbf8b 100644 title: 'Authorize USB hubs in USBGuard daemon' diff --git a/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml b/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml -index aa7a3aa3f..099e3f475 100644 +index cca593262..5ac5c0678 100644 --- a/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml +++ b/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -2908,7 +3185,7 @@ index 88d55f160..f2f336700 100644 # strategy = configure # complexity = low diff --git a/linux_os/guide/services/usbguard/usbguard_generate_policy/rule.yml b/linux_os/guide/services/usbguard/usbguard_generate_policy/rule.yml -index 9e2e0102b..a7441071e 100644 +index 40d4e8fb3..00796b4be 100644 --- a/linux_os/guide/services/usbguard/usbguard_generate_policy/rule.yml +++ b/linux_os/guide/services/usbguard/usbguard_generate_policy/rule.yml @@ -1,6 +1,6 @@ @@ -2920,7 +3197,7 @@ index 9e2e0102b..a7441071e 100644 title: 'Generate USBGuard Policy' diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -index 360c61a3d..0dc5556e8 100644 +index 170f89fc0..6308fa768 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml @@ -1,6 +1,6 @@ @@ -2944,19 +3221,19 @@ index 607ed945c..12eecd4ca 100644 title: 'Disable graphical user interface' diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml -index 2e32d3e90..82588fd3d 100644 +index ab3b7ccd5..3806444b2 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml +++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Disable X Windows Startup By Setting Default Target' diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml -index 4f6d64fd7..3c980eea0 100644 +index 1dea09b2f..cbc23c694 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -2966,7 +3243,7 @@ index 4f6d64fd7..3c980eea0 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -index cdfd9b994..b577881c9 100644 +index 63ceaaf88..e50ada3e4 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh @@ -1,4 +1,4 @@ @@ -2976,31 +3253,31 @@ index cdfd9b994..b577881c9 100644 {{{ bash_instantiate_variables("login_banner_text") }}} diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml -index 7585823b6..e93542999 100644 +index dbae8dd3a..b77c6ae92 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Modify the System Login Banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml -index 19c03e6db..7ac3dccfa 100644 +index 2e79e27b8..1c4e483c2 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Modify the System Login Banner for Remote Connections' diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml -index d804a28c5..d2a1f1bc4 100644 +index 5735d2035..0ca7771ef 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -3010,132 +3287,132 @@ index d804a28c5..d2a1f1bc4 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh -index 1d9f92517..08b999cf4 100644 +index 4d77e8336..4ed727fc5 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu - {{{ bash_instantiate_variables("login_banner_text") }}} + {{{ bash_instantiate_variables("motd_banner_text") }}} diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml -index 08fbad430..de64e17e7 100644 +index d501fe120..97a7a59f7 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Modify the System Message of the Day Banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -index 5e6d02fcf..d527dcc70 100644 +index 48c86a69c..e9b46917f 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Ownership of System Login Banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml -index f11e5b47d..10a30c5ae 100644 +index 92f7874d8..49cb31e41 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204 -+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2204 +-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Ownership of System Login Banner for Remote Connections' diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -index 2e796ee3f..9d0413f0e 100644 +index 7b22f900c..ec3050b50 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Ownership of Message of the Day Banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml -index 70b4f392c..3a8755f0f 100644 +index 634b03ae6..1afc26851 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify ownership of System Login Banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml -index 1deff5952..abb7127a0 100644 +index cff8e3963..5b9f0bdb9 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204 -+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2204 +-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify ownership of System Login Banner for Remote Connections' diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -index 16011b194..0a319e2c9 100644 +index 47c662016..40980af13 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify ownership of Message of the Day Banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -index 9968c5cbf..c2f239b9e 100644 +index f80843991..b9bee27fe 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify permissions on System Login Banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml -index dd4bbeb9f..680d51606 100644 +index cb8d9db77..b08ded9e5 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204 -+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2204 +-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify permissions on System Login Banner for Remote Connections' diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -index 339274bcf..1f8dc8073 100644 +index 57ff52250..a17e58018 100644 --- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify permissions on Message of the Day Banner' @@ -3150,7 +3427,7 @@ index 5814a30bd..aa4aa4c5c 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml -index 600cca3b1..1d68f8fb2 100644 +index b21996ff4..b9dcaa15a 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml @@ -1,6 +1,6 @@ @@ -3172,7 +3449,7 @@ index 86aff54f9..b295782b0 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml -index 513cdba67..9f193b3b9 100644 +index 649db8e37..1838fa0dc 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml @@ -1,6 +1,6 @@ @@ -3184,7 +3461,7 @@ index 513cdba67..9f193b3b9 100644 title: 'Set the GNOME3 Login Warning Banner Text' diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/ansible/shared.yml -index c5b62c257..66d3473b3 100644 +index 215b978f2..37a8704dc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -3288,38 +3565,38 @@ index 510813790..15d7e9f61 100644 authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/rule.yml -index d34f78c56..88daeb584 100644 +index 74448292b..39b076c40 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_password_auth/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: rhel8,rhel9 -+prodtype: rhel8,rhel9,almalinux9 +-prodtype: alinux2,alinux3,ol9,rhel8,rhel9 ++prodtype: alinux2,alinux3,ol9,rhel8,rhel9,almalinux9 title: 'Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File.' diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/rule.yml -index a2e72e0de..e43b96283 100644 +index 912cd8c16..45711b865 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: rhel8,rhel9 -+prodtype: rhel8,rhel9,almalinux9 +-prodtype: ol9,rhel8,rhel9 ++prodtype: ol9,rhel8,rhel9,almalinux9 title: 'Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.' diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_selinux_faillock_dir/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_selinux_faillock_dir/rule.yml -index 4ef1e17f9..7b69b3585 100644 +index 61e58c8a0..85b7eb658 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_selinux_faillock_dir/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_selinux_faillock_dir/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol8,ol9,rhel8,rhel9 -+prodtype: ol8,ol9,rhel8,rhel9,almalinux9 +-prodtype: fedora,ol8,ol9,rhel8,rhel9 ++prodtype: fedora,ol8,ol9,rhel8,rhel9,almalinux9 title: 'An SELinux Context must be configured for the pam_faillock.so records directory' @@ -3389,14 +3666,14 @@ index 365006509..2a10d041b 100644 {{{ bash_instantiate_variables("var_password_pam_remember", "var_password_pam_remember_control_flag") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml -index d2b220ef9..bdfffeae6 100644 +index 6aaf7bf37..fe49dd7de 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4 title: 'Limit Password Reuse: password-auth' @@ -3529,14 +3806,14 @@ index a55f86dc3..5506f8c40 100644 {{{ bash_instantiate_variables("var_password_pam_remember", "var_password_pam_remember_control_flag") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml -index 97f05f5a3..d30fd3ed1 100644 +index aeb999b8d..07d1c6ef0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4 title: 'Limit Password Reuse: system-auth' @@ -3669,7 +3946,7 @@ index c830c07aa..3548b0341 100644 {{% if product in [ "sle12", "sle15" ] %}} {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml -index 6f5f90fe0..d2c9297fd 100644 +index f3e6931ac..cb2328d43 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml @@ -1,6 +1,6 @@ @@ -3846,12 +4123,12 @@ index e1eb0a970..74c1da0a8 100644 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml -index fed1dea10..0c6a8c9be 100644 +index 8ab749d4f..00c16754b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low @@ -3866,14 +4143,14 @@ index 449d912d0..22f5dc375 100644 {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml -index 06f9cd2de..03dbd87a1 100644 +index 0fa9fac37..f13d6f58f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle15,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2204 title: 'Lock Accounts After Failed Password Attempts' @@ -3961,34 +4238,34 @@ index 595b85192..f547b7431 100644 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/ansible/shared.yml -index 18f1a23f6..41d87be94 100644 +index 2a6868f38..70448df97 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/ansible/shared.yml @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/bash/shared.sh -index bf4938721..8c845063c 100644 +index 09d8aeee0..72b3aeacb 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/bash/shared.sh @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv {{{ bash_pam_faillock_enable() }}} {{{ bash_pam_faillock_parameter_value("even_deny_root", "") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml -index 2c28f825f..e64123dc8 100644 +index 94892c9d0..ce78d1fdf 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4 title: 'Configure the root Account for Failed Password Attempts' @@ -4052,7 +4329,7 @@ index 7c702d669..652c29b25 100644 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/rule.yml -index c87107985..318d8bd4f 100644 +index 28753f735..785fd2940 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/rule.yml @@ -1,6 +1,6 @@ @@ -4200,7 +4477,7 @@ index a49ddf559..41dc70b88 100644 {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml -index 7bcb4a51d..bf6901ab5 100644 +index 6a3f5b169..17b16d3e5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml @@ -1,6 +1,6 @@ @@ -4343,34 +4620,34 @@ index 514b2bb37..52f16f216 100644 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml -index 32bf2c480..63d101b61 100644 +index 230ff5eaa..c53da64d0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh -index 1587abf1d..e2f8c52a1 100644 +index 3a32aad36..d1f4a0327 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml -index 3f198e746..44df86c21 100644 +index f55ff2cef..66406f891 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle15,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2204 title: 'Set Lockout Time for Failed Password Attempts' @@ -4458,50 +4735,50 @@ index a57645eb1..641d38610 100644 authselect select sssd --force diff --git a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml -index 573b2b1a8..1d24c5b34 100644 +index 48798893e..18b59569e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204 -+prodtype: rhel7,rhel8,rhel9,almalinux9,ubuntu2004,ubuntu2204 +-prodtype: rhel7,rhel8,rhel9,ubuntu2004 ++prodtype: rhel7,rhel8,rhel9,almalinux9,ubuntu2004 title: 'Install pam_pwquality Package' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml -index 88b8c7ca9..0d0144d91 100644 +index e67cd8835..d7d49e1d7 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 ++prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004,ubuntu2204 title: 'Ensure PAM Enforces Password Requirements - Minimum Digit Characters' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml -index d7e13fb53..fa853229d 100644 +index d41ca6c26..3d804a0e4 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol8,ol9,rhel8,rhel9,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol8,ol9,rhel8,rhel9,almalinux9,ubuntu2004,ubuntu2204 +-prodtype: fedora,ol8,ol9,rhel8,rhel9,ubuntu2004 ++prodtype: fedora,ol8,ol9,rhel8,rhel9,almalinux9,ubuntu2004 title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml -index 545079b59..ef10e196b 100644 +index e7fdf2e8b..11b69b5da 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004 title: 'Ensure PAM Enforces Password Requirements - Minimum Different Characters' @@ -4518,26 +4795,26 @@ index d94ecedae..810b3f4c5 100644 title: 'Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml -index 5b2a62342..3801b243e 100644 +index 198475c87..260ac3b78 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,rhel8,rhel9 -+prodtype: fedora,rhel8,rhel9,almalinux9 +-prodtype: fedora,ol9,rhel8,rhel9 ++prodtype: fedora,ol9,rhel8,rhel9,almalinux9 title: 'Ensure PAM Enforces Password Requirements - Enforce for root User' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml -index cdd2ed505..be1e27be2 100644 +index 5799a7b12..a6044143d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 ++prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004,ubuntu2204 title: 'Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters' @@ -4566,38 +4843,38 @@ index 8984b63d9..17bc8eb97 100644 title: 'Set Password Maximum Consecutive Repeating Characters' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml -index 45a8dfa01..98e29d583 100644 +index 64f091504..0f469cecb 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004,ubuntu2204 title: 'Ensure PAM Enforces Password Requirements - Minimum Different Categories' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml -index bdd681de5..f9dec4f75 100644 +index f75a68077..b1ae5b48e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004,ubuntu2204 title: 'Ensure PAM Enforces Password Requirements - Minimum Length' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml -index e90fe9fe9..5d18a90cf 100644 +index 632aa24dc..e9ad8a3cd 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 ++prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004,ubuntu2204 title: 'Ensure PAM Enforces Password Requirements - Minimum Special Characters' @@ -4794,14 +5071,14 @@ index 36e9a27b9..fe1b603ab 100644 # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -index 113701f5e..d7f3ec9fb 100644 +index 73f5ec7a6..4d87174e6 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle15,ubuntu2004,ubuntu2204 title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session' @@ -4877,14 +5154,14 @@ index ea2eb57fe..31e80535f 100644 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml -index c4a5e5b0c..bb854990a 100644 +index 6c631ea37..d526d691a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 ++prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004,ubuntu2204 title: 'Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters' @@ -4909,7 +5186,7 @@ index 115273566..bd94d707c 100644 LIBUSER_CONF="/etc/libuser.conf" CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*' diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml -index c4aba679e..3dbd663de 100644 +index cadfa1905..8f75a5fc3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml @@ -1,6 +1,6 @@ @@ -4931,24 +5208,24 @@ index 8dedf993c..51c76b11a 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh -index fb856a113..a440dba9f 100644 +index dcb9dd0af..98d2bbec9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu {{{ bash_instantiate_variables("var_password_hashing_algorithm") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml -index df3ba0466..d7891075d 100644 +index e58180a1b..aa0052486 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Set Password Hashing Algorithm in /etc/login.defs' @@ -4972,7 +5249,7 @@ index 55f43ef98..2b993b52b 100644 {{{ bash_ensure_pam_module_configuration('/etc/pam.d/password-auth', 'password', 'sufficient', 'pam_unix.so', 'sha512', '', '') }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml -index dd8ba2c42..9e63b937a 100644 +index 8d7b14d4e..a09fb3fd7 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml @@ -1,6 +1,6 @@ @@ -5032,14 +5309,14 @@ index f72c7bde2..25fd37ced 100644 authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml -index 04854daa0..1682ef6cd 100644 +index 7a6a7f403..69d1d3405 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: "Set PAM''s Password Hashing Algorithm" @@ -5092,7 +5369,7 @@ index d4b163f24..819ad4b0a 100644 authselect create-profile hardening -b sssd CUSTOM_PROFILE="custom/hardening" diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml -index de303199d..fefdbfba2 100644 +index 9a490a8be..fdd2e7e0c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml @@ -1,6 +1,6 @@ @@ -5103,16 +5380,6 @@ index de303199d..fefdbfba2 100644 title: 'Set Password Hashing Rounds in /etc/login.defs' -diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh -index 23edb3c90..daae24630 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu -+# platform = multi_platform_rhel,multi_platform_almalinux,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu - - - {{{ bash_replace_or_append('/etc/systemd/system.conf', '^CtrlAltDelBurstAction=', 'none', '%s=%s') }}} diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/kubernetes/shared.yml index 3045574e5..7ce6bb466 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/kubernetes/shared.yml @@ -5136,15 +5403,6 @@ index 9c18a0c26..be97a6e6d 100644 title: 'Disable Ctrl-Alt-Del Burst Action' -diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh -index d919b9490..cdc902c52 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh -@@ -1,3 +1,3 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu - systemctl disable --now ctrl-alt-del.target - systemctl mask --now ctrl-alt-del.target diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/kubernetes/shared.yml index 517c83c6e..041e9a29c 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/kubernetes/shared.yml @@ -5157,7 +5415,7 @@ index 517c83c6e..041e9a29c 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml -index d0479d8e5..2c76c3459 100644 +index cdb3cbf45..a19af6ca6 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml @@ -1,6 +1,6 @@ @@ -5181,7 +5439,7 @@ index cf5da2ae1..02fa6e509 100644 title: 'Verify that Interactive Boot is Disabled' diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml -index 5fb6d2262..b3f447f8b 100644 +index 00e31fc21..646d6725c 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml @@ -1,6 +1,6 @@ @@ -5193,25 +5451,25 @@ index 5fb6d2262..b3f447f8b 100644 title: "Configure Logind to terminate idle sessions after certain time of inactivity" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml -index 133df4a25..f4bd36daa 100644 +index a3490a60d..81831631c 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml -@@ -9,7 +9,7 @@ +@@ -18,7 +18,7 @@ create: yes dest: /usr/lib/systemd/system/emergency.service regexp: "^#?ExecStart=" -- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9","sle12", "sle15"] -%}} -+ {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9","sle12", "sle15"] -%}} +- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] -%}} ++ {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9"] -%}} line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" {{%- else -%}} line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh -index 410d611cf..438ad0b9f 100644 +index 2a65ef992..641747e9e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh -@@ -2,7 +2,7 @@ - +@@ -7,7 +7,7 @@ service_dropin_file="${service_dropin_cfg_dir}/10-oscap.conf" service_file="/usr/lib/systemd/system/emergency.service" + {{% endif %}} -{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} +{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "almalinux9", "sle12", "sle15"] -%}} @@ -5219,10 +5477,10 @@ index 410d611cf..438ad0b9f 100644 {{%- else -%}} sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml -index a9c7188b6..1f7935189 100644 +index fadfa300c..e123d8735 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml -@@ -12,7 +12,7 @@ +@@ -24,7 +24,7 @@ /usr/lib/systemd/system/emergency.service @@ -5241,14 +5499,14 @@ index a9c7188b6..1f7935189 100644 {{%- else -%}} ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml -index e3b3c1876..94980cb04 100644 +index 534b5a093..0f2c9560a 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Require Authentication for Emergency Systemd Target' @@ -5261,7 +5519,7 @@ index e3b3c1876..94980cb04 100644 ExecStart and /usr/lib/systemd/systemd-sulogin-shell. 
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
{{%- else -%}} -@@ -86,7 +86,7 @@ fixtext: |- +@@ -84,7 +84,7 @@ fixtext: |- Configure {{{ full_name }}} to require authentication for system emergency mode. Add or edit the following line in "/usr/lib/systemd/system/emergency.service": @@ -5293,7 +5551,7 @@ index d9fdc678f..a4f6ea6a9 100644 service_file="/usr/lib/systemd/system/emergency.service" sulogin="/bin/bash" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml -index 272fa2855..23b55765d 100644 +index 225a73f0b..3943c04f0 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml @@ -9,7 +9,7 @@ @@ -5341,14 +5599,14 @@ index 62fd1a76a..d4074b6b5 100644 {{%- else -%}} ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml -index 6e4791236..5961bd7f4 100644 +index bd617f3e8..57cf588c0 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Require Authentication for Single User Mode' @@ -5361,7 +5619,7 @@ index 6e4791236..5961bd7f4 100644 ExecStart and /usr/lib/systemd/systemd-sulogin-shell. 
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
{{%- elif product in ["rhel7"] -%}} -@@ -95,7 +95,7 @@ fixtext: |- +@@ -93,7 +93,7 @@ fixtext: |- Configure {{{ full_name }}} to require authentication in single user mode. Add or update the following line in "/usr/lib/systemd/system/rescue.service": @@ -5392,8 +5650,18 @@ index 63b9b08b5..15abe6cec 100644 service_file="/usr/lib/systemd/system/rescue.service" sulogin="/bin/bash" +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml +index 8a64b5ea8..1e81d2e92 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol + # reboot = false + # strategy = configure + # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml -index 2aa4e7fb9..9faa5525f 100644 +index 2b2bf8871..b62b17fc0 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml @@ -1,6 +1,6 @@ @@ -5405,7 +5673,7 @@ index 2aa4e7fb9..9faa5525f 100644 title: 'Support session locking with tmux' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml -index bd7dbe984..f351ce62a 100644 +index f33344719..09c69b4e5 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -5425,7 +5693,7 @@ index dc63eb653..dc6931307 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml -index d67b6369c..76e8af083 100644 +index de8fab7e5..9a75f3fc4 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml @@ -1,6 +1,6 @@ @@ -5437,7 +5705,7 @@ index d67b6369c..76e8af083 100644 title: 'Configure tmux to lock session after inactivity' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml -index b24d68379..fda34d95f 100644 +index 80856b34d..5cffbff2c 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml @@ -1,6 +1,6 @@ @@ -5460,7 +5728,7 @@ index 6b2d6cd5e..c20712c9f 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml -index 52cc12fc6..51a0ba7a1 100644 +index ec8fee18b..ed04283bd 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml @@ -1,6 +1,6 @@ @@ -5472,7 +5740,7 @@ index 52cc12fc6..51a0ba7a1 100644 title: 'Prevent user from disabling the screen lock' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml -index 006b51790..afd71adf2 100644 +index 14207a44c..2c975a940 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml @@ -1,6 +1,6 @@ @@ -5484,7 +5752,7 @@ index 006b51790..afd71adf2 100644 title: 'Install the tmux Package' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml -index c19e339e1..0904a94cf 100644 +index a1e6ae87e..bb9ae4d3d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml @@ -1,6 +1,6 @@ @@ -5496,7 +5764,7 @@ index c19e339e1..0904a94cf 100644 title: 'Configure opensc Smart Card Drivers' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml -index 2889de05c..ea07c0b9b 100644 +index 27d1884f2..82caf0779 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml @@ -1,6 +1,6 @@ @@ -5508,32 +5776,32 @@ index 2889de05c..ea07c0b9b 100644 title: 'Force opensc To Use Defined Smart Card Driver' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml -index 635bb240c..e0cca650f 100644 +index a75f509a3..c7fb9b03d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml @@ -12,7 +12,7 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004 title: 'Install Smart Card Packages For Multifactor Authentication' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml -index 05ee175c6..68abd404c 100644 +index 56570f5c6..7009fc6dd 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004 title: 'Install the opensc Package For Multifactor Authentication' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml -index e0f2f1e0a..7efa5bff0 100644 +index f3b1ef07a..611d50bd3 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml @@ -1,6 +1,6 @@ @@ -5545,7 +5813,7 @@ index e0f2f1e0a..7efa5bff0 100644 title: 'Install the pcsc-lite package' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml -index 51d0c3183..01c94a4cc 100644 +index dcad70a82..48e796463 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml @@ -1,6 +1,6 @@ @@ -5557,7 +5825,7 @@ index 51d0c3183..01c94a4cc 100644 title: 'Enable the pcscd Service' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml -index 58299265d..2535b3460 100644 +index 18231e23a..c986f5c73 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -5611,7 +5879,7 @@ index ff493491e..082c8e61a 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml -index f232eb7e2..121bc4a27 100644 +index aad6ad4b6..0ea11661e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml @@ -1,6 +1,6 @@ @@ -5643,19 +5911,19 @@ index f299285d4..52e841b61 100644 {{{ bash_instantiate_variables("var_account_disable_post_pw_expiration") }}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml -index 55d39e5b6..5a4053d16 100644 +index da2a2d367..e1aed6fec 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Set Account Expiration Following Inactivity' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml -index 0c207a85b..02dd02c0b 100644 +index 826119eaf..d6e707d6f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml @@ -1,6 +1,6 @@ @@ -5667,26 +5935,26 @@ index 0c207a85b..02dd02c0b 100644 title: 'Assign Expiration Date to Emergency Accounts' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml -index 676d43037..ffb7c138f 100644 +index 90045204c..ece6239ac 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004 title: 'Assign Expiration Date to Temporary Accounts' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml -index dc9ee170c..af63801bc 100644 +index 487bfd63a..b34d490ee 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure All Accounts on the System Have Unique User IDs' @@ -5714,14 +5982,14 @@ index aa147fdce..bb8288f5b 100644 var_accounts_authorized_local_users_regex="^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$" diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml -index f523c432b..69a9082bb 100644 +index 1ba8ed152..3a0b63e44 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure All Groups on the System Have Unique Group ID' @@ -5766,7 +6034,7 @@ index 23710faba..7f1f5642d 100644 {{{ bash_instantiate_variables("var_accounts_password_minlen_login_defs") }}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml -index 0af6018b4..bcbcdffb7 100644 +index e387ed756..bcf05096d 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -5776,7 +6044,7 @@ index 0af6018b4..bcbcdffb7 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh -index d8149ebbc..cc52efeba 100644 +index 8ff7cba19..14ece5d17 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh @@ -1,4 +1,4 @@ @@ -5786,39 +6054,41 @@ index d8149ebbc..cc52efeba 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml -index 93fd76aac..965ff7ac3 100644 +index d56b4e8c0..8274fcfd4 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Set Existing Passwords Maximum Age' -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh -index 7b4f2c3e0..ab46f84f9 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ubuntu - # reboot = false - # strategy = restrict - # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml -index a133b6e69..8c7dd93ba 100644 +index 5e1fe03a2..908f94abc 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,anolis23,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,anolis23,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Set Existing Passwords Minimum Age' +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml +index d99bded94..aeb6e584a 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: rhel7,rhel8,rhel9,almalinux9,sle12,sle15 + + title: "Set Existing Passwords Warning Age" + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml index 4994ff315..e8469b8e9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml @@ -5829,6 +6099,18 @@ index 4994ff315..e8469b8e9 100644 # reboot = false # strategy = restrict # complexity = low +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml +index f0bf9d696..2c184af24 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: rhel7,rhel8,rhel9,almalinux9,sle12,sle15 + + title: 'Set existing passwords a period of inactivity before they been locked' + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml index 25ec7a969..d5b38106c 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml @@ -5862,7 +6144,7 @@ index a40010714..d244fc548 100644 {{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml -index 2fa454aba..ce9b24000 100644 +index f29320755..893fddd0e 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml @@ -1,6 +1,6 @@ @@ -5954,7 +6236,7 @@ index 8316e495a..bf8a4c240 100644 {{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml -index 970241983..c138984ce 100644 +index c2c92fd71..dbb641111 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml @@ -1,6 +1,6 @@ @@ -6092,6 +6374,18 @@ index 9dc5d7677..f00e9272d 100644 SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml +index c101f11ca..f250af62d 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 ++prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004 + + title: 'Verify No .forward Files Exist' + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml index 7241e77ea..03bca8fb9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml @@ -6128,6 +6422,30 @@ index 468158339..041364cef 100644 title: 'Ensure there are no legacy + NIS entries in /etc/shadow' +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml +index 04a2f562d..2c0e15313 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Ensure the Group Used by pam_wheel Module Exists on System and is Empty' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml +index 98cc90fac..6e0cc2506 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel9,ubuntu2004,ubuntu2204 ++prodtype: rhel9,almalinux9,ubuntu2004,ubuntu2204 + + title: 'Ensure Authentication Required for Single User Mode' + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/kubernetes/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/kubernetes/shared.yml index 8f87bf06e..6bed5ef5a 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/kubernetes/shared.yml @@ -6140,14 +6458,14 @@ index 8f87bf06e..6bed5ef5a 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml -index 24d698396..d3a1287ff 100644 +index 6a819ccd5..7bd66a55b 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure that System Accounts Do Not Run a Shell Upon Login' @@ -6172,7 +6490,7 @@ index 945940087..c71e3c698 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml -index ce0eb9e09..ccaec7a24 100644 +index e7f5c730c..8f06c6cfa 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -6192,19 +6510,31 @@ index cf672ee28..ea4326138 100644 # uncomment the option if commented sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml -index a8b964a26..a9b72bb72 100644 +index 3320b393c..caa81bd57 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Enforce usage of pam_wheel for su authentication' +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml +index d425057a3..c5b9fa2cc 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 + + title: 'Enforce Usage of pam_wheel with Group Parameter for su Authentication' + diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml -index d4b0fac40..f66256b63 100644 +index 9a8332e38..9a567824d 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml @@ -1,6 +1,6 @@ @@ -6255,37 +6585,27 @@ index 0005b2ccb..0329d6cdf 100644 {{{ bash_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}} -diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml -index a44509922..ba1e4ed7e 100644 ---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle - # reboot = false - # strategy = restrict - # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml -index 335bb5dbe..c453f0968 100644 +index e91ae0493..75a3d622d 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Set Interactive Session Timeout' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml -index 09117cedf..c2cbd071c 100644 +index e56be2792..1156b8b1f 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204 -+prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2204 title: 'User Initialization Files Must Not Run World-Writable Programs' @@ -6302,7 +6622,7 @@ index 56fc415f9..6b9b3de28 100644 title: 'Ensure that Users Path Contains Only Local Directories' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml -index 64f21a988..10171a5c6 100644 +index b90ef5d7d..6f3b1467d 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml @@ -1,6 +1,6 @@ @@ -6314,28 +6634,28 @@ index 64f21a988..10171a5c6 100644 title: 'All Interactive Users Must Have A Home Directory Defined' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml -index 430b07e70..479cea499 100644 +index 6811bb1c2..6cabdee89 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'All Interactive Users Home Directories Must Exist' diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml -index 0e45130ca..78a813967 100644 +index 94c513327..395be0d3d 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204 -+prodtype: alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2204 +-prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 - title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary User' + title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary Group' diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml index 5bfdd4a14..3af680a4f 100644 @@ -6350,19 +6670,19 @@ index 5bfdd4a14..3af680a4f 100644 title: 'Ensure All User Initialization Files Have Mode 0740 Or Less Permissive' diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml -index f124193f1..90a821cdf 100644 +index bda4bfd36..503f5dd85 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'All Interactive User Home Directories Must Have mode 0750 Or Less Permissive' diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml -index 86a49dd9b..dacd49f2e 100644 +index 5bfb963a1..77807dbfb 100644 --- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -6372,14 +6692,14 @@ index 86a49dd9b..dacd49f2e 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml -index ceed76c5a..40392ae64 100644 +index 8293b72ad..4b4778b29 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure the Default Bash Umask is Set Correctly' @@ -6405,26 +6725,6 @@ index 21238691a..b32ebb548 100644 title: 'Ensure the Default C Shell Umask is Set Correctly' -diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml -index 678f568fa..be583d14b 100644 ---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle - # reboot = false - # strategy = restrict - # complexity = low -diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh -index acb272c05..4582a801b 100644 ---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu -+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu - - {{{ bash_instantiate_variables("var_accounts_user_umask") }}} - diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml index ded8284be..f1d84c863 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml @@ -6437,8 +6737,41 @@ index ded8284be..f1d84c863 100644 title: 'Ensure the Default Umask is Set Correctly For Interactive Users' +diff --git a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh +index ec75bf6d2..eb2aa2ea1 100644 +--- a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh ++++ b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + # remediation = none + + mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac +diff --git a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh +index a545d9791..383a6ee76 100644 +--- a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh ++++ b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + # remediation = none + + touch /etc/pam.d/{password,system}-auth-{mycustomconfig,ac} +diff --git a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh +index 82fb5d543..2dbee752d 100644 +--- a/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh ++++ b/linux_os/guide/system/accounts/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + # remediation = none + + mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac diff --git a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml -index 6a7324a7a..9467ad15f 100644 +index ef7e5cc46..af22bbce4 100644 --- a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml +++ b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -6448,7 +6781,7 @@ index 6a7324a7a..9467ad15f 100644 # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml -index 2fd90cf19..4fba8bd8e 100644 +index e60ba5955..457a80d0c 100644 --- a/linux_os/guide/system/accounts/enable_authselect/rule.yml +++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml @@ -1,6 +1,6 @@ @@ -6490,7 +6823,7 @@ index 3bd07c62e..e328ca74c 100644 rm -f /etc/pam.d/{fingerprint-auth,password-auth,postlogin,smartcard-auth,system-auth} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml -index 8376f7386..6a80d52da 100644 +index 1dc43e75f..f1c518f50 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml @@ -11,13 +11,13 @@ description: |- @@ -6526,7 +6859,7 @@ index 8376f7386..6a80d52da 100644 {{%- endif %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml -index 8aa2a0ca8..f56db6830 100644 +index 261433ef9..356c6b915 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml @@ -9,24 +9,24 @@ description: |- @@ -6559,7 +6892,7 @@ index 8aa2a0ca8..f56db6830 100644 {{%- endif %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml -index a7e1a9fba..e72ba9f50 100644 +index abe8228aa..b69180b41 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml @@ -11,13 +11,13 @@ description: |- @@ -6595,7 +6928,7 @@ index a7e1a9fba..e72ba9f50 100644 {{%- endif %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml -index 7f52404cb..efc63c3e1 100644 +index f855dd32b..406d2846a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml @@ -9,24 +9,24 @@ description: |- @@ -6628,7 +6961,7 @@ index 7f52404cb..efc63c3e1 100644 {{%- endif %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml -index cef263eea..1f132a8c0 100644 +index 63d3490a4..d46e891f4 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml @@ -10,13 +10,13 @@ description: |- @@ -6664,7 +6997,7 @@ index cef263eea..1f132a8c0 100644 {{%- endif %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml -index c27328bc2..8b9a3f844 100644 +index ab4c0226e..00eb429aa 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml @@ -9,24 +9,24 @@ description: |- @@ -6697,31 +7030,31 @@ index c27328bc2..8b9a3f844 100644 {{%- endif %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml -index acb382faa..4ada595b6 100644 +index 2a15e8610..70b63bcf8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: ol8,ol9,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol8,ol9,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Any Attempts to Run chacl' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml -index 7a3a6ffd0..f558161bb 100644 +index 8c1cec42e..805dd26ce 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: ol8,ol9,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol8,ol9,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Any Attempts to Run setfacl' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml -index c43b0ca72..23bfb8bf1 100644 +index 4f4194fe8..a442db27a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml @@ -1,10 +1,10 @@ @@ -6732,13 +7065,13 @@ index c43b0ca72..23bfb8bf1 100644 documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Any Attempts to Run chcon' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml -index 5b50548cb..64633f40d 100644 +index 786df6b45..03f695c90 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml @@ -1,10 +1,10 @@ @@ -6755,7 +7088,7 @@ index 5b50548cb..64633f40d 100644 title: 'Record Any Attempts to Run restorecon' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml -index cc1d64c57..7606ba2ea 100644 +index 43a9ae184..5b3e5de73 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml @@ -1,10 +1,10 @@ @@ -6772,7 +7105,7 @@ index cc1d64c57..7606ba2ea 100644 title: 'Record Any Attempts to Run semanage' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml -index 20b8aeaed..3da57d899 100644 +index 359326710..aa91706ca 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml @@ -1,10 +1,10 @@ @@ -6789,7 +7122,7 @@ index 20b8aeaed..3da57d899 100644 title: 'Record Any Attempts to Run setfiles' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml -index a86532dbf..d80763268 100644 +index 810d62838..1009e7641 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml @@ -1,10 +1,10 @@ @@ -6806,7 +7139,7 @@ index a86532dbf..d80763268 100644 title: 'Record Any Attempts to Run setsebool' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml -index ef551f5f4..3d1bc39f8 100644 +index 54f8d69cf..fad2c3062 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml @@ -1,11 +1,11 @@ @@ -6834,14 +7167,14 @@ index 53e61fb25..e9a0edcde 100644 # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml -index 6366b9690..e593e79e5 100644 +index f3e0836c8..227015d9d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 title: 'Ensure auditd Collects File Deletion Events by User' @@ -7204,19 +7537,19 @@ index 8a48783f6..b846f8113 100644 # Perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml -index f4ad2ed39..b0e5b597c 100644 +index 631c277ee..b7a2cf7e2 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml -index cb0b6500f..d6932ec49 100644 +index c2530e143..ada8e4ae5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml @@ -1,6 +1,6 @@ @@ -7228,7 +7561,7 @@ index cb0b6500f..d6932ec49 100644 title: 'Record Unsuccessful Permission Changes to Files - chmod' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml -index 45fc20288..cb9371bfa 100644 +index b5857ab4f..bf38eb6ff 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml @@ -1,6 +1,6 @@ @@ -7240,19 +7573,19 @@ index 45fc20288..cb9371bfa 100644 title: 'Record Unsuccessful Ownership Changes to Files - chown' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml -index 075566988..1ed59773b 100644 +index a3e663e12..41676e668 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - creat' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml -index e30a1d2f4..bb3efc08e 100644 +index 8edd48b30..c3c416abc 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml @@ -1,6 +1,6 @@ @@ -7264,7 +7597,7 @@ index e30a1d2f4..bb3efc08e 100644 title: 'Record Unsuccessful Permission Changes to Files - fchmod' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml -index e3c7fa19c..268e29920 100644 +index d253410ea..e0050f140 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml @@ -1,6 +1,6 @@ @@ -7276,7 +7609,7 @@ index e3c7fa19c..268e29920 100644 title: 'Record Unsuccessful Permission Changes to Files - fchmodat' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml -index 59da9d0a5..36d81aeed 100644 +index 58b032454..ab8e01d0c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml @@ -1,6 +1,6 @@ @@ -7288,7 +7621,7 @@ index 59da9d0a5..36d81aeed 100644 title: 'Record Unsuccessful Ownership Changes to Files - fchown' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml -index 0fb28cfa9..f57a5d62b 100644 +index ef76fd58a..3ff338858 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml @@ -1,6 +1,6 @@ @@ -7300,7 +7633,7 @@ index 0fb28cfa9..f57a5d62b 100644 title: 'Record Unsuccessful Ownership Changes to Files - fchownat' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml -index ec572f511..ee094b722 100644 +index fa0448df4..6515fe803 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml @@ -1,6 +1,6 @@ @@ -7312,7 +7645,7 @@ index ec572f511..ee094b722 100644 title: 'Record Unsuccessful Permission Changes to Files - fremovexattr' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml -index 66fc4c747..50d3b4124 100644 +index c0bf31449..fdc913a3f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml @@ -1,6 +1,6 @@ @@ -7324,19 +7657,19 @@ index 66fc4c747..50d3b4124 100644 title: 'Record Unsuccessful Permission Changes to Files - fsetxattr' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml -index a12fe0c0a..f27de5f28 100644 +index d088d91bc..706bbe595 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - ftruncate' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml -index 4a5d13bb1..dd97a89ce 100644 +index 3ad9634f5..d0c9648db 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml @@ -1,6 +1,6 @@ @@ -7348,7 +7681,7 @@ index 4a5d13bb1..dd97a89ce 100644 title: 'Record Unsuccessful Ownership Changes to Files - lchown' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml -index 38e0558c0..042740edd 100644 +index cdadbe887..6d1f3032f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml @@ -1,6 +1,6 @@ @@ -7360,7 +7693,7 @@ index 38e0558c0..042740edd 100644 title: 'Record Unsuccessful Permission Changes to Files - lremovexattr' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml -index b91a2e54b..f1efa2c55 100644 +index 249c0169c..a86b0ba90 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml @@ -1,6 +1,6 @@ @@ -7372,26 +7705,26 @@ index b91a2e54b..f1efa2c55 100644 title: 'Record Unsuccessful Permission Changes to Files - lsetxattr' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml -index dbcad7da9..d17747369 100644 +index de8897a2c..236258921 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - open' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml -index 34f9b308f..ddc5eda28 100644 +index 7b303e092..ce311256a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at' @@ -7405,7 +7738,7 @@ index c1352ae38..31de43746 100644 {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml -index 29cc51e5e..db0d85296 100644 +index ffc509c50..900cb7bd8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml @@ -1,6 +1,6 @@ @@ -7426,7 +7759,7 @@ index c1352ae38..31de43746 100644 {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml -index 1139d3d4c..edeedbe5a 100644 +index f179706b3..7a7b7a6c5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml @@ -1,6 +1,6 @@ @@ -7447,7 +7780,7 @@ index c944fb9e6..b506644af 100644 {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/rule.yml -index f6778ff2e..9d64944de 100644 +index 8a24ab1aa..7444bdc6c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/rule.yml @@ -1,6 +1,6 @@ @@ -7468,7 +7801,7 @@ index c1352ae38..31de43746 100644 {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml -index fc832a32d..a4969dfb3 100644 +index 35ddbc326..1d8db3fcc 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml @@ -1,6 +1,6 @@ @@ -7489,7 +7822,7 @@ index c1352ae38..31de43746 100644 {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml -index 77c90c55b..f46669996 100644 +index d4dc5611f..7bf5a6a80 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml @@ -1,6 +1,6 @@ @@ -7510,7 +7843,7 @@ index c944fb9e6..b506644af 100644 {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml -index 1cf66b9e1..2cf84fbdc 100644 +index 0da3156af..2ae183269 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml @@ -1,6 +1,6 @@ @@ -7522,14 +7855,14 @@ index 1cf66b9e1..2cf84fbdc 100644 title: 'Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml -index eb740982f..70da9bb2f 100644 +index c85d6d55c..c150d27b5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - openat' @@ -7543,7 +7876,7 @@ index c1352ae38..31de43746 100644 {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml -index e699454e5..0e6183228 100644 +index d3fb5e8c2..138fe02f6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml @@ -1,6 +1,6 @@ @@ -7564,7 +7897,7 @@ index c1352ae38..31de43746 100644 {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml -index b9aa00b65..47b069542 100644 +index cd573dc71..8fb2fabec 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml @@ -1,6 +1,6 @@ @@ -7585,7 +7918,7 @@ index c944fb9e6..b506644af 100644 {{{ bash_create_audit_remediation_unsuccessful_file_modification_detailed("/etc/audit/rules.d/30-ospp-v42-remediation.rules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/rule.yml -index 46851bf6a..9043dd841 100644 +index 5a16683de..aa3ede10c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/rule.yml @@ -1,6 +1,6 @@ @@ -7597,7 +7930,7 @@ index 46851bf6a..9043dd841 100644 title: 'Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml -index 73941532d..0b9f7477a 100644 +index 7d0ef046a..8aaa0f225 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml @@ -1,6 +1,6 @@ @@ -7609,31 +7942,31 @@ index 73941532d..0b9f7477a 100644 title: 'Record Unsuccessful Permission Changes to Files - removexattr' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml -index e99c78599..28c4d91f4 100644 +index ef40c036b..5a2292f86 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Record Unsuccessful Delete Attempts to Files - rename' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml -index 94091c132..e569dc966 100644 +index 5b52aec1a..f1f6dad56 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Record Unsuccessful Delete Attempts to Files - renameat' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml -index 3b6ce3839..96bece7fa 100644 +index 094ab0e07..6449d4ab5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml @@ -1,6 +1,6 @@ @@ -7645,60 +7978,60 @@ index 3b6ce3839..96bece7fa 100644 title: 'Record Unsuccessful Permission Changes to Files - setxattr' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml -index 043d5f70b..b5b3353de 100644 +index b7e17951e..3a0b5cd01 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - truncate' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml -index 96906848c..200b45b89 100644 +index 0d26a2f0d..ce54dd96c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Record Unsuccessful Delete Attempts to Files - unlink' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml -index cc76dfeec..c419b69eb 100644 +index 38b174793..1e7dd1f9b 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Record Unsuccessful Delete Attempts to Files - unlinkat' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index 5c616a0dd..a498e4795 100644 +index 590a5ff6b..5ceb15d9b 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml -index 0cf4bd984..a18d10b09 100644 +index 18778fd6d..36ae06b60 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading' @@ -7713,8 +8046,20 @@ index bdf3015c4..658327033 100644 apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml +index 81da90162..2bba878ac 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux3,ol7,rhel7,rhel8,rhel9 ++prodtype: alinux3,ol7,rhel7,rhel8,rhel9,almalinux9 + + title: 'Ensure auditd Collects Information on Kernel Module Unloading - create_module' + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml -index 423f67054..af9b30c74 100644 +index 369b1efa7..6178f245a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -7724,7 +8069,7 @@ index 423f67054..af9b30c74 100644 # complexity = low # disruption = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/kubernetes/shared.yml -index 51a610284..71df13a42 100644 +index 7c8e520c1..e5c1d9d93 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -7735,19 +8080,19 @@ index 51a610284..71df13a42 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml -index e71d5bd44..07cc5ae74 100644 +index d7973aed9..f854ab093 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml -index 586ba8187..731d773ec 100644 +index 104426d89..58d592d3b 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -7757,7 +8102,7 @@ index 586ba8187..731d773ec 100644 # complexity = low # disruption = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml -index 90d7d43d5..818c3cade 100644 +index 639d76a21..7f4d463d6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -7768,19 +8113,19 @@ index 90d7d43d5..818c3cade 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml -index fa08613fe..02e14c381 100644 +index 57bf26f06..e2f9b0221 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml -index 8765a6a7a..1dcb1e8e4 100644 +index c4915eac1..6fd747807 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -7790,7 +8135,7 @@ index 8765a6a7a..1dcb1e8e4 100644 # complexity = low # disruption = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml -index 2fb9a7ff5..7cef862dc 100644 +index 083a612a0..3228b89b7 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -7801,17 +8146,40 @@ index 2fb9a7ff5..7cef862dc 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml -index 76c509df2..5ce101707 100644 +index 4392f855f..ca118c200 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module' +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml +index ffb320b1a..ecee81136 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhel9 ++prodtype: rhel8,rhel9,almalinux9 + + title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/tests/missing_auid_filter.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/tests/missing_auid_filter.fail.sh +index 009564309..784bba987 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/tests/missing_auid_filter.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/tests/missing_auid_filter.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 ++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 + # packages = audit + + rm -f /etc/audit/rules.d/* diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh index d58a5ee62..c6d928bbd 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh @@ -7823,7 +8191,7 @@ index d58a5ee62..c6d928bbd 100644 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml -index 52196f41a..537a57f49 100644 +index bee62126a..7736292d4 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml @@ -1,6 +1,6 @@ @@ -7848,7 +8216,7 @@ index 9c69bc099..2c577274f 100644 {{% else %}} {{% set faillock_path="/var/run/faillock" %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml -index 2fa41de54..c0e16a104 100644 +index 4dcd32e2c..089f82beb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml @@ -1,6 +1,6 @@ @@ -7860,7 +8228,7 @@ index 2fa41de54..c0e16a104 100644 title: 'Record Attempts to Alter Logon and Logout Events - faillock' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml -index c5723981d..8bacec94f 100644 +index 45c08e4c4..fa08cd80f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml @@ -1,6 +1,6 @@ @@ -7872,7 +8240,7 @@ index c5723981d..8bacec94f 100644 title: 'Record Attempts to Alter Logon and Logout Events - lastlog' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml -index e41c80469..d95a44687 100644 +index 96f6e645f..c8a01d3a2 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml @@ -1,6 +1,6 @@ @@ -7884,27 +8252,193 @@ index e41c80469..d95a44687 100644 title: 'Record Attempts to Alter Logon and Logout Events - tallylog' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml -index 15380184a..29ef1af23 100644 +index 8f306736e..c6273db3d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false - # strategy = restrict + # strategy = configure # complexity = low -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh -index 3d7bcfa88..1df0dff7a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh +index 8615165ec..002902145 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - {{{ bash_perform_audit_rules_privileged_commands_remediation("auditctl", auid) }}} + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh +index bc3f67c9c..a37ccd0bf 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/audit.rules + sed -i '/newgrp/d' /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh +index ed2cc6c29..13cbaac12 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged" >> /etc/audit/audit.rules + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh +index e1d5d05df..6a758969a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/audit.rules + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh +index ec89d9ce8..81e0062b1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_without_perm_x.pass.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/audit.rules + sed -i -E 's/^(.*path=[[:graph:]]+) -F perm=x(.*$)/\1\2/' /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh +index ee36da807..bd848737d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + # augenrules is default for rhel7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh +index b6aabf247..8405f0ba1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # packages = audit + # remediation = none +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /tmp/privileged.rules + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh +index 711bae803..617ff1b33 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules + sed -i '/newgrp/d' /etc/audit/rules.d/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh +index d272fd1d5..f7c0fec7d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh +index ecda20ef9..115487067 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh +@@ -1,5 +1,5 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh +index 51482922f..4ac366ec9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules + # change key of rules for binaries in /usr/sbin +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh +index 79c0bb972..2968492ac 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_without_perm_x.pass.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + ./generate_privileged_commands_rule.sh {{{ uid_min }}} privileged /etc/audit/rules.d/privileged.rules + sed -i -E 's/^(.*path=[[:graph:]]+) -F perm=x(.*$)/\1\2/' /etc/audit/rules.d/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh +index a8667bbfb..471d2aff2 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules + echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh +index b2e18d1cd..5c56cdb6d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/priv.rules + echo "-a always,exit -F path=/usr/bin/notrelevant -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/priv.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh +index 81fc6dd16..9c3f84ef8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh +@@ -1,5 +1,5 @@ + #!/bin/bash + # packages = audit +-# platform = multi_platform_fedora,multi_platform_rhel,Oracle Linux 7,Oracle Linux 8 ++# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,Oracle Linux 7,Oracle Linux 8 + + ./generate_privileged_commands_rule.sh {{{ uid_min }}} own_key /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml -index 8c8048e51..02b897a42 100644 +index 639e61446..6df3021a6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml @@ -1,10 +1,10 @@ @@ -7921,24 +8455,24 @@ index 8c8048e51..02b897a42 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - at' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml -index 42fbf78be..04b2575f1 100644 +index bc240650e..51f49e210 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml @@ -1,10 +1,10 @@ --{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} -+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - chage' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml -index 8b16dfa54..bd4d145bc 100644 +index 8603087c3..d0e113083 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml @@ -1,10 +1,10 @@ @@ -7949,13 +8483,13 @@ index 8b16dfa54..bd4d145bc 100644 documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - chsh' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml -index ef97a5a77..5357b8426 100644 +index 0846706f2..daea0305e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml @@ -1,10 +1,10 @@ @@ -7971,23 +8505,63 @@ index ef97a5a77..5357b8426 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - crontab' +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml +index ac8b4c104..7d68bec7d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_dbus_daemon_launch_helper/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml +index 329e48377..61d9dbb52 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml +index 6ac08b082..d4816e8cb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_fusermount3/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml -index a3f444ba8..0b07d956b 100644 +index 347eaee25..0f5e28e69 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml @@ -1,10 +1,10 @@ --{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} -+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd' +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml +index 0b7ad4110..a67caf2b7 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_grub2_set_bootflag/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/ansible/shared.yml index 5baa999e7..cb49a4d71 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/ansible/shared.yml @@ -8009,21 +8583,21 @@ index 29bfc7be7..d0910b1c6 100644 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/insmod", "x", "modules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml -index d30ab819a..d74b9be77 100644 +index 1f40fde77..4995a7473 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["ol7", "rhel7", "rhel8", "rhel9"] %}} +{{%- if product in ["ol7", "rhel7", "rhel8", "rhel9", "almalinux9"] %}} - {{%- set kmod_audit="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" %}} + {{%- set kmod_audit="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=privileged" %}} {{%- elif product in ["ubuntu2004", "ubuntu2204"] %}} {{%- set kmod_audit="-w /bin/kmod -p x -k modules" %}} @@ -8,7 +8,7 @@ documentation_complete: true --prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - kmod' @@ -8048,12 +8622,12 @@ index ed9771d0d..665d2cc0f 100644 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/modprobe", "x", "modules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml -index b9b07a651..56c99db45 100644 +index 602518ad8..2211f6234 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml @@ -1,10 +1,10 @@ --{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} -+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -8064,8 +8638,18 @@ index b9b07a651..56c99db45 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - mount' +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml +index 3c645c96c..b9a08458e 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount_nfs/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml -index 7b74b66e0..673dc9adc 100644 +index 83c1c812f..f5975167e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml @@ -1,10 +1,10 @@ @@ -8082,24 +8666,24 @@ index 7b74b66e0..673dc9adc 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml -index b25bd8fcc..31e3ee7bc 100644 +index 59b4dcfbb..7364c6d0f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml @@ -1,10 +1,10 @@ --{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} -+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - newgrp' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml -index 58c4f297a..3aa165da3 100644 +index 41f9fc3de..450bbcd5d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml @@ -1,10 +1,10 @@ @@ -8116,12 +8700,12 @@ index 58c4f297a..3aa165da3 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml -index 9e02c8012..86a6e8f09 100644 +index 0bda87b7d..23057f37a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml @@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} -+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -8129,18 +8713,18 @@ index 9e02c8012..86a6e8f09 100644 documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml -index 57b222a83..c6b210251 100644 +index 19b6623a7..6ea58745c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml @@ -1,10 +1,10 @@ --{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} -+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -8151,8 +8735,28 @@ index 57b222a83..c6b210251 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - passwd' +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml +index 126c855e7..e73741e77 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml +index aae180149..570630d86 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_polkit_helper/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml -index efcd8ecbf..8bfeee1d2 100644 +index 8408a93d0..0e2f11f15 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml @@ -1,10 +1,10 @@ @@ -8169,7 +8773,7 @@ index efcd8ecbf..8bfeee1d2 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - postdrop' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml -index 183447d37..705788b4e 100644 +index bbeabeb8d..f68603e67 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml @@ -1,10 +1,10 @@ @@ -8186,7 +8790,7 @@ index 183447d37..705788b4e 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - postqueue' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml -index dbd96c253..9dd1e5ee2 100644 +index 9a8daf680..e5e09445c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml @@ -1,10 +1,10 @@ @@ -8197,8 +8801,8 @@ index dbd96c253..9dd1e5ee2 100644 documentation_complete: true --prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9 -+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9 +-prodtype: ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9 ++prodtype: ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown' @@ -8235,7 +8839,7 @@ index e1d848144..0da4b277d 100644 title: 'Record Any Attempts to Run ssh-agent' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml -index 45c313ae0..0bb0efcf2 100644 +index fd3983b53..bc40e55bc 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml @@ -1,4 +1,4 @@ @@ -8253,13 +8857,53 @@ index 45c313ae0..0bb0efcf2 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign' +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml +index 4ad68bc25..0ece194bd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_krb5_child/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml +index 7d16f4d07..18eb7874f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_ldap_child/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml +index 2526442fe..330508472 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_proxy_child/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml +index 7c3c4c64a..978ee75ef 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sssd_selinux_child/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml -index f0e518047..2472b7c35 100644 +index 7a02e6220..aa0366661 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml @@ -1,10 +1,10 @@ --{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} -+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -8271,12 +8915,12 @@ index f0e518047..2472b7c35 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - su' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -index 867878942..013adf90d 100644 +index 55e5e24bd..14301e740 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml @@ -1,10 +1,10 @@ --{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} -+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -8288,7 +8932,7 @@ index 867878942..013adf90d 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sudo' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml -index 3d3dd8a5a..783992385 100644 +index ed40c3d03..b9548cd10 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml @@ -1,10 +1,10 @@ @@ -8305,12 +8949,12 @@ index 3d3dd8a5a..783992385 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml -index 5c4d045a2..b4d27623a 100644 +index 4ba40efd0..24875d8ca 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml @@ -1,10 +1,10 @@ --{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} -+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -8322,12 +8966,12 @@ index 5c4d045a2..b4d27623a 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - umount' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml -index 8b5bab8ed..68463c536 100644 +index 53d21d2c8..b453a93ed 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml @@ -1,10 +1,10 @@ --{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} -+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} @@ -8351,7 +8995,7 @@ index 6ad48696d..a48487a53 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - unix_update' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml -index 5ce90cbe6..4fc5f02c1 100644 +index b1994fa98..b90c80334 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml @@ -1,10 +1,10 @@ @@ -8368,19 +9012,19 @@ index 5ce90cbe6..4fc5f02c1 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - userhelper' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml -index eff534c34..98ffc5900 100644 +index 8af435987..d7f4105b0 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: ol8,ol9,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol8,ol9,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - usermod' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml -index 4909928c6..57e2af1e5 100644 +index e3d68c134..765699343 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml @@ -1,10 +1,10 @@ @@ -8396,6 +9040,26 @@ index 4909928c6..57e2af1e5 100644 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl' +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml +index abd867e50..79e2bd347 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_utempter/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml +index c04fda277..2e7efec26 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml +@@ -1,4 +1,4 @@ +-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} ++{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "almalinux9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml index 4fd5bef0f..c582d4398 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml @@ -8592,7 +9256,7 @@ index 79440e79b..614a4e09c 100644 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/etc/selinux/", "wa", "MAC-policy") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml -index 4534624b4..7d1db5bb1 100644 +index 889f83178..7896d4cb1 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -8602,6 +9266,26 @@ index 4534624b4..7d1db5bb1 100644 # reboot = true # strategy = restrict # complexity = low +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml +index 496670fad..a9cce0a56 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle + # reboot = true + # strategy = restrict + # complexity = low +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh +index b61368c0c..eb3bf47f9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification_usr_share/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + {{{ bash_fix_audit_watch_rule("auditctl", "/usr/share/selinux/", "wa", "MAC-policy") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml index ac5c84c87..bf549f47f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml @@ -8643,7 +9327,7 @@ index caf49d4f8..f2ba8f9f1 100644 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/var/run/utmp", "wa", "session") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml -index 1decbff93..083f80bd9 100644 +index 8b2377d44..39c2bba69 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -8654,31 +9338,63 @@ index 1decbff93..083f80bd9 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml -index 65cd15d0b..f174961b9 100644 +index 628dc4fd8..470dda95e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol8,ol9,rhel8,rhel9 -+prodtype: ol8,ol9,rhel8,rhel9,almalinux9 +-prodtype: fedora,ol8,ol9,rhel8,rhel9 ++prodtype: fedora,ol8,ol9,rhel8,rhel9,almalinux9 title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml -index 7f32fc3d0..e0d2e4fc4 100644 +index a8b33956b..d7810237a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol8,ol9,rhel8,rhel9 -+prodtype: ol8,ol9,rhel8,rhel9,almalinux9 +-prodtype: fedora,ol8,ol9,rhel8,rhel9 ++prodtype: fedora,ol8,ol9,rhel8,rhel9,almalinux9 title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/' +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml +index 64e8dde85..3d4f65278 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel ++# platform = multi_platform_rhel,multi_platform_almalinux + # reboot = false + # strategy = restrict + # complexity = low +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh +index 15d6fa4e2..7f98c9915 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel ++# platform = multi_platform_rhel,multi_platform_almalinux + + # First perform the remediation of the syscall rule + # Retrieve hardware architecture of the underlying system +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/rule.yml +index 866445695..757f46893 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8,rhel9 ++prodtype: rhel8,rhel9,almalinux9 + + title: 'Record Events When Executables Are Run As Another User' + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml -index c46cbbe39..acbd8ad2c 100644 +index 252ed0ca6..980a260ae 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -8697,8 +9413,19 @@ index 8fdd7e75a..9c16b41cc 100644 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml +index 323a798b1..46fad7416 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml +@@ -1,5 +1,5 @@ + --- +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos + # reboot = true + # strategy = restrict + # complexity = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml -index 327d07fb2..96d7a531a 100644 +index 49a665ded..6bbfe47d5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml @@ -1,6 +1,6 @@ @@ -8720,7 +9447,7 @@ index fcde9d3aa..6477bc85e 100644 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/etc/sudoers", "wa", "actions") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml -index 5c99e72f4..88c36f80d 100644 +index 336beb2b7..26c47e462 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -8731,7 +9458,7 @@ index 5c99e72f4..88c36f80d 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml -index 57dc24fcd..4fc247ac8 100644 +index 339a4846f..d28dabf18 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml @@ -1,6 +1,6 @@ @@ -8753,7 +9480,7 @@ index 07965e2c7..908fa6e54 100644 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/etc/group", "wa", "audit_rules_usergroup_modification") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml -index a17b62a24..725b036b1 100644 +index b213979b4..4de076a87 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml @@ -1,6 +1,6 @@ @@ -8765,7 +9492,7 @@ index a17b62a24..725b036b1 100644 title: 'Record Events that Modify User/Group Information - /etc/group' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml -index 82339f74a..08b3262e8 100644 +index 0bb5e2238..d2927742d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml @@ -1,6 +1,6 @@ @@ -8777,7 +9504,7 @@ index 82339f74a..08b3262e8 100644 title: 'Record Events that Modify User/Group Information - /etc/gshadow' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml -index 3d3a8a8cc..3d248dc9b 100644 +index 946cd6104..d8df5fc36 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml @@ -1,6 +1,6 @@ @@ -8789,7 +9516,7 @@ index 3d3a8a8cc..3d248dc9b 100644 title: 'Record Events that Modify User/Group Information - /etc/security/opasswd' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml -index fd297cce7..d766f4d0a 100644 +index 46cf595dd..4cbb92902 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml @@ -1,6 +1,6 @@ @@ -8801,7 +9528,7 @@ index fd297cce7..d766f4d0a 100644 title: 'Record Events that Modify User/Group Information - /etc/passwd' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml -index 8c61d1f92..1110a493f 100644 +index a4e780a39..79ae71305 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml @@ -1,6 +1,6 @@ @@ -8813,14 +9540,14 @@ index 8c61d1f92..1110a493f 100644 title: 'Record Events that Modify User/Group Information - /etc/shadow' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml -index 95546923d..3c4f7e024 100644 +index b00fb3856..1fa0a6039 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: rhel8,rhel9,ubuntu2004,ubuntu2204 -+prodtype: rhel8,rhel9,almalinux9,ubuntu2004,ubuntu2204 +-prodtype: fedora,rhel8,rhel9,ubuntu2004,ubuntu2204 ++prodtype: fedora,rhel8,rhel9,almalinux9,ubuntu2004,ubuntu2204 title: 'Record Attempts to perform maintenance activities' @@ -8834,7 +9561,7 @@ index b7f44ab38..e6b1d1856 100644 {{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml -index 3fbd4948a..27378a924 100644 +index 49c97e395..51f48c0f9 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -8855,7 +9582,7 @@ index f0783ec4f..a4cc0d84c 100644 # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml -index 18bb26716..8f0bffdd8 100644 +index ec76157d4..0f9e9f7cc 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -8875,7 +9602,7 @@ index b7f44ab38..e6b1d1856 100644 {{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml -index e2f2d6494..bd5c24342 100644 +index 3f43030e9..85e9a47c8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -8895,7 +9622,7 @@ index b7f44ab38..e6b1d1856 100644 {{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml -index 7ea72adfa..28662fe80 100644 +index 8a58bbc38..1a73014dc 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -8916,7 +9643,7 @@ index 4983b503e..b4db73bce 100644 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/etc/localtime", "wa", "audit_time_rules") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/kubernetes/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/kubernetes/shared.yml -index ac72267a2..67ee86593 100644 +index 140506b60..4290a051f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9031,7 +9758,7 @@ index b93254a4b..c7d66ccbb 100644 source common_0700.sh diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml -index b2cba263a..bb1fd0e70 100644 +index 399e4ea76..8bcc896a6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml @@ -1,6 +1,6 @@ @@ -9099,7 +9826,7 @@ index 1879113b8..8798ae1ae 100644 sed -i "/^\s*log_file.*/d" /etc/audit/auditd.conf diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml -index bb0ae821f..1b84683ce 100644 +index 81e471f4e..c1e9bbb15 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -9109,7 +9836,7 @@ index bb0ae821f..1b84683ce 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh -index f97a559e6..de9777988 100644 +index 0b42da512..013401d8c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh @@ -1,4 +1,4 @@ @@ -9119,7 +9846,7 @@ index f97a559e6..de9777988 100644 if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml -index e5c0e1eda..0ee50d747 100644 +index a7aa67de4..e4af05d51 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml @@ -1,6 +1,6 @@ @@ -9195,7 +9922,7 @@ index 53a56e255..554799735 100644 {{{ bash_instantiate_variables("var_audispd_remote_server") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml -index 85fd8e388..88f38e2e2 100644 +index 9ec973546..54470bf57 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml @@ -1,6 +1,6 @@ @@ -9382,7 +10109,7 @@ index d0065b38c..7027992a4 100644 {{{ bash_instantiate_variables("var_auditd_disk_error_action") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9444,7 +10171,7 @@ index ce4f4d029..6ab8e06dd 100644 {{{ bash_instantiate_variables("var_auditd_disk_full_action") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9526,7 +10253,7 @@ index e05250cea..e04d721a4 100644 {{{ bash_instantiate_variables("var_auditd_admin_space_left_action") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9537,7 +10264,7 @@ index c865ad76e..f226ae349 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml -index 5f10393b4..723aa4bb1 100644 +index 01c5df5d6..8baf0d0ad 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml @@ -1,6 +1,6 @@ @@ -9569,7 +10296,7 @@ index 79b916559..40632d099 100644 {{{ bash_instantiate_variables("var_auditd_flush") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9684,7 +10411,7 @@ index 8a53bf847..95c5446b6 100644 {{{ bash_instantiate_variables("var_auditd_max_log_file") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9715,7 +10442,7 @@ index 5007f965f..4c06ea831 100644 {{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9767,7 +10494,7 @@ index 7deaa0607..748a59d80 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9798,7 +10525,7 @@ index a53f062b5..e0200450d 100644 {{{ bash_instantiate_variables("var_auditd_space_left") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9809,7 +10536,7 @@ index c865ad76e..f226ae349 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml -index 54462480d..254b34890 100644 +index d9b97fbfb..19520c5bf 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml @@ -1,6 +1,6 @@ @@ -9841,7 +10568,7 @@ index 870f6619e..a1dc8844a 100644 {{{ bash_instantiate_variables("var_auditd_space_left_action") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9852,7 +10579,7 @@ index c865ad76e..f226ae349 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml -index aef2ffe8a..3cc31ff93 100644 +index c82d0d370..1e0e809ff 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml @@ -1,6 +1,6 @@ @@ -9864,7 +10591,7 @@ index aef2ffe8a..3cc31ff93 100644 title: 'Configure auditd space_left on Low Disk Space' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9875,7 +10602,7 @@ index c865ad76e..f226ae349 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9886,7 +10613,7 @@ index c865ad76e..f226ae349 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9917,7 +10644,7 @@ index 67a1203dd..12a94396c 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9948,7 +10675,7 @@ index f308bd675..e9789ea24 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml -index c865ad76e..f226ae349 100644 +index 55f407e01..b9084af21 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -9959,7 +10686,7 @@ index c865ad76e..f226ae349 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml -index 9948a25c9..643112795 100644 +index e81a90bc6..7f97fd716 100644 --- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml @@ -1,6 +1,6 @@ @@ -10006,7 +10733,7 @@ index e33140501..603abfb90 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml -index 992bf062a..60e5c9213 100644 +index cefc04f50..27159513f 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml @@ -1,6 +1,6 @@ @@ -10029,7 +10756,7 @@ index f29a4afc6..26ac0688c 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_aarch64/rule.yml -index 54bfe2a21..1f65bfb76 100644 +index a672f2102..814199f4e 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10052,7 +10779,7 @@ index 412c67f15..ec1467404 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml -index 222290c9d..d3db3edf0 100644 +index 83ebfec20..3630ed45c 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10075,7 +10802,7 @@ index 413293083..3f8c50a39 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml -index 8000a1a6d..529eb7156 100644 +index 9c2495c3c..5513c9d11 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml @@ -1,6 +1,6 @@ @@ -10098,7 +10825,7 @@ index 1d08bae3a..3e2300448 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_aarch64/rule.yml -index f6e23bb23..51e350783 100644 +index cfc93bb7e..5444267b0 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_access_success_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10121,7 +10848,7 @@ index 372b7c27c..4e2ce77e9 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml -index 0091db466..11f78d835 100644 +index d0b31f1e4..344b25f85 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10167,7 +10894,7 @@ index 981a0c861..ab7d657c3 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml -index 08bff7139..d4b1922bb 100644 +index 6121df242..828053ca1 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml @@ -1,6 +1,6 @@ @@ -10190,7 +10917,7 @@ index c26dc39be..d32b854fd 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_aarch64/rule.yml -index b7c973215..40e07db9e 100644 +index 795037c0a..3b91ece71 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10213,7 +10940,7 @@ index 08c8dc855..e9277f263 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml -index c85274a35..29db3860d 100644 +index ef8fce5d7..8e17d8c0d 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10225,7 +10952,7 @@ index c85274a35..29db3860d 100644 title: 'Configure auditing of unsuccessful file creations (ppc64le)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml -index 7532b0bf1..211e0d29a 100644 +index 8dca6a682..4581682c7 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml @@ -1,6 +1,6 @@ @@ -10237,7 +10964,7 @@ index 7532b0bf1..211e0d29a 100644 title: 'Configure auditing of successful file creations' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success_aarch64/rule.yml -index b79b80055..cf1eee86b 100644 +index 39f2d4ab2..8eeebe39a 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_create_success_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10249,7 +10976,7 @@ index b79b80055..cf1eee86b 100644 title: 'Configure auditing of successful file creations (AArch64)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml -index 54eb4be97..f86acf238 100644 +index 2c6ee5d36..4a2afb873 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10272,7 +10999,7 @@ index 023388b66..655883afe 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml -index 6280008f2..3bb2f8c8b 100644 +index f687fd864..e24916fb2 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml @@ -1,6 +1,6 @@ @@ -10295,7 +11022,7 @@ index 22d3990f0..ed4f8bce8 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_aarch64/rule.yml -index 1a8d1edaa..69fd62d46 100644 +index de2598b53..b3aa832f6 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10318,7 +11045,7 @@ index 2fb2c25aa..e182781c4 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml -index 123a38cc0..66b59b5db 100644 +index a6553bdb9..398ec3c77 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10330,7 +11057,7 @@ index 123a38cc0..66b59b5db 100644 title: 'Configure auditing of unsuccessful file deletions (ppc64le)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml -index 6c42b726a..1da7bb5fe 100644 +index bff04fe4c..a56d7f18f 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -10339,9 +11066,9 @@ index 6c42b726a..1da7bb5fe 100644 +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos {{% set file_contents = """## Successful file delete - -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=successful-delete diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml -index c95d8aabe..2a150e6ab 100644 +index 45419ec17..379c130a1 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml @@ -1,6 +1,6 @@ @@ -10353,7 +11080,7 @@ index c95d8aabe..2a150e6ab 100644 title: 'Configure auditing of successful file deletions' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml -index 0314988d4..25f2c5ae8 100644 +index 37b8b3676..d1be71273 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_aarch64/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -10362,9 +11089,9 @@ index 0314988d4..25f2c5ae8 100644 +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos {{% set file_contents = """## Successful file delete - -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=successful-delete diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_aarch64/rule.yml -index 2859e69b6..0f1f12c2d 100644 +index 41330f52a..37e3cd0ad 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10376,7 +11103,7 @@ index 2859e69b6..0f1f12c2d 100644 title: 'Configure auditing of successful file deletions (AArch64)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml -index 3734328c9..1ff00c4e6 100644 +index a46066d62..731636c7f 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -10385,9 +11112,9 @@ index 3734328c9..1ff00c4e6 100644 +# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_rhcos {{% set file_contents = """## Successful file delete - -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete""" -%}} + -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=successful-delete""" -%}} diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml -index f127ee471..0e7f89422 100644 +index 3dc41765d..e8368c602 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10433,7 +11160,7 @@ index 2d9279849..ec6477378 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml -index 23d3209cc..087b82a10 100644 +index c6c9cc56c..8effdfbfc 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml @@ -1,6 +1,6 @@ @@ -10456,7 +11183,7 @@ index dae466002..527bc8489 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_aarch64/rule.yml -index 6aa7b2088..75e9a8d2c 100644 +index 8e5bf91e2..9ef4dfbe0 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10479,7 +11206,7 @@ index f07ff3607..62de7826c 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml -index 22a90d645..00b3a6535 100644 +index 633e5e442..5ac46f97c 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10502,7 +11229,7 @@ index c6f796967..7a6e545c4 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml -index 82ac32264..f05e04f09 100644 +index 888a33657..9082b11ab 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml @@ -1,6 +1,6 @@ @@ -10525,7 +11252,7 @@ index 212ec4ba5..62e1ee6de 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_aarch64/rule.yml -index 69bfae6ac..277604349 100644 +index 807325aa2..f3e4aa738 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10548,7 +11275,7 @@ index 92310b977..e76e314a6 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml -index 94b15c57c..966a7d784 100644 +index ee8ec2ec3..059addaf3 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10617,7 +11344,7 @@ index a93771e85..22e9b17b9 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml -index 878b95eab..616e9d45c 100644 +index fbe8d9fae..71bfb7779 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml @@ -1,6 +1,6 @@ @@ -10629,7 +11356,7 @@ index 878b95eab..616e9d45c 100644 title: 'Perform general configuration of Audit for OSPP' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml -index 6b943ce05..5b19b70bb 100644 +index c122b209f..d1f676a94 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -10640,7 +11367,7 @@ index 6b943ce05..5b19b70bb 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/rule.yml -index 80447e62e..b7e90dcb4 100644 +index 6c8900d43..d76c2131e 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10663,7 +11390,7 @@ index fa81ece03..7a26684d2 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml -index cb712714c..7572ecf3a 100644 +index a3200d050..d2daf89f5 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10675,7 +11402,7 @@ index cb712714c..7572ecf3a 100644 title: 'Perform general configuration of Audit for OSPP (ppc64le)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml -index 9e8afab03..e2c7d9cb5 100644 +index 55ad31393..5f6b89d34 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml @@ -1,6 +1,6 @@ @@ -10687,7 +11414,7 @@ index 9e8afab03..e2c7d9cb5 100644 title: 'Configure auditing of unsuccessful ownership changes' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_aarch64/rule.yml -index a68a2ba7f..beb9ead48 100644 +index 29c89aabf..1fa0a56de 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10699,7 +11426,7 @@ index a68a2ba7f..beb9ead48 100644 title: 'Configure auditing of unsuccessful ownership changes (AArch64)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml -index f0a7c78dd..ccbdef33d 100644 +index b10dd36e8..309c68937 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10711,7 +11438,7 @@ index f0a7c78dd..ccbdef33d 100644 title: 'Configure auditing of unsuccessful ownership changes (ppc64le)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml -index 7ba36791c..ec26a753e 100644 +index fc419001f..9e0a13eaf 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml @@ -1,6 +1,6 @@ @@ -10723,7 +11450,7 @@ index 7ba36791c..ec26a753e 100644 title: 'Configure auditing of successful ownership changes' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_aarch64/rule.yml -index a5dbe26ef..681425098 100644 +index 594bd629f..52d549435 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10735,7 +11462,7 @@ index a5dbe26ef..681425098 100644 title: 'Configure auditing of successful ownership changes (AArch64)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml -index dd0cf8d7c..4f3fbd68c 100644 +index 8a923282a..8f2ff4019 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10747,7 +11474,7 @@ index dd0cf8d7c..4f3fbd68c 100644 title: 'Configure auditing of successful ownership changes (ppc64le)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml -index 414cfba0b..6091bc28c 100644 +index f0c9a0c44..8840a60e3 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml @@ -1,6 +1,6 @@ @@ -10759,7 +11486,7 @@ index 414cfba0b..6091bc28c 100644 title: 'Configure auditing of unsuccessful permission changes' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_aarch64/rule.yml -index 95fd956ed..d1f0feeac 100644 +index b3296d39f..e6e55335e 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10771,7 +11498,7 @@ index 95fd956ed..d1f0feeac 100644 title: 'Configure auditing of unsuccessful permission changes (AArch64)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml -index 71e535475..79f78c192 100644 +index 4e7531069..9f244f803 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10783,7 +11510,7 @@ index 71e535475..79f78c192 100644 title: 'Configure auditing of unsuccessful permission changes (ppc64le)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml -index c01c37bd0..4b8ddb33c 100644 +index 7ea158505..f2f64b80f 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml @@ -1,6 +1,6 @@ @@ -10795,7 +11522,7 @@ index c01c37bd0..4b8ddb33c 100644 title: 'Configure auditing of successful permission changes' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_aarch64/rule.yml -index edc95c19e..64561b4e8 100644 +index 8300b148f..c8ae462e6 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_aarch64/rule.yml @@ -1,6 +1,6 @@ @@ -10807,7 +11534,7 @@ index edc95c19e..64561b4e8 100644 title: 'Configure auditing of successful permission changes (AArch64)' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml -index 282a2e316..1825b6f34 100644 +index c633e1833..f6da5070f 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml @@ -1,6 +1,6 @@ @@ -10902,7 +11629,7 @@ index 9c8723e7a..afc2a1b32 100644 title: 'Enable randomization of the page allocator' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml -index c455abcfd..c4401eb24 100644 +index 70251f709..fb0fcd90b 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml @@ -1,6 +1,6 @@ @@ -10926,19 +11653,19 @@ index 9a0f0d212..51ec8d39d 100644 title: 'Disable vsyscalls' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml -index 2ee32d03d..87aeb50f6 100644 +index d0bdf2523..bc500e1ba 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Verify {{{ grub2_boot_path }}}/grub.cfg Group Ownership' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml -index 6a9cb33f7..3e22fb7e3 100644 +index b7557c41f..5baf05fef 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml @@ -1,6 +1,6 @@ @@ -10950,19 +11677,19 @@ index 6a9cb33f7..3e22fb7e3 100644 title: 'Verify {{{ grub2_boot_path }}}/user.cfg Group Ownership' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml -index 5bf4ae355..8d9bea5be 100644 +index 2ef41b1c5..7cc14e6d3 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify {{{ grub2_boot_path }}}/grub.cfg User Ownership' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml -index ca2bc1ec8..f659b1d87 100644 +index 5df579a97..877e4fc64 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml @@ -1,6 +1,6 @@ @@ -10974,19 +11701,19 @@ index ca2bc1ec8..f659b1d87 100644 title: 'Verify {{{ grub2_boot_path }}}/user.cfg User Ownership' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml -index 491718273..f6160a9a6 100644 +index 10fe57233..22d623bd2 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify {{{ grub2_boot_path }}}/grub.cfg Permissions' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml -index 7a23d0885..23e55d82d 100644 +index 8de6ef356..533ecca7d 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml @@ -1,6 +1,6 @@ @@ -10998,7 +11725,7 @@ index 7a23d0885..23e55d82d 100644 title: 'Verify {{{ grub2_boot_path }}}/user.cfg Permissions' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml -index 4def1608b..a242099de 100644 +index 05e2deae0..5b2ff8875 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml @@ -1,6 +1,6 @@ @@ -11010,31 +11737,31 @@ index 4def1608b..a242099de 100644 title: 'Set the Boot Loader Admin Username to a Non-Default Value' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml -index 9acb58b33..ff92a0791 100644 +index 03031cd11..27be45e21 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Set Boot Loader Password in grub2' diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml -index 9ff70429d..a743c2138 100644 +index 8a10defce..cdd1282da 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9 title: 'Verify the UEFI Boot Loader grub.cfg Group Ownership' diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml -index 32ccd5de1..e4c7c7c94 100644 +index 1fa0facd5..647a3f73b 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml @@ -1,6 +1,6 @@ @@ -11046,14 +11773,14 @@ index 32ccd5de1..e4c7c7c94 100644 title: 'Verify {{{ grub2_uefi_boot_path }}}/user.cfg Group Ownership' diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml -index 2e51fbb41..97a1e1149 100644 +index 9f5bb2745..09efb2bb2 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9 title: 'Verify the UEFI Boot Loader grub.cfg User Ownership' @@ -11070,19 +11797,19 @@ index 104fa81e8..6e1aa9007 100644 title: 'Verify {{{ grub2_uefi_boot_path }}}/user.cfg User Ownership' diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml -index 3a23fbac6..b18fc0449 100644 +index ee5bdcaf8..21a810d76 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9 title: 'Verify the UEFI Boot Loader grub.cfg Permissions' diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml -index 9fe66afd0..8f91aea69 100644 +index bfea4e047..0bfbf2936 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml @@ -1,6 +1,6 @@ @@ -11106,14 +11833,14 @@ index a277f209f..6cf0dd77c 100644 title: 'Set the UEFI Boot Loader Admin Username to a Non-Default Value' diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml -index 47c92fd24..f7738144c 100644 +index cdaa2b573..58edc1ec0 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Set the UEFI Boot Loader Password' @@ -11303,7 +12030,7 @@ index 9d645c887..c5dd01bc9 100644 title: 'Disable vsyscalls in zIPL' diff --git a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_latent_entropy/rule.yml b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_latent_entropy/rule.yml -index 0eec9c5b7..d6a71fe56 100644 +index ef617d152..3b8762a23 100644 --- a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_latent_entropy/rule.yml +++ b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_latent_entropy/rule.yml @@ -1,6 +1,6 @@ @@ -11315,7 +12042,7 @@ index 0eec9c5b7..d6a71fe56 100644 title: 'Generate some entropy during boot and runtime' diff --git a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_randstruct/rule.yml b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_randstruct/rule.yml -index b50ba51b5..6e7164465 100644 +index f73121dfa..7f44074e1 100644 --- a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_randstruct/rule.yml +++ b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_randstruct/rule.yml @@ -1,6 +1,6 @@ @@ -11327,7 +12054,7 @@ index b50ba51b5..6e7164465 100644 title: 'Randomize layout of sensitive kernel structures' diff --git a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_stackleak/rule.yml b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_stackleak/rule.yml -index 9a0a9794c..334ec5024 100644 +index 3e32dead8..76da91007 100644 --- a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_stackleak/rule.yml +++ b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_stackleak/rule.yml @@ -1,6 +1,6 @@ @@ -11339,7 +12066,7 @@ index 9a0a9794c..334ec5024 100644 title: 'Poison kernel stack before returning from syscalls' diff --git a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak/rule.yml b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak/rule.yml -index 49a147518..4f658e217 100644 +index 6a19eb78d..2d31401e9 100644 --- a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak/rule.yml +++ b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak/rule.yml @@ -1,6 +1,6 @@ @@ -11351,7 +12078,7 @@ index 49a147518..4f658e217 100644 title: 'Force initialization of variables containing userspace addresses' diff --git a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak_byref_all/rule.yml b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak_byref_all/rule.yml -index f65fcd760..4c278013b 100644 +index 4e8433978..77c777262 100644 --- a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak_byref_all/rule.yml +++ b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak_byref_all/rule.yml @@ -1,6 +1,6 @@ @@ -11363,7 +12090,7 @@ index f65fcd760..4c278013b 100644 title: 'zero-init everything passed by reference' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_arm64_sw_ttbr0_pan/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_arm64_sw_ttbr0_pan/rule.yml -index 58e688458..a7b59a95c 100644 +index 8ca4e0962..7d42032e2 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_arm64_sw_ttbr0_pan/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_arm64_sw_ttbr0_pan/rule.yml @@ -1,6 +1,6 @@ @@ -11375,7 +12102,7 @@ index 58e688458..a7b59a95c 100644 title: 'Emulate Privileged Access Never (PAN)' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_bug_on_data_corruption/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_bug_on_data_corruption/rule.yml -index 33e0ef488..7965df64b 100644 +index 7c85b7efe..4a5483b9e 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_bug_on_data_corruption/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_bug_on_data_corruption/rule.yml @@ -1,6 +1,6 @@ @@ -11387,7 +12114,7 @@ index 33e0ef488..7965df64b 100644 title: 'Trigger a kernel BUG when data corruption is detected' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_wx/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_wx/rule.yml -index 96344b8b7..37acfd3d9 100644 +index e09a87043..f74d9255b 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_wx/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_wx/rule.yml @@ -1,6 +1,6 @@ @@ -11399,7 +12126,7 @@ index 96344b8b7..37acfd3d9 100644 title: 'Warn on W+X mappings found at boot' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_fortify_source/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_fortify_source/rule.yml -index d9ba9ef4d..e8421eea1 100644 +index b380e43cf..973dd3505 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_fortify_source/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_fortify_source/rule.yml @@ -1,6 +1,6 @@ @@ -11411,7 +12138,7 @@ index d9ba9ef4d..e8421eea1 100644 title: 'Harden common str/mem functions against buffer overflows' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml -index 41bc3b9b7..6147c40e2 100644 +index 0fd7014cc..28b148ad7 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml @@ -1,6 +1,6 @@ @@ -11423,7 +12150,7 @@ index 41bc3b9b7..6147c40e2 100644 title: 'Harden memory copies between kernel and userspace' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy_fallback/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy_fallback/rule.yml -index f0437d60f..a0ef6f9ec 100644 +index 785d3d9c2..b5874f68b 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy_fallback/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy_fallback/rule.yml @@ -1,6 +1,6 @@ @@ -11435,7 +12162,7 @@ index f0437d60f..a0ef6f9ec 100644 title: 'Do not allow usercopy whitelist violations to fallback to object size' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_emulate/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_emulate/rule.yml -index af38cc1c0..79880ffe3 100644 +index a88d80076..772794c48 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_emulate/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_emulate/rule.yml @@ -1,6 +1,6 @@ @@ -11447,7 +12174,7 @@ index af38cc1c0..79880ffe3 100644 title: 'Disable vsyscall emulation' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_none/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_none/rule.yml -index fa2b3b6dc..2679651b9 100644 +index 7976cd56c..8c672eda6 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_none/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_none/rule.yml @@ -1,6 +1,6 @@ @@ -11459,7 +12186,7 @@ index fa2b3b6dc..2679651b9 100644 title: 'Disable vsyscall mapping' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_xonly/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_xonly/rule.yml -index 5868bb342..157c8a3e3 100644 +index dbc5966e1..0a717b587 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_xonly/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_xonly/rule.yml @@ -1,6 +1,6 @@ @@ -11471,7 +12198,7 @@ index 5868bb342..157c8a3e3 100644 title: 'Disable vsyscall emulate execution only' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_modify_ldt_syscall/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_modify_ldt_syscall/rule.yml -index ab30078a6..c4f72870c 100644 +index 35f88e89d..9dad78b62 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_modify_ldt_syscall/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_modify_ldt_syscall/rule.yml @@ -1,6 +1,6 @@ @@ -11483,7 +12210,7 @@ index ab30078a6..c4f72870c 100644 title: 'Disable the LDT (local descriptor table)' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning/rule.yml -index 016c1e2cf..447217122 100644 +index db2575974..10704f264 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning/rule.yml @@ -1,6 +1,6 @@ @@ -11495,7 +12222,7 @@ index 016c1e2cf..447217122 100644 title: 'Enable poison of pages after freeing' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml -index 8868e1738..89c780974 100644 +index 6b0fb3a20..fc7c939d8 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml @@ -1,6 +1,6 @@ @@ -11507,7 +12234,7 @@ index 8868e1738..89c780974 100644 title: 'Perform full reference count validation' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_sched_stack_end_check/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_sched_stack_end_check/rule.yml -index 6a891f41a..408fada0f 100644 +index 2753a98ec..0ad181380 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_sched_stack_end_check/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_sched_stack_end_check/rule.yml @@ -1,6 +1,6 @@ @@ -11519,7 +12246,7 @@ index 6a891f41a..408fada0f 100644 title: 'Detect stack corruption on calls to schedule()' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_hardened/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_hardened/rule.yml -index 53c970470..fa1e62f44 100644 +index 78b5db286..bcff96510 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_hardened/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_hardened/rule.yml @@ -1,6 +1,6 @@ @@ -11531,7 +12258,7 @@ index 53c970470..fa1e62f44 100644 title: 'Harden slab freelist metadata' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_random/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_random/rule.yml -index 6813ea28f..3ca5c6c87 100644 +index 5c93226b1..33e6c1b5a 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_random/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_random/rule.yml @@ -1,6 +1,6 @@ @@ -11543,7 +12270,7 @@ index 6813ea28f..3ca5c6c87 100644 title: 'Randomize slab freelist' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_slab_merge_default/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_slab_merge_default/rule.yml -index 7518f1d0c..336a5d163 100644 +index 3dd3de678..cecf0bdd2 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_slab_merge_default/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_slab_merge_default/rule.yml @@ -1,6 +1,6 @@ @@ -11555,7 +12282,7 @@ index 7518f1d0c..336a5d163 100644 title: 'Disallow merge of slab caches' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector/rule.yml -index 50ef83cc8..39912cfdb 100644 +index ce52a1198..6b8389ca8 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector/rule.yml @@ -1,6 +1,6 @@ @@ -11567,7 +12294,7 @@ index 50ef83cc8..39912cfdb 100644 title: 'Stack Protector buffer overlow detection' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector_strong/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector_strong/rule.yml -index b9c47058a..d3fb20b74 100644 +index 87e6828d1..820a19d30 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector_strong/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector_strong/rule.yml @@ -1,6 +1,6 @@ @@ -11579,7 +12306,7 @@ index b9c47058a..d3fb20b74 100644 title: 'Strong Stack Protector' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_strict_kernel_rwx/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_strict_kernel_rwx/rule.yml -index 1ff97ebfc..f7935fce3 100644 +index a585ee932..f79829b23 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_strict_kernel_rwx/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_strict_kernel_rwx/rule.yml @@ -1,6 +1,6 @@ @@ -11591,7 +12318,7 @@ index 1ff97ebfc..f7935fce3 100644 title: 'Make the kernel text and rodata read-only' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_strict_module_rwx/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_strict_module_rwx/rule.yml -index 6a6fdb043..c4fce2389 100644 +index 2c34a6816..5d5d90aeb 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_strict_module_rwx/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_strict_module_rwx/rule.yml @@ -1,6 +1,6 @@ @@ -11603,7 +12330,7 @@ index 6a6fdb043..c4fce2389 100644 title: 'Make the module text and rodata read-only' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_vmap_stack/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_vmap_stack/rule.yml -index a406bbe45..4d09b6901 100644 +index 0f575cad3..6aac87dd6 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_vmap_stack/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_vmap_stack/rule.yml @@ -1,6 +1,6 @@ @@ -11656,6 +12383,18 @@ index 3933f28b4..d71a075f1 100644 # reboot = false # strategy = configure # complexity = low +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml +index 76f0e4b38..581668b67 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: rhel7,rhel8,rhel9,almalinux9,sle12,sle15 + + title: 'Ensure logging is configured' + diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml index bea5ed470..9585a0ad3 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml @@ -11669,43 +12408,55 @@ index bea5ed470..9585a0ad3 100644 title: 'Ensure remote access methods are monitored in Rsyslog' diff --git a/linux_os/guide/system/logging/journald/journald_compress/rule.yml b/linux_os/guide/system/logging/journald/journald_compress/rule.yml -index 040db3d99..c381ccf9e 100644 +index 1d7cf6b6f..f1ef3c848 100644 --- a/linux_os/guide/system/logging/journald/journald_compress/rule.yml +++ b/linux_os/guide/system/logging/journald/journald_compress/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 +-prodtype: alinux3,anolis23,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,anolis23,anolis8,fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: Ensure journald is configured to compress large log files diff --git a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml -index 4586e0dde..755273fff 100644 +index 602e2601a..14058fd2a 100644 --- a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml +++ b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 ++prodtype: alinux3,anolis23,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004 title: Ensure journald is configured to send logs to rsyslog diff --git a/linux_os/guide/system/logging/journald/journald_storage/rule.yml b/linux_os/guide/system/logging/journald/journald_storage/rule.yml -index 91cbbb694..11c96a8d8 100644 +index b4348b10b..377f88620 100644 --- a/linux_os/guide/system/logging/journald/journald_storage/rule.yml +++ b/linux_os/guide/system/logging/journald/journald_storage/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 +-prodtype: alinux3,anolis23,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,anolis23,anolis8,fedora,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: Ensure journald is configured to write log files to persistent disk +diff --git a/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml b/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml +index 8510c91a5..077b108a1 100644 +--- a/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml ++++ b/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel8,rhel9,ubuntu2204 ++prodtype: fedora,rhel8,rhel9,almalinux9,ubuntu2204 + + title: 'Disable systemd-journal-remote Socket' + diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml -index 859ea93ee..9b9ea07f7 100644 +index 892523fc4..9fbba1ccb 100644 --- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml +++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/kubernetes/shared.yml @@ -1,5 +1,5 @@ @@ -11716,7 +12467,7 @@ index 859ea93ee..9b9ea07f7 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml -index fe112b716..dccd491ea 100644 +index 0abe60b2d..052486096 100644 --- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml +++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml @@ -1,6 +1,6 @@ @@ -11724,38 +12475,50 @@ index fe112b716..dccd491ea 100644 -prodtype: fedora,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 +prodtype: fedora,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 - title: 'Ensure rsyslog-gnutls is installed' + description: |- diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml -index 7eafd1ec2..0d9bbbba2 100644 +index 1ff4d159c..dd709d38f 100644 --- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml +++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204 ++prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2204 title: 'Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server' +diff --git a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml +index f37af583d..0c0e1e1f6 100644 +--- a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml ++++ b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204 ++prodtype: rhel7,rhel8,rhel9,almalinux9,ubuntu2004,ubuntu2204 + + title: 'Ensure rsyslog Default File Permissions Configured' + diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml -index 45825e0e9..fd9b17d97 100644 +index f42709ef5..8b35da68b 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml @@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_sle,multi_platform_ol -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ol +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh -index b80e47d30..35dc00501 100644 +index f2019bb9a..a12ceb5c1 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh @@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_ubuntu ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_ubuntu {{{ bash_instantiate_variables("rsyslog_remote_loghost_address") }}} @@ -11792,7 +12555,7 @@ index 86c0988cf..51f084a36 100644 title: 'Configure TLS for rsyslog remote logging' diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml -index 618c6c43d..74d85870b 100644 +index 1030537bd..15dbfaa69 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml @@ -1,6 +1,6 @@ @@ -11804,7 +12567,7 @@ index 618c6c43d..74d85870b 100644 title: 'Configure CA certificate for rsyslog remote logging' diff --git a/linux_os/guide/system/network/network-firewalld/firewalld-backend/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld-backend/rule.yml -index 3bfa85008..357c4cc2d 100644 +index cdf4f0eff..5cb39ffc4 100644 --- a/linux_os/guide/system/network/network-firewalld/firewalld-backend/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/firewalld-backend/rule.yml @@ -1,6 +1,6 @@ @@ -11816,31 +12579,31 @@ index 3bfa85008..357c4cc2d 100644 title: 'Configure Firewalld to Use the Nftables Backend' diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml -index 2b6853afd..8ac7311b9 100644 +index fd1fe1494..04b6a045d 100644 --- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 +-prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 ++prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15 title: 'Install firewalld Package' diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml -index cd2259434..353653594 100644 +index 52bc3288f..998b64efc 100644 --- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Verify firewalld Enabled' diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml -index 5075f1e7e..5303289c7 100644 +index 18e51cc42..4082f8b21 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml @@ -1,6 +1,6 @@ @@ -11852,31 +12615,55 @@ index 5075f1e7e..5303289c7 100644 title: 'Configure the Firewalld Ports' diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configured_firewalld_default_deny/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configured_firewalld_default_deny/rule.yml -index b92f6f56d..8bfedc192 100644 +index 2c0820d66..c18bf90c1 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configured_firewalld_default_deny/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configured_firewalld_default_deny/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: rhel8,rhel9 -+prodtype: rhel8,rhel9,almalinux9 +-prodtype: alinux2,ol8,ol9,rhel8,rhel9 ++prodtype: alinux2,ol8,ol9,rhel8,rhel9,almalinux9 title: 'Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems' +diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml +index 2522e7ec4..31c6f23de 100644 +--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml ++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel9 ++prodtype: rhel9,almalinux9 + + title: 'Configure Firewalld to Restrict Loopback Traffic' + +diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml +index d151f4d20..7b660a392 100644 +--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml ++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel9 ++prodtype: rhel9,almalinux9 + + title: 'Configure Firewalld to Trust Loopback Traffic' + diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml -index 96215be8c..27db28174 100644 +index d7cd7bc83..14f1269ac 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15 -+prodtype: alinux2,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle15 +-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15 ++prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle15 title: 'Set Default firewalld Zone for Incoming Packets' diff --git a/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml b/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml -index 707eb3ba5..2b4e8ea7f 100644 +index 995b046df..fb83e3418 100644 --- a/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml @@ -1,6 +1,6 @@ @@ -11888,17 +12675,39 @@ index 707eb3ba5..2b4e8ea7f 100644 title: 'Verify Any Configured IPSec Tunnel Connections' diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml -index 24cea91a8..1b873b23e 100644 +index 9427aee63..90a5b50a8 100644 --- a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 title: 'Install libreswan Package' +diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh +index ccfb8db79..e41d9c2d8 100644 +--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh ++++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/ip6tables_rules_for_open_ports/sce/shared.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_rhel,multi_platform_ubuntu ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu + # check-import = stdout + + result=$XCCDF_RESULT_PASS +diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh +index b2a8e350c..e97d0f4a5 100644 +--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh ++++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_rules_for_open_ports/sce/shared.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_rhel,multi_platform_ubuntu ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu + # check-import = stdout + + result=$XCCDF_RESULT_PASS diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/bash/shared.sh b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/bash/shared.sh index d787fbbbf..d209806d8 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/bash/shared.sh @@ -11921,19 +12730,19 @@ index 87306fedb..88e2884bc 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml -index 948151483..fd3b11924 100644 +index f9728d7dc..09a217ed2 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Configure Accepting Router Advertisements on All IPv6 Interfaces' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml -index b10be0ff2..6a852a596 100644 +index 1d1d0c692..db3f1ced0 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml @@ -1,6 +1,6 @@ @@ -11945,7 +12754,7 @@ index b10be0ff2..6a852a596 100644 title: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml -index b03379b67..6f4f44b0a 100644 +index d61211712..1e009df36 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml @@ -1,6 +1,6 @@ @@ -11957,7 +12766,7 @@ index b03379b67..6f4f44b0a 100644 title: Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml -index dd8c7c884..83f2b20f2 100644 +index 6cfdfe692..ade4b1f33 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml @@ -1,6 +1,6 @@ @@ -11980,14 +12789,14 @@ index 8792fc668..2c7c4b025 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml -index ae79bcbe8..86d12a07f 100644 +index 2d8036595..b0d0e01bf 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces' @@ -12003,19 +12812,19 @@ index e222b1c88..85b92ce90 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml -index 92d5ddb81..a178b8008 100644 +index 834c8c2c1..56792a6a0 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml -index f2bf2f038..edcd78070 100644 +index eb1264282..004cfa19b 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml @@ -1,6 +1,6 @@ @@ -12027,19 +12836,19 @@ index f2bf2f038..edcd78070 100644 title: Configure Auto Configuration on All IPv6 Interfaces diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml -index 2629d9322..e1a689273 100644 +index 7373f9a7d..d3e9a26dc 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for IPv6 Forwarding' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml -index 424a0b2c0..f8d383657 100644 +index 5323d1473..bc9dfd126 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml @@ -1,6 +1,6 @@ @@ -12074,19 +12883,19 @@ index 4ed2c480c..f59b6d7c3 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml -index ee39a00ca..e1cb747cb 100644 +index 68083fac1..e1bba091b 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Accepting Router Advertisements on all IPv6 Interfaces by Default' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml -index 34f8d0d2a..a89951e33 100644 +index e5b1d3405..0c95002cd 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml @@ -1,6 +1,6 @@ @@ -12098,7 +12907,7 @@ index 34f8d0d2a..a89951e33 100644 title: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml -index 2ebd8ca45..12294c662 100644 +index 561bf545a..a951a2832 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml @@ -1,6 +1,6 @@ @@ -12110,7 +12919,7 @@ index 2ebd8ca45..12294c662 100644 title: Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml -index 8add0b633..060960965 100644 +index 67e3ac551..b4af80978 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml @@ -1,6 +1,6 @@ @@ -12133,14 +12942,14 @@ index 845b013ed..063776b85 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml -index 98f2787a6..260b79d45 100644 +index 1fa3ff038..c6592d804 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces' @@ -12156,19 +12965,19 @@ index e2951d845..0335df123 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml -index bf84b2f7a..7b30d1070 100644 +index 6f29e358d..f861df29d 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml -index f25bf50e2..520c980ed 100644 +index 0362586d3..3ff82a4b4 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml @@ -1,6 +1,6 @@ @@ -12180,7 +12989,7 @@ index f25bf50e2..520c980ed 100644 title: Configure Auto Configuration on All IPv6 Interfaces By Default diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml -index 089a68d3c..3e9ab2b09 100644 +index 145dd2df5..2adef9a05 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml @@ -1,6 +1,6 @@ @@ -12192,7 +13001,7 @@ index 089a68d3c..3e9ab2b09 100644 title: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml -index 623294f9f..b220af724 100644 +index b46af1bf7..8b4add63a 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml @@ -1,6 +1,6 @@ @@ -12204,7 +13013,7 @@ index 623294f9f..b220af724 100644 title: 'Configure Denying Router Solicitations on All IPv6 Interfaces By Default' diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml -index 7333c6a6d..18f3a3904 100644 +index 284850ced..1d568c303 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml @@ -1,6 +1,6 @@ @@ -12259,14 +13068,14 @@ index 6bb6de134..1f0664a02 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml -index 8756e21dc..beec2a09f 100644 +index 643403856..ce0e453a4 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces' @@ -12282,26 +13091,26 @@ index b3d72bb4a..b89b8a35a 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml -index 2ccc27899..9d0e9078d 100644 +index 2620e4288..ca5e52e2c 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml -index 55a35774c..4c2a763c5 100644 +index 977a5770b..1138e69c9 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,rhel8,rhel9 -+prodtype: fedora,rhel8,rhel9,almalinux9 +-prodtype: fedora,ol8,ol9,rhel8,rhel9 ++prodtype: fedora,ol8,ol9,rhel8,rhel9,almalinux9 title: 'Drop Gratuitious ARP frames on All IPv4 Interfaces' @@ -12329,14 +13138,14 @@ index 70e767cc4..fbe1a27a2 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml -index 9d84eab4d..a5c8b05ab 100644 +index 11dc1ce81..1f97eb364 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces' @@ -12352,14 +13161,14 @@ index c64da37a3..08535e5a1 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -index e3b2b18f0..dbc42a332 100644 +index 3a4507eff..b31b2ec1d 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces' @@ -12397,14 +13206,14 @@ index 8b075d55e..0dd17a34b 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml -index 849ae47b1..1fcfd5c35 100644 +index 092fd29ce..ac2872ad4 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces' @@ -12420,14 +13229,14 @@ index 2bfbd9e46..8ea37100a 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml -index 7bcccbb1f..093afdb54 100644 +index 4184bfc83..7b497bb4e 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces' @@ -12443,14 +13252,14 @@ index aa7d1562b..08668d03c 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml -index 9a54bbc13..b05751042 100644 +index 0de834a15..8accee775 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default' @@ -12466,14 +13275,14 @@ index 3a60ab17c..728ddb817 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml -index 6fa5a7340..164bb90aa 100644 +index 84b4b78e7..e3ff71f60 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default' @@ -12489,14 +13298,14 @@ index b6e53de36..0b652c7cf 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml -index b688a15db..bd8fb4129 100644 +index 2de023866..4256e78dc 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default' @@ -12512,14 +13321,14 @@ index aeb67c4e0..f47a8ab67 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml -index 90ef90f2a..8f78651be 100644 +index 363dcf7d4..4605a9309 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default' @@ -12535,14 +13344,14 @@ index 52d74441b..08c8c256d 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml -index 5b12a1b34..9033fe35c 100644 +index 6aa5a30a5..2e2b1af62 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces' @@ -12558,14 +13367,14 @@ index 9e3a85af9..d4f4d31cb 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml -index a5fb5f4b9..7b66d42fd 100644 +index 5e9c18bcb..c318e704c 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces' @@ -12582,14 +13391,14 @@ index e5bb48138..7edcd8e6b 100644 title: 'Set Kernel Parameter to Increase Local Port Range' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml -index 3104be903..58518f416 100644 +index 59462471b..00c5bb472 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15 -+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle15 +-prodtype: ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle15 ++prodtype: ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle15 title: 'Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments' @@ -12617,14 +13426,14 @@ index 0c8dae788..a26df0c5a 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml -index 31e76dd05..cad5b3f79 100644 +index 0b4f36272..fd0845768 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces' @@ -12640,14 +13449,14 @@ index ea1db12fe..5d8b19f68 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml -index 5c4347b97..0bdb3582c 100644 +index 3bdc1dfea..7718e89dc 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces' @@ -12663,41 +13472,76 @@ index b54e3d12b..125464d7a 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml -index fc30851a2..2a2452503 100644 +index d456a9de6..4b7ad9c09 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default' diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml -index 55b91f12d..348a69419 100644 +index 3b4f06fef..501013f5a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml b/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml -index b3b75c819..074a40230 100644 +index bce0bf37f..15687597e 100644 --- a/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml +++ b/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: rhel8,rhel9,sle15,ubuntu2004,ubuntu2204 -+prodtype: rhel8,rhel9,almalinux9,sle15,ubuntu2004,ubuntu2204 +-prodtype: rhel7,rhel8,rhel9,sle15,ubuntu2004,ubuntu2204 ++prodtype: rhel7,rhel8,rhel9,almalinux9,sle15,ubuntu2004,ubuntu2204 title: 'Install nftables Package' +diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml +index 983065df5..ac46166e2 100644 +--- a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux3,fedora,rhel7,rhel8,rhel9,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,rhel7,rhel8,rhel9,almalinux9,sle15,ubuntu2004,ubuntu2204 + + title: 'Verify nftables Service is Disabled' + +diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_table/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_table/rule.yml +index 7dc9a9212..b31a0d356 100644 +--- a/linux_os/guide/system/network/network-nftables/set_nftables_table/rule.yml ++++ b/linux_os/guide/system/network/network-nftables/set_nftables_table/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhel9,sle15,ubuntu2004,ubuntu2204 ++prodtype: rhel7,rhel8,rhel9,almalinux9,sle15,ubuntu2004,ubuntu2204 + + title: 'Ensure a Table Exists for Nftables' + +diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh b/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh +index 89d344c4f..1a926adaa 100644 +--- a/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh ++++ b/linux_os/guide/system/network/network-nftables/set_nftables_table/sce/shared.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_rhel,multi_platform_ubuntu ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_ubuntu + # check-import = stdout + + tbl_output=$(nft list tables | grep inet) diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml index f995e2795..58aba3312 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml @@ -12723,14 +13567,14 @@ index 420485c11..3d4606979 100644 title: 'Disable CAN Support' diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml -index 8ca0279e9..4c5989796 100644 +index 2f556b8ec..c7014dce5 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable DCCP Support' @@ -12758,14 +13602,14 @@ index 0522abc15..8743e2011 100644 title: 'Disable IEEE 1394 (FireWire) Support' diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml -index 58260bba6..2bd25ccd1 100644 +index 0da8cd9fe..7cae68668 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable SCTP Support' @@ -12830,14 +13674,14 @@ index 409baf905..c56beebe1 100644 title: 'Disable Kernel mac80211 Module' diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -index fa61a9233..b664122d9 100644 +index cb5749653..f9eb61cc0 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Deactivate Wireless Network Interfaces' @@ -12897,7 +13741,7 @@ index 6970bbdba..316f72ea8 100644 title: 'Ensure System is Not Acting as a Network Sniffer' diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml -index 175927b3b..c773f8402 100644 +index 678b06d33..3cc2960ec 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml @@ -1,6 +1,6 @@ @@ -12906,10 +13750,10 @@ index 175927b3b..c773f8402 100644 -prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 +prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 - title: 'Ensure All World-Writable Directories Are Owned by root user' + title: 'Ensure All World-Writable Directories Are Owned by root User' diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/ansible/shared.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/ansible/shared.yml -index e807cbfed..79482556b 100644 +index 63827dff3..41c0ed380 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/ansible/shared.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -12953,45 +13797,45 @@ index ec3bba5b8..67a6224b2 100644 title: 'Verify Permissions on /etc/audit/rules.d/*.rules' diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -index 5683f30bc..7c2b4f40c 100644 +index b3e2a1a00..6754d4f55 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Ensure All SGID Executables Are Authorized' --prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,uos20 +-prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 ++prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,uos20 description: |- The SGID (set group id) bit should be set only on files that were diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -index 249f97174..95e0b95bd 100644 +index 7d1ac5d38..7fc8727f7 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Ensure All SUID Executables Are Authorized' --prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,uos20 +-prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 ++prodtype: alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,uos20 description: |- The SUID (set user id) bit should be set only on files that were diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -index 7ba335626..00985417c 100644 +index d2aa53a98..f6a39047a 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure All Files Are Owned by a Group' diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml -index 71c8dad9a..d9fce17a8 100644 +index 13650fcea..bc89f2697 100644 --- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml @@ -1,6 +1,6 @@ @@ -13003,7 +13847,7 @@ index 71c8dad9a..d9fce17a8 100644 title: 'Ensure All Files Are Owned by a User' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml -index 8831095b9..170ab232c 100644 +index 8f41e6219..3ea6ebc74 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml @@ -1,6 +1,6 @@ @@ -13075,7 +13919,7 @@ index ebaf9b766..858020d51 100644 for dirPath in $DIRS; do mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme" diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml -index e8c2cfa13..dd02e9d6f 100644 +index 607aba3c6..b47f9842f 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml @@ -1,6 +1,6 @@ @@ -13171,7 +14015,7 @@ index 02867684c..8b274eded 100644 useradd user_test for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh -index 0e380cb21..ef3993070 100644 +index 81d8a339e..70345d4e7 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh @@ -1,4 +1,4 @@ @@ -13203,7 +14047,7 @@ index f87b5094a..979a946a5 100644 title: 'Verify that audit tools Have Mode 0755 or less' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/ansible/shared.yml -index 33196965d..b0572f9da 100644 +index aeaa1f058..b69b5cd7a 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/ansible/shared.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -13223,7 +14067,7 @@ index ab89b277a..f4a7c33a9 100644 for dirPath in $DIRS; do find "$dirPath" -perm /022 -exec chmod go-w '{}' \; diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml -index 539b42740..4f01ba624 100644 +index 662778c70..0ee65e6c2 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml @@ -1,6 +1,6 @@ @@ -13361,7 +14205,7 @@ index b311a36be..bb5cdaac4 100644 title: 'Disable Mounting of jffs2' diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml -index 54f0218f3..e556455b3 100644 +index 67bc619a3..63fad6c98 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml @@ -1,6 +1,6 @@ @@ -13373,7 +14217,7 @@ index 54f0218f3..e556455b3 100644 title: 'Disable Mounting of squashfs' diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml -index 7b1f0c300..2df5d2cc6 100644 +index f36e2b226..4bcb148fb 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml @@ -1,6 +1,6 @@ @@ -13385,7 +14229,7 @@ index 7b1f0c300..2df5d2cc6 100644 title: 'Disable Mounting of udf' diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml -index 8cbcf66dc..9f1ddade2 100644 +index 144d855a0..f34a4fa4f 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml @@ -1,6 +1,6 @@ @@ -13420,19 +14264,19 @@ index 41352695f..8b69802ab 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml -index 86c428a68..5a9456134 100644 +index 27f23dd29..e3449671c 100644 --- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204,uos20 title: 'Disable the Automounter' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml -index 310f0de84..7816b1de6 100644 +index c6901e86d..edc580c6e 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml @@ -1,6 +1,6 @@ @@ -13444,7 +14288,7 @@ index 310f0de84..7816b1de6 100644 title: 'Add nosuid Option to /boot/efi' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml -index e7e5ef074..9a2eee488 100644 +index e3d538abf..82685e46e 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml @@ -1,6 +1,6 @@ @@ -13456,7 +14300,7 @@ index e7e5ef074..9a2eee488 100644 title: 'Add noauto Option to /boot' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml -index 9ea1c41ed..e46e1e765 100644 +index 9ac722d0e..a16bac464 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml @@ -1,6 +1,6 @@ @@ -13468,7 +14312,7 @@ index 9ea1c41ed..e46e1e765 100644 title: 'Add nodev Option to /boot' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml -index 64df08b9e..e015e4be6 100644 +index 56a22ce45..0412db1ee 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml @@ -1,6 +1,6 @@ @@ -13480,7 +14324,7 @@ index 64df08b9e..e015e4be6 100644 title: 'Add noexec Option to /boot' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml -index bd05306ce..6385faebc 100644 +index 583dd2b60..685116ad1 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml @@ -1,6 +1,6 @@ @@ -13492,7 +14336,7 @@ index bd05306ce..6385faebc 100644 title: 'Add nosuid Option to /boot' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml -index fec79aeca..27dae0d35 100644 +index ea5701f9b..300331de2 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml @@ -1,6 +1,6 @@ @@ -13504,7 +14348,7 @@ index fec79aeca..27dae0d35 100644 title: 'Add noexec Option to /dev/shm' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml -index b045cd942..07898fa71 100644 +index dfc449d17..9b76163ce 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml @@ -1,6 +1,6 @@ @@ -13516,19 +14360,19 @@ index b045cd942..07898fa71 100644 title: 'Add grpquota Option to /home' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml -index e7416dec1..964217943 100644 +index d454139b4..7a8beb2c1 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2204 -+prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 title: 'Add nodev Option to /home' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml -index 85bebc775..44e39278c 100644 +index bee3a60e8..392ea6217 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml @@ -1,6 +1,6 @@ @@ -13540,19 +14384,19 @@ index 85bebc775..44e39278c 100644 title: 'Add noexec Option to /home' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml -index 24af2ab93..b7ea0ca06 100644 +index 5e42ac0a7..4dddea527 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204 -+prodtype: alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2204 +-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204 ++prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2204 title: 'Add nosuid Option to /home' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml -index 7ffa9379d..8494d9104 100644 +index 86536b375..48d19ff8b 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml @@ -1,6 +1,6 @@ @@ -13612,7 +14456,7 @@ index 2ae9f064c..e83e27ae5 100644 title: 'Add nosuid Option to Removable Media Partitions' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml -index 3d417e40c..66c60fc95 100644 +index b7ec9c569..f5daeed49 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml @@ -1,6 +1,6 @@ @@ -13624,7 +14468,7 @@ index 3d417e40c..66c60fc95 100644 title: 'Add nosuid Option to /opt' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml -index 9d56bdd57..a812c5a70 100644 +index a85e9d12c..b6b926251 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml @@ -1,6 +1,6 @@ @@ -13636,7 +14480,7 @@ index 9d56bdd57..a812c5a70 100644 title: 'Add hidepid Option to /proc' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml -index eb4d1422c..d3b34b088 100644 +index 5ff970bd7..70cfb541f 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml @@ -1,6 +1,6 @@ @@ -13648,43 +14492,43 @@ index eb4d1422c..d3b34b088 100644 title: 'Add nosuid Option to /srv' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml -index eee06e09d..9c7b9d2bb 100644 +index 105a4549d..78363f750 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 title: 'Add nodev Option to /tmp' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml -index 09b7aec4a..b2d2fdbba 100644 +index d4105fd2b..6a873abd9 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Add noexec Option to /tmp' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml -index 77ef92a5a..95b339b57 100644 +index e8f8b86b6..b449266f8 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2204 -+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 title: 'Add nosuid Option to /tmp' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml -index 289511bfa..353d01661 100644 +index 844f31d18..2c5607901 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml @@ -1,6 +1,6 @@ @@ -13696,7 +14540,7 @@ index 289511bfa..353d01661 100644 title: 'Add nodev Option to /var/log/audit' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml -index b58554891..0e2a08bf1 100644 +index f5c55f7d4..2f969b513 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml @@ -1,6 +1,6 @@ @@ -13708,7 +14552,7 @@ index b58554891..0e2a08bf1 100644 title: 'Add noexec Option to /var/log/audit' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml -index 5ae834740..dcc8890e6 100644 +index 38c807ee5..59eb94efd 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml @@ -1,6 +1,6 @@ @@ -13720,7 +14564,7 @@ index 5ae834740..dcc8890e6 100644 title: 'Add nosuid Option to /var/log/audit' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml -index 2da6e25a8..60b71cd46 100644 +index b59aeba7f..464f2e2bb 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml @@ -1,6 +1,6 @@ @@ -13732,7 +14576,7 @@ index 2da6e25a8..60b71cd46 100644 title: 'Add nodev Option to /var/log' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml -index b8f0be9b2..973d1c6ee 100644 +index e3885b497..1a0629c46 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml @@ -1,6 +1,6 @@ @@ -13744,7 +14588,7 @@ index b8f0be9b2..973d1c6ee 100644 title: 'Add noexec Option to /var/log' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml -index a1c4a5b46..c9f991e74 100644 +index c46396311..f000bd827 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml @@ -1,6 +1,6 @@ @@ -13756,7 +14600,7 @@ index a1c4a5b46..c9f991e74 100644 title: 'Add nosuid Option to /var/log' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml -index a178cd462..3ba77db21 100644 +index d2723fd05..fa99b9edc 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml @@ -1,6 +1,6 @@ @@ -13768,7 +14612,7 @@ index a178cd462..3ba77db21 100644 title: 'Add nodev Option to /var' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml -index 1c8c7ab5e..13d913d88 100644 +index d617a3b2e..9db79d8b1 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml @@ -1,6 +1,6 @@ @@ -13780,7 +14624,7 @@ index 1c8c7ab5e..13d913d88 100644 title: 'Add noexec Option to /var' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml -index e6e912b01..771b73d4c 100644 +index 09646acc0..ea3356629 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml @@ -1,6 +1,6 @@ @@ -13802,7 +14646,7 @@ index 59e39270d..5c154d333 100644 # Delete particular /etc/fstab's row if /var/tmp is already configured to # represent a mount point (for some device or filesystem other than /tmp) diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml -index 05992df4b..0eccadb2c 100644 +index 0d5c5a8c2..04578b145 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml @@ -1,6 +1,6 @@ @@ -13814,38 +14658,38 @@ index 05992df4b..0eccadb2c 100644 title: 'Bind Mount /var/tmp To /tmp' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml -index b870dee01..b5caad355 100644 +index 0496b5523..c9f255adc 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2204 -+prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 title: 'Add nodev Option to /var/tmp' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml -index 22b8d6ad5..fb1d26977 100644 +index 355ed84dd..2d6d50493 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2204 -+prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 title: 'Add noexec Option to /var/tmp' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml -index 5414eba58..9ae7d5c71 100644 +index 6a5862650..7cfc53ea6 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2204 -+prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2204 +-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204 title: 'Add nosuid Option to /var/tmp' @@ -13893,19 +14737,19 @@ index 41cbd1197..481afa583 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml -index 96ccbe728..c8f436338 100644 +index 4de1534fb..4f7474688 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Core Dumps for All Users' diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml -index 61030d4d2..bd5153d12 100644 +index 6d62d139a..4c717b72f 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml @@ -1,6 +1,6 @@ @@ -13917,14 +14761,14 @@ index 61030d4d2..bd5153d12 100644 title: 'Disable acquiring, saving, and processing core dumps' diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml -index febe85cac..472694864 100644 +index 461484337..34a311d57 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: fedora,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 +-prodtype: fedora,rhel7,rhel8,rhel9,rhv4,sle12,sle15 ++prodtype: fedora,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 title: 'Enable ExecShield via sysctl' @@ -13973,14 +14817,14 @@ index 7a4c107b2..22e209120 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml -index c09aefe25..c2fcfd305 100644 +index 9bc399fc3..baf960e8a 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable NX or XD Support in the BIOS' @@ -14007,7 +14851,7 @@ index 3260539b3..29d22d491 100755 cp /proc/cpuinfo /tmp/cpuinfo diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml -index f35b9537d..b8c8523fa 100644 +index 78c982211..b2c427397 100644 --- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml @@ -1,6 +1,6 @@ @@ -14019,7 +14863,7 @@ index f35b9537d..b8c8523fa 100644 title: 'Enable page allocator poisoning' diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml -index a9605bf9b..4738903d1 100644 +index ea3560cec..e802f057e 100644 --- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml @@ -1,6 +1,6 @@ @@ -14098,7 +14942,7 @@ index 36e025cc3..e97acde11 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml -index 8dab1d048..632cab928 100644 +index b7acaf128..ada8a741a 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml @@ -1,6 +1,6 @@ @@ -14180,7 +15024,7 @@ index 0541e59a7..50020c28c 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml -index 05535b7b5..57cea7842 100644 +index a39ff72ee..855c75717 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml @@ -1,6 +1,6 @@ @@ -14227,7 +15071,7 @@ index 2e24d9211..7b706bb32 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml -index 9e5920b09..061ebe236 100644 +index ca51c5534..e563cdfbc 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml @@ -1,6 +1,6 @@ @@ -14329,7 +15173,7 @@ index 7519b7740..af6c30abd 100644 kind: MachineConfig spec: diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml -index 1c1907f05..2cd9ed6a2 100644 +index 323fef1e6..7bd70d304 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml @@ -1,6 +1,6 @@ @@ -14376,7 +15220,7 @@ index ba7269b99..f37e0f6f3 100644 title: 'Prevent applications from mapping low portion of virtual memory' diff --git a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml -index 352e1c4e7..411a0651f 100644 +index cd65b5921..d8c613625 100644 --- a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml +++ b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml @@ -1,6 +1,6 @@ @@ -14408,7 +15252,7 @@ index 735354a2d..0c13b196e 100644 sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml -index 04547b496..1c5702df4 100644 +index 5c94eafa2..96a748fa4 100644 --- a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml +++ b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml @@ -1,6 +1,6 @@ @@ -14420,7 +15264,7 @@ index 04547b496..1c5702df4 100644 title: 'Ensure SELinux Not Disabled in /etc/default/grub' diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml -index 21702856f..79a92d93e 100644 +index 622ccb2a2..e71313e56 100644 --- a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml +++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml @@ -1,6 +1,6 @@ @@ -14432,7 +15276,7 @@ index 21702856f..79a92d93e 100644 title: 'Install libselinux Package' diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh b/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh -index ea0437f5b..8759a6ce0 100644 +index 2520d3dcc..ed0bc9538 100644 --- a/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh +++ b/linux_os/guide/system/selinux/package_libselinux_installed/tests/custom-package-removed.fail.sh @@ -1,5 +1,5 @@ @@ -16987,7 +17831,7 @@ index 36c8756dd..29a33a738 100644 title: 'Disable the secure_mode SELinux Boolean' diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml -index 0e36376e1..a0f91c7dd 100644 +index 17babc7f3..5535c3637 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml @@ -1,6 +1,6 @@ @@ -17047,7 +17891,7 @@ index 46f76ce22..9aed537c3 100644 title: 'Enable the selinuxuser_execmod SELinux Boolean' diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml -index 440b1f859..36bf30a74 100644 +index 446c8225b..3fef4a858 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml @@ -1,6 +1,6 @@ @@ -17056,7 +17900,7 @@ index 440b1f859..36bf30a74 100644 -prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 +prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15 - title: 'disable the selinuxuser_execstack SELinux Boolean' + title: 'Disable the selinuxuser_execstack SELinux Boolean' diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml index 88a2a92d6..b238e78f4 100644 @@ -18075,7 +18919,7 @@ index 0b33e5768..c9b647b8e 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml -index 4b7e17987..3c33fd928 100644 +index d84bae70e..b09c1f884 100644 --- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml +++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml @@ -1,6 +1,6 @@ @@ -18119,7 +18963,7 @@ index d4c211c10..11a0f1318 100644 title: 'Map System Users To The Appropriate SELinux Role' diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml -index de1dc56c8..618552b65 100644 +index a7b2c5bcc..37bb0c032 100644 --- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml @@ -1,6 +1,6 @@ @@ -18142,17 +18986,8 @@ index 65cde9418..a1eebc3cd 100644 title: 'Ensure /var/tmp Located On Separate Partition' -diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh -index d24ad6130..78e4f65cc 100644 ---- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh -+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh -@@ -1,3 +1,3 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle - - dconf update diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml -index a99dad73d..5a69ca005 100644 +index 814a0103c..476d0c026 100644 --- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml +++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml @@ -1,6 +1,6 @@ @@ -18164,7 +18999,7 @@ index a99dad73d..5a69ca005 100644 title: 'Make sure that the dconf databases are up-to-date with regards to respective keyfiles' diff --git a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml -index 48d446249..86b56d374 100644 +index fd69a8620..6f7601b29 100644 --- a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml +++ b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml @@ -1,6 +1,6 @@ @@ -18186,36 +19021,36 @@ index c3baa1b80..be83f158f 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml -index 3165c09fc..4042bd825 100644 +index b5bf2b998..ae67a6374 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9 title: 'Disable the GNOME3 Login Restart and Shutdown Buttons' diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml -index ca6beab0d..8e18147dd 100644 +index 917fc7dc4..bc1d7c63c 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml @@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml -index a90829993..ec00bf89b 100644 +index 50a8651ab..f385e5e0b 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,ubuntu2004,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable the GNOME3 Login User List' @@ -18328,7 +19163,7 @@ index 60417ff4e..0af05e798 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml -index cd57e209c..fc5c7799c 100644 +index f969464a3..cd0b7082f 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml @@ -1,6 +1,6 @@ @@ -18350,14 +19185,14 @@ index ac168ef9f..69ecfa6a7 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml -index 55b8d324b..4e593a465 100644 +index 429314038..44e8b7dce 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,ubuntu2204 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,ubuntu2204 title: 'Disable GNOME3 Automount Opening' @@ -18372,14 +19207,14 @@ index 51e4063c3..3591b7266 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml -index 749be00a4..118c678e6 100644 +index b7662be6f..b301fefaa 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,ubuntu2204 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,ubuntu2204 title: 'Disable GNOME3 Automount running' @@ -18504,7 +19339,7 @@ index f7c7b4379..95781d5ab 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml -index fdf6551b4..e6e7a38cb 100644 +index 89d2ecdff..0a2f9fa85 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml @@ -1,6 +1,6 @@ @@ -18548,7 +19383,7 @@ index 5b08acff4..d1af90b16 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml -index ed96f970a..5e446b6ad 100644 +index 58488e8aa..84c6287bd 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml @@ -1,6 +1,6 @@ @@ -18570,14 +19405,14 @@ index 9d034e519..2c45806b4 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml -index 00f1fc20c..1d95e124a 100644 +index 99c897f17..96a479d15 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,ubuntu2204 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,ubuntu2204 title: 'Set GNOME3 Screensaver Lock Delay After Activation Period' @@ -18592,7 +19427,7 @@ index d04e6893f..5b9cba007 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml -index 32429a8de..239867b68 100644 +index 8a86e3806..f412ea1c5 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml @@ -1,6 +1,6 @@ @@ -18614,14 +19449,14 @@ index 34ff91ab3..875abf68d 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml -index 1beba66d0..f3d3be107 100644 +index 92ddf0d12..f8eb67a4c 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9 title: 'Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period' @@ -18636,7 +19471,7 @@ index 4dbe2b3c8..7313b6bcd 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml -index 95dc7bc27..998b3583f 100644 +index 48735e16a..760ddd915 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml @@ -1,6 +1,6 @@ @@ -18680,14 +19515,14 @@ index ed7d98843..a41cb7151 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml -index 5b2580d5a..21b8f009e 100644 +index a1169934f..ca6fbec61 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,almalinux9 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9 title: 'Ensure Users Cannot Change GNOME3 Screensaver Settings' @@ -18702,7 +19537,7 @@ index aae97c962..18c7ec75f 100644 # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml -index d28caa117..998fdd17f 100644 +index 762e8c789..42306ba2c 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml @@ -1,6 +1,6 @@ @@ -18782,11 +19617,11 @@ index 592f85584..218caaa41 100644 title: 'Disable User Administration in GNOME3' diff --git a/linux_os/guide/system/software/gnome/group.yml b/linux_os/guide/system/software/gnome/group.yml -index 6a2233156..a2c2b6983 100644 +index c7617bc43..7de8de33c 100644 --- a/linux_os/guide/system/software/gnome/group.yml +++ b/linux_os/guide/system/software/gnome/group.yml @@ -12,7 +12,7 @@ description: |- - {{% if product in ['ol7', 'ol8'] %}} + {{% if 'ol' in product %}} Oracle Linux Graphical environment. {{% else %}} - Red Hat Graphical environment. @@ -18795,19 +19630,19 @@ index 6a2233156..a2c2b6983 100644

For more information on GNOME and the GNOME Project, see {{{ weblink(link="https://www.gnome.org") }}}. diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml -index e2aeef7c1..4946447e0 100644 +index 205adaf50..c610627ed 100644 --- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml +++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204 -+prodtype: fedora,rhel7,rhel8,rhel9,almalinux9,rhv4,ubuntu2004,ubuntu2204 +-prodtype: fedora,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: fedora,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Remove the GDM Package Group' diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml -index fdafdbfa1..28ce5863f 100644 +index d7610c432..20eee3265 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml @@ -1,6 +1,6 @@ @@ -18831,7 +19666,7 @@ index 16c3847ad..fe79866e1 100644 diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml -index 1a6b2c7a7..ef0a1ae24 100644 +index 234eb42b8..95d0d85aa 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml @@ -1,6 +1,6 @@ @@ -18853,14 +19688,14 @@ index 1a6b2c7a7..ef0a1ae24 100644 Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches. diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml -index 03e830776..eb2086f77 100644 +index cafd1940a..ad85c5f08 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,uos20 title: 'Configure BIND to use System Crypto Policy' @@ -18877,7 +19712,7 @@ index c7385d2c3..7f6cb14e7 100644 BIND_CONF='/etc/named.conf' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh -index 06307a5c9..5deae2342 100644 +index b00bbfe21..1769e27e5 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/bind_not_installed.pass.sh @@ -1,4 +1,4 @@ @@ -18885,7 +19720,7 @@ index 06307a5c9..5deae2342 100644 -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 - yum remove -y bind || true + {{{ bash_package_remove("bind") }}} diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/no_config_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/no_config_file.fail.sh index 4f9c749eb..9330f1f53 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/tests/no_config_file.fail.sh @@ -18935,14 +19770,14 @@ index dd096ab41..b180ed3b3 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml -index e3b95bc95..e20a1d2db 100644 +index d1aec7744..51b86c1eb 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,sle15,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,sle15,uos20 title: 'Configure System Cryptography Policy' @@ -19102,14 +19937,14 @@ index 12ca11e55..bcc51e9da 100644 title: 'Configure GnuTLS library to use DoD-approved TLS Encryption' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml -index 3a2df056e..3585d7a03 100644 +index 094beadb3..4dbc00505 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,uos20 title: 'Configure Kerberos to use System Crypto Policy' @@ -19146,19 +19981,19 @@ index 4eb5348f2..42201408e 100644 rm -f /etc/krb5.conf.d/crypto-policies ln -s /etc/crypto-policies/back-ends/openssh.config /etc/krb5.conf.d/crypto-policies diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml -index 5fe513be6..619b492be 100644 +index 5c8655c92..24cdf79db 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle12,sle15,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 title: 'Configure Libreswan to use System Crypto Policy' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh -index a1a66e747..c922b06a9 100644 +index 9379b5ff3..dabf4b06b 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/libreswan_not_installed.pass.sh @@ -1,4 +1,4 @@ @@ -19166,7 +20001,7 @@ index a1a66e747..c922b06a9 100644 -# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,AlmaLinux 9 - yum remove -y libreswan || true + {{{ bash_package_remove("libreswan") }}} diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_commented.fail.sh index 439da4978..927540f2c 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/tests/line_commented.fail.sh @@ -19215,15 +20050,41 @@ index 2863c6102..425d537a5 100644 cp ipsec.conf /etc +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +index 3dd7e1ed8..3067ffe9f 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +@@ -11,7 +11,7 @@ + {{%- set openssl_cnf_dir="/etc/pki/tls" %}} + {{% endif %}} + +-{{% if product in ["fedora", "ol9", "rhel9"] %}} ++{{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} + {{% set ansible_openssl_include_directive = ".include = /etc/crypto-policies/back-ends/opensslcnf.config" %}} + {{% else %}} + {{% set ansible_openssl_include_directive = ".include /etc/crypto-policies/back-ends/opensslcnf.config" %}} +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh +index 4e77718c8..d73aa3a79 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh +@@ -2,7 +2,7 @@ + + OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' + OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' +-{{% if product in ["fedora", "ol9", "rhel9"] %}} ++{{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} + OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config' + {{% else %}} + OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -index f914174f3..19aa08da9 100644 +index 8cf86b739..4d8219512 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle12,sle15,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 title: 'Configure OpenSSL library to use System Crypto Policy' @@ -19231,8 +20092,8 @@ index f914174f3..19aa08da9 100644 {{%- set openssl_cnf_path="/etc/pki/tls/openssl.cnf" %}} {{%- endif %}} --{{% if product in ["fedora", "rhel9"] %}} -+{{% if product in ["fedora", "rhel9", "almalinux9"] %}} +-{{% if product in ["fedora", "ol9", "rhel9"] %}} ++{{% if product in ["fedora", "ol9", "rhel9", "almalinux9"] %}} {{% set include_directive = ".include = /etc/crypto-policies/back-ends/opensslcnf.config" %}} {{% else %}} {{% set include_directive = ".include /etc/crypto-policies/back-ends/opensslcnf.config" %}} @@ -19304,14 +20165,14 @@ index 767481d1e..709402bb7 100644 title: 'Configure OpenSSL library to use TLS Encryption' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -index 0902a5011..686186447 100644 +index 2373c03c3..a332ccbd8 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle12,sle15,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 title: 'Configure SSH to use System Crypto Policy' @@ -19412,7 +20273,7 @@ index 8736e39af..f1b8e7bd8 100644 title: 'Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config' diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml -index ad52c2a4e..fb4cbfc97 100644 +index f08f120f9..e81ea7532 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml @@ -1,6 +1,6 @@ @@ -19436,7 +20297,7 @@ index 68dc260a8..c5d2357ad 100644 title: 'Install crypto-policies package' diff --git a/linux_os/guide/system/software/integrity/disable_prelink/ansible/shared.yml b/linux_os/guide/system/software/integrity/disable_prelink/ansible/shared.yml -index 511a96ea2..6b28b90c5 100644 +index 0447bf2c4..43627ebd3 100644 --- a/linux_os/guide/system/software/integrity/disable_prelink/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/disable_prelink/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -19446,7 +20307,7 @@ index 511a96ea2..6b28b90c5 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml -index d10cfa3b2..f4d6a89da 100644 +index a1dbb727a..e35c1dd9b 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml @@ -1,6 +1,6 @@ @@ -19503,7 +20364,7 @@ index 5da0c99e6..57ac7592b 100644 fips-mode-setup --enable FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml -index a686f80b7..9a9643bf9 100644 +index 62cfc0d6a..38793f1bc 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml @@ -1,6 +1,6 @@ @@ -19538,31 +20399,21 @@ index b92e82236..138d2c997 100644 fips-mode-setup --enable FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" -diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh -index 934ecaf91..9a01dada3 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh -+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,Red Hat Virtualization 4 -+# platform = multi_platform_rhel,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,Red Hat Virtualization 4 - {{{ bash_instantiate_variables("var_system_crypto_policy") }}} - - fips-mode-setup --enable diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -index e805136ff..3c44085f1 100644 +index 3b50e0706..fe102e2f5 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -@@ -28,7 +28,7 @@ - var_system_crypto_policy - - +@@ -68,7 +68,7 @@ + - {{% if product in ["ol9","rhel9"] -%}} + {{% if product in ["ol9","rhel9", "almalinux9"] -%}} ^FIPS(:OSPP)?$ {{%- else %}} - {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}} + {{# Legacy and more relaxed list of crypto policies that were historically considered diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml -index c6895f23d..d04ab03a4 100644 +index c6e966202..ea9661cc3 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -1,6 +1,6 @@ @@ -19574,7 +20425,7 @@ index c6895f23d..d04ab03a4 100644 title: Enable FIPS Mode diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml -index fd61358da..0639e9397 100644 +index 33841e4d3..3a232595f 100644 --- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml @@ -1,6 +1,6 @@ @@ -19586,7 +20437,7 @@ index fd61358da..0639e9397 100644 title: Ensure '/etc/system-fips' exists diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml -index 15c99cfcc..b07ca6538 100644 +index 2aafe35d7..701a49758 100644 --- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml @@ -1,6 +1,6 @@ @@ -19608,7 +20459,7 @@ index 0cdb5d98d..a98b5566c 100644 {{{ bash_package_install("aide") }}} {{% if 'sle' in product %}} diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml -index 430f34c1e..d43da891a 100644 +index 43e5f16ef..4e70d505a 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml @@ -1,6 +1,6 @@ @@ -19620,7 +20471,7 @@ index 430f34c1e..d43da891a 100644 title: 'Build and Test AIDE Database' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml -index 5905ea8d0..19ca9df0a 100644 +index 883c40270..496e772c1 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -19630,7 +20481,7 @@ index 5905ea8d0..19ca9df0a 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh -index a81e25c39..a52955aeb 100644 +index ea2a1113b..fbc6b9b8a 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh @@ -1,4 +1,4 @@ @@ -19640,50 +20491,61 @@ index a81e25c39..a52955aeb 100644 # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml -index 4555d8aef..8b09c0dfc 100644 +index 4d786f01b..0c4189f58 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol8,ol9,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol8,ol9,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Configure AIDE to Verify the Audit Tools' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh -index 1a1ab8aed..d5539bdcd 100644 +index 5f751bee5..2684687ff 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + # packages = aide - - yum -y install aide + aide --init diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh -index 769deaa4f..121c79b9f 100644 +index f80f6fd52..3d2bde623 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + # packages = aide - yum -y install aide + declare -a bins +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh +index 692a60d0e..50411aad5 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + # packages = aide + declare -a bins diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh -index 868a3d2b3..13f8fcf03 100644 +index 65bf85123..708ef4e4d 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux + # packages = aide - - yum -y install aide + aide --init diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh index dfa5c1b6c..60ac94141 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh @@ -19695,20 +20557,20 @@ index dfa5c1b6c..60ac94141 100644 {{{ bash_package_install("aide") }}} diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -index 1600478f0..63d8dd7c8 100644 +index 123e0ebf2..6d707f151 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml @@ -4,7 +4,7 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Configure Periodic Execution of AIDE' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml -index 9015d01e7..b0906f2b3 100644 +index 8ba2e2067..eae51324a 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml @@ -1,6 +1,6 @@ @@ -19741,16 +20603,6 @@ index b6b7b17b2..28010113b 100644 title: 'Configure AIDE to Use FIPS 140-2 for Validating Hashes' -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/bash/shared.sh -index bcf29f05b..71ee850e7 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/bash/shared.sh -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle - - {{{ bash_package_install("aide") }}} - diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml index acf599624..d8d135e23 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml @@ -19763,16 +20615,6 @@ index acf599624..d8d135e23 100644 title: 'Configure AIDE to Verify Access Control Lists (ACLs)' -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/bash/shared.sh -index ab7ad7ab8..f3fb9b530 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/bash/shared.sh -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle -+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_almalinux,multi_platform_ol,multi_platform_sle - - {{{ bash_package_install("aide") }}} - diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml index 161718276..97b2863a4 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml @@ -19786,50 +20628,50 @@ index 161718276..97b2863a4 100644 title: 'Configure AIDE to Verify Extended Attributes' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_group_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_group_ownership/rule.yml -index 93466f035..5411b89fe 100644 +index 7cb7eb36d..ffa6a2c4c 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_group_ownership/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_group_ownership/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol8,ol9,rhel8,rhel9 -+prodtype: ol8,ol9,rhel8,rhel9,almalinux9 +-prodtype: alinux3,ol8,ol9,rhel8,rhel9 ++prodtype: alinux3,ol8,ol9,rhel8,rhel9,almalinux9 title: Audit Tools Must Be Group-owned by Root diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_ownership/rule.yml -index f7a7aa2b4..922480b38 100644 +index 077a39e0e..e8aedaa82 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_ownership/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_ownership/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol8,ol9,rhel8,rhel9 -+prodtype: ol8,ol9,rhel8,rhel9,almalinux9 +-prodtype: alinux3,ol8,ol9,rhel8,rhel9 ++prodtype: alinux3,ol8,ol9,rhel8,rhel9,almalinux9 title: Audit Tools Must Be Owned by Root diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_permissions/rule.yml -index 706780077..726122b18 100644 +index d31eb6e93..f883d6134 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_permissions/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/file_audit_tools_permissions/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol8,ol9,rhel8,rhel9 -+prodtype: ol8,ol9,rhel8,rhel9,almalinux9 +-prodtype: alinux3,ol8,ol9,rhel8,rhel9 ++prodtype: alinux3,ol8,ol9,rhel8,rhel9,almalinux9 title: Audit Tools Must Have a Mode of 0755 or Less Permissive diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml -index f500f741a..5fabbb99b 100644 +index 6e9b2554a..b99d34ef3 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Install AIDE' @@ -19864,14 +20706,14 @@ index fe8f7abc1..2e36bd503 100644 # Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )" diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml -index 5c22b2064..4cb0f61d3 100644 +index 1706d789a..ab7f15e2d 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 title: 'Verify File Hashes with RPM' @@ -19896,7 +20738,7 @@ index 329a00f56..d3cce1c0c 100644 # strategy = restrict # complexity = high diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -index f1af4757d..8211ef5d6 100644 +index b5b67ae1f..2e806fc04 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml @@ -1,6 +1,6 @@ @@ -19928,26 +20770,26 @@ index 0f791c95e..0efde1682 100644 # strategy = restrict # complexity = high diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -index 050bda6c2..dda2e56e0 100644 +index 5ba5ce1f0..1ec02d90f 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 title: 'Verify and Correct File Permissions with RPM' diff --git a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml -index 825041703..8e1bc36bf 100644 +index 4652a0922..35e52e971 100644 --- a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml +++ b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 -+prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 ++prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Install sudo Package' @@ -20017,17 +20859,17 @@ index 0e5aed5d0..c75edccd5 100644 # Make sure sudo is owned by root group diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml -index fc0ec838f..b7dfc9926 100644 +index 78ee25868..6954f3e00 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 -+prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,sle12,sle15,ubuntu2204 + + title: 'Require Re-Authentication When Using the sudo Command' - title: 'The operating system must require Re-Authentication when using the sudo command. - Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout' diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml index b90f566ab..d4dec8c3c 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml @@ -20054,7 +20896,7 @@ index 4d57b106b..b39e53aeb 100644 title: 'Ensure sudo only includes the default configuration directory' diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml -index cdd03adcc..bfae417a0 100644 +index bd9d93947..f39b84748 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true @@ -20240,7 +21082,7 @@ index 2c29f67f5..636247dc1 100644 title: 'Install openscap-scanner Package' diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml -index 461389520..2dcb28af0 100644 +index 68043ea54..3630b3518 100644 --- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml @@ -1,6 +1,6 @@ @@ -20252,7 +21094,7 @@ index 461389520..2dcb28af0 100644 title: 'Install rear Package' diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml -index f3b7725c5..467a7451a 100644 +index 41a484f26..ff9887bac 100644 --- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml @@ -1,6 +1,6 @@ @@ -20329,7 +21171,7 @@ index 34127fd17..e30b09600 100644 {{% if 'sle' in product %}} {{{ bash_replace_or_append('/etc/zypp/zypp.conf', '^solver.upgradeRemoveDroppedPackages', 'true', '%s=%s') }}} diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml -index 58b3ece0c..eded78e90 100644 +index ee66181ab..ce062dc75 100644 --- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml +++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml @@ -1,6 +1,6 @@ @@ -20584,19 +21426,19 @@ index 2bf91c8ca..b5f520737 100644 {{{ bash_replace_or_append( pkg_manager_config_file , '^gpgcheck', '1') }}} diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -index e5b41c4bb..7448e2052 100644 +index 91cd19e26..17852be3e 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,uos20 title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration' diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml -index 579db66b0..e01840efd 100644 +index d02e8df1a..86fbb3be5 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml @@ -1,6 +1,6 @@ @@ -20608,7 +21450,7 @@ index 579db66b0..e01840efd 100644 title: 'Ensure gpgcheck Enabled for Local Packages' diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml -index 8ba650131..6728e4d50 100644 +index 9fd7f4b5d..3b81d7866 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml @@ -1,4 +1,4 @@ @@ -20628,7 +21470,7 @@ index 07e02fa47..ee1d023d9 100644 sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/* {{% else %}} diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml -index 1a31ab2d1..0e5ccf17f 100644 +index 64287817b..b387ae5ad 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml @@ -1,6 +1,6 @@ @@ -20682,14 +21524,14 @@ index fd844d2a1..2932351f4 100644 # strategy = patch # complexity = low diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml -index d114c3236..2b5df001f 100644 +index 99aa0518a..332a361ec 100644 --- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true --prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,uos20 +-prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,uos20 ++prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,almalinux9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,uos20 title: 'Ensure Software Patches Installed' @@ -20719,12 +21561,12 @@ index 5ae61e5d6..375ac3876 100644 diff --git a/products/almalinux9/CMakeLists.txt b/products/almalinux9/CMakeLists.txt new file mode 100644 -index 000000000..b1933c5ed +index 000000000..b9614b81a --- /dev/null +++ b/products/almalinux9/CMakeLists.txt @@ -0,0 +1,20 @@ +# Sometimes our users will try to do: "cd almalinux9; cmake ." That needs to error in a nice way. -+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") ++if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") + message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") +endif() + @@ -20736,7 +21578,7 @@ index 000000000..b1933c5ed + +ssg_build_html_srgmap_tables(${PRODUCT}) + -+if (SSG_SRG_XLSX_EXPORT) ++if(SSG_SRG_XLSX_EXPORT) + ssg_build_xlsx_srg_export(${PRODUCT} "srg_gpos") +endif() + @@ -20745,10 +21587,10 @@ index 000000000..b1933c5ed +#ssg_build_html_stig_tables(${PRODUCT} "ospp") diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_enhanced-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_enhanced-ks.cfg new file mode 100644 -index 000000000..b2403e9f1 +index 000000000..9d1d5433d --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_enhanced-ks.cfg -@@ -0,0 +1,158 @@ +@@ -0,0 +1,154 @@ +# SCAP Security Guide ANSSI BP-028 (enhanced) profile kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-07-13 @@ -20788,7 +21630,7 @@ index 000000000..b2403e9f1 +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -20820,16 +21662,16 @@ index 000000000..b2403e9f1 +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password -+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --append="audit=1 audit_backlog_limit=8192" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware -+# ++# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture @@ -20840,16 +21682,16 @@ index 000000000..b2403e9f1 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +# Ensure /usr Located On Separate Partition -+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" ++logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev" +# Ensure /opt Located On Separate Partition -+logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /srv Located On Separate Partition -+logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition @@ -20859,24 +21701,24 @@ index 000000000..b2403e9f1 +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default -+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this ++# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. -+# ++# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). -+# ++# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the @@ -20890,7 +21732,7 @@ index 000000000..b2403e9f1 +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon com_redhat_oscap section which uses content from the -+# scap-security-guide on the installation media: ++# scap-security-guide on the installation media: +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced @@ -20898,21 +21740,17 @@ index 000000000..b2403e9f1 + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_high-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_high-ks.cfg new file mode 100644 -index 000000000..0c15c1853 +index 000000000..fa7b596f9 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_high-ks.cfg -@@ -0,0 +1,162 @@ +@@ -0,0 +1,158 @@ +# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-07-13 @@ -20952,7 +21790,7 @@ index 000000000..0c15c1853 +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -20988,9 +21826,9 @@ index 000000000..0c15c1853 +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password -+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --append="audit=1 audit_backlog_limit=8192" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr @@ -21008,16 +21846,16 @@ index 000000000..0c15c1853 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +# Ensure /usr Located On Separate Partition -+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" ++logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev" +# Ensure /opt Located On Separate Partition -+logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /srv Located On Separate Partition -+logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition @@ -21027,9 +21865,9 @@ index 000000000..0c15c1853 +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) @@ -21066,21 +21904,17 @@ index 000000000..0c15c1853 + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_intermediary-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_intermediary-ks.cfg new file mode 100644 -index 000000000..97fb83b0d +index 000000000..3feec9cd4 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_intermediary-ks.cfg -@@ -0,0 +1,158 @@ +@@ -0,0 +1,154 @@ +# SCAP Security Guide ANSSI BP-028 (intermediary) profile kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-07-13 @@ -21120,7 +21954,7 @@ index 000000000..97fb83b0d +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -21152,9 +21986,9 @@ index 000000000..97fb83b0d +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password -+bootloader --location=mbr ++bootloader + +# Initialize (format) all disks (optional) +zerombr @@ -21172,16 +22006,16 @@ index 000000000..97fb83b0d +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +# Ensure /usr Located On Separate Partition -+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" ++logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev" +# Ensure /opt Located On Separate Partition -+logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /srv Located On Separate Partition -+logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition @@ -21191,9 +22025,9 @@ index 000000000..97fb83b0d +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) @@ -21230,21 +22064,17 @@ index 000000000..97fb83b0d + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_minimal-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_minimal-ks.cfg new file mode 100644 -index 000000000..d6252402e +index 000000000..a32b40fe8 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-anssi_bp28_minimal-ks.cfg -@@ -0,0 +1,122 @@ +@@ -0,0 +1,118 @@ +# SCAP Security Guide ANSSI BP-028 (minimal) profile kickstart for AlmaLinux 9 +# Version: 0.0.1 +# Date: 2021-07-13 @@ -21284,7 +22114,7 @@ index 000000000..d6252402e +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -21306,9 +22136,9 @@ index 000000000..d6252402e +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password -+bootloader --location=mbr ++bootloader + +# Initialize (format) all disks (optional) +zerombr @@ -21358,22 +22188,417 @@ index 000000000..d6252402e + +# Packages selection (%packages section is required) +%packages ++%end + -+# Require @Base -+@Base ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ccn_advanced-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ccn_advanced-ks.cfg +new file mode 100644 +index 000000000..c0600a960 +--- /dev/null ++++ b/products/almalinux9/kickstart/ssg-almalinux9-ccn_advanced-ks.cfg +@@ -0,0 +1,127 @@ ++# SCAP Security Guide CCN profile (Advanced) kickstart for AlmaLinux 9 Server ++# Version: 0.0.1 ++# Date: 2023-07-18 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/performing_an_advanced_rhel_9_installation/starting-kickstart-installations_installing-rhel-as-an-experienced-user + -+%end # End of %packages section ++# Specify installation method to use for installation. To use a different one comment out ++# the 'url' one below, update the selected choice with proper options & un-comment it. ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in. ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++ ++ ++# Set language to use during installation and default language on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard --vckeymap us ++ ++# Configure network information for target system and activate network devices in the ++# installer environment (optional): ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see ++# how to create encrypted password form for different plaintext password. ++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 ++ ++# The selected profile may restrict root login. ++# Add a user that can login and escalate privileges. ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing. ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create ++# encrypted password form for different plaintext password. ++bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger. ++# Modify size of partitions appropriately to reflect actual machine's hardware. ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Ensure /dev/shm is a separate partition ++part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow ++# Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# Ensure /var/tmp Located On Separate Partition ++logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 ++# Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 ++# Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 ++logvol swap --name=swap --vgname=VolGroup --size=2016 ++ ++# Harden installation with CCN profile (Advanced) ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon com_redhat_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_ccn_advanced ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++%end ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ccn_basic-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ccn_basic-ks.cfg +new file mode 100644 +index 000000000..6030e1529 +--- /dev/null ++++ b/products/almalinux9/kickstart/ssg-almalinux9-ccn_basic-ks.cfg +@@ -0,0 +1,127 @@ ++# SCAP Security Guide CCN profile (Basic) kickstart for AlmaLinux 9 Server ++# Version: 0.0.1 ++# Date: 2023-07-18 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/performing_an_advanced_rhel_9_installation/starting-kickstart-installations_installing-rhel-as-an-experienced-user ++ ++# Specify installation method to use for installation. To use a different one comment out ++# the 'url' one below, update the selected choice with proper options & un-comment it. ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in. ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++ ++ ++# Set language to use during installation and default language on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard --vckeymap us ++ ++# Configure network information for target system and activate network devices in the ++# installer environment (optional): ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see ++# how to create encrypted password form for different plaintext password. ++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 ++ ++# The selected profile may restrict root login. ++# Add a user that can login and escalate privileges. ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing. ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create ++# encrypted password form for different plaintext password. ++bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger. ++# Modify size of partitions appropriately to reflect actual machine's hardware. ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Ensure /dev/shm is a separate partition ++part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow ++# Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# Ensure /var/tmp Located On Separate Partition ++logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 ++# Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 ++# Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 ++logvol swap --name=swap --vgname=VolGroup --size=2016 ++ ++# Harden installation with CCN profile (Basic) ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon com_redhat_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_ccn_basic ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++%end ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ccn_intermediate-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ccn_intermediate-ks.cfg +new file mode 100644 +index 000000000..ab7e6a6d8 +--- /dev/null ++++ b/products/almalinux9/kickstart/ssg-almalinux9-ccn_intermediate-ks.cfg +@@ -0,0 +1,127 @@ ++# SCAP Security Guide CCN profile (Intermediate) kickstart for AlmaLinux 9 Server ++# Version: 0.0.1 ++# Date: 2023-07-18 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/performing_an_advanced_rhel_9_installation/starting-kickstart-installations_installing-rhel-as-an-experienced-user ++ ++# Specify installation method to use for installation. To use a different one comment out ++# the 'url' one below, update the selected choice with proper options & un-comment it. ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in. ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++ ++ ++# Set language to use during installation and default language on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard --vckeymap us ++ ++# Configure network information for target system and activate network devices in the ++# installer environment (optional): ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see ++# how to create encrypted password form for different plaintext password. ++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 ++ ++# The selected profile may restrict root login. ++# Add a user that can login and escalate privileges. ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing. ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create ++# encrypted password form for different plaintext password. ++bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger. ++# Modify size of partitions appropriately to reflect actual machine's hardware. ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Ensure /dev/shm is a separate partition ++part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow ++# Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# Ensure /var/tmp Located On Separate Partition ++logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 ++# Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 ++# Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 ++logvol swap --name=swap --vgname=VolGroup --size=2016 ++ ++# Harden installation with CCN profile (Intermediate) ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon com_redhat_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_ccn_intermediate ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis-ks.cfg new file mode 100644 -index 000000000..92a9d285d +index 000000000..36b23f1b4 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-cis-ks.cfg -@@ -0,0 +1,132 @@ -+# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for AlmaLinux 9 +@@ -0,0 +1,131 @@ ++# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for AlmaLinux 9 Server +# Version: 0.0.1 +# Date: 2021-08-12 +# @@ -21413,7 +22638,7 @@ index 000000000..92a9d285d +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -21447,9 +22672,9 @@ index 000000000..92a9d285d + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password -+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr @@ -21466,24 +22691,27 @@ index 000000000..92a9d285d +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + ++# Ensure /dev/shm is a separate partition ++part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 ++ +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition -+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition -+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition -+logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition -+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 ++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 -+logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 ++logvol swap --name=swap --vgname=VolGroup --size=2016 + + +# Harden installation with CIS profile @@ -21496,22 +22724,18 @@ index 000000000..92a9d285d + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis_server_l1-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis_server_l1-ks.cfg new file mode 100644 -index 000000000..4422b553b +index 000000000..9fa71fa28 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-cis_server_l1-ks.cfg -@@ -0,0 +1,122 @@ -+# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for AlmaLinux 9 +@@ -0,0 +1,131 @@ ++# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for AlmaLinux 9 Server +# Version: 0.0.1 +# Date: 2021-08-12 +# @@ -21551,7 +22775,7 @@ index 000000000..4422b553b +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -21585,9 +22809,9 @@ index 000000000..4422b553b + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password -+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr @@ -21604,14 +22828,27 @@ index 000000000..4422b553b +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + ++# Ensure /dev/shm is a separate partition ++part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 ++ +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow ++# Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition -+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" -+logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# Ensure /var/tmp Located On Separate Partition ++logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 ++# Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 ++# Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 ++logvol swap --name=swap --vgname=VolGroup --size=2016 + + +# Harden installation with CIS profile @@ -21624,22 +22861,18 @@ index 000000000..4422b553b + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l1-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l1-ks.cfg new file mode 100644 -index 000000000..61fbe906a +index 000000000..31f8990bc --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l1-ks.cfg -@@ -0,0 +1,122 @@ -+# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for AlmaLinux 9 +@@ -0,0 +1,131 @@ ++# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for AlmaLinux 9 Server +# Version: 0.0.1 +# Date: 2021-08-12 +# @@ -21679,7 +22912,7 @@ index 000000000..61fbe906a +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -21713,9 +22946,9 @@ index 000000000..61fbe906a + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password -+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr @@ -21732,14 +22965,27 @@ index 000000000..61fbe906a +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + ++# Ensure /dev/shm is a separate partition ++part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 ++ +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow ++# Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition -+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" -+logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# Ensure /var/tmp Located On Separate Partition ++logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 ++# Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 ++# Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 ++logvol swap --name=swap --vgname=VolGroup --size=2016 + + +# Harden installation with CIS profile @@ -21752,22 +22998,18 @@ index 000000000..61fbe906a + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l2-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l2-ks.cfg new file mode 100644 -index 000000000..92e4c0fc7 +index 000000000..b759130d7 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-cis_workstation_l2-ks.cfg -@@ -0,0 +1,132 @@ -+# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for AlmaLinux 9 +@@ -0,0 +1,131 @@ ++# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for AlmaLinux 9 Server +# Version: 0.0.1 +# Date: 2021-08-12 +# @@ -21807,7 +23049,7 @@ index 000000000..92e4c0fc7 +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -21841,9 +23083,9 @@ index 000000000..92e4c0fc7 + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password -+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr @@ -21860,24 +23102,27 @@ index 000000000..92e4c0fc7 +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + ++# Ensure /dev/shm is a separate partition ++part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 ++ +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition -+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition -+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition -+logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition -+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 ++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 -+logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 ++logvol swap --name=swap --vgname=VolGroup --size=2016 + + +# Harden installation with CIS profile @@ -21890,21 +23135,17 @@ index 000000000..92e4c0fc7 + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-cui-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-cui-ks.cfg new file mode 100644 -index 000000000..ae244b804 +index 000000000..aae4b1f6a --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-cui-ks.cfg -@@ -0,0 +1,153 @@ +@@ -0,0 +1,149 @@ +# SCAP Security Guide CUI profile kickstart for AlmaLinux 9 +# +# Based on: @@ -21942,7 +23183,7 @@ index 000000000..ae244b804 +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -21977,9 +23218,9 @@ index 000000000..ae244b804 + +# Specify how the bootloader should be installed (required) +# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password -+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" ++bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" + +# Initialize (format) all disks (optional) +zerombr @@ -21997,7 +23238,7 @@ index 000000000..ae244b804 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow @@ -22010,9 +23251,9 @@ index 000000000..ae244b804 +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) @@ -22049,22 +23290,18 @@ index 000000000..ae244b804 + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-e8-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-e8-ks.cfg new file mode 100644 -index 000000000..a308170e3 +index 000000000..9388ba6a3 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-e8-ks.cfg -@@ -0,0 +1,111 @@ -+# SCAP Security Guide Essential Eight profile kickstart for AlmaLinux 9 +@@ -0,0 +1,107 @@ ++# SCAP Security Guide Essential Eight profile kickstart for AlmaLinux 9 Server +# Version: 0.0.1 +# Date: 2021-07-13 +# @@ -22104,7 +23341,7 @@ index 000000000..a308170e3 +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -22138,9 +23375,9 @@ index 000000000..a308170e3 + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password -+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr @@ -22166,22 +23403,18 @@ index 000000000..a308170e3 + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-hipaa-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-hipaa-ks.cfg new file mode 100644 -index 000000000..90f88a98e +index 000000000..d72dd656f --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-hipaa-ks.cfg -@@ -0,0 +1,111 @@ -+# SCAP Security Guide HIPAA profile kickstart for AlmaLinux 9 +@@ -0,0 +1,107 @@ ++# SCAP Security Guide HIPAA profile kickstart for AlmaLinux 9 Server +# Version: 0.0.1 +# Date: 2021-07-13 +# @@ -22221,7 +23454,7 @@ index 000000000..90f88a98e +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -22255,9 +23488,9 @@ index 000000000..90f88a98e + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password -+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr @@ -22283,22 +23516,18 @@ index 000000000..90f88a98e + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ism_o-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ism_o-ks.cfg new file mode 100644 -index 000000000..d79a1a8f5 +index 000000000..80056963b --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-ism_o-ks.cfg -@@ -0,0 +1,110 @@ -+# SCAP Security Guide ISM Official profile kickstart for AlmaLinux 9 +@@ -0,0 +1,106 @@ ++# SCAP Security Guide ISM Official profile kickstart for AlmaLinux 9 Server +# Version: 0.0.1 +# Date: 2021-08-16 +# @@ -22338,7 +23567,7 @@ index 000000000..d79a1a8f5 +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -22373,7 +23602,7 @@ index 000000000..d79a1a8f5 +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" ++bootloader + +# Initialize (format) all disks (optional) +zerombr @@ -22399,21 +23628,17 @@ index 000000000..d79a1a8f5 + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-ospp-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-ospp-ks.cfg new file mode 100644 -index 000000000..8b30120f4 +index 000000000..14e68d24d --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-ospp-ks.cfg -@@ -0,0 +1,153 @@ +@@ -0,0 +1,149 @@ +# SCAP Security Guide OSPP profile kickstart for AlmaLinux 9 +# +# Based on: @@ -22451,7 +23676,7 @@ index 000000000..8b30120f4 +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -22486,16 +23711,16 @@ index 000000000..8b30120f4 + +# Specify how the bootloader should be installed (required) +# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password -+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" ++bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware -+# ++# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture @@ -22506,7 +23731,7 @@ index 000000000..8b30120f4 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow @@ -22519,24 +23744,24 @@ index 000000000..8b30120f4 +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default -+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this ++# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. -+# ++# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). -+# ++# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the @@ -22550,7 +23775,7 @@ index 000000000..8b30120f4 +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon com_redhat_oscap section which uses content from the -+# scap-security-guide on the installation media: ++# scap-security-guide on the installation media: +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_ospp @@ -22558,21 +23783,17 @@ index 000000000..8b30120f4 + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-pci-dss-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-pci-dss-ks.cfg new file mode 100644 -index 000000000..b3086f7d7 +index 000000000..f0593586f --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-pci-dss-ks.cfg -@@ -0,0 +1,148 @@ +@@ -0,0 +1,144 @@ +# SCAP Security Guide PCI-DSS profile kickstart for AlmaLinux 9 +# +# Based on: @@ -22611,7 +23832,7 @@ index 000000000..b3086f7d7 +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -22642,13 +23863,9 @@ index 000000000..b3086f7d7 +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password -+# -+# PASSWORD TEMPORARILY DISABLED -+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" -+#bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 -+ ++bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr @@ -22666,21 +23883,21 @@ index 000000000..b3086f7d7 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow +# CCE-26557-9: Ensure /home Located On Separate Partition -+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# CCE-26435-8: Ensure /tmp Located On Separate Partition -+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# CCE-26639-5: Ensure /var Located On Separate Partition -+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 --fsoptions="nodev" ++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# CCE-26215-4: Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev" +# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev" -+logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev" ++logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default @@ -22716,17 +23933,17 @@ index 000000000..b3086f7d7 + +# Packages selection (%packages section is required) +%packages -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-stig-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-stig-ks.cfg new file mode 100644 -index 000000000..6639afde0 +index 000000000..052c33aa1 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-stig-ks.cfg -@@ -0,0 +1,154 @@ +@@ -0,0 +1,150 @@ +# SCAP Security Guide STIG profile kickstart for AlmaLinux 9 +# +# Based on: @@ -22764,7 +23981,7 @@ index 000000000..6639afde0 +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -22800,9 +24017,9 @@ index 000000000..6639afde0 +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password -+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr @@ -22820,7 +24037,7 @@ index 000000000..6639afde0 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow @@ -22833,9 +24050,9 @@ index 000000000..6639afde0 +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) @@ -22872,21 +24089,17 @@ index 000000000..6639afde0 + +# Packages selection (%packages section is required) +%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/almalinux9/kickstart/ssg-almalinux9-stig_gui-ks.cfg b/products/almalinux9/kickstart/ssg-almalinux9-stig_gui-ks.cfg new file mode 100644 -index 000000000..7e31e160b +index 000000000..0b612b999 --- /dev/null +++ b/products/almalinux9/kickstart/ssg-almalinux9-stig_gui-ks.cfg -@@ -0,0 +1,155 @@ +@@ -0,0 +1,154 @@ +# SCAP Security Guide STIG with GUI profile kickstart for AlmaLinux 9 +# +# Based on: @@ -22924,7 +24137,7 @@ index 000000000..7e31e160b +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) -+keyboard us ++keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time @@ -22961,9 +24174,9 @@ index 000000000..7e31e160b +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# grub2-mkpasswd-pbkdf2 +# to see how to create encrypted password form for different plaintext password -+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr @@ -22981,7 +24194,7 @@ index 000000000..7e31e160b +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 ++volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow @@ -22994,9 +24207,9 @@ index 000000000..7e31e160b +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec" ++logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) @@ -23034,10 +24247,9 @@ index 000000000..7e31e160b +# Packages selection (%packages section is required) +%packages + -+# Require @Base -+@Base ++@Server with GUI + -+%end # End of %packages section ++%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting @@ -23223,16 +24435,23 @@ index 000000000..bdfb1cbd8 + diff --git a/products/almalinux9/product.yml b/products/almalinux9/product.yml new file mode 100644 -index 000000000..5b17ee87c +index 000000000..11ab5bae6 --- /dev/null +++ b/products/almalinux9/product.yml -@@ -0,0 +1,45 @@ +@@ -0,0 +1,52 @@ +product: almalinux9 +full_name: AlmaLinux 9 +type: platform + ++families: ++ - rhel ++ - rhel-like ++ ++major_version_ordinal: 9 ++ +benchmark_id: ALMALINUX-9 +benchmark_root: "../../linux_os/guide" ++components_root: "../../components" + +profiles_root: "./profiles" + @@ -23241,8 +24460,6 @@ index 000000000..5b17ee87c +init_system: "systemd" + +# EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig -+grub2_boot_path: "/boot/grub2" -+grub2_uefi_boot_path: "/boot/grub2" + +groups: + dedicated_ssh_keyowner: @@ -23257,6 +24474,7 @@ index 000000000..5b17ee87c +pkg_release: "61e69f29" +pkg_version: "b86b3716" + ++release_key_fingerprint: "BF18AC2876178908D6E71267D36CB86CB86B3716" +oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-9.xml.bz2" + +cpes_root: "../../shared/applicability" @@ -23272,9 +24490,10 @@ index 000000000..5b17ee87c + +reference_uris: + cis: 'https://www.cisecurity.org/benchmark/almalinuxos_linux/' ++ ccn: 'https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html' diff --git a/products/almalinux9/profiles/anssi_bp28_enhanced.profile b/products/almalinux9/profiles/anssi_bp28_enhanced.profile new file mode 100644 -index 000000000..da048c9b5 +index 000000000..62cbe1715 --- /dev/null +++ b/products/almalinux9/profiles/anssi_bp28_enhanced.profile @@ -0,0 +1,19 @@ @@ -23287,7 +24506,7 @@ index 000000000..da048c9b5 +title: 'ANSSI-BP-028 (enhanced)' + +description: |- -+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level. ++ This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. @@ -23299,10 +24518,10 @@ index 000000000..da048c9b5 + - anssi:all:enhanced diff --git a/products/almalinux9/profiles/anssi_bp28_high.profile b/products/almalinux9/profiles/anssi_bp28_high.profile new file mode 100644 -index 000000000..729326e4d +index 000000000..204e141b1 --- /dev/null +++ b/products/almalinux9/profiles/anssi_bp28_high.profile -@@ -0,0 +1,19 @@ +@@ -0,0 +1,21 @@ +documentation_complete: true + +metadata: @@ -23312,7 +24531,7 @@ index 000000000..729326e4d +title: 'ANSSI-BP-028 (high)' + +description: |- -+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. ++ This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. @@ -23322,9 +24541,11 @@ index 000000000..729326e4d + +selections: + - anssi:all:high ++ # the following rule renders UEFI systems unbootable ++ - '!sebool_secure_mode_insmod' diff --git a/products/almalinux9/profiles/anssi_bp28_intermediary.profile b/products/almalinux9/profiles/anssi_bp28_intermediary.profile new file mode 100644 -index 000000000..2811f8ed1 +index 000000000..81b684668 --- /dev/null +++ b/products/almalinux9/profiles/anssi_bp28_intermediary.profile @@ -0,0 +1,19 @@ @@ -23337,7 +24558,7 @@ index 000000000..2811f8ed1 +title: 'ANSSI-BP-028 (intermediary)' + +description: |- -+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level. ++ This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. @@ -23349,7 +24570,7 @@ index 000000000..2811f8ed1 + - anssi:all:intermediary diff --git a/products/almalinux9/profiles/anssi_bp28_minimal.profile b/products/almalinux9/profiles/anssi_bp28_minimal.profile new file mode 100644 -index 000000000..ef70da40b +index 000000000..79a63fd43 --- /dev/null +++ b/products/almalinux9/profiles/anssi_bp28_minimal.profile @@ -0,0 +1,20 @@ @@ -23362,7 +24583,7 @@ index 000000000..ef70da40b +title: 'ANSSI-BP-028 (minimal)' + +description: |- -+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level. ++ This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. @@ -23373,9 +24594,84 @@ index 000000000..ef70da40b +selections: + - anssi:all:minimal + +diff --git a/products/almalinux9/profiles/ccn_advanced.profile b/products/almalinux9/profiles/ccn_advanced.profile +new file mode 100644 +index 000000000..7020ad66a +--- /dev/null ++++ b/products/almalinux9/profiles/ccn_advanced.profile +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++metadata: ++ SMEs: ++ - marcusburghardt ++ ++reference: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html ++ ++title: 'CCN Red Hat Enterprise Linux 9 - Advanced' ++ ++description: |- ++ This profile defines a baseline that aligns with the "Advanced" configuration of the ++ CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10. ++ ++ The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, ++ intermediate, and advanced levels. ++ ++selections: ++ - ccn_rhel9:all:advanced +diff --git a/products/almalinux9/profiles/ccn_basic.profile b/products/almalinux9/profiles/ccn_basic.profile +new file mode 100644 +index 000000000..29dae54aa +--- /dev/null ++++ b/products/almalinux9/profiles/ccn_basic.profile +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++metadata: ++ SMEs: ++ - marcusburghardt ++ ++reference: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html ++ ++title: 'CCN Red Hat Enterprise Linux 9 - Basic' ++ ++description: |- ++ This profile defines a baseline that aligns with the "Basic" configuration of the ++ CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10. ++ ++ The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, ++ intermediate, and advanced levels. ++ ++selections: ++ - ccn_rhel9:all:basic +diff --git a/products/almalinux9/profiles/ccn_intermediate.profile b/products/almalinux9/profiles/ccn_intermediate.profile +new file mode 100644 +index 000000000..d9dea2fc9 +--- /dev/null ++++ b/products/almalinux9/profiles/ccn_intermediate.profile +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++metadata: ++ SMEs: ++ - marcusburghardt ++ ++reference: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html ++ ++title: 'CCN Red Hat Enterprise Linux 9 - Intermediate' ++ ++description: |- ++ This profile defines a baseline that aligns with the "Intermediate" configuration of the ++ CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10. ++ ++ The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, ++ intermediate, and advanced levels. ++ ++selections: ++ - ccn_rhel9:all:intermediate diff --git a/products/almalinux9/profiles/cis.profile b/products/almalinux9/profiles/cis.profile new file mode 100644 -index 000000000..839ee1908 +index 000000000..4dc49aaf1 --- /dev/null +++ b/products/almalinux9/profiles/cis.profile @@ -0,0 +1,23 @@ @@ -23388,7 +24684,7 @@ index 000000000..839ee1908 + - vojtapolasek + - yuumasato + -+reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +title: 'CIS AlmaLinux OS 9 Benchmark for Level 2 - Server' + @@ -23404,7 +24700,7 @@ index 000000000..839ee1908 + - cis_rhel9:all:l2_server diff --git a/products/almalinux9/profiles/cis_server_l1.profile b/products/almalinux9/profiles/cis_server_l1.profile new file mode 100644 -index 000000000..bb593124f +index 000000000..c3bec0982 --- /dev/null +++ b/products/almalinux9/profiles/cis_server_l1.profile @@ -0,0 +1,23 @@ @@ -23417,7 +24713,7 @@ index 000000000..bb593124f + - vojtapolasek + - yuumasato + -+reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +title: 'CIS AlmaLinux OS 9 Benchmark for Level 1 - Server' + @@ -23433,7 +24729,7 @@ index 000000000..bb593124f + - cis_rhel9:all:l1_server diff --git a/products/almalinux9/profiles/cis_workstation_l1.profile b/products/almalinux9/profiles/cis_workstation_l1.profile new file mode 100644 -index 000000000..b9cb07c0e +index 000000000..8ac724cc8 --- /dev/null +++ b/products/almalinux9/profiles/cis_workstation_l1.profile @@ -0,0 +1,23 @@ @@ -23446,7 +24742,7 @@ index 000000000..b9cb07c0e + - vojtapolasek + - yuumasato + -+reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +title: 'CIS AlmaLinux OS 9 Benchmark for Level 1 - Workstation' + @@ -23462,10 +24758,10 @@ index 000000000..b9cb07c0e + - cis_rhel9:all:l1_workstation diff --git a/products/almalinux9/profiles/cis_workstation_l2.profile b/products/almalinux9/profiles/cis_workstation_l2.profile new file mode 100644 -index 000000000..c33d88aea +index 000000000..1f2cb0f27 --- /dev/null +++ b/products/almalinux9/profiles/cis_workstation_l2.profile -@@ -0,0 +1,23 @@ +@@ -0,0 +1,24 @@ +documentation_complete: true + +metadata: @@ -23475,7 +24771,7 @@ index 000000000..c33d88aea + - vojtapolasek + - yuumasato + -+reference: https://www.cisecurity.org/benchmark/almalinuxos_linux/ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +title: 'CIS AlmaLinux OS 9 Benchmark for Level 2 - Workstation' + @@ -23489,9 +24785,10 @@ index 000000000..c33d88aea + +selections: + - cis_rhel9:all:l2_workstation ++ - '!package_avahi_removed' diff --git a/products/almalinux9/profiles/cui.profile b/products/almalinux9/profiles/cui.profile new file mode 100644 -index 000000000..8300a3c00 +index 000000000..3f278237b --- /dev/null +++ b/products/almalinux9/profiles/cui.profile @@ -0,0 +1,32 @@ @@ -23519,7 +24816,7 @@ index 000000000..8300a3c00 + supplement the basic security requirements, are taken from the security controls + in NIST Special Publication 800-53. + -+ This profile configures AlmaLinux 9 to the NIST Special ++ This profile configures Red Hat Enterprise Linux 9 to the NIST Special + Publication 800-53 controls identified for securing Controlled Unclassified + Information (CUI)." + @@ -23529,7 +24826,7 @@ index 000000000..8300a3c00 + - inactivity_timeout_value=10_minutes diff --git a/products/almalinux9/profiles/e8.profile b/products/almalinux9/profiles/e8.profile new file mode 100644 -index 000000000..54faaeccc +index 000000000..24683d254 --- /dev/null +++ b/products/almalinux9/profiles/e8.profile @@ -0,0 +1,153 @@ @@ -23540,12 +24837,12 @@ index 000000000..54faaeccc + - shaneboulden + - tjbutt58 + -+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers ++reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers + +title: 'Australian Cyber Security Centre (ACSC) Essential Eight' + +description: |- -+ This profile contains configuration checks for AlmaLinux 9 ++ This profile contains configuration checks for Red Hat Enterprise Linux 9 + that align to the Australian Cyber Security Centre (ACSC) Essential Eight. + + A copy of the Essential Eight in Linux Environments guide can be found at the @@ -23573,7 +24870,7 @@ index 000000000..54faaeccc + - service_squid_disabled + + ### Software update -+ - ensure_almalinux_gpgkey_installed ++ - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_never_disabled + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_globally_activated @@ -23688,7 +24985,7 @@ index 000000000..54faaeccc + - package_rear_installed diff --git a/products/almalinux9/profiles/hipaa.profile b/products/almalinux9/profiles/hipaa.profile new file mode 100644 -index 000000000..7280e278d +index 000000000..3eff557b3 --- /dev/null +++ b/products/almalinux9/profiles/hipaa.profile @@ -0,0 +1,166 @@ @@ -23710,9 +25007,9 @@ index 000000000..7280e278d + confidentiality, integrity, and security of electronic protected health + information. + -+ This profile configures AlmaLinux 9 to the HIPAA Security ++ This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security + Rule identified for securing of electronic protected health information. -+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). ++ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). + +selections: + - grub2_password @@ -23780,7 +25077,7 @@ index 000000000..7280e278d + - sysctl_kernel_randomize_va_space + - rpm_verify_hashes + - rpm_verify_permissions -+ - ensure_almalinux_gpgkey_installed ++ - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_never_disabled + - ensure_gpgcheck_local_packages @@ -23860,7 +25157,7 @@ index 000000000..7280e278d + - audit_rules_usergroup_modification_shadow diff --git a/products/almalinux9/profiles/ism_o.profile b/products/almalinux9/profiles/ism_o.profile new file mode 100644 -index 000000000..3377fb3cd +index 000000000..3cd0db691 --- /dev/null +++ b/products/almalinux9/profiles/ism_o.profile @@ -0,0 +1,138 @@ @@ -23879,12 +25176,12 @@ index 000000000..3377fb3cd +title: 'Australian Cyber Security Centre (ACSC) ISM Official' + +description: |- -+ This profile contains configuration checks for AlmaLinux 9 ++ This profile contains configuration checks for Red Hat Enterprise Linux 9 + that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) + with the applicability marking of OFFICIAL. + -+ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning -+ AlmaLinux security controls with the ISM, which can be used to select controls ++ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning ++ Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls + specific to an organisation's security posture and risk profile. + + A copy of the ISM can be found at the ACSC website: @@ -23951,7 +25248,7 @@ index 000000000..3377fb3cd + - accounts_password_pam_minlen + + ## Centralised logging facility -+ ## Identifiers 1405 / 0988 ++ ## Identifiers 1405 / 0988 + - rsyslog_cron_logging + - rsyslog_files_groupownership + - rsyslog_files_ownership @@ -23979,7 +25276,7 @@ index 000000000..3377fb3cd + ## Identifiers 1552 / 1277 + + ## Network design and configuration -+ ## Identifiers 1055 / 1311 ++ ## Identifiers 1055 / 1311 + - network_nmcli_permissions + - service_snmpd_disabled + - snmpd_use_newer_protocol @@ -23989,8 +25286,8 @@ index 000000000..3377fb3cd + - wireless_disable_interfaces + + ## ASD Approved Cryptographic Algorithms -+ ## Identifiers 0471 / 0472 / 0473 / 0474 / 0475 / 0476 / 0477 / -+ ## 0479 / 0480 / 0481 / 0489 / 0497 / 0994 / 0998 / 1001 / 1139 / ++ ## Identifiers 0471 / 0472 / 0473 / 0474 / 0475 / 0476 / 0477 / ++ ## 0479 / 0480 / 0481 / 0489 / 0497 / 0994 / 0998 / 1001 / 1139 / + ## 1372 / 1373 / 1374 / 1375 + - enable_fips_mode + - var_system_crypto_policy=fips @@ -24004,7 +25301,7 @@ index 000000000..3377fb3cd + - file_permissions_sshd_private_key diff --git a/products/almalinux9/profiles/ospp.profile b/products/almalinux9/profiles/ospp.profile new file mode 100644 -index 000000000..28602c672 +index 000000000..d77041404 --- /dev/null +++ b/products/almalinux9/profiles/ospp.profile @@ -0,0 +1,347 @@ @@ -24021,7 +25318,7 @@ index 000000000..28602c672 +title: 'Protection Profile for General Purpose Operating Systems' + +description: |- -+ This profile is part of AlmaLinux 9 Common Criteria Guidance ++ This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance + documentation for Target of Evaluation based on Protection Profile for + General Purpose Operating Systems (OSPP) version 4.2.1 and Functional + Package for SSH version 1.0. @@ -24064,7 +25361,7 @@ index 000000000..28602c672 + - grub2_systemd_debug-shell_argument_absent + + ### Software update -+ - ensure_almalinux_gpgkey_installed ++ - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_never_disabled @@ -24357,7 +25654,7 @@ index 000000000..28602c672 + - zipl_systemd_debug-shell_argument_absent diff --git a/products/almalinux9/profiles/pci-dss.profile b/products/almalinux9/profiles/pci-dss.profile new file mode 100644 -index 000000000..707424189 +index 000000000..1368ffe62 --- /dev/null +++ b/products/almalinux9/profiles/pci-dss.profile @@ -0,0 +1,149 @@ @@ -24477,7 +25774,7 @@ index 000000000..707424189 + - accounts_password_pam_lcredit + - accounts_password_pam_unix_remember + - accounts_maximum_age_login_defs -+ - ensure_almalinux_gpgkey_installed ++ - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_never_disabled + - security_patches_up_to_date @@ -24719,11 +26016,11 @@ index affb9770c..7273e6d7d 100644 multi_platform_rhv multi_platform_sle multi_platform_ubuntu -diff --git a/shared/references/disa-stig-ol7-v2r9-xccdf-manual.xml b/shared/references/disa-stig-ol7-v2r9-xccdf-manual.xml -index 45b7a0956..3c953e30f 100644 ---- a/shared/references/disa-stig-ol7-v2r9-xccdf-manual.xml -+++ b/shared/references/disa-stig-ol7-v2r9-xccdf-manual.xml -@@ -930,7 +930,7 @@ Check to see if an encrypted grub superusers password is set. On systems that us +diff --git a/shared/references/disa-stig-ol7-v2r11-xccdf-manual.xml b/shared/references/disa-stig-ol7-v2r11-xccdf-manual.xml +index f1607eb65..8db20f544 100644 +--- a/shared/references/disa-stig-ol7-v2r11-xccdf-manual.xml ++++ b/shared/references/disa-stig-ol7-v2r11-xccdf-manual.xml +@@ -929,7 +929,7 @@ Check to see if an encrypted grub superusers password is set. On systems that us $ sudo grep -iw grub2_password /boot/grub2/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] @@ -24732,7 +26029,7 @@ index 45b7a0956..3c953e30f 100644 Generate an encrypted grub2 password for the grub superusers account with the following command: -@@ -942,7 +942,7 @@ For systems that are running a version of Oracle Linux prior to 7.2, this is Not +@@ -941,7 +941,7 @@ For systems that are running a version of Oracle Linux prior to 7.2, this is Not Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command: @@ -24741,7 +26038,7 @@ index 45b7a0956..3c953e30f 100644 GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>OL07-00-010500The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. -@@ -1845,7 +1845,7 @@ On BIOS-based machines, use the following command: +@@ -1836,7 +1836,7 @@ On BIOS-based machines, use the following command: On UEFI-based machines, use the following command: @@ -24750,7 +26047,7 @@ index 45b7a0956..3c953e30f 100644 If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: -@@ -1876,7 +1876,7 @@ dracut-fips-033-360.el7_2.x86_64.rpm +@@ -1867,7 +1867,7 @@ dracut-fips-033-360.el7_2.x86_64.rpm If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command: @@ -24759,7 +26056,7 @@ index 45b7a0956..3c953e30f 100644 # grep fips /boot/grub2/grub.cfg /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet -@@ -1971,14 +1971,14 @@ All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux +@@ -1939,14 +1939,14 @@ An example rule that includes the "sha512" rule follows: If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>OL07-00-021700The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108367V-99263CCI-001813Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. @@ -24776,7 +26073,7 @@ index 45b7a0956..3c953e30f 100644 Check that the grub configuration file has the set root command in each menu entry with the following commands: -@@ -4492,12 +4492,12 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} +@@ -4479,12 +4479,12 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} Generate a new grub.cfg file with the following command: @@ -24791,11 +26088,11 @@ index 45b7a0956..3c953e30f 100644 set superusers="[someuniquestringhere]" export superusers -diff --git a/shared/references/disa-stig-ol8-v1r4-xccdf-manual.xml b/shared/references/disa-stig-ol8-v1r4-xccdf-manual.xml -index 55252a9e0..a1aa5b167 100644 ---- a/shared/references/disa-stig-ol8-v1r4-xccdf-manual.xml -+++ b/shared/references/disa-stig-ol8-v1r4-xccdf-manual.xml -@@ -439,7 +439,7 @@ $ sudo egrep "^SHA_CRYPT_" /etc/login.defs +diff --git a/shared/references/disa-stig-ol8-v1r6-xccdf-manual.xml b/shared/references/disa-stig-ol8-v1r6-xccdf-manual.xml +index 8181b3b09..364c07f42 100644 +--- a/shared/references/disa-stig-ol8-v1r6-xccdf-manual.xml ++++ b/shared/references/disa-stig-ol8-v1r6-xccdf-manual.xml +@@ -439,7 +439,7 @@ SHA_CRYPT_MIN_ROUNDS 5000SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-010500The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. -@@ -1851,7 +1851,7 @@ On BIOS-based machines, use the following command: +@@ -1864,7 +1864,7 @@ On BIOS-based machines, use the following command: On UEFI-based machines, use the following command: @@ -24858,7 +26155,7 @@ index 2ac417f0e..b84cd4b83 100644 If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: -@@ -1882,7 +1882,7 @@ dracut-fips-033-360.el7_2.x86_64.rpm +@@ -1895,7 +1895,7 @@ dracut-fips-033-360.el7_2.x86_64.rpm If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command: @@ -24867,7 +26164,7 @@ index 2ac417f0e..b84cd4b83 100644 # grep fips /boot/grub2/grub.cfg /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet -@@ -1955,14 +1955,14 @@ An example rule that includes the "sha512" rule follows: +@@ -1968,14 +1968,14 @@ An example rule that includes the "sha512" rule follows: If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-021700The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86699V-72075CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. @@ -24884,7 +26181,7 @@ index 2ac417f0e..b84cd4b83 100644 Check that the grub configuration file has the set root command in each menu entry with the following commands: -@@ -4452,13 +4452,13 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} +@@ -4475,13 +4475,13 @@ password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} Generate a new grub.cfg file with the following command: @@ -24900,407 +26197,363 @@ index 2ac417f0e..b84cd4b83 100644 set superusers="[someuniquestringhere]" export superusers -diff --git a/shared/references/disa-stig-rhel7-v3r10-xccdf-scap.xml b/shared/references/disa-stig-rhel7-v3r10-xccdf-scap.xml -index ee53d1416..c298fc185 100644 ---- a/shared/references/disa-stig-rhel7-v3r10-xccdf-scap.xml -+++ b/shared/references/disa-stig-rhel7-v3r10-xccdf-scap.xml -@@ -3236,7 +3236,7 @@ Confirm password: - SV-95719 - V-81007 - CCI-000213 -- Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. -+ Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. - - Generate an encrypted grub2 password for the grub superusers account with the following command: - -@@ -4010,7 +4010,7 @@ On BIOS-based machines, use the following command: - - On UEFI-based machines, use the following command: - --# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg -+# grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg - - If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: - -@@ -7504,7 +7504,8 @@ Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ - Disable Prelinking - - multi_platform_fedora -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - multi_platform_rhel-osp - - The prelinking feature can interfere with the operation of -@@ -7535,7 +7536,8 @@ Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ - - Package openssh-server Removed - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - multi_platform_fedora - multi_platform_sle - -@@ -8346,7 +8348,8 @@ Password complexity is one factor of several that determines how long it takes t - - Limit Password Reuse - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - multi_platform_fedora - - The passwords to remember should be set correctly. -@@ -8362,7 +8365,8 @@ Password complexity is one factor of several that determines how long it takes t - - RHEL-07-040160 - The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. - -@@ -8456,7 +8460,8 @@ Terminating network connections associated with communications sessions includes - - RHEL-07-030410 - The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod and fchmodat syscalls. - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -8512,7 +8517,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - RHEL-07-030370 - The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat and lchown syscalls. - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - - -@@ -8558,7 +8564,8 @@ When a user logs on, the auid is set to the uid of the account that is being aut - - RHEL-07-030440 - The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr and lremovexattr syscalls. - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - - -@@ -9655,7 +9662,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Disable Host-Based Authentication - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - SSH host-based authentication should be disabled. - -@@ -9670,7 +9678,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Package prelink Removed - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - The RPM package prelink should be removed. - -@@ -9813,7 +9822,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Mount Remote Filesystems with nosuid - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - - -@@ -9843,7 +9853,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Package net-snmp Removed - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - The RPM package net-snmp should be removed. - -@@ -9870,7 +9881,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Package telnet-server Removed - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - The RPM package telnet-server should be removed. - -@@ -9898,7 +9910,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Package vsftpd Removed - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - The RPM package vsftpd should be removed. - -@@ -9911,7 +9924,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Package xorg-x11-server-common Removed - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - multi_platform_fedora - - -@@ -9940,7 +9954,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Ensure /home Located On Separate Partition - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - If user home directories will be stored locally, create a - separate partition for /home. If /home will be mounted from another -@@ -9958,7 +9973,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Ensure /var Located On Separate Partition - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - - -@@ -9976,7 +9992,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Ensure /var/log/audit Located On Separate Partition - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - - -@@ -9995,7 +10012,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - Verify File Hashes with RPM - - multi_platform_fedora -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - Verify the RPM digests of system binaries using the RPM database. - -@@ -10069,7 +10087,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Ensure Only Protocol 2 Connections Allowed - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - multi_platform_debian - multi_platform_ubuntu - -@@ -10105,7 +10124,8 @@ The system call rules are loaded into a matching engine that intercepts each sys - - Disable .rhosts Files - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - - -@@ -10170,7 +10190,8 @@ This should be disabled. - - Do Not Allow Users to Set Environment Options - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - - PermitUserEnvironment should be disabled - -@@ -10519,7 +10540,8 @@ By specifying a cipher list with the order of ciphers being in a "strongest to w - - Package openssh-server is version 7.4 or higher - -- multi_platform_rhel -+ multi_platform_rhel -+multi_platform_almalinux - multi_platform_fedora - multi_platform_sle - -@@ -10756,12 +10778,12 @@ The ability to enable/disable a session lock is given to the user by default. Di - The UEFI grub2 boot loader should have password protection enabled. - - -- -+ - -- -+ - -- -- -+ -+ - - - -@@ -11660,7 +11682,7 @@ The ability to enable/disable a session lock is given to the user by default. Di - - - -- -+ - - - -@@ -12210,10 +12232,10 @@ The ability to enable/disable a session lock is given to the user by default. Di - - - -- -+ - - -- -+ - - - -@@ -13637,7 +13659,7 @@ The ability to enable/disable a session lock is given to the user by default. Di - /boot/grub2/grub.cfg - - -- /boot/efi/EFI/redhat/grub.cfg -+ /boot/efi/EFI/almalinux/grub.cfg - - - -@@ -14472,12 +14494,12 @@ The ability to enable/disable a session lock is given to the user by default. Di - 1 - - -- /boot/efi/EFI/redhat/user.cfg -+ /boot/efi/EFI/almalinux/user.cfg - ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.\S+$ - 1 - - -- /boot/efi/EFI/redhat/grub.cfg -+ /boot/efi/EFI/almalinux/grub.cfg - ^[\s]*set[\s]+superusers=\"\S+\"$ - 1 - -@@ -15057,7 +15079,7 @@ The ability to enable/disable a session lock is given to the user by default. Di - - - /boot/grub2/grub.cfg -- /boot/efi/EFI/redhat/grub.cfg -+ /boot/efi/EFI/almalinux/grub.cfg - - - /etc/sysctl.d -diff --git a/shared/references/disa-stig-rhel8-v1r8-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r8-xccdf-scap.xml -index 92f67b352..6c52370e8 100644 ---- a/shared/references/disa-stig-rhel8-v1r8-xccdf-scap.xml -+++ b/shared/references/disa-stig-rhel8-v1r8-xccdf-scap.xml -@@ -2531,7 +2531,7 @@ SHA_CRYPT_MIN_ROUNDS 5000 - 2921 - - CCI-000213 -- Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. -+ Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. - - Generate an encrypted grub2 password for the grub superusers account with the following command: - -@@ -9869,11 +9869,11 @@ Passwords need to be protected at all times, and encryption is the standard meth - - If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. - -- -- -+ -+ - -- -- -+ -+ - - - -@@ -10612,7 +10612,7 @@ Configuration settings are the set of parameters that can be changed in hardware - The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - - -- -+ - - - -@@ -13863,15 +13863,15 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - - -- -+ - - - -- -+ - - - -@@ -15390,18 +15390,18 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\b - 1 - -- -- /boot/efi/EFI/redhat/grub.cfg -+ -+ /boot/efi/EFI/almalinux/grub.cfg - ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$ - 1 - -- -- /boot/efi/EFI/redhat/user.cfg -+ -+ /boot/efi/EFI/almalinux/user.cfg - ^\s*GRUB2_PASSWORD=(\S+)\b - 1 - -- -- /boot/efi/EFI/redhat/grub.cfg -+ -+ /boot/efi/EFI/almalinux/grub.cfg - - - /boot/grub2/grub.cfg -diff --git a/shared/references/disa-stig-rhel8-v1r9-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r9-xccdf-manual.xml -index 4d2982317..6d1974a59 100644 ---- a/shared/references/disa-stig-rhel8-v1r9-xccdf-manual.xml -+++ b/shared/references/disa-stig-rhel8-v1r9-xccdf-manual.xml -@@ -374,7 +374,7 @@ SHA_CRYPT_MIN_ROUNDS 5000 + SV-95719 + V-81007 + CCI-000213 +- Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. ++ Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. + + Generate an encrypted grub2 password for the grub superusers account with the following command: + +@@ -4005,7 +4005,7 @@ On BIOS-based machines, use the following command: + + On UEFI-based machines, use the following command: + +-# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg ++# grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg + + If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: + +@@ -7538,6 +7538,7 @@ Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ + + multi_platform_fedora + multi_platform_rhel ++multi_platform_almalinux + multi_platform_rhel-osp + + The prelinking feature can interfere with the operation of +@@ -7569,6 +7570,7 @@ Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ + Package openssh-server Removed + + multi_platform_rhel ++multi_platform_almalinux + multi_platform_fedora + multi_platform_sle + +@@ -8340,6 +8342,7 @@ Password complexity is one factor of several that determines how long it takes t + Limit Password Reuse + + multi_platform_rhel ++multi_platform_almalinux + multi_platform_fedora + + The passwords to remember should be set correctly. +@@ -8356,6 +8359,7 @@ Password complexity is one factor of several that determines how long it takes t + RHEL-07-040160 - The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. + + multi_platform_rhel ++multi_platform_almalinux + + Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. + +@@ -8413,6 +8417,7 @@ Terminating network connections associated with communications sessions includes + RHEL-07-030410 - The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod and fchmodat syscalls. + + multi_platform_rhel ++multi_platform_almalinux + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +@@ -8469,6 +8474,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + RHEL-07-030370 - The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat and lchown syscalls. + + multi_platform_rhel ++multi_platform_almalinux + + + +@@ -8515,6 +8521,7 @@ When a user logs on, the auid is set to the uid of the account that is being aut + RHEL-07-030440 - The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr and lremovexattr syscalls. + + multi_platform_rhel ++multi_platform_almalinux + + + +@@ -9612,6 +9619,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Disable Host-Based Authentication + + multi_platform_rhel ++multi_platform_almalinux + + SSH host-based authentication should be disabled. + +@@ -9627,6 +9635,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Package prelink Removed + + multi_platform_rhel ++multi_platform_almalinux + + The RPM package prelink should be removed. + +@@ -9770,6 +9779,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Mount Remote Filesystems with nosuid + + multi_platform_rhel ++multi_platform_almalinux + + + +@@ -9800,6 +9810,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Package net-snmp Removed + + multi_platform_rhel ++multi_platform_almalinux + + The RPM package net-snmp should be removed. + +@@ -9827,6 +9838,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Package telnet-server Removed + + multi_platform_rhel ++multi_platform_almalinux + + The RPM package telnet-server should be removed. + +@@ -9855,6 +9867,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Package vsftpd Removed + + multi_platform_rhel ++multi_platform_almalinux + + The RPM package vsftpd should be removed. + +@@ -9868,6 +9881,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Package xorg-x11-server-common Removed + + multi_platform_rhel ++multi_platform_almalinux + multi_platform_fedora + + +@@ -9897,6 +9911,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Ensure /home Located On Separate Partition + + multi_platform_rhel ++multi_platform_almalinux + + If user home directories will be stored locally, create a + separate partition for /home. If /home will be mounted from another +@@ -9915,6 +9930,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Ensure /var Located On Separate Partition + + multi_platform_rhel ++multi_platform_almalinux + + + +@@ -9933,6 +9949,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Ensure /var/log/audit Located On Separate Partition + + multi_platform_rhel ++multi_platform_almalinux + + + +@@ -9952,6 +9969,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + + multi_platform_fedora + multi_platform_rhel ++multi_platform_almalinux + + Verify the RPM digests of system binaries using the RPM database. + +@@ -10026,6 +10044,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Ensure Only Protocol 2 Connections Allowed + + multi_platform_rhel ++multi_platform_almalinux + multi_platform_debian + multi_platform_ubuntu + +@@ -10062,6 +10081,7 @@ The system call rules are loaded into a matching engine that intercepts each sys + Disable .rhosts Files + + multi_platform_rhel ++multi_platform_almalinux + + + +@@ -10127,6 +10147,7 @@ This should be disabled. + Do Not Allow Users to Set Environment Options + + multi_platform_rhel ++multi_platform_almalinux + + PermitUserEnvironment should be disabled + +@@ -10476,6 +10497,7 @@ By specifying a cipher list with the order of ciphers being in a "strongest to w + Package openssh-server is version 7.4 or higher + + multi_platform_rhel ++multi_platform_almalinux + multi_platform_fedora + multi_platform_sle + +@@ -10712,12 +10734,12 @@ The ability to enable/disable a session lock is given to the user by default. Di + The UEFI grub2 boot loader should have password protection enabled. + + +- ++ + +- ++ + +- +- ++ ++ + + + +@@ -11662,7 +11684,7 @@ This requirement addresses concurrent sessions for information system accounts a + + + +- ++ + + + +@@ -12191,10 +12213,10 @@ This requirement addresses concurrent sessions for information system accounts a + + + +- ++ + + +- ++ + + + +@@ -13639,7 +13661,7 @@ This requirement addresses concurrent sessions for information system accounts a + /boot/grub2/grub.cfg + + +- /boot/efi/EFI/redhat/grub.cfg ++ /boot/efi/EFI/almalinux/grub.cfg + + + +@@ -14441,12 +14463,12 @@ This requirement addresses concurrent sessions for information system accounts a + 1 + + +- /boot/efi/EFI/redhat/user.cfg ++ /boot/efi/EFI/almalinux/user.cfg + ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.\S+$ + 1 + + +- /boot/efi/EFI/redhat/grub.cfg ++ /boot/efi/EFI/almalinux/grub.cfg + ^[\s]*set[\s]+superusers=\"\S+\"$ + 1 + +@@ -15022,7 +15044,7 @@ This requirement addresses concurrent sessions for information system accounts a + + + /boot/grub2/grub.cfg +- /boot/efi/EFI/redhat/grub.cfg ++ /boot/efi/EFI/almalinux/grub.cfg + + + /etc/sysctl.d +diff --git a/shared/references/disa-stig-rhel8-v1r10-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r10-xccdf-scap.xml +index b417e7fec..ebaf26f52 100644 +--- a/shared/references/disa-stig-rhel8-v1r10-xccdf-scap.xml ++++ b/shared/references/disa-stig-rhel8-v1r10-xccdf-scap.xml +@@ -2549,7 +2549,7 @@ SHA_CRYPT_MIN_ROUNDS 5000 + 2921 + + CCI-000213 +- Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. ++ Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. + + Generate an encrypted grub2 password for the grub superusers account with the following command: + +@@ -10026,11 +10026,11 @@ Passwords need to be protected at all times, and encryption is the standard meth + + If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. + +- +- ++ ++ + +- +- ++ ++ + + + +@@ -10696,7 +10696,7 @@ Configuration settings are the set of parameters that can be changed in hardware + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + + +- ++ + + + +@@ -14092,15 +14092,15 @@ By limiting the number of attempts to meet the pwquality module complexity requi + + + +- ++ + + + +- ++ + + + +- ++ + + + +@@ -15677,18 +15677,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi + ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\b + 1 + +- +- /boot/efi/EFI/redhat/grub.cfg ++ ++ /boot/efi/EFI/almalinux/grub.cfg + ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$ + 1 + +- +- /boot/efi/EFI/redhat/user.cfg ++ ++ /boot/efi/EFI/almalinux/user.cfg + ^\s*GRUB2_PASSWORD=(\S+)\b + 1 + +- +- /boot/efi/EFI/redhat/grub.cfg ++ ++ /boot/efi/EFI/almalinux/grub.cfg + + + /boot/grub2/grub.cfg +diff --git a/shared/references/disa-stig-rhel8-v1r11-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r11-xccdf-manual.xml +index 747e322d8..2fd54a056 100644 +--- a/shared/references/disa-stig-rhel8-v1r11-xccdf-manual.xml ++++ b/shared/references/disa-stig-rhel8-v1r11-xccdf-manual.xml +@@ -376,7 +376,7 @@ SHA_CRYPT_MIN_ROUNDS 5000TMOUT option in /etc/profile ensures that diff --git a/tests/unit/ssg-module/data/accounts_tmout_without_ocil.yml b/tests/unit/ssg-module/data/accounts_tmout_without_ocil.yml -index 151fb1c1b..d17101e1f 100644 +index 1feaeb55c..0dcddd023 100644 --- a/tests/unit/ssg-module/data/accounts_tmout_without_ocil.yml +++ b/tests/unit/ssg-module/data/accounts_tmout_without_ocil.yml @@ -1,4 +1,4 @@ @@ -26360,10 +27658,10 @@ index 8e5e284ee..ce1b79416 100644 # remediation = none # variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=requisite diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py -index a25f2321d..e539e9cea 100755 +index 60eaf4402..e5d7fc005 100755 --- a/utils/ansible_playbook_to_role.py +++ b/utils/ansible_playbook_to_role.py -@@ -57,6 +57,7 @@ yaml.add_constructor(_mapping_tag, dict_constructor) +@@ -58,6 +58,7 @@ yaml.add_constructor(_mapping_tag, dict_constructor) PRODUCT_ALLOWLIST = set([ "rhel7", "rhel8", diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index f3f4754..e94a97f 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -21,7 +21,7 @@ Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patc BuildArch: noarch # AlmaLinux 9 -Patch1000: scap-security-guide-0.1.66-add-almalinux9-product.patch +Patch1000: scap-security-guide-0.1.69-add-almalinux9-product.patch BuildRequires: libxslt BuildRequires: expat